6d011b0cebea4188de630dad5a6fa8bdc61a3784b0958a07617eb6b94354e567

Analysis

max time kernel
120s
max time network
133s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
27-07-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b392483d5c55d8618b8a921306a08eb1.elf
Size

93KB
MD5

b392483d5c55d8618b8a921306a08eb1
SHA1

c4f582f62197b0046b15031b01d2d0164359c7b2
SHA256

6d011b0cebea4188de630dad5a6fa8bdc61a3784b0958a07617eb6b94354e567
SHA512

57be539f25d1bbb12bbbff2544fb370ebbd1ca58ce7c86b5ef39ac0488c1cda48c0f0dabd14a9d91b1350b5eb2ce2b38fb232d771d08483abfa1208214b15a8d
SSDEEP

1536:dgGN1+S0EUf0S7iOxChSm6V1BToFGHGI9WzmaXY0KGrHisZi0Oz/LBDQHRP:eG+SLUcSmgCh16LBTo4HwbI0iYi0Oz/K

Score

7^/10

evasion

Malware Config

Signatures

Deletes journal logs 1 TTPs 3 IoCs

Deletes systemd journal logs. Likely to evade detection.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/journal/f2de92a803c744e586bd87567a26b68a/system.journal	rm
File deleted	/var/log/journal/f2de92a803c744e586bd87567a26b68a/system@5d9f2360db104821ae6d0ca2a2cf5265-0000000000000001-00061aa41e3a5cd0.journal	rm
File deleted	/var/log/journal/f2de92a803c744e586bd87567a26b68a	rm

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc	Process
File opened for modification	/etc/resolv.conf	b392483d5c55d8618b8a921306a08eb1.elf

Deletes log files 1 TTPs 62 IoCs

Deletes log files on the system.

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/installer/media-info	rm
File deleted	/var/log/bootstrap.log	rm
File deleted	/var/log/installer/block/probe-data.json	rm
File deleted	/var/log/gpu-manager.log	rm
File deleted	/var/log/unattended-upgrades/unattended-upgrades-dpkg.log	rm
File deleted	/var/log/wtmp	rm
File deleted	/var/log/Xorg.0.log	rm
File deleted	/var/log/lastlog	rm
File deleted	/var/log/apt/history.log	rm
File deleted	/var/log/cloud-init.log	rm
File deleted	/var/log/installer/block	rm
File deleted	/var/log/installer/cloud-init.log	rm
File deleted	/var/log/installer/device-map.json	rm
File deleted	/var/log/cups/access_log	rm
File deleted	/var/log/unattended-upgrades/unattended-upgrades.log	rm
File deleted	/var/log/installer/subiquity-server-info.log.1910	rm
File deleted	/var/log/installer/curtin-install/subiquity-curthooks.conf	rm
File deleted	/var/log/journal	rm
File deleted	/var/log/installer/subiquity-client-debug.log	rm
File deleted	/var/log/dpkg.log	rm
File deleted	/var/log/apt	rm
File deleted	/var/log/installer/subiquity-server-debug.log	rm
File deleted	/var/log/installer/autoinstall-user-data	rm
File deleted	/var/log/sssd	rm
File deleted	/var/log/hp	rm
File deleted	/var/log/Xorg.0.log.old	rm
File deleted	/var/log/installer/curtin-install/subiquity-partitioning.conf	rm
File deleted	/var/log/installer/subiquity-client-info.log	rm
File deleted	/var/log/installer/curtin-install	rm
File deleted	/var/log/cloud-init-output.log	rm
File deleted	/var/log/installer/block/discover.log	rm
File deleted	/var/log/cups	rm
File deleted	/var/log/ubuntu-advantage.log	rm
File deleted	/var/log/private	rm
File deleted	/var/log/fontconfig.log	rm
File deleted	/var/log/alternatives.log	rm
File deleted	/var/log/installer/subiquity-client-debug.log.1108	rm
File deleted	/var/log/installer/subiquity-client-debug.log.1883	rm
File deleted	/var/log/installer/subiquity-server-debug.log.1910	rm
File deleted	/var/log/installer/subiquity-curtin-apt.conf	rm
File deleted	/var/log/unattended-upgrades/unattended-upgrades-shutdown.log	rm
File deleted	/var/log/faillog	rm
File deleted	/var/log/hp/tmp	rm
File deleted	/var/log/apt/eipp.log.xz	rm
File deleted	/var/log/btmp	rm
File deleted	/var/log/installer/subiquity-client-info.log.1108	rm
File deleted	/var/log/installer/curtin-install.log	rm
File deleted	/var/log/installer/installer-journal.txt	rm
File deleted	/var/log/installer/curtin-install/subiquity-initial.conf	rm
File deleted	/var/log/dist-upgrade	rm
File deleted	/var/log/installer/cloud-init-output.log	rm
File deleted	/var/log/speech-dispatcher	rm
File deleted	/var/log/installer/subiquity-server-info.log	rm
File deleted	/var/log/installer/casper-md5check.json	rm
File deleted	/var/log/installer	rm
File deleted	/var/log/unattended-upgrades	rm
File deleted	/var/log/openvpn	rm
File deleted	/var/log/apt/term.log	rm
File deleted	/var/log/installer/subiquity-client-info.log.1883	rm
File deleted	/var/log/wtmp	rm
File deleted	/var/log/installer/curtin-install/subiquity-extract.conf	rm
File deleted	/var/log/gdm3	rm

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	1569	b392483d5c55d8618b8a921306a08eb1.elf

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1572/cmdline	pkill
File opened for reading	/proc/209/status	pkill
File opened for reading	/proc/1186/status	pkill
File opened for reading	/proc/1283/cmdline	pkill
File opened for reading	/proc/83/status	pkill
File opened for reading	/proc/1058/status	pkill
File opened for reading	/proc/398/status	pkill
File opened for reading	/proc/1106/cmdline	pkill
File opened for reading	/proc/self/auxv	pkill
File opened for reading	/proc/214/cmdline	pkill
File opened for reading	/proc/959/status	pkill
File opened for reading	/proc/1157/status	pkill
File opened for reading	/proc/585/cmdline	pkill
File opened for reading	/proc/1530/status	pkill
File opened for reading	/proc/75/status	pkill
File opened for reading	/proc/599/status	pkill
File opened for reading	/proc/1139/cmdline	pkill
File opened for reading	/proc/118/cmdline	pkill
File opened for reading	/proc/765/cmdline	pkill
File opened for reading	/proc/1318/status	pkill
File opened for reading	/proc/26/cmdline	pkill
File opened for reading	/proc/80/cmdline	pkill
File opened for reading	/proc/1077/cmdline	pkill
File opened for reading	/proc/1123/cmdline	pkill
File opened for reading	/proc/1584/cmdline	pkill
File opened for reading	/proc/15/cmdline	pkill
File opened for reading	/proc/99/cmdline	pkill
File opened for reading	/proc/211/cmdline	pkill
File opened for reading	/proc/259/cmdline	pkill
File opened for reading	/proc/94/cmdline	pkill
File opened for reading	/proc/868/status	pkill
File opened for reading	/proc/3/status	pkill
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/307/cmdline	pkill
File opened for reading	/proc/18/status	pkill
File opened for reading	/proc/79/status	pkill
File opened for reading	/proc/1113/status	pkill
File opened for reading	/proc/1197/status	pkill
File opened for reading	/proc/101/cmdline	pkill
File opened for reading	/proc/209/cmdline	pkill
File opened for reading	/proc/211/status	pkill
File opened for reading	/proc/413/status	pkill
File opened for reading	/proc/1/status	pkill
File opened for reading	/proc/23/cmdline	pkill
File opened for reading	/proc/225/status	pkill
File opened for reading	/proc/16/status	pkill
File opened for reading	/proc/215/status	pkill
File opened for reading	/proc/217/status	pkill
File opened for reading	/proc/78/status	pkill
File opened for reading	/proc/220/cmdline	pkill
File opened for reading	/proc/745/status	pkill
File opened for reading	/proc/1463/status	pkill
File opened for reading	/proc/599/cmdline	pkill
File opened for reading	/proc/765/status	pkill
File opened for reading	/proc/1245/cmdline	pkill
File opened for reading	/proc/92/cmdline	pkill
File opened for reading	/proc/216/cmdline	pkill
File opened for reading	/proc/405/status	pkill
File opened for reading	/proc/411/cmdline	pkill
File opened for reading	/proc/692/status	pkill
File opened for reading	/proc/749/status	pkill
File opened for reading	/proc/1317/cmdline	pkill
File opened for reading	/proc/216/status	pkill
File opened for reading	/proc/225/cmdline	pkill

/tmp/b392483d5c55d8618b8a921306a08eb1.elf
/tmp/b392483d5c55d8618b8a921306a08eb1.elf
1⤵
- Writes DNS configuration
- Changes its process name
PID:1569
- /bin/sh
  sh -c "pkill -9 busybox"
  2⤵
  PID:1584
- - /usr/bin/pkill
    pkill -9 busybox
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1585
- /bin/sh
  sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
  2⤵
  PID:1598
- - /usr/bin/rm
    rm -rf /tmp/b392483d5c55d8618b8a921306a08eb1.elf /tmp/gdm3-config-err-Yzo6Ct /tmp/snap-private-tmp /tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-ModemManager.service-Dvt640 /tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-colord.service-ZhxDOd /tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-power-profiles-daemon.service-1WjcMq /tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-switcheroo-control.service-vEXzTF /tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-systemd-logind.service-1Cdrak /tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-systemd-oomd.service-I5zAsS /tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-systemd-resolved.service-Cx30u3 /tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-systemd-timedated.service-f8iiT8 /tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-upower.service-eaoiLp /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/agetty.reload /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/credentials /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/fsck /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/lock /var/run/log /var/run/lvm /var/run/lxd-installer.socket /var/run/mount /var/run/multipath /var/run/multipathd.pid /var/run/openvpn /var/run/openvpn-client /var/run/openvpn-server /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/user /var/run/utmp /var/tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-ModemManager.service-7lyQ4q /var/tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-colord.service-MeoKHr /var/tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-power-profiles-daemon.service-60SszU /var/tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-switcheroo-control.service-Gld7uD /var/tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-systemd-logind.service-u4T68w /var/tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-systemd-oomd.service-0IqKbZ /var/tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-systemd-resolved.service-MftqAX /var/tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-systemd-timedated.service-7tAWeM /var/tmp/systemd-private-20b0b10133a747048c4c111c913ea85a-upower.service-pI5Xg1
    3⤵
    - Deletes journal logs
    - Deletes log files
    PID:1599
- /bin/sh
  sh -c "rm -rf /var/log/wtmp"
  2⤵
  PID:1628
- - /usr/bin/rm
    rm -rf /var/log/wtmp
    3⤵
    - Deletes log files
    PID:1629
- /bin/sh
  sh -c "rm -rf ~/.bash_history"
  2⤵
  PID:1630
- - /usr/bin/rm
    rm -rf "~/.bash_history"
    3⤵
    PID:1631
- /bin/sh
  sh -c "history -c;history -w"
  2⤵
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads