f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a

Analysis

max time kernel
147s
max time network
153s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20241127-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20241127-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
03-12-2024 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
Size

108KB
MD5

25a5766ab198742fbca191bb06b221a5
SHA1

6a3ecb6814fe115b1048856be0542aafd5a3571e
SHA256

f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a
SHA512

6d20b507732540114b4aaab4163c2a1616c16ab7812d2b133c0b290f9b99424347c6a9823bf059ea769bd51e2007f611fde0a13589381e99077811aa2a108275
SSDEEP

1536:JvumDCpfSvaRyqTI1eNQ+PA8MtP44JoFD1a56Lz3mCLtCcnJbSq2QkkHIJv:gP6vaRX6eNdA8K44+F5YQ3ntxJ2HkHI

Score

9^/10

defense_evasion discovery

Malware Config

Signatures

Contacts a large (75746) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf

description	ioc	Process
File opened for modification	/dev/watchdog	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for modification	/dev/misc/watchdog	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

Processes:

f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf

description	ioc	Process
File opened for modification	/sbin/watchdog	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for modification	/bin/watchdog	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf

Changes its process name 1 IoCs

Processes:

f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	1416	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf

description	ioc	Process
File opened for reading	/proc/17/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/969/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1355/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/3/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/7/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1179/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/166/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/683/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1471/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/792/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/533/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/785/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/948/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1102/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1116/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1477/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/9/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/10/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/14/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/22/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/177/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1148/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/176/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/639/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/981/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1078/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1103/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/102/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1352/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1405/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1054/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/71/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/159/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/521/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1380/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1474/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/174/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1360/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/74/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/201/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/497/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/790/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1092/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/666/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1086/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1087/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1351/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/79/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/449/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/768/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/920/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1468/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/16/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/162/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/751/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/87/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/163/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/627/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1478/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/492/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/906/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1128/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/661/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
File opened for reading	/proc/1202/cmdline	f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf

/tmp/f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
/tmp/f65a49ad21b980dafb33a4b110396337ccd83b4e6e87a494cc8c8b809938030a.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
- Reads runtime system information
PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads