Malware Analysis Report

2024-12-07 17:30

Sample ID 241112-l6bzjatkgn
Target 4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf
SHA256 4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767
Tags
credential_access defense_evasion discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767

Threat Level: Shows suspicious behavior

The file 4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf shows suspicious behavior (score 7/10).

Malicious Activity Summary

credential_access defense_evasion discovery

Modifies Watchdog functionality

Enumerates running processes

Reads process memory

Changes its process name

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 10:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 10:08

Reported

2024-11-12 10:10

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

149s

Max time network

146s

Command Line

[/tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf]

Signatures

Modifies Watchdog functionality

defense_evasion

Description | Indicator | Process | Target
File opened for modification | /dev/misc/watchdog | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for modification | /dev/watchdog | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A

Both indicators refer to the Linux watchdog character device (/dev/misc/watchdog is an alternative path used on some embedded systems for the same device). Write access is what a process needs to pet, reconfigure or disable the watchdog, and a user binary running from /tmp has no legitimate reason to hold it; that is why a write-open is flagged. The report records only the open, not the ioctl or data written to the device.

Enumerates running processes

Reads process memory

credential_access

The indicators below are reads of /proc/<pid>/maps, which expose each target process's memory layout (mapped regions, permissions, backing files) rather than its contents; no reads of /proc/<pid>/mem are recorded. The PIDs belong to the sandbox VM's own process list at detonation time and carry no meaning outside this run.
Description | Indicator | Process | Target
File opened for reading | /proc/414/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/421/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/585/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/588/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/593/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/608/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/638/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/729/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/844/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/416/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/519/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/665/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/777/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/959/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/992/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/409/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/522/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/589/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/662/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/743/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/783/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/846/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/611/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/612/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/644/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/735/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/740/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/965/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/415/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/498/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/772/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/872/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/633/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/634/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/639/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/741/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/769/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/839/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/974/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/997/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/455/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/587/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/670/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/672/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/784/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/411/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/499/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/721/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/868/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/982/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | a | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A

Reads runtime system information

discovery
Description | Indicator | Process | Target
File opened for reading | /proc/1073/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1157/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1278/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1313/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1184/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1282/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1490/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1145/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1165/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1166/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1202/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1243/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1040/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1158/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1162/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1163/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1344/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1364/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1580/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1035/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1056/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1159/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1190/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1233/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1557/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1081/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1015/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1085/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1064/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1095/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1133/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1431/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1439/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1452/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1046/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1142/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1189/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1546/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1104/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1126/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1160/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1161/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1164/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1177/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1248/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1558/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1571/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1086/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1169/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1241/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1253/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1055/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1196/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1290/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1106/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1174/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1255/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1287/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1386/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1102/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1353/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1382/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
File opened for reading | /proc/1573/maps | /tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf | N/A
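The three behavioral signatures above (write-open of the watchdog device, a sweep of other processes' /proc/<pid>/maps, and a process renaming itself) can be expressed as detection rules over a process-event stream. The Python detector below is an added example, not part of the report or of the sample's own code. The event records are constructed for this example and their JSON field names (ts, pid, exe, event, path, flags, name) are an assumption, not the format of this report or of any particular sandbox or EDR; the watchdog allowlist is a site-specific assumption as well.

```python
"""Flag the report's three behaviours in a process-event log: a write-open of
the watchdog device, a sweep of other processes' /proc/<pid>/maps, and a
process that renamed itself away from its executable's basename."""
import json
import os
import re
from collections import defaultdict

# Constructed sandbox-style event records, one JSON object per line. The field
# names are an assumption for this example, not the report's or any tool's
# real format. PID 1200 is the suspect, 900 and 901 are benign noise.
SAMPLE_LOG = """
{"ts": 1731406101.0, "pid": 1200, "exe": "/tmp/sample.elf", "event": "setname", "name": "a"}
{"ts": 1731406101.1, "pid": 1200, "exe": "/tmp/sample.elf", "event": "open", "path": "/dev/misc/watchdog", "flags": "O_WRONLY"}
{"ts": 1731406101.1, "pid": 1200, "exe": "/tmp/sample.elf", "event": "open", "path": "/dev/watchdog", "flags": "O_WRONLY"}
{"ts": 1731406101.2, "pid": 1200, "exe": "/tmp/sample.elf", "event": "open", "path": "/proc/self/maps", "flags": "O_RDONLY"}
{"ts": 1731406101.3, "pid": 1200, "exe": "/tmp/sample.elf", "event": "open", "path": "/proc/414/maps", "flags": "O_RDONLY"}
{"ts": 1731406101.4, "pid": 1200, "exe": "/tmp/sample.elf", "event": "open", "path": "/proc/421/maps", "flags": "O_RDONLY"}
{"ts": 1731406101.5, "pid": 1200, "exe": "/tmp/sample.elf", "event": "open", "path": "/proc/585/maps", "flags": "O_RDONLY"}
{"ts": 1731406101.6, "pid": 1200, "exe": "/tmp/sample.elf", "event": "open", "path": "/proc/588/maps", "flags": "O_RDONLY"}
{"ts": 1731406101.7, "pid": 1200, "exe": "/tmp/sample.elf", "event": "open", "path": "/proc/593/maps", "flags": "O_RDONLY"}
{"ts": 1731406101.8, "pid": 1200, "exe": "/tmp/sample.elf", "event": "open", "path": "/proc/608/maps", "flags": "O_RDONLY"}
{"ts": 1731406102.0, "pid": 900, "exe": "/usr/bin/ps", "event": "open", "path": "/proc/1200/maps", "flags": "O_RDONLY"}
{"ts": 1731406102.1, "pid": 901, "exe": "/usr/sbin/watchdog", "event": "open", "path": "/dev/watchdog", "flags": "O_WRONLY"}
"""

WATCHDOG_DEVICES = {"/dev/watchdog", "/dev/watchdog0", "/dev/misc/watchdog"}
# Binaries expected to hold the watchdog on this host: a site-specific assumption.
WATCHDOG_ALLOWED_EXE = {"/usr/sbin/watchdog", "/lib/systemd/systemd", "/usr/lib/systemd/systemd"}
WRITE_FLAGS = {"O_WRONLY", "O_RDWR"}
MAPS_RE = re.compile(r"^/proc/(\d+)/maps$")
SWEEP_THRESHOLD = 5   # distinct foreign PIDs whose maps were read ...
SWEEP_WINDOW = 10.0   # ... within this many seconds
COMM_LEN = 15         # the kernel truncates a process name to TASK_COMM_LEN - 1 bytes


def parse_events(text):
    """Parse JSON-lines into event dicts ordered by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return findings ({rule, pid, detail}) for a time-ordered event stream."""
    findings = []
    maps_reads = defaultdict(list)  # pid -> [(ts, target_pid), ...]
    for ev in events:
        pid, kind = ev["pid"], ev["event"]
        if kind == "setname":
            expected = os.path.basename(ev["exe"])[:COMM_LEN]
            if ev["name"] != expected:
                findings.append({"rule": "process_name_change", "pid": pid,
                                 "detail": f"{expected!r} -> {ev['name']!r}"})
        elif kind == "open":
            path = ev["path"]
            flags = set(ev.get("flags", "").split("|"))
            if (path in WATCHDOG_DEVICES and flags & WRITE_FLAGS
                    and ev["exe"] not in WATCHDOG_ALLOWED_EXE):
                findings.append({"rule": "watchdog_write_open", "pid": pid,
                                 "detail": f"{ev['exe']} opened {path} {ev['flags']}"})
            m = MAPS_RE.match(path)
            if m and int(m.group(1)) != pid:  # own pid and /proc/self do not count
                maps_reads[pid].append((ev["ts"], int(m.group(1))))
    for pid, reads in maps_reads.items():
        # Sliding window: distinct foreign targets within SWEEP_WINDOW of each read.
        for i, (t0, _) in enumerate(reads):
            targets = {tgt for t, tgt in reads[i:] if t - t0 <= SWEEP_WINDOW}
            if len(targets) >= SWEEP_THRESHOLD:
                findings.append({"rule": "proc_maps_sweep", "pid": pid,
                                 "detail": f"{len(targets)} foreign /proc/<pid>/maps "
                                           f"reads within {SWEEP_WINDOW:.0f}s"})
                break
    return findings


def run_sample():
    """Run the detector over the constructed log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['rule']:22} pid={f['pid']} {f['detail']}")
```

Run as-is it reports four findings, all for PID 1200: two watchdog write-opens (one per device path), one maps sweep and one name change; the single read by ps and the allowlisted watchdog daemon stay quiet. The sweep rule keys on distinct target PIDs inside a time window rather than on raw counts, since a monitoring agent reading one or two maps files per interval is normal while a burst across dozens of PIDs from a binary in /tmp is not.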

Processes

/tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf

[/tmp/4ed362103fa27a8618955696b657c80cb5f1491b282cca11ee28ef966d1a1767.elf]
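The signatures above were observed in a sandbox; on a suspect host two of the same indicators can be checked directly in procfs without any event log. The Python script below is an added example, not from the report: it walks a /proc tree for a process whose comm no longer matches its executable and for any process holding the watchdog device open. It runs against the live /proc by default; the fake procfs fixture it builds for the demonstration is constructed data, and the PID, path and name in it are assumptions.

```python
"""Triage a procfs tree for two host-visible indicators from the report: a
process whose comm differs from its executable, and a process holding the
watchdog device open. Works on the live /proc or any directory laid out like it."""
import os
import tempfile

WATCHDOG_DEVICES = {"/dev/watchdog", "/dev/watchdog0", "/dev/misc/watchdog"}
COMM_LEN = 15  # comm is stored in TASK_COMM_LEN (16) bytes including the NUL


def _read(path):
    with open(path) as fh:
        return fh.read().strip()


def triage(proc_root="/proc"):
    """Return findings ({rule, pid, detail}) for every numeric entry under proc_root."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        pdir = os.path.join(proc_root, entry)
        try:
            comm = _read(os.path.join(pdir, "comm"))
            exe = os.readlink(os.path.join(pdir, "exe"))
        except OSError:
            continue  # kernel thread, process already gone, or no permission on exe
        exe_base = os.path.basename(exe).removesuffix(" (deleted)")
        if comm != exe_base[:COMM_LEN]:
            findings.append({"rule": "comm_exe_mismatch", "pid": pid,
                             "detail": f"comm={comm!r} exe={exe!r}"})
        fd_dir = os.path.join(pdir, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            fds = []
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in WATCHDOG_DEVICES:
                findings.append({"rule": "watchdog_fd_open", "pid": pid,
                                 "detail": f"fd {fd} -> {target} ({exe})"})
    return findings


def build_fixture(root):
    """Construct a fake procfs: PID 1200 renamed to 'a' and holding /dev/watchdog,
    PID 900 an ordinary process. Fixture data only, not taken from the report."""
    for pid, exe, comm, fds in (
        (1200, "/tmp/sample.elf", "a", {"0": "/dev/null", "3": "/dev/watchdog"}),
        (900, "/usr/bin/sleep", "sleep", {"0": "/dev/null"}),
    ):
        pdir = os.path.join(root, str(pid))
        os.makedirs(os.path.join(pdir, "fd"))
        with open(os.path.join(pdir, "comm"), "w") as fh:
            fh.write(comm + "\n")
        os.symlink(exe, os.path.join(pdir, "exe"))          # dangling links are fine
        for fd, target in fds.items():
            os.symlink(target, os.path.join(pdir, "fd", fd))
    os.makedirs(os.path.join(root, "sys"))  # non-numeric entries must be skipped


def run_fixture():
    """Build the fixture in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return triage(root)


if __name__ == "__main__":
    for f in run_fixture():
        print(f"{f['rule']:18} pid={f['pid']} {f['detail']}")
```

Two caveats for live use. Reading /proc/<pid>/exe and /proc/<pid>/fd of another user's process requires root, so run it with the privileges the sample itself could have had. And comm is set from the basename of the path handed to execve (or later via prctl), while exe is the fully resolved link, so binaries reached through symlinks or multi-call launchers (python3 resolving to python3.10, busybox applets) also mismatch; treat that rule as a lead to correlate with the watchdog and maps indicators rather than as a verdict on its own.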

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | 193.84.71.119 | udp
US | 8.8.8.8:53 | 193.84.71.119 | udp
US | 8.8.8.8:53 | 193.84.71.119 | udp
US | 8.8.8.8:53 | 193.84.71.119 | udp
US | 8.8.8.8:53 | 193.84.71.119 | udp
US | 193.84.71.119:38241 | | tcp

224.0.0.251:5353 is the mDNS multicast group, link-local traffic rather than a remote host. The five DNS queries go to Google's public resolver 8.8.8.8 and are recorded against 193.84.71.119, which is also the only unicast destination: a single TCP connection to port 38241. The report does not show whether that connection completed or what was exchanged over it.

Files

N/A