Analysis
-
max time kernel
149s -
max time network
151s -
platform
ubuntu-24.04_amd64 -
resource
ubuntu2404-amd64-20240729-en -
resource tags
arch:amd64, arch:i386, image:ubuntu2404-amd64-20240729-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system -
submitted
14-11-2024 11:07
Static task
static1
Behavioral task
behavioral1
Sample
x86.elf
Resource
ubuntu2404-amd64-20240729-en
General
-
Target
x86.elf
-
Size
70KB
-
MD5
18d166aa0a8825bfc772a23899028817
-
SHA1
ec3479418e02b246f028111a2412fc9768730c07
-
SHA256
c90a3da886eb3ca64580bf336147c75b05f9b2cee7fd060164e0102799c114e8
-
SHA512
b32f3a4e2ed63eda2042cd20e0ab56200f6b2ad8ded85e9f1376a5e95a4ac392b9a8cb6cdde756d9853b2910d78fa9e5f4f8230b62d2fc60f98c27925ce70dca
-
SSDEEP
1536:3u1LbYmm3aSuCKiilvIeAecynKMy1sekB:3u13Ymm3PEiilAyxyu
Malware Config
Signatures
-
Contacts a large (35503) amount of remote hosts [1 TTPs]
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows [1 TTPs]
This may indicate a network scan to discover remotely running services.
-
Modifies Watchdog functionality [1 TTPs, 2 IoCs]
Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.
Processes: x86.elf
  description                  | ioc                | Process
  File opened for modification | /dev/watchdog      | x86.elf
  File opened for modification | /dev/misc/watchdog | x86.elf
-
Renames itself [1 IoCs]
Processes: x86.elf
  pid  | Process
  2489 | x86.elf
-
Unexpected DNS network traffic destination [3 IoCs]
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
  description    | ioc
  Destination IP | 138.197.140.189
  Destination IP | 45.61.49.203
  Destination IP | 130.61.64.122
-
Checks mountinfo of local process [1 TTPs, 1 IoCs]
Checks mountinfo of running processes, which indicates whether it is running in a chroot jail.
Processes: x86.elf
  description             | ioc                 | Process
  File opened for reading | /proc/776/mountinfo | x86.elf
-
Enumerates active TCP sockets [1 TTPs, 1 IoCs]
Gets active TCP sockets from /proc virtual filesystem.
Processes: x86.elf
  description             | ioc           | Process
  File opened for reading | /proc/net/tcp | x86.elf
-
Reads process memory [1 TTPs, 1 IoCs]
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
Processes: x86.elf
  description             | ioc          | Process
  File opened for reading | /proc/1/maps | x86.elf
-
Changes its process name [14 IoCs]
Processes: x86.elf
  description                                                     | ioc          | pid  | Process
  Changes the process name, possibly in an attempt to hide itself | httpd        | 2489 | x86.elf
  Changes the process name, possibly in an attempt to hide itself | httpd        | 2492 | x86.elf
  Changes the process name, possibly in an attempt to hide itself | lighttpd     | 2492 | x86.elf
  Changes the process name, possibly in an attempt to hide itself | udhcpc       | 2492 | x86.elf
  Changes the process name, possibly in an attempt to hide itself | telnetd      | 2492 | x86.elf
  Changes the process name, possibly in an attempt to hide itself | upnpc-static | 2492 | x86.elf
  Changes the process name, possibly in an attempt to hide itself | boa          | 2492 | x86.elf
  Changes the process name, possibly in an attempt to hide itself | ntpclient    | 2492 | x86.elf
  Changes the process name, possibly in an attempt to hide itself | upnpc-static | 2492 | x86.elf
  Changes the process name, possibly in an attempt to hide itself | lighttpd     | 2492 | x86.elf
  Changes the process name, possibly in an attempt to hide itself | ntpclient    | 2492 | x86.elf
  Changes the process name, possibly in an attempt to hide itself | ntpclient    | 2492 | x86.elf
  Changes the process name, possibly in an attempt to hide itself | httpd        | 2492 | x86.elf
  Changes the process name, possibly in an attempt to hide itself | lighttpd     | 2492 | x86.elf
-
Reads system network configuration [1 TTPs, 1 IoCs]
Uses contents of /proc filesystem to enumerate network settings.
Processes: x86.elf
  description             | ioc           | Process
  File opened for reading | /proc/net/tcp | x86.elf
-
Processes: x86.elf
  description             | ioc          | Process
  File opened for reading | /proc/776/fd | x86.elf
MITRE ATT&CK Enterprise v15
Defense Evasion
  Impair Defenses (1)
  Virtualization/Sandbox Evasion (1)
    System Checks (1)