Analysis Overview
SHA256
49b23a5a004a963df243807e75a4cb3450c9242377b4eb2f2dfe274a80542dd8
Threat Level: Shows suspicious behavior
The file ub8ehJSePAfc9FYqZIT6.i686.elf was found to show suspicious behavior.
Malicious Activity Summary
Modifies Watchdog functionality
Enumerates running processes
Writes file to system bin folder
UPX packed file
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 07:32
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 07:32
Reported
2024-11-13 07:34
Platform
ubuntu2204-amd64-20240522.1-en
Max time kernel
135s
Max time network
146s
Command Line
Signatures
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /dev/watchdog | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
Enumerates running processes
Writes file to system bin folder
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /bin/watchdog | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for modification | /sbin/watchdog | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/994/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1241/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1548/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/693/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/723/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1036/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1175/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1194/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/80/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/101/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/696/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/703/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1150/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/651/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/840/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1138/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1330/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1499/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/205/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/221/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/313/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/516/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/630/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/871/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1062/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1365/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/93/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/114/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/428/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1546/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/610/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/636/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/995/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1077/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1186/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/13/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/17/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/83/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1230/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1127/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/75/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/95/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/632/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1184/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/89/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/668/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1016/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/211/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1090/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1102/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1185/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/7/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/21/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/201/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/987/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1189/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1240/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/1529/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/16/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/88/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/207/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/416/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
| File opened for reading | /proc/631/status | /tmp/ub8ehJSePAfc9FYqZIT6.i686.elf | N/A |
Processes
/tmp/ub8ehJSePAfc9FYqZIT6.i686.elf
[/tmp/ub8ehJSePAfc9FYqZIT6.i686.elf]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | N/A | udp |
| DE | 45.137.70.156:3778 | N/A | tcp |
| DE | 45.137.70.156:3778 | N/A | tcp |
Files
memory/1558-1-0x0000000008048000-0x000000000805cc08-memory.dmp