Analysis
max time kernel: 149s
max time network: 150s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 31/10/2024, 03:54
Behavioral task: behavioral1
Sample: d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf
Resource: ubuntu2204-amd64-20240611-en
General
Target: d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf
Size: 3.3MB
MD5: 27e51ee7a66488556425956010659e7f
SHA1: 4c24cef837b500e362fae34f73cf42f4d0f107e0
SHA256: d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547
SHA512: 8b470d69a8972f5d2870abbb2dfc002dcc3d3b6be3b2b96399541f4b7cbc5afe29f44a087cdc70855f810b4d6c594b9a94fad448520e1a2752cf1d5e94293d60
SSDEEP: 98304:1Z8CdALXjA+mDvUr3kqzIWK6LLQJzyGAiM8AiZ:j8CdAL113Lcyc1Z
Malware Config
Signatures
- Virtualization/Sandbox Evasion: Time Based Evasion (1 TTPs, 1 IoCs)
  Adversaries may detect and evade virtualized environments and sandboxes.
  pid   Process
  1569  uptime

- Reads CPU attributes (1 TTPs, 1 IoCs)
  description              ioc                             Process
  File opened for reading  /sys/devices/system/cpu/online  uptime

- Reads system network configuration (1 TTPs, 6 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
  description              ioc            Process
  File opened for reading  /proc/net/dev  cat
  File opened for reading  /proc/net/dev  cat
  File opened for reading  /proc/net/dev  cat
  File opened for reading  /proc/net/dev  cat
  File opened for reading  /proc/net/dev  cat
  File opened for reading  /proc/net/dev  cat

- Enumerates kernel/hardware configuration (1 TTPs, 1 IoCs)
  Reads contents of /sys virtual filesystem to enumerate system information.
  description              ioc                                                Process
  File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf

- Reads runtime system information
  description              ioc                          Process
  File opened for reading  /proc/self/maps              grep
  File opened for reading  /proc/self/maps              grep
  File opened for reading  /proc/self/maps              awk
  File opened for reading  /proc/self/auxv              uptime
  File opened for reading  /proc/uptime                 uptime
  File opened for reading  /proc/self/maps              grep
  File opened for reading  /proc/stat                   d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf
  File opened for reading  /proc/loadavg                uptime
  File opened for reading  /proc/self/maps              awk
  File opened for reading  /proc/self/maps              awk
  File opened for reading  /proc/self/maps              awk
  File opened for reading  /proc/self/exe               d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf
  File opened for reading  /proc/sys/kernel/osrelease   uptime
  File opened for reading  /proc/self/maps              grep
  File opened for reading  /proc/self/maps              awk
  File opened for reading  /proc/self/maps              grep
  File opened for reading  /proc/self/maps              awk
  File opened for reading  /proc/self/maps              grep
Processes
/tmp/d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf (PID 1565)
  command line: /tmp/d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf
  - Enumerates kernel/hardware configuration
  - Reads runtime system information

  /bin/bash (PID 1569)
    command line: /bin/bash -c uptime

  /usr/bin/uptime (PID 1569)
    command line: uptime
    - Virtualization/Sandbox Evasion: Time Based Evasion
    - Reads CPU attributes
    - Reads runtime system information

  /usr/bin/bash (PID 1572)
    command line: bash -c "cat /proc/net/dev |grep ens3 |awk '{print \$2}'"
    /usr/bin/awk (PID 1576)
      command line: awk "{print \$2}"
      - Reads runtime system information
    /usr/bin/grep (PID 1575)
      command line: grep ens3
      - Reads runtime system information
    /usr/bin/cat (PID 1574)
      command line: cat /proc/net/dev
      - Reads system network configuration

  /usr/bin/bash (PID 1580)
    command line: bash -c "cat /proc/net/dev |grep ens3 |awk '{print \$10}'"
    /usr/bin/awk (PID 1583)
      command line: awk "{print \$10}"
      - Reads runtime system information
    /usr/bin/grep (PID 1582)
      command line: grep ens3
      - Reads runtime system information
    /usr/bin/cat (PID 1581)
      command line: cat /proc/net/dev
      - Reads system network configuration

  /usr/bin/bash (PID 1592)
    command line: bash -c "cat /proc/net/dev |grep ens3 |awk '{print \$2}'"
    /usr/bin/awk (PID 1595)
      command line: awk "{print \$2}"
      - Reads runtime system information
    /usr/bin/grep (PID 1594)
      command line: grep ens3
      - Reads runtime system information
    /usr/bin/cat (PID 1593)
      command line: cat /proc/net/dev
      - Reads system network configuration

  /usr/bin/bash (PID 1596)
    command line: bash -c "cat /proc/net/dev |grep ens3 |awk '{print \$10}'"
    /usr/bin/awk (PID 1599)
      command line: awk "{print \$10}"
      - Reads runtime system information
    /usr/bin/grep (PID 1598)
      command line: grep ens3
      - Reads runtime system information
    /usr/bin/cat (PID 1597)
      command line: cat /proc/net/dev
      - Reads system network configuration

  /usr/bin/bash (PID 1603)
    command line: bash -c "cat /proc/net/dev |grep ens3 |awk '{print \$2}'"
    /usr/bin/awk (PID 1606)
      command line: awk "{print \$2}"
      - Reads runtime system information
    /usr/bin/grep (PID 1605)
      command line: grep ens3
      - Reads runtime system information
    /usr/bin/cat (PID 1604)
      command line: cat /proc/net/dev
      - Reads system network configuration

  /usr/bin/bash (PID 1607)
    command line: bash -c "cat /proc/net/dev |grep ens3 |awk '{print \$10}'"
    /usr/bin/awk (PID 1610)
      command line: awk "{print \$10}"
      - Reads runtime system information
    /usr/bin/grep (PID 1609)
      command line: grep ens3
      - Reads runtime system information
    /usr/bin/cat (PID 1608)
      command line: cat /proc/net/dev
      - Reads system network configuration