4b8f796a0bf6d0854fd53a2f04ddeb898b055be3cc09ea923be613bc83406ae3

Analysis

max time kernel
13s
max time network
16s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
20-11-2024 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x86
Size

57KB
MD5

9ae358f27d23a2c907261646e42afe2a
SHA1

3b5f5568fbf51f832018fcd407e890e1f4b9dc31
SHA256

4b8f796a0bf6d0854fd53a2f04ddeb898b055be3cc09ea923be613bc83406ae3
SHA512

ddcdb92fe5b98bdbb766dc4f552d108a0212dc482efb9a773a98abc072316574905ad3091df32774f7156d7c123df83570a6dfb75a7f15a7f2571a844dd48d3a
SSDEEP

1536:/FtvA1fRWt01JffeXR3A/d4au5eMLeMWJJuV/sQrz6pz:/Q1f8t01JffeXRw/ea4eMLe9JuJ1Xaz

Score

9^/10

defense_evasion discovery

Malware Config

Signatures

Contacts a large (7168) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	x86
File opened for modification	/dev/misc/watchdog	x86

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	/var/Sofia	1597	x86

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/404/cmdline	x86
File opened for reading	/proc/632/cmdline	x86
File opened for reading	/proc/1206/cmdline	x86
File opened for reading	/proc/157/cmdline	x86
File opened for reading	/proc/76/cmdline	x86
File opened for reading	/proc/208/cmdline	x86
File opened for reading	/proc/1114/cmdline	x86
File opened for reading	/proc/12/cmdline	x86
File opened for reading	/proc/1302/cmdline	x86
File opened for reading	/proc/1156/cmdline	x86
File opened for reading	/proc/83/cmdline	x86
File opened for reading	/proc/215/cmdline	x86
File opened for reading	/proc/631/cmdline	x86
File opened for reading	/proc/748/cmdline	x86
File opened for reading	/proc/15/cmdline	x86
File opened for reading	/proc/221/cmdline	x86
File opened for reading	/proc/780/cmdline	x86
File opened for reading	/proc/1187/cmdline	x86
File opened for reading	/proc/1379/cmdline	x86
File opened for reading	/proc/9/cmdline	x86
File opened for reading	/proc/27/cmdline	x86
File opened for reading	/proc/100/cmdline	x86
File opened for reading	/proc/212/cmdline	x86
File opened for reading	/proc/219/cmdline	x86
File opened for reading	/proc/1058/cmdline	x86
File opened for reading	/proc/1154/cmdline	x86
File opened for reading	/proc/23/cmdline	x86
File opened for reading	/proc/7/cmdline	x86
File opened for reading	/proc/96/cmdline	x86
File opened for reading	/proc/408/cmdline	x86
File opened for reading	/proc/833/cmdline	x86
File opened for reading	/proc/840/cmdline	x86
File opened for reading	/proc/3/cmdline	x86
File opened for reading	/proc/89/cmdline	x86
File opened for reading	/proc/95/cmdline	x86
File opened for reading	/proc/693/cmdline	x86
File opened for reading	/proc/953/cmdline	x86
File opened for reading	/proc/988/cmdline	x86
File opened for reading	/proc/1051/cmdline	x86
File opened for reading	/proc/1195/cmdline	x86
File opened for reading	/proc/73/cmdline	x86
File opened for reading	/proc/1479/cmdline	x86
File opened for reading	/proc/1328/cmdline	x86
File opened for reading	/proc/584/cmdline	x86
File opened for reading	/proc/589/cmdline	x86
File opened for reading	/proc/968/cmdline	x86
File opened for reading	/proc/1288/cmdline	x86
File opened for reading	/proc/1584/cmdline	x86
File opened for reading	/proc/211/cmdline	x86
File opened for reading	/proc/82/cmdline	x86
File opened for reading	/proc/112/cmdline	x86
File opened for reading	/proc/523/cmdline	x86
File opened for reading	/proc/987/cmdline	x86
File opened for reading	/proc/1030/cmdline	x86
File opened for reading	/proc/1109/cmdline	x86
File opened for reading	/proc/1122/cmdline	x86
File opened for reading	/proc/14/cmdline	x86
File opened for reading	/proc/1513/cmdline	x86
File opened for reading	/proc/1573/cmdline	x86
File opened for reading	/proc/1274/cmdline	x86
File opened for reading	/proc/218/cmdline	x86
File opened for reading	/proc/606/cmdline	x86
File opened for reading	/proc/1035/cmdline	x86
File opened for reading	/proc/1160/cmdline	x86

/tmp/x86
/tmp/x86
1⤵
- Modifies Watchdog functionality
- Changes its process name
- Reads runtime system information
PID:1597

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads