Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64
    arch:i386
    image:ubuntu2404-amd64-20240523-en
    kernel:6.8.0-31-generic
    locale:en-us
    os:ubuntu-24.04-amd64
    system
  • submitted
    04-11-2024 02:26

General

  • Target

    68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e.elf

  • Size

    99KB

  • MD5

    9438d9bc392bcf300a5583b6df5bc8f6

  • SHA1

    375a6ae34b516f6f3eeea8030c4084f585017efa

  • SHA256

    68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

  • SHA512

    1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

  • SSDEEP

    3072:kFPlxndf22h/xwXnTkai7MYRApCg9dgdmk1b5wdL35sPX:kZlxndf8nTqtS/9dgdmk1b5wdj5sPX

Malware Config

Signatures

  • Contacts a large number (2250) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Loads a kernel module 64 IoCs

    Loads a Linux kernel module, potentially to achieve persistence

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.
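The two network signatures above are triggered by fan-out: one process reaching thousands of distinct destinations, almost all on the same service. The following is an added example, not code from the sandbox, showing the kind of per-process flow aggregation that produces such a verdict. The flow records are constructed sample data in an assumed (pid, dst_ip, dst_port, proto) shape, and the thresholds are illustrative assumptions rather than the sandbox's own rules; the 2250-host sweep mirrors the count the report cites.

```python
"""Flag a process whose outbound flows fan out to many distinct remote hosts.

Added example, not the sandbox's code. Flow records are constructed sample data
in an assumed (pid, dst_ip, dst_port, proto) shape, not the report's captured
traffic; thresholds are assumptions chosen for illustration.
"""
import random
from collections import defaultdict

DISTINCT_HOST_THRESHOLD = 100   # distinct destinations before a pid is suspect
SINGLE_PORT_RATIO = 0.9         # share of flows on one (proto, port) => service sweep


def summarize_flows(flows):
    """Per pid: set of distinct remote hosts, flow count per (proto, port), total flows."""
    per_pid = defaultdict(lambda: {"hosts": set(), "ports": defaultdict(int), "flows": 0})
    for pid, dst_ip, dst_port, proto in flows:
        entry = per_pid[pid]
        entry["hosts"].add(dst_ip)
        entry["ports"][(proto, dst_port)] += 1
        entry["flows"] += 1
    return per_pid


def find_scanners(flows, host_threshold=DISTINCT_HOST_THRESHOLD,
                  port_ratio=SINGLE_PORT_RATIO):
    """Return {pid: (distinct_hosts, (proto, port))} for pids that look like a
    horizontal scan: many distinct destinations, nearly all on one service."""
    hits = {}
    for pid, entry in summarize_flows(flows).items():
        n_hosts = len(entry["hosts"])
        if n_hosts < host_threshold:
            continue
        top_port, top_count = max(entry["ports"].items(), key=lambda kv: kv[1])
        if top_count / entry["flows"] >= port_ratio:
            hits[pid] = (n_hosts, top_port)
    return hits


def random_public_ip(rng):
    """Constructed destination: random dotted quad with the first octet in 1..223."""
    return ".".join(str(o) for o in (rng.randint(1, 223), rng.randint(0, 255),
                                     rng.randint(0, 255), rng.randint(1, 254)))


def make_sample_flows(seed=1):
    """Constructed sample traffic (not from the report):
    - pid 2817 sweeps TCP/23 across 2250 distinct hosts (the count the report cites)
    - pid 1200 talks to three hosts on ordinary ports
    - pid 1300 reaches 150 hosts on scattered high ports (fan-out, but no single service)
    """
    rng = random.Random(seed)
    flows = []
    targets = set()
    while len(targets) < 2250:
        targets.add(random_public_ip(rng))
    for ip in sorted(targets):
        flows.append((2817, ip, 23, "tcp"))
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.5"):
        flows.append((1200, ip, 443, "tcp"))
        flows.append((1200, ip, 53, "udp"))
    scattered = set()
    while len(scattered) < 150:
        scattered.add(random_public_ip(rng))
    for ip in sorted(scattered):
        flows.append((1300, ip, rng.randint(1024, 65535), "tcp"))
    return flows


if __name__ == "__main__":
    for pid, (hosts, (proto, port)) in find_scanners(make_sample_flows()).items():
        print(f"pid {pid}: {hosts} distinct hosts, mostly {proto}/{port}")
```

The port-concentration check is what separates a service sweep from a busy but legitimate client: pid 1300 exceeds the host threshold yet is not reported because its flows are spread across ports.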

Processes

  • /tmp/68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e.elf
    /tmp/68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e.elf
    1⤵
    • Loads a kernel module
    PID:2817
    • /usr/bin/crontab
      crontab -l
      2⤵
        PID:2820
      • /usr/bin/crontab
        crontab -
        2⤵
        • Creates/modifies Cron job
        PID:2823
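The child processes above are the classic crontab read-modify-write: `crontab -l` dumps the current user's crontab, the sample appends its own line, and `crontab -` installs the result from stdin, so existing entries are preserved and nothing touches /etc/cron.d directly. The temp file listed under Downloads (/var/spool/cron/crontabs/tmp.lpkMln) is the spool-side artifact of that install, since crontab(1) writes the new table to a tmp.XXXXXX file in the spool directory before renaming it into place. The following is an added detection example, not the sandbox's code: it walks constructed process events in an assumed (pid, ppid, timestamp, argv) shape, modelled on the tree above with timestamps and the benign rows assumed, and flags both the list-then-install sequence from one parent and installs sourced from stdin or a temp directory.

```python
"""Detect the crontab read-modify-write persistence pattern in process events.

Added example, not the sandbox's code. Events are constructed (pid, ppid,
timestamp, argv) tuples modelled on the report's process tree; the timestamps,
the benign rows and the thresholds below are assumptions for illustration.
"""
from collections import defaultdict

UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed "should not source a crontab from here"
WINDOW_SECONDS = 5.0  # assumed max gap between 'crontab -l' and the reinstall


def is_crontab(argv):
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "crontab"


def crontab_install_source(argv):
    """Return 'stdin' for 'crontab -', 'file:<path>' for 'crontab <file>', else None.
    -l/-e/-r only list, edit or remove, so they are not installs; '-u user' is skipped."""
    if not is_crontab(argv):
        return None
    args = argv[1:]
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "-u":          # '-u user' selects whose crontab; skip the value too
            i += 2
            continue
        if arg == "-":
            return "stdin"
        if not arg.startswith("-"):
            return "file:" + arg
        i += 1
    return None


def is_untrusted_source(source):
    return source == "stdin" or source.startswith(tuple("file:" + d for d in UNTRUSTED_DIRS))


def find_cron_persistence(events, window=WINDOW_SECONDS):
    """Return findings as dicts with 'rule', 'ppid', 'install_pid', 'source'.
    read_modify_write: the same parent runs 'crontab -l' and then installs a crontab
    within `window` seconds.  untrusted_source: install from stdin or a temp directory."""
    by_parent = defaultdict(list)
    for pid, ppid, ts, argv in sorted(events, key=lambda e: e[2]):
        by_parent[ppid].append((pid, ts, argv))
    findings = []
    for ppid, children in by_parent.items():
        last_list = None  # (pid, ts) of the most recent 'crontab -l' by this parent
        for pid, ts, argv in children:
            if is_crontab(argv) and "-l" in argv[1:]:
                last_list = (pid, ts)
                continue
            source = crontab_install_source(argv)
            if source is None:
                continue
            if last_list and ts - last_list[1] <= window:
                findings.append({"rule": "read_modify_write", "ppid": ppid,
                                 "list_pid": last_list[0], "install_pid": pid,
                                 "source": source})
            if is_untrusted_source(source):
                findings.append({"rule": "untrusted_source", "ppid": ppid,
                                 "install_pid": pid, "source": source})
    return findings


# Constructed events: the first three mirror the report's tree (PIDs 2817, 2820, 2823);
# timestamps and the remaining rows are assumed for illustration.
SAMPLE_EVENTS = [
    (2817, 1, 0.0, ["/tmp/68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e.elf"]),
    (2820, 2817, 0.4, ["/usr/bin/crontab", "-l"]),
    (2823, 2817, 0.6, ["/usr/bin/crontab", "-"]),
    (3001, 1500, 10.0, ["/usr/bin/crontab", "-e"]),                                # admin edit
    (3100, 1600, 20.0, ["/usr/bin/crontab", "-l"]),                                # listing alone
    (3200, 1700, 30.0, ["/usr/bin/crontab", "-u", "app", "/etc/app/app.cron"]),    # deploy script
    (3300, 1800, 40.0, ["/usr/bin/crontab", "/dev/shm/.x"]),                       # install from tmpfs
]

if __name__ == "__main__":
    for finding in find_cron_persistence(SAMPLE_EVENTS):
        print(finding)
```

On a live host the same evidence is reachable without process telemetry: a fresh mtime on /var/spool/cron/crontabs/<user> and a `crontab -l` line pointing at a path under /tmp are the file-level counterparts of the two rules above.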

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /var/spool/cron/crontabs/tmp.lpkMln

    Filesize

    210B

    MD5

    b8a380455ea6dafe4962d83195f0d3d1

    SHA1

    66a712a7827cb3449b15ca39cff77fd5f53bb767

    SHA256

    3167fc0148918e56973daad5e3bbc00aebff52db71a4cabe33951b3a64087546

    SHA512

    ee6d1751066c202b337b528e73bf6fa54df273d20084d0bfd1515cb7c54ca72d2f9661c03e972c324725bafaa361afa0950a5b62b5f616413594f3b528427644