Analysis Overview
SHA256
82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272
Threat Level: Known bad
The file 82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf was found to be: Known bad.
Malicious Activity Summary
Contains strings common to LOLSquad DDoS tools
Writes memory of remote process
Loads a kernel module
Changes its process name
Enumerates kernel/hardware configuration
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-28 01:30
Signatures
Contains strings common to LOLSquad DDoS tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 01:30
Reported
2024-06-28 01:32
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
148s
Max time network
146s
Command Line
Signatures
Writes memory of remote process
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Note: this is the only behavioural signature in the report whose Process column names the sample itself; no target process is recorded for the write.
Loads a kernel module
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | N/A | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | (agent) | /proc/self/fd/9 | N/A |
| Changes the process name, possibly in an attempt to hide itself | N/A | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | N/A | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | (sd-rmrf) | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | (sd-rmrf) | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | N/A | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | (anacron) | /proc/self/fd/9 | N/A |
| Changes the process name, possibly in an attempt to hide itself | N/A | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | N/A | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | N/A | N/A | N/A |
Note: the three named indicators, (agent), (anacron) and (sd-rmrf), are the parenthesised names systemd gives the child it forks for a unit before exec'ing it, and the process attributed to them, /proc/self/fd/9, is the systemd-executor helper listed under Processes. None of these rename events is attributed to the sample's own process.
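Because the sandbox flags every comm change, a practitioner needs a way to separate systemd's "(unit)" worker names from a binary that renames itself with prctl(PR_SET_NAME). The following is an added example, not part of the report or of the sandbox's tooling: it compares each process's comm with the names the kernel would have assigned at execve and whitelists the systemd worker pattern. The snapshot it checks is constructed from the Processes section; the PIDs are borrowed from the report's /proc reads but their assignment to processes is assumed, and the last entry (a sample process calling itself kworker/u8:1) is hypothetical, since the report records no rename by the sample itself.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TASK_COMM_LEN = 15  # the kernel keeps 15 bytes of comm (16 with the NUL)


@dataclass
class ProcView:
    """One process as seen through /proc."""
    pid: int
    comm: str                      # /proc/<pid>/comm without the trailing newline
    exe: Optional[str]             # readlink(/proc/<pid>/exe), None if absent/unreadable
    cmdline: List[str] = field(default_factory=list)  # /proc/<pid>/cmdline split on NUL


def expected_comm(path: str) -> str:
    """comm the kernel assigns at execve(): basename of the file, cut to 15 bytes."""
    if path.endswith(" (deleted)"):            # /proc/<pid>/exe marks unlinked binaries
        path = path[: -len(" (deleted)")]
    return os.path.basename(path)[:TASK_COMM_LEN]


def classify(p: ProcView) -> str:
    """Return 'kernel-thread', 'systemd-worker', 'ok' or 'renamed'."""
    if p.exe is None and not p.cmdline:
        return "kernel-thread"                 # kernel threads have neither exe nor argv
    # systemd names the child it forks for a unit "(unit)" before exec'ing it, so
    # "(agent)", "(anacron)" or "(sd-rmrf)" under systemd/systemd-executor is expected.
    launcher = os.path.basename(p.cmdline[0]) if p.cmdline else ""
    if p.comm.startswith("(") and p.comm.endswith(")") and launcher in ("systemd", "systemd-executor"):
        return "systemd-worker"
    # Legitimate names: argv[0], argv[1] (for "#!" scripts the kernel uses the
    # script's name, not the interpreter's) and the exe basename.
    candidates = {expected_comm(a) for a in p.cmdline[:2]}
    if p.exe:
        candidates.add(expected_comm(p.exe))
    return "ok" if p.comm in candidates else "renamed"


def triage(entries: List[ProcView]) -> Dict[int, str]:
    return {p.pid: classify(p) for p in entries}


def renamed_pids(entries: List[ProcView]) -> List[int]:
    return sorted(p.pid for p in entries if classify(p) == "renamed")


def read_proc_view(pid: int) -> Optional[ProcView]:
    """Build a ProcView from a live /proc entry (for use on a real host)."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().rstrip("\n")
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except OSError:
        return None
    try:
        exe: Optional[str] = os.readlink(f"{base}/exe")
    except OSError:
        exe = None                             # kernel threads, or no permission
    return ProcView(pid, comm, exe, cmdline)


def scan_live() -> Dict[int, str]:
    views = [v for d in os.listdir("/proc") if d.isdigit() for v in [read_proc_view(int(d))] if v]
    return triage(views)


SAMPLE_ELF = "/tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf"
EXECUTOR = "/usr/lib/systemd/systemd-executor"

# Constructed snapshot modelled on the report's Processes section. PID-to-process
# mapping is assumed; the kworker/u8:1 entry is hypothetical (not in the report).
SAMPLE_PROCS = [
    ProcView(2, "kthreadd", None, []),
    ProcView(2498, "(agent)", EXECUTOR,
             [EXECUTOR, "--deserialize", "51", "--log-level", "info", "--log-target", "journal-or-kmsg"]),
    ProcView(2501, "anacron", "/usr/sbin/anacron", ["/usr/sbin/anacron", "-d", "-q", "-s"]),
    ProcView(2510, "82408466094a739", SAMPLE_ELF, [SAMPLE_ELF]),   # 15-byte truncation is still 'ok'
    ProcView(2512, "kworker/u8:1", SAMPLE_ELF, [SAMPLE_ELF]),      # hypothetical PR_SET_NAME rename
]

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_PROCS).items():
        print(pid, verdict)
```

The truncation case matters in practice: a long file name such as this sample's hash is cut to 15 bytes in comm, so a naive string compare against the full basename would flag every such process as renamed.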
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/fs/cgroup/system.slice/agent.service/cgroup.events | N/A | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/agent.service/memory.peak | N/A | N/A |
| File opened for reading | /sys/fs/cgroup/init.scope/memory.events | N/A | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/systemd-timedated.service/cgroup.procs | N/A | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/agent.service/memory.swap.peak | N/A | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/anacron.service/cgroup.events | N/A | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/anacron.service/cpu.stat | N/A | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/systemd-timedated.service/memory.events | N/A | N/A |
| File opened for reading | /sys/class | N/A | N/A |
| File opened for reading | /sys/class/power_supply | N/A | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/anacron.service | N/A | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/anacron.service/cgroup.procs | N/A | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/anacron.service/memory.pressure | /proc/self/fd/9 | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/agent.service/cpu.stat | N/A | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/cgroup.events | N/A | N/A |
| File opened for reading | /sys/module/apparmor/parameters/enabled | /proc/self/fd/9 | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/systemd-timedated.service | N/A | N/A |
| File opened for reading | /sys/bus | N/A | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/agent.service/memory.events | N/A | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/systemd-timedated.service/cgroup.events | N/A | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/systemd-timedated.service/cgroup.threads | N/A | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/systemd-timedated.service/cpu.stat | N/A | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/agent.service/cgroup.procs | N/A | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /usr/sbin/agent | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/agent.service/memory.pressure | /proc/self/fd/9 | N/A |
| File opened for reading | /sys/module/apparmor/parameters/enabled | /proc/self/fd/9 | N/A |
| File opened for reading | /sys/fs/cgroup/system.slice/agent.service | N/A | N/A |
| File opened for reading | /sys/fs/cgroup/pids.max | N/A | N/A |
Note: where a process is named it is /proc/self/fd/9 (the systemd-executor helper) or /usr/sbin/agent; the cgroup files read belong to the agent.service, anacron.service and systemd-timedated.service units, which is systemd's own bookkeeping. No read in this table is attributed to the sample path.
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/2498/comm | N/A | N/A |
| File opened for reading | /proc/pressure/io | /proc/self/fd/9 | N/A |
| File opened for reading | /proc/self/fdinfo/34 | N/A | N/A |
| File opened for reading | /proc/sys/fs/nr_open | /proc/self/fd/9 | N/A |
| File opened for reading | /proc/pressure/cpu | /proc/self/fd/9 | N/A |
| File opened for reading | /proc/sys/kernel/threads-max | N/A | N/A |
| File opened for reading | /proc/1/cgroup | N/A | N/A |
| File opened for reading | /proc/self/fdinfo/51 | N/A | N/A |
| File opened for reading | /proc/2501/comm | N/A | N/A |
| File opened for reading | /proc/2464/cgroup | N/A | N/A |
| File opened for reading | /proc/filesystems | /proc/self/fd/9 | N/A |
| File opened for reading | /proc/2512/cgroup | N/A | N/A |
| File opened for reading | /proc/2525/cgroup | N/A | N/A |
| File opened for reading | /proc/755/cgroup | N/A | N/A |
| File opened for reading | /proc/2464/comm | N/A | N/A |
| File opened for reading | /proc/sys/kernel/cap_last_cap | /proc/self/fd/9 | N/A |
| File opened for reading | /proc/2510/cgroup | N/A | N/A |
| File opened for reading | /proc/self/fdinfo/64 | N/A | N/A |
| File opened for reading | /proc/2460/comm | N/A | N/A |
| File opened for reading | /proc/self/fd/5 | N/A | N/A |
| File opened for reading | /proc/self/fd/3 | N/A | N/A |
| File opened for reading | /proc/sys/kernel/pid_max | N/A | N/A |
| File opened for reading | /proc/584/cgroup | N/A | N/A |
| File opened for reading | /proc/2395/cgroup | N/A | N/A |
| File opened for reading | /proc/2526/cgroup | N/A | N/A |
| File opened for reading | /proc/filesystems | /proc/self/fd/9 | N/A |
| File opened for reading | /proc/2541/cgroup | N/A | N/A |
| File opened for reading | /proc/2545/comm | N/A | N/A |
| File opened for reading | /proc/self/fdinfo/88 | N/A | N/A |
| File opened for reading | /proc/2512/comm | N/A | N/A |
| File opened for reading | /proc/2525/comm | N/A | N/A |
| File opened for reading | /proc/2527/comm | N/A | N/A |
| File opened for reading | /proc/2527/cgroup | N/A | N/A |
| File opened for reading | /proc/357/cgroup | N/A | N/A |
| File opened for reading | /proc/pressure/cpu | /proc/self/fd/9 | N/A |
| File opened for reading | /proc/pressure/memory | /proc/self/fd/9 | N/A |
| File opened for reading | /proc/2544/comm | N/A | N/A |
| File opened for reading | /proc/2510/comm | N/A | N/A |
| File opened for reading | /proc/2459/cgroup | N/A | N/A |
| File opened for reading | /proc/577/cgroup | N/A | N/A |
| File opened for reading | /proc/sys/kernel/cap_last_cap | /proc/self/fd/9 | N/A |
| File opened for reading | /proc/2541/comm | N/A | N/A |
| File opened for reading | /proc/2485/comm | N/A | N/A |
| File opened for reading | /proc/self/fd | /proc/self/fd/9 | N/A |
| File opened for reading | /proc/709/cgroup | N/A | N/A |
| File opened for reading | /proc/2489/stat | N/A | N/A |
| File opened for reading | /proc/2498/cgroup | N/A | N/A |
| File opened for reading | /proc/sys/net/core/somaxconn | /usr/sbin/agent | N/A |
| File opened for reading | /proc/2526/comm | N/A | N/A |
| File opened for reading | /proc/2528/stat | N/A | N/A |
| File opened for reading | /proc/sys/fs/nr_open | /proc/self/fd/9 | N/A |
| File opened for reading | /proc/709/comm | N/A | N/A |
| File opened for reading | /proc/pressure/memory | /proc/self/fd/9 | N/A |
| File opened for reading | /proc/744/cgroup | N/A | N/A |
| File opened for reading | /proc/2544/cgroup | N/A | N/A |
| File opened for reading | /proc/2545/cgroup | N/A | N/A |
| File opened for reading | /proc/2459/comm | N/A | N/A |
| File opened for reading | /proc/2395/comm | N/A | N/A |
| File opened for reading | /proc/2501/cgroup | N/A | N/A |
| File opened for reading | /proc/self/fd | /proc/self/fd/9 | N/A |
| File opened for reading | /proc/439/cgroup | N/A | N/A |
| File opened for reading | /proc/418/cgroup | N/A | N/A |
| File opened for reading | /proc/pressure/io | /proc/self/fd/9 | N/A |
Note: as in the previous table, the only processes named are /proc/self/fd/9 and /usr/sbin/agent; the /proc/<pid>/comm and /proc/<pid>/cgroup reads are consistent with systemd tracking its units. Nothing here is attributed to the sample path.
Processes
| Process | Command line |
| /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf | /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf |
| /proc/self/fd/9 | /usr/lib/systemd/systemd-executor --deserialize 51 --log-level info --log-target journal-or-kmsg |
| /usr/sbin/agent | /usr/sbin/agent |
| /proc/self/fd/9 | /usr/lib/systemd/systemd-executor --deserialize 64 --log-level info --log-target journal-or-kmsg |
| /usr/sbin/anacron | /usr/sbin/anacron -d -q -s |
The /proc/self/fd/9 entries are systemd (version 255 on Ubuntu 24.04) exec'ing its systemd-executor helper through an already-open file descriptor, which is why the process path is a /proc/self/fd link rather than the binary. /usr/sbin/agent runs as the agent.service unit seen in the cgroup reads above and is not the sample.
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| HK | 103.30.201.250:555 | N/A | tcp |
| HK | 103.30.201.250:555 | N/A | tcp |
| HK | 103.30.201.250:555 | N/A | tcp |
| HK | 103.30.201.250:555 | N/A | tcp |
Note: 224.0.0.251:5353 is mDNS multicast and is ordinary host traffic. The four TCP connections to 103.30.201.250:555 are the only external destination in the detonation: one host, one non-standard port, repeated connection attempts, and no domain resolved. That is the network indicator to extract from this report.
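Sandbox network tables mix host noise with the sample's traffic, and repeated connection attempts appear as duplicate rows. The following added example (not part of the report or the sandbox's tooling) collapses the rows above into one entry per destination, discards multicast, link-local and loopback scope using the standard ipaddress module, and flags external hosts on uncommon ports. The input is a constructed copy of the Network table; the KNOWN_HOST_NOISE and COMMON_PORTS sets are assumptions to be tuned per environment.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Constructed copy of the report's Network table as (country, destination, proto).
NETWORK_ROWS = [
    ("N/A", "224.0.0.251:5353", "udp"),
    ("HK", "103.30.201.250:555", "tcp"),
    ("HK", "103.30.201.250:555", "tcp"),
    ("HK", "103.30.201.250:555", "tcp"),
    ("HK", "103.30.201.250:555", "tcp"),
]

# Destinations a stock Linux host emits on its own (assumed list; extend per environment).
KNOWN_HOST_NOISE = {
    ("224.0.0.251", 5353, "udp"): "mDNS multicast",
    ("ff02::fb", 5353, "udp"): "mDNS multicast (IPv6)",
}
# Ports where an external connection is unremarkable on its own (assumed list).
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 465, 587, 853, 993, 995, 8080, 8443}


def parse_dest(dest: str) -> Tuple[str, int]:
    """Split 'ip:port' or '[v6]:port' into (ip, port)."""
    host, _, port = dest.rpartition(":")
    return host.strip("[]"), int(port)


def classify_dest(ip: str, port: int, proto: str) -> Tuple[str, str]:
    """Return (category, note): 'noise', 'internal' or 'external'."""
    key = (ip, port, proto)
    if key in KNOWN_HOST_NOISE:
        return "noise", KNOWN_HOST_NOISE[key]
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast or addr.is_link_local or addr.is_loopback:
        return "noise", "local/multicast scope"
    if addr.is_private:
        return "internal", "RFC 1918 / ULA range"
    note = "" if port in COMMON_PORTS else f"non-standard port {port}/{proto}"
    return "external", note


def summarize(rows: List[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """Collapse repeated rows into one entry per (ip, port, proto), most frequent first."""
    counts: Counter = Counter()
    country: Dict[Tuple[str, int, str], str] = {}
    for cc, dest, proto in rows:
        ip, port = parse_dest(dest)
        counts[(ip, port, proto)] += 1
        country[(ip, port, proto)] = cc
    out: List[Dict[str, object]] = []
    for (ip, port, proto), n in counts.most_common():
        category, note = classify_dest(ip, port, proto)
        out.append({"ip": ip, "port": port, "proto": proto, "count": n,
                    "country": country[(ip, port, proto)], "category": category, "note": note})
    return out


def candidate_iocs(rows: List[Tuple[str, str, str]]) -> List[str]:
    """External destinations only, as ip:port/proto with the number of attempts."""
    return [f'{r["ip"]}:{r["port"]}/{r["proto"]} (x{r["count"]})'
            for r in summarize(rows) if r["category"] == "external"]


if __name__ == "__main__":
    for r in summarize(NETWORK_ROWS):
        print(r)
    print("IOCs:", candidate_iocs(NETWORK_ROWS))
```

The attempt count is worth keeping with the indicator: four connections to the same host and port inside a two-minute detonation, with no DNS lookup, is a reconnect loop to a hard-coded address, which is the pattern to look for in egress logs.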