Extracted

• • Target

    20e0e61d27762a524f6974fb9f4995062582db351d5576e62a214d6b5e5808e7/20e0e61d27762a524f6974fb9f4995062582db351d5576e62a214d6b5e5808e7.elf

  • Size

    1.7MB

  • MD5

    503c35c37d00d04ff2793c2b4bf5038f

  • SHA1

    a03a9d06ca8441cb2ec7fe0c49cb56023130d884

  • SHA256

    20e0e61d27762a524f6974fb9f4995062582db351d5576e62a214d6b5e5808e7

  • SHA512

    c653fd4f8a6724b9a25e24e9a2a0152340be294d4d53d82e5762fd8599b014dabc4be6a2830822d51ce744ef256f1e5fe78b5c016fc24907de7ea964fb5835ee

  • SSDEEP

    24576:94GdIhU6rF5IF0pGVZa4B6dmyw5DQ7EQ6LPni2Mt+aa:XShUL7VZ1BYZw5DcRt+a

  Score

  10^/10

  antivmdefense_evasiondiscoverypersistenceprivilege_escalationransomware

  • Renames multiple (107) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Adds new SSH keys

    Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    persistenceprivilege_escalation

  • Creates/modifies environment variables

    Creating/modifying environment variables is a common persistence mechanism.

    persistenceprivilege_escalationdefense_evasion

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes file to system bin folder

  • Modifies Bash startup script

    persistence
  behavioral1