cab713be24d5b1c7320d93a1957937a3dc472d1cd9f3fdc48d10a08cfa01b8c2

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
29-12-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x86_64.elf
Size

105KB
MD5

5c2d301a3602cdc7f8f7260e1f27781d
SHA1

0a76681142d81a2971d2321cf1061317a875d7ee
SHA256

cab713be24d5b1c7320d93a1957937a3dc472d1cd9f3fdc48d10a08cfa01b8c2
SHA512

b586f5a951470842392885d7272667a39b097a581e55fcbc571377f7193a4a84291d8805e2ddfbcfbc8c8ae9048615c288b668ebbb1cf403dfb05b7b38ac64bd
SSDEEP

3072:Sp0QUdRZF4zFJGJFD9kVT5bneXE2Jk41egvz8BeRmUE:SpdUdRZF4zFJGJFD9kVTd9bhg7Rm

Score

9^/10

defense_evasion discovery

Malware Config

Signatures

Contacts a large (49399) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	x86_64.elf
File opened for modification	/dev/misc/watchdog	x86_64.elf

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	x86_64.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	kQdAfVRaLzptjdYmQXT	1568	x86_64.elf

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	x86_64.elf

/tmp/x86_64.elf
/tmp/x86_64.elf
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads