b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330

Analysis

max time kernel
149s
max time network
151s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240522.1-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240522.1-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
03/07/2024, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
Size

5.1MB
MD5

2be087e54204a6c395e05516c53fd579
SHA1

3bdad143cd168a2015aba2053e53f99a24d52ace
SHA256

b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330
SHA512

2ab629a5f9637c7026069e5cc7b473968290b8eb42158dc93c46613d2b4b0ef39149f158b71dda8b2c8bbbebd58ba28cf5437fc0d083fca37deb84423a769db8
SSDEEP

49152:YB9Em2vjYVfh5jw9aF8k4yHwXrD3LwJKiCb85E6l9HblTLEGdvIRKnuI:QDVf/Y4jMrDr8E+rvuK1

Score

7^/10

persistence

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/dev/misc/watchdog	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf

Creates/modifies environment variables 1 TTPs 3 IoCs

Creating/modifying environment variables is a common persistence mechanism.

persistence

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/etc/profile.d/bash.cfg	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/profile.d/bash.cfg.sh	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/profile.d/gateway.sh	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf

Modifies init.d 1 TTPs 34 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/init.d/anacron	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/bluetooth	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/lvm2-lvmpolld	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/ssh	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/unattended-upgrades	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/dns-udp4	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/apparmor	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/cups-browsed	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/kmod	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/open-iscsi	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/openvpn	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/sssd	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/iscsid	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/cron	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/keyboard-setup.sh	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/plymouth-log	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/rsync	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/x11-common	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/apport	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/gdm3	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/cryptdisks-early	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/dbus	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/hwclock.sh	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/spice-vdagent	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/udev	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/alsa-utils	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/cryptdisks	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/cups	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/plymouth	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/saned	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/acpid	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/avahi-daemon	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/console-setup.sh	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/init.d/procps	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf

Modifies Bash startup script 1 TTPs 3 IoCs

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/profile.d/bash.cfg	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/profile.d/bash.cfg.sh	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for modification	/etc/profile.d/gateway.sh	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf

Reads runtime system information 6 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl

/tmp/b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
/tmp/b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
1⤵
- Enumerates kernel/hardware configuration
PID:1558
- /tmp/b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf
  /tmp/b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330.elf " "
  2⤵
  - Modifies Watchdog functionality
  - Creates/modifies environment variables
  - Modifies init.d
  - Modifies Bash startup script
  - Enumerates kernel/hardware configuration
  PID:1562
- - /usr/sbin/update-rc.d
    update-rc.d dns-udp4 defaults
    3⤵
    PID:1566
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:1570
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:1570
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:1570
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads runtime system information
      PID:1570
- - /usr/bin/mount
    mount -o bind /tmp/ /proc/1562
    3⤵
    - Reads runtime system information
    PID:1604
- - /usr/sbin/service
    service cron start
    3⤵
    PID:1606
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1607
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1608
  - - /usr/bin/sed
      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
      4⤵
      Reads runtime system information
      PID:1611
  - - /usr/bin/systemctl
      systemctl list-unit-files --full "--type=socket"
      4⤵
      Reads runtime system information
      PID:1610
- - /usr/local/sbin/systemctl
    systemctl start cron.service
    3⤵
    PID:1606
- - /usr/local/bin/systemctl
    systemctl start cron.service
    3⤵
    PID:1606
- - /usr/sbin/systemctl
    systemctl start cron.service
    3⤵
    PID:1606
- - /usr/bin/systemctl
    systemctl start cron.service
    3⤵
    - Reads runtime system information
    PID:1606
- - /usr/bin/systemctl
    systemctl start crond.service
    3⤵
    - Reads runtime system information
    PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/.mod

Filesize
27B

MD5
f449ef47c4f79ab4ecfe3d11022333d5

SHA1
61ebb524cee5a049cc96bf2cbf339a47dcb1b622

SHA256
503dffa20530956c5f61187e00935f20fe508c35dbb1fcf665b5d28d07d3d704

SHA512
a7015de8bd582dbf7ce6df708a58a725e1b1cd472c6616fbb89a9738c533c042ac39c071ca0cf2fc5df8e56f33bf8a28b1ebd3076570f5028cff773af89031f6

Download Submit
/boot/system.pub

Filesize
5.1MB

MD5
2be087e54204a6c395e05516c53fd579

SHA1
3bdad143cd168a2015aba2053e53f99a24d52ace

SHA256
b60ad90687871ae94e2b33cf2320f523ee614893215335dc5958a6a705488330

SHA512
2ab629a5f9637c7026069e5cc7b473968290b8eb42158dc93c46613d2b4b0ef39149f158b71dda8b2c8bbbebd58ba28cf5437fc0d083fca37deb84423a769db8

Download Submit
/etc/.cfg

Filesize
57B

MD5
25bfc97b9241077f7ee65c9d5831c0ae

SHA1
4d1e84cfe6f0619642400cbcc77ee008d452f622

SHA256
7e18da2137e9453fd98ed61aa79420a173383b2f7a5fe6538b70fbb560f9b3f6

SHA512
e3686c1fe664e67fc503275c6c0fa831ee43c1b081d8f826a616314505e3f952f98a8697911d1799e3f8c1957cd3a1bb5f888766877e5081b32942a6f2d8bff3

Download Submit
/etc/.cfg

Filesize
114B

MD5
9bd634dda9f92aebfaa5c6344e0509c6

SHA1
3a9ec3411adad7c88a469ccf338ea1bd0f3a84e3

SHA256
35e0867340e4e264ec784b1316cc2a90e029e47c49074c3e5acd41643db38c43

SHA512
f628c5f89e6ced158848e74445da1f4a66c236a1af549efb4e155c4da8c30638f48679d4d649030720f11f1c09e0de82d1c40938ae9eb5b5872e97020ce2f20f

Download Submit
/etc/init.d/dns-udp4

Filesize
159B

MD5
79f1a0bf1a838c817142e43a5818733a

SHA1
768ed04a737dbdc969165092694e0e977321ca19

SHA256
a3f7d4499b03a14ff2de76122b6a61c221151f59daa6a63a78ae5a805c95a482

SHA512
b6d6f76f3e5b768a6670e05276724b70609259c856ba90ad34f8a782ac40134b9cf5cdabebb4aa55f076a786cedf8491adda9835f9d4aee90bd1820a45b2fbce

Download Submit
/etc/profile.d/gateway.sh

Filesize
4KB

MD5
66ce3560c71d5b73dd75e533cbe7c50a

SHA1
c4d71c28ffe510dfb1775e642b753d58cd2f0601

SHA256
cfb6bda992f4f82fca5598d12664ecba717d80ef6f330468a0d325b3c0cb84be

SHA512
abcb2b69af6c6c72e65d86fc0de7c2a36d3f961ccdc98387782280b8aa932078343c6be41c2cc5aa72f8a55f4b70e3b4813ece0e27f1274cd2592978679e9c3f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads