Malware Analysis Report

2025-01-22 13:44

Sample ID 240628-bw1j2awepn
Target 82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf
SHA256 82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272
Tags botnet rootkit
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272

Threat Level: Known bad

The file 82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf was found to be: Known bad.

Malicious Activity Summary

botnet rootkit

Contains strings common to LOLSquad DDoS tools

Writes memory of remote process

Loads a kernel module

Changes its process name

Enumerates kernel/hardware configuration

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-28 01:30

Signatures

Contains strings common to LOLSquad DDoS tools

botnet
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 01:30

Reported

2024-06-28 01:32

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

148s

Max time network

146s

Command Line

[/tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf]

Signatures

Writes memory of remote process

Description Indicator Process Target
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads a kernel module

rootkit
Description Indicator Process Target
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A N/A N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A N/A N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A N/A N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A N/A N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A N/A N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A N/A N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A N/A N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A N/A N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A
N/A N/A N/A N/A
N/A N/A /tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself N/A N/A N/A
Changes the process name, possibly in an attempt to hide itself (agent) /proc/self/fd/9 N/A
Changes the process name, possibly in an attempt to hide itself N/A N/A N/A
Changes the process name, possibly in an attempt to hide itself N/A N/A N/A
Changes the process name, possibly in an attempt to hide itself (sd-rmrf) N/A N/A
Changes the process name, possibly in an attempt to hide itself (sd-rmrf) N/A N/A
Changes the process name, possibly in an attempt to hide itself N/A N/A N/A
Changes the process name, possibly in an attempt to hide itself (anacron) /proc/self/fd/9 N/A
Changes the process name, possibly in an attempt to hide itself N/A N/A N/A
Changes the process name, possibly in an attempt to hide itself N/A N/A N/A
Changes the process name, possibly in an attempt to hide itself N/A N/A N/A

Enumerates kernel/hardware configuration

Description Indicator Process Target
File opened for reading /sys/fs/cgroup/system.slice/agent.service/cgroup.events N/A N/A
File opened for reading /sys/fs/cgroup/system.slice/agent.service/memory.peak N/A N/A
File opened for reading /sys/fs/cgroup/init.scope/memory.events N/A N/A
File opened for reading /sys/fs/cgroup/system.slice/systemd-timedated.service/cgroup.procs N/A N/A
File opened for reading /sys/fs/cgroup/system.slice/agent.service/memory.swap.peak N/A N/A
File opened for reading /sys/fs/cgroup/system.slice/anacron.service/cgroup.events N/A N/A
File opened for reading /sys/fs/cgroup/system.slice/anacron.service/cpu.stat N/A N/A
File opened for reading /sys/fs/cgroup/system.slice/systemd-timedated.service/memory.events N/A N/A
File opened for reading /sys/class N/A N/A
File opened for reading /sys/class/power_supply N/A N/A
File opened for reading /sys/fs/cgroup/system.slice/anacron.service N/A N/A
File opened for reading /sys/fs/cgroup/system.slice/anacron.service/cgroup.procs N/A N/A
File opened for reading /sys/fs/cgroup/system.slice/anacron.service/memory.pressure /proc/self/fd/9 N/A
File opened for reading /sys/fs/cgroup/system.slice/agent.service/cpu.stat N/A N/A
File opened for reading /sys/fs/cgroup/system.slice/cgroup.events N/A N/A
File opened for reading /sys/module/apparmor/parameters/enabled /proc/self/fd/9 N/A
File opened for reading /sys/fs/cgroup/system.slice/systemd-timedated.service N/A N/A
File opened for reading /sys/bus N/A N/A
File opened for reading /sys/fs/cgroup/system.slice/agent.service/memory.events N/A N/A
File opened for reading /sys/fs/cgroup/system.slice/systemd-timedated.service/cgroup.events N/A N/A
File opened for reading /sys/fs/cgroup/system.slice/systemd-timedated.service/cgroup.threads N/A N/A
File opened for reading /sys/fs/cgroup/system.slice/systemd-timedated.service/cpu.stat N/A N/A
File opened for reading /sys/fs/cgroup/system.slice/agent.service/cgroup.procs N/A N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /usr/sbin/agent N/A
File opened for reading /sys/fs/cgroup/system.slice/agent.service/memory.pressure /proc/self/fd/9 N/A
File opened for reading /sys/module/apparmor/parameters/enabled /proc/self/fd/9 N/A
File opened for reading /sys/fs/cgroup/system.slice/agent.service N/A N/A
File opened for reading /sys/fs/cgroup/pids.max N/A N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/2498/comm N/A N/A
File opened for reading /proc/pressure/io /proc/self/fd/9 N/A
File opened for reading /proc/self/fdinfo/34 N/A N/A
File opened for reading /proc/sys/fs/nr_open /proc/self/fd/9 N/A
File opened for reading /proc/pressure/cpu /proc/self/fd/9 N/A
File opened for reading /proc/sys/kernel/threads-max N/A N/A
File opened for reading /proc/1/cgroup N/A N/A
File opened for reading /proc/self/fdinfo/51 N/A N/A
File opened for reading /proc/2501/comm N/A N/A
File opened for reading /proc/2464/cgroup N/A N/A
File opened for reading /proc/filesystems /proc/self/fd/9 N/A
File opened for reading /proc/2512/cgroup N/A N/A
File opened for reading /proc/2525/cgroup N/A N/A
File opened for reading /proc/755/cgroup N/A N/A
File opened for reading /proc/2464/comm N/A N/A
File opened for reading /proc/sys/kernel/cap_last_cap /proc/self/fd/9 N/A
File opened for reading /proc/2510/cgroup N/A N/A
File opened for reading /proc/self/fdinfo/64 N/A N/A
File opened for reading /proc/2460/comm N/A N/A
File opened for reading /proc/self/fd/5 N/A N/A
File opened for reading /proc/self/fd/3 N/A N/A
File opened for reading /proc/sys/kernel/pid_max N/A N/A
File opened for reading /proc/584/cgroup N/A N/A
File opened for reading /proc/2395/cgroup N/A N/A
File opened for reading /proc/2526/cgroup N/A N/A
File opened for reading /proc/filesystems /proc/self/fd/9 N/A
File opened for reading /proc/2541/cgroup N/A N/A
File opened for reading /proc/2545/comm N/A N/A
File opened for reading /proc/self/fdinfo/88 N/A N/A
File opened for reading /proc/2512/comm N/A N/A
File opened for reading /proc/2525/comm N/A N/A
File opened for reading /proc/2527/comm N/A N/A
File opened for reading /proc/2527/cgroup N/A N/A
File opened for reading /proc/357/cgroup N/A N/A
File opened for reading /proc/pressure/cpu /proc/self/fd/9 N/A
File opened for reading /proc/pressure/memory /proc/self/fd/9 N/A
File opened for reading /proc/2544/comm N/A N/A
File opened for reading /proc/2510/comm N/A N/A
File opened for reading /proc/2459/cgroup N/A N/A
File opened for reading /proc/577/cgroup N/A N/A
File opened for reading /proc/sys/kernel/cap_last_cap /proc/self/fd/9 N/A
File opened for reading /proc/2541/comm N/A N/A
File opened for reading /proc/2485/comm N/A N/A
File opened for reading /proc/self/fd /proc/self/fd/9 N/A
File opened for reading /proc/709/cgroup N/A N/A
File opened for reading /proc/2489/stat N/A N/A
File opened for reading /proc/2498/cgroup N/A N/A
File opened for reading /proc/sys/net/core/somaxconn /usr/sbin/agent N/A
File opened for reading /proc/2526/comm N/A N/A
File opened for reading /proc/2528/stat N/A N/A
File opened for reading /proc/sys/fs/nr_open /proc/self/fd/9 N/A
File opened for reading /proc/709/comm N/A N/A
File opened for reading /proc/pressure/memory /proc/self/fd/9 N/A
File opened for reading /proc/744/cgroup N/A N/A
File opened for reading /proc/2544/cgroup N/A N/A
File opened for reading /proc/2545/cgroup N/A N/A
File opened for reading /proc/2459/comm N/A N/A
File opened for reading /proc/2395/comm N/A N/A
File opened for reading /proc/2501/cgroup N/A N/A
File opened for reading /proc/self/fd /proc/self/fd/9 N/A
File opened for reading /proc/439/cgroup N/A N/A
File opened for reading /proc/418/cgroup N/A N/A
File opened for reading /proc/pressure/io /proc/self/fd/9 N/A

Processes

/tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf

[/tmp/82408466094a73994c42bd890a9732a9f731474b8d697d845c864fb81727f272.elf]

/proc/self/fd/9

[/usr/lib/systemd/systemd-executor --deserialize 51 --log-level info --log-target journal-or-kmsg]

/usr/sbin/agent

[/usr/sbin/agent]

/proc/self/fd/9

[/usr/lib/systemd/systemd-executor --deserialize 64 --log-level info --log-target journal-or-kmsg]

/usr/sbin/anacron

[/usr/sbin/anacron -d -q -s]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
HK 103.30.201.250:555 tcp
HK 103.30.201.250:555 tcp
HK 103.30.201.250:555 tcp
HK 103.30.201.250:555 tcp

Files

N/A