Analysis
-
max time kernel
149s -
max time network
151s -
platform
ubuntu-20.04_amd64 -
resource
ubuntu2004-amd64-20240729-en -
resource tags
arch:amd64arch:i386image:ubuntu2004-amd64-20240729-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system -
submitted
17-12-2024 02:25
Behavioral task
behavioral1
Sample
2e71415282819431dc21990148d312a268b9ba3f6a3f30de65b1fbece0daf916.elf
Resource
ubuntu2004-amd64-20240729-en
General
-
Target
2e71415282819431dc21990148d312a268b9ba3f6a3f30de65b1fbece0daf916.elf
-
Size
61KB
-
MD5
593921b0d2fb2b66221ba1b29d3db579
-
SHA1
84fa95c60f1f8c330d5d8b82f5c7b9d6eb67edcd
-
SHA256
2e71415282819431dc21990148d312a268b9ba3f6a3f30de65b1fbece0daf916
-
SHA512
92c57b195cd9af1351cf1f14b2dea7a10d07d6966ed6c023636aeb9a2d079219ed17abb864f875fbfc6b5657f57ab08a6a1d74fbea6117d4b8dc257728837736
-
SSDEEP
1536:dpmbSQ6U3q7cCBT/lZsK/0DiQ54LiKimfFoktCe3fYRMJ:WShU3q7cEDlCK/0Du9i8Fok06fYRO
Malware Config
Signatures
-
Contacts a large (38133) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 1387 sh 1390 chmod -
Changes its process name 1 IoCs
description ioc pid Process Changes the process name, possibly in an attempt to hide itself /bin/watchdog 1386 2e71415282819431dc21990148d312a268b9ba3f6a3f30de65b1fbece0daf916.elf -
description ioc Process File opened for reading /proc/filesystems mkdir -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/bin/watchdog sh
Processes
-
/tmp/2e71415282819431dc21990148d312a268b9ba3f6a3f30de65b1fbece0daf916.elf/tmp/2e71415282819431dc21990148d312a268b9ba3f6a3f30de65b1fbece0daf916.elf1⤵
- Changes its process name
PID:1386 -
/bin/shsh -c "rm -rf bin/watchdog && mkdir bin����; >bin/watchdog && mv /tmp/2e71415282819431dc21990148d312a268b9ba3f6a3f30de65b1fbece0daf916.elf bin/watchdog; chmod 777 bin/watchdog"2⤵
- File and Directory Permissions Modification
- Writes file to tmp directory
PID:1387 -
/usr/bin/rmrm -rf bin/watchdog3⤵PID:1388
-
-
/usr/bin/mkdirmkdir "bin����"3⤵
- Reads runtime system information
PID:1389
-
-
/usr/bin/chmodchmod 777 bin/watchdog3⤵
- File and Directory Permissions Modification
PID:1390
-
-