Analysis
max time kernel: 147s
max time network: 149s
platform: ubuntu-24.04_amd64
resource: ubuntu2404-amd64-20240523-en
resource tags: arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
submitted: 27/06/2024, 18:31
Behavioral task: behavioral1
Sample: LinuxTF.elf
Resource: ubuntu2404-amd64-20240523-en
5 signatures, 150 seconds
General
Target: LinuxTF.elf
Size: 1.0MB
MD5: 26109e7fce4c8039245b081c641a6431
SHA1: 244acb320b2cf22dd82489a271160cc4c427b59e
SHA256: 82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272
SHA512: c72d9373c4cf960bff4ff5317c1d7ed080a57c2be67914294a2ce01918e552d1f7c23e8e7b3d834d712ba480046bf1a9ab51f2b028918df008dbbe58baf5ad83
SSDEEP: 24576:RsqZhvnhHXuhshNjm3Bp6gDgR16lwzBWa4wwS49TrHg29XE/PnroyUkNR9:PhvnhHXuhshNjK8AlGWao2royUk
Score: 8/10
Malware Config: none extracted
Signatures
Reading the tables below: the Process column is the image name the sandbox resolved for the PID. "Process not Found" means the PID could not be resolved to an image (typically a process that had already exited), so such rows cannot be tied to the sample from this report alone. "9" is the basename of /proc/self/fd/9, the path systemd-executor is started through (see Processes below).
Writes memory of remote process (3 IoCs)
  pid   Process
  2483  LinuxTF.elf
  2522  Process not Found
  2528  Process not Found
Loads a kernel module (28 IoCs)
Loads a Linux kernel module, potentially to achieve persistence.
  pid   Process            hits
  2483  LinuxTF.elf        19
  2484  Process not Found   1
  2489  Process not Found   1
  2493  Process not Found   1
  2497  Process not Found   1
  2501  Process not Found   1
  2505  Process not Found   1
  2509  Process not Found   1
  2513  Process not Found   1
  2518  Process not Found   1
The 28 hits arrive in a fixed pattern: two from PID 2483, then one from a short-lived PID the sandbox could not resolve (2484, 2489, ..., 2518), repeated nine times and closed by a final hit from 2483. The report names no module and does not show whether any load succeeded.
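The report only records that module loading was hit; on a host you want to know whether a module actually became resident, whether it is out-of-tree or unsigned, and whether the kernel is now tainted. The following is an added example (not part of the sandbox report and not the sample's code) that decodes /proc/sys/kernel/tainted, parses /proc/modules and diffs it against a baseline and against /sys/module. The /proc and /sys contents embedded below are constructed sample data; the module names lkm_test and ghost_mod are placeholders, and the taint-letter table is taken from the kernel's Documentation/admin-guide/tainted-kernels.rst.

```python
"""Host-side follow-up for a 'Loads a kernel module' sandbox hit.
Added example with constructed sample data; read_live() reads the real files."""
import os

# Taint bit -> flag letter, per Documentation/admin-guide/tainted-kernels.rst.
TAINT_FLAGS = {
    0: "P", 1: "F", 2: "S", 3: "R", 4: "M", 5: "B", 6: "U", 7: "D", 8: "A",
    9: "W", 10: "C", 11: "I", 12: "O", 13: "E", 14: "L", 15: "K", 16: "X",
    17: "T", 18: "N",
}
# The two flags that matter for a suspected rootkit. The kernel also appends
# them per module in /proc/modules, e.g. "... Live 0x0000000000000000 (OE)".
MODULE_TAINTS = {"O": "out-of-tree", "E": "unsigned"}


def decode_taint(value: int) -> list:
    """Turn the integer in /proc/sys/kernel/tainted into its flag letters."""
    return [letter for bit, letter in TAINT_FLAGS.items() if value & (1 << bit)]


def parse_proc_modules(text: str) -> dict:
    """Parse /proc/modules lines: 'name size refcount deps state address [(flags)]'."""
    mods = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        name, size, refcount, deps, state, _addr = fields[:6]
        flags = fields[6].strip("()") if len(fields) > 6 else ""
        mods[name] = {
            "size": int(size),
            "refcount": refcount,                      # '-' when unloadable
            "deps": [d for d in deps.split(",") if d and d != "-"],
            "state": state,                            # Live / Loading / Unloading
            "taint": flags,
        }
    return mods


def suspicious_modules(mods: dict, baseline: set) -> dict:
    """Modules missing from a known-good baseline or carrying an O/E taint."""
    findings = {}
    for name, info in mods.items():
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        reasons += [why for flag, why in MODULE_TAINTS.items() if flag in info["taint"]]
        if reasons:
            findings[name] = reasons
    return findings


def hidden_modules(mods: dict, sys_module_names: set) -> set:
    """Loadable modules listed under /sys/module but absent from /proc/modules.
    A module that unlinks itself from the kernel's module list (a common
    hiding trick) still leaves its kobject directory in /sys/module."""
    return sys_module_names - set(mods)


def read_live(proc: str = "/proc", sys: str = "/sys"):
    """Read the real files on a Linux host: (taint value, modules, /sys names)."""
    with open(f"{proc}/sys/kernel/tainted") as f:
        taint = int(f.read())
    with open(f"{proc}/modules") as f:
        mods = parse_proc_modules(f.read())
    # Only loadable modules have an 'initstate' file; built-ins do not.
    sys_names = {d for d in os.listdir(f"{sys}/module")
                 if os.path.exists(f"{sys}/module/{d}/initstate")}
    return taint, mods, sys_names


# Constructed sample: taint bits 12 (O) and 13 (E) set -> 4096 + 8192,
# two in-tree modules, an out-of-tree guest driver in the baseline, and a
# placeholder module that is not. ghost_mod is present only in /sys/module.
SAMPLE_TAINTED = 12288
SAMPLE_MODULES = """\
nf_tables 372736 0 - Live 0x0000000000000000
x_tables 65536 1 nf_tables, Live 0x0000000000000000
vboxguest 409600 2 vboxsf, Live 0x0000000000000000 (OE)
lkm_test 16384 0 - Live 0x0000000000000000 (OE)
"""
BASELINE = {"nf_tables", "x_tables", "vboxguest"}
SAMPLE_SYS_MODULE = {"nf_tables", "x_tables", "vboxguest", "lkm_test", "ghost_mod"}


def run_sample() -> dict:
    mods = parse_proc_modules(SAMPLE_MODULES)
    return {
        "taint": decode_taint(SAMPLE_TAINTED),
        "suspicious": suspicious_modules(mods, BASELINE),
        "hidden": hidden_modules(mods, SAMPLE_SYS_MODULE),
    }


if __name__ == "__main__":
    taint, mods, sys_names = read_live()
    print("kernel taint:", decode_taint(taint) or "none")
    print("suspicious:", suspicious_modules(mods, set(mods)))  # no baseline: taint only
    print("hidden from /proc/modules:", hidden_modules(mods, sys_names))
```

Run it as a script on the suspect host to use the live files; a baseline set is best captured from a clean image of the same build, because an empty baseline reduces the check to taint flags alone. A kernel that was never tainted and a module list that matches /sys/module does not prove a load failed: a module that removes itself from both lists needs a memory-level check (for example a kallsyms or ftrace comparison) that this example does not attempt.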
Changes its process name (11 IoCs)
Changes the process name, possibly in an attempt to hide itself.
  new name    pid   Process
  -           2487  Process not Found
  (agent)     2517  9
  -           2534  Process not Found
  -           2537  Process not Found
  -           2550  Process not Found
  (sd-rmrf)   2551  Process not Found
  (sd-rmrf)   2552  Process not Found
  (anacron)   2553  9
  -           2566  Process not Found
  -           2569  Process not Found
  -           2570  Process not Found
None of these PIDs is the sample (2483). The two resolved rows are the systemd-executor instances (image /proc/self/fd/9, shown as "9") taking the names of the services they exec into, agent and anacron; sd-rmrf is a systemd-internal worker name. The remaining nine PIDs could not be resolved, so the report does not tie them to the sample.
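A renamed process shows a /proc/PID/comm that no longer matches the binary behind /proc/PID/exe, which is the check a responder runs on a host after seeing this signature. The following is an added example, not part of the sandbox report and not the sample's or systemd's code. The snapshot it works on is constructed sample data modelled on the PIDs in this report, with two hypothetical rows (PID 2600 with /tmp/sample.elf, and thread 2611 of a hypothetical /usr/bin/app) that the report does not show; the KNOWN_RENAMES allowlist is likewise an assumption to be extended from your own baseline hosts.

```python
"""/proc-based follow-up for a 'Changes its process name' sandbox hit.
Added example; SNAPSHOT is constructed, read_live_snapshot() reads a real host."""
import os
from typing import Optional

COMM_MAX = 15  # TASK_COMM_LEN - 1: the kernel truncates comm to 15 bytes

# Allowlist of names a binary legitimately gives itself (assumption: a starting
# point only). systemd forks helpers such as (sd-rmrf), seen in this report,
# and names them with prctl(PR_SET_NAME).
KNOWN_RENAMES = {
    "/usr/lib/systemd/systemd": {"(sd-rmrf)"},
}


def expected_comm(exe_path: str) -> str:
    """comm as execve() sets it: the basename of the executed path, truncated."""
    return os.path.basename(exe_path)[:COMM_MAX]


def classify(pid: int, entry: dict) -> Optional[str]:
    """Verdict for one task, or None when comm and exe agree.
    entry = {"comm": str, "exe": str or None, "tgid": int}"""
    comm, exe, tgid = entry["comm"], entry["exe"], entry["tgid"]
    if exe is None:
        return "unresolved"      # kernel thread, or already exited ('Process not Found')
    if comm == expected_comm(exe):
        return None
    if comm in KNOWN_RENAMES.get(exe, ()):
        return "known-rename"    # allowlisted for this binary
    if comm.isdigit():
        return "fd-exec"         # execve()'d via /proc/self/fd/N, so comm is just "N"
    if tgid != pid:
        return "thread-rename"   # a thread named by its owning process
    return "renamed"             # prctl(PR_SET_NAME) or argv[0] rewrite: investigate


def renamed_processes(snapshot: dict) -> list:
    """Every task whose comm disagrees with exe, as (pid, comm, exe, verdict)."""
    out = []
    for pid in sorted(snapshot):
        verdict = classify(pid, snapshot[pid])
        if verdict:
            out.append((pid, snapshot[pid]["comm"], snapshot[pid]["exe"], verdict))
    return out


def read_live_snapshot(proc: str = "/proc") -> dict:
    """Walk /proc/<pid>/task/<tid> so threads are included, as the sandbox does."""
    snap = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
            exe = exe.removesuffix(" (deleted)")   # binary unlinked after exec
        except OSError:
            exe = None
        try:
            tids = os.listdir(f"{proc}/{pid}/task")
        except OSError:
            continue                               # raced with process exit
        for tid in tids:
            try:
                with open(f"{proc}/{pid}/task/{tid}/comm") as f:
                    comm = f.read().rstrip("\n")
            except OSError:
                continue
            snap[int(tid)] = {"comm": comm, "exe": exe, "tgid": pid}
    return snap


# Constructed snapshot: comm/exe pairs modelled on this report's process list,
# plus two hypothetical rows (2600, 2611) that the report does not contain.
SNAPSHOT = {
    2483: {"comm": "LinuxTF.elf", "exe": "/tmp/LinuxTF.elf", "tgid": 2483},
    2517: {"comm": "agent", "exe": "/usr/sbin/agent", "tgid": 2517},
    2551: {"comm": "(sd-rmrf)", "exe": "/usr/lib/systemd/systemd", "tgid": 2551},
    2553: {"comm": "9", "exe": "/usr/lib/systemd/systemd-executor", "tgid": 2553},
    2566: {"comm": "kworker/u8:1", "exe": None, "tgid": 2566},
    2600: {"comm": "anacron", "exe": "/tmp/sample.elf", "tgid": 2600},   # hypothetical masquerade
    2611: {"comm": "app-worker", "exe": "/usr/bin/app", "tgid": 2610},   # hypothetical thread
}


if __name__ == "__main__":
    for pid, comm, exe, verdict in renamed_processes(read_live_snapshot()):
        print(f"{pid:>7} {verdict:<14} comm={comm!r} exe={exe}")
```

Two caveats when running this on a real host: a script started through a shebang gets the script's basename as comm while exe points at the interpreter, so interpreters belong in the allowlist or need a /proc/PID/cmdline comparison; and the "renamed" verdict is a prompt to look at the binary behind exe, not proof of malice, since daemons such as systemd rename their helpers routinely.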
Enumerates kernel/hardware configuration (1 TTP, 28 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
Reads by process, as attributed in the report (none is attributed to PID 2483, LinuxTF.elf):
  9 (systemd-executor, image /proc/self/fd/9):
    /sys/module/apparmor/parameters/enabled (read twice)
    /sys/fs/cgroup/system.slice/agent.service/memory.pressure
    /sys/fs/cgroup/system.slice/anacron.service/memory.pressure
  agent:
    /sys/kernel/mm/transparent_hugepage/hpage_pmd_size
  Process not Found:
    /sys/bus
    /sys/class
    /sys/class/power_supply
    /sys/fs/cgroup/pids.max
    /sys/fs/cgroup/init.scope/memory.events
    /sys/fs/cgroup/system.slice/cgroup.events
    /sys/fs/cgroup/system.slice/agent.service and its cgroup.events, cgroup.procs, cpu.stat, memory.events, memory.peak, memory.swap.peak
    /sys/fs/cgroup/system.slice/anacron.service and its cgroup.events, cgroup.procs, cpu.stat
    /sys/fs/cgroup/system.slice/systemd-timedated.service and its cgroup.events, cgroup.procs, cgroup.threads, cpu.stat, memory.events
Only the three generic reads (/sys/bus, /sys/class, /sys/class/power_supply) look like hardware enumeration; the rest are cgroup accounting files for the agent, anacron and systemd-timedated services, and all of them come from unresolved processes or from the executor/agent, not from the sample's own PID.
Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.
Reads by process, as attributed in the report (again none is attributed to PID 2483):
  9 (systemd-executor):
    /proc/sys/fs/nr_open, /proc/filesystems, /proc/pressure/cpu, /proc/pressure/memory, /proc/pressure/io, /proc/self/fd (each read twice, consistent with the two executor instances at PIDs 2517 and 2553)
    /proc/sys/kernel/cap_last_cap
  agent:
    /proc/sys/net/core/somaxconn
  Process not Found:
    /proc/<pid>/cgroup for pids 1, 358, 419, 440, 586, 592, 721, 773, 781, 2420, 2483, 2487, 2522, 2523, 2524, 2525, 2534, 2537, 2550, 2551, 2552, 2566, 2569, 2570
    /proc/<pid>/comm for pids 721, 2420, 2483, 2484, 2487, 2513, 2522, 2523, 2524, 2525, 2534, 2537, 2550, 2551, 2552, 2569, 2570
    /proc/<pid>/stat for pids 2517, 2553
    /proc/self/fd/3, /proc/self/fd/5
    /proc/self/fdinfo/20, /proc/self/fdinfo/45, /proc/self/fdinfo/60, /proc/self/fdinfo/88
    /proc/sys/kernel/pid_max
The /proc/<pid>/cgroup and /proc/<pid>/comm reads sweep across PIDs that include the sample (2483), the short-lived PIDs from the kernel-module signature (2484, 2513) and the renamed PIDs listed above, but every one of them is attributed to an unresolved process, so this report alone does not show whether the sample or a system service performed the enumeration.
Processes
All five entries are top-level processes; only PID 2483 is the submitted sample. PIDs 2517 and 2553 each appear twice because systemd-executor (started through the inherited descriptor /proc/self/fd/9 with --deserialize) exec'd into the service binary without forking, which is also why those PIDs show up under "Changes its process name".

/tmp/LinuxTF.elf
  Command line: /tmp/LinuxTF.elf
  PID: 2483
  Signatures: Writes memory of remote process; Loads a kernel module

/proc/self/fd/9 (systemd-executor)
  Command line: /usr/lib/systemd/systemd-executor --deserialize 45 --log-level info --log-target journal-or-kmsg
  PID: 2517
  Signatures: Changes its process name; Enumerates kernel/hardware configuration; Reads runtime system information

/usr/sbin/agent
  Command line: /usr/sbin/agent
  PID: 2517
  Signatures: Enumerates kernel/hardware configuration; Reads runtime system information

/proc/self/fd/9 (systemd-executor)
  Command line: /usr/lib/systemd/systemd-executor --deserialize 60 --log-level info --log-target journal-or-kmsg
  PID: 2553
  Signatures: Changes its process name; Enumerates kernel/hardware configuration; Reads runtime system information

/usr/sbin/anacron
  Command line: /usr/sbin/anacron -d -q -s
  PID: 2553
  Signatures: none