73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6

General

Target

73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
Size

98KB
MD5

241cfe3b4768f3986ac511d292f88bbb
SHA1

a674f8b5ed8f17e3f30916ce30d09c90a13ae9aa
SHA256

73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6
SHA512

53f9ceccf6483ea5d95fde4933937ada277afcdf609e68e0000fe7e249c12e1aa0cfaccfb529d7617ac03eeb51e138031cea490ae7f2ff7e98a6ea8c67a98942
SSDEEP

3072:PNaEkEJoa9niU5yae9xfKqF6bBtUKKRsSY6r:PNa09iWyae9xfKq2BifdY6r

Score

9^/10

discovery evasion

Malware Config

Signatures

Contacts a large (110316) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes Audit logs 1 TTPs 1 IoCs
Deletes logs related to the Linux Audit framework.
evasion

Indicator Removal
T1070

Processes:

73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf

description ioc process

File deleted /var/log/audit/audit.log 73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf

description	ioc	process
File deleted	/var/log/audit/audit.log	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf

Deletes journal logs 1 TTPs 1 IoCs

Deletes systemd journal logs. Likely to evade detection.

evasion

Indicator Removal

T1070

Processes:

73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf

description	ioc	process
File deleted	/var/log/journal/65779e181e584f059cb9deb1099989c3/system.journal	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf

description	ioc	process
File opened for modification	/dev/watchdog	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for modification	/dev/misc/watchdog	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

Processes:

73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	/var/Cyber	708	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf

description	ioc	process
File opened for reading	/proc/195/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/300/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/6/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/7/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/17/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/20/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/325/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/14/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/15/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/210/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/326/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/657/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/665/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/32/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/200/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/713/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/142/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/338/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/705/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/12/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/26/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/30/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/35/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/143/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/16/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/24/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/187/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/212/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/706/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/21/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/23/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/8/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/10/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/13/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/31/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/34/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/51/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/2/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/4/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/642/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/687/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/73/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/355/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/685/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/712/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/3/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/5/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/46/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/682/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/9/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/27/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/36/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/45/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/714/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/1/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/22/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/254/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/274/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/344/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/351/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/683/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/715/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/29/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
File opened for reading	/proc/42/cmdline	73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf

/tmp/73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
/tmp/73ece8ffa7c0f7f625a070aa3e98d0eb450716927cec046803c8b818bfcbc9d6.elf
1⤵
- Deletes Audit logs
- Deletes journal logs
- Modifies Watchdog functionality
- Changes its process name
- Reads runtime system information
PID:708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

Impair Defenses

1

T1562

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads