0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237

Analysis

max time kernel
149s
max time network
135s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240729-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
03/01/2025, 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf
Size

79KB
MD5

793608dcc966f10f356cc0c84b68f618
SHA1

7042c74fc2ef1c8acdb11e020348d66b0c0a65ec
SHA256

0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237
SHA512

b49664b0cc0848ac96a1cc3d1a99e35e57158499b5b77f2c74d737eb39a1987ea33a198ab58f8a15ca6417f8a8c5003aff98464a9524d4f192e3d4674a7fb911
SSDEEP

1536:jEZ7dF3Nw8V/OjhJgpZqLKfFVb5/QR6qngwfR6eeiTzrcL1RPSnReSNESw3SVXF:jUdRa8VQHgp9FVSR60gw1XTza1RPS8SN

Score

7^/10

defense_evasion discovery evasion persistence privilege_escalation

Malware Config

Signatures

Deletes Audit logs 1 TTPs 1 IoCs

Deletes logs related to the Linux Audit framework.

evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/audit/audit.log	0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf

Deletes itself 1 IoCs

pid	Process
2516	0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf

Deletes journal logs 1 TTPs 1 IoCs

Deletes systemd journal logs. Likely to evade detection.

evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/journal/36e6eb39a6fa405996e79cad2731865d/system.journal	0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf
File opened for modification	/dev/misc/watchdog	0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf

Enumerates running processes
Discovers information about currently running processes on the system

Modifies systemd 2 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence privilege_escalation

XDG Autostart Entries

T1547.013

Systemd Service

T1543.002

description	ioc	Process
File opened for modification	/etc/systemd/system/startup_command.service	0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	erfa0m0drkmfm1o2vhitlfdis12osj1e	2516	0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf

Reads CPU attributes 1 TTPs 10 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill

Enumerates kernel/hardware configuration 1 TTPs 10 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/2184/status	pkill
File opened for reading	/proc/14/cgroup	pkill
File opened for reading	/proc/433/ctty	pkill
File opened for reading	/proc/1065/cgroup	pkill
File opened for reading	/proc/1084/status	pkill
File opened for reading	/proc/2156/cgroup	pkill
File opened for reading	/proc/2340/cgroup	pkill
File opened for reading	/proc/387/status	pkill
File opened for reading	/proc/784/cmdline	pkill
File opened for reading	/proc/1711/cmdline	pkill
File opened for reading	/proc/2057/cmdline	pkill
File opened for reading	/proc/2340/ctty	pkill
File opened for reading	/proc/10/ctty	pkill
File opened for reading	/proc/203/cgroup	pkill
File opened for reading	/proc/784/ctty	pkill
File opened for reading	/proc/2734/cmdline	0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf
File opened for reading	/proc/14/ctty	pkill
File opened for reading	/proc/433/ctty	pkill
File opened for reading	/proc/2362/cmdline	pkill
File opened for reading	/proc/2515/cgroup	pkill
File opened for reading	/proc/589/cmdline	0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf
File opened for reading	/proc/34/cgroup	pkill
File opened for reading	/proc/37/stat	pkill
File opened for reading	/proc/1410/status	pkill
File opened for reading	/proc/2519/status	pkill
File opened for reading	/proc/54/ctty	pkill
File opened for reading	/proc/762/status	pkill
File opened for reading	/proc/1719/status	pkill
File opened for reading	/proc/2244/cgroup	pkill
File opened for reading	/proc/2329/stat	pkill
File opened for reading	/proc/21/status	pkill
File opened for reading	/proc/31/stat	pkill
File opened for reading	/proc/1054/ctty	pkill
File opened for reading	/proc/1065/cgroup	pkill
File opened for reading	/proc/1081/cgroup	pkill
File opened for reading	/proc/2226/status	pkill
File opened for reading	/proc/32/ctty	pkill
File opened for reading	/proc/37/cgroup	pkill
File opened for reading	/proc/140/cgroup	pkill
File opened for reading	/proc/192/cmdline	pkill
File opened for reading	/proc/200/cmdline	pkill
File opened for reading	/proc/2226/status	pkill
File opened for reading	/proc/192/cmdline	0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf
File opened for reading	/proc/387/cgroup	pkill
File opened for reading	/proc/797/ctty	pkill
File opened for reading	/proc/1952/stat	pkill
File opened for reading	/proc/1984/stat	pkill
File opened for reading	/proc/17/ctty	pkill
File opened for reading	/proc/795/cgroup	pkill
File opened for reading	/proc/1106/status	pkill
File opened for reading	/proc/2277/status	pkill
File opened for reading	/proc/2322/stat	pkill
File opened for reading	/proc/339/status	pkill
File opened for reading	/proc/1054/cmdline	pkill
File opened for reading	/proc/1864/stat	pkill
File opened for reading	/proc/1947/stat	pkill
File opened for reading	/proc/2184/cgroup	pkill
File opened for reading	/proc/2311/status	pkill
File opened for reading	/proc/2522/status	pkill
File opened for reading	/proc/2528/ctty	pkill
File opened for reading	/proc/1/stat	pkill
File opened for reading	/proc/160/stat	pkill
File opened for reading	/proc/236/ctty	pkill
File opened for reading	/proc/2162/status	pkill

/tmp/0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf
/tmp/0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf
1⤵
- Deletes Audit logs
- Deletes itself
- Deletes journal logs
- Modifies Watchdog functionality
- Modifies systemd
- Changes its process name
- Reads runtime system information
PID:2516
- /usr/local/sbin/pkill
  pkill tcpdump
  2⤵
  PID:2519
- /usr/local/bin/pkill
  pkill tcpdump
  2⤵
  PID:2519
- /usr/sbin/pkill
  pkill tcpdump
  2⤵
  PID:2519
- /usr/bin/pkill
  pkill tcpdump
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2519
- /usr/local/sbin/pkill
  pkill tshark
  2⤵
  PID:2520
- /usr/local/bin/pkill
  pkill tshark
  2⤵
  PID:2520
- /usr/sbin/pkill
  pkill tshark
  2⤵
  PID:2520
- /usr/bin/pkill
  pkill tshark
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2520
- /usr/local/sbin/pkill
  pkill wireshark
  2⤵
  PID:2521
- /usr/local/bin/pkill
  pkill wireshark
  2⤵
  PID:2521
- /usr/sbin/pkill
  pkill wireshark
  2⤵
  PID:2521
- /usr/bin/pkill
  pkill wireshark
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2521
- /usr/local/sbin/pkill
  pkill dumpcap
  2⤵
  PID:2522
- /usr/local/bin/pkill
  pkill dumpcap
  2⤵
  PID:2522
- /usr/sbin/pkill
  pkill dumpcap
  2⤵
  PID:2522
- /usr/bin/pkill
  pkill dumpcap
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2522
- /usr/local/sbin/pkill
  pkill ettercap
  2⤵
  PID:2523
- /usr/local/bin/pkill
  pkill ettercap
  2⤵
  PID:2523
- /usr/sbin/pkill
  pkill ettercap
  2⤵
  PID:2523
- /usr/bin/pkill
  pkill ettercap
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2523
- /usr/local/sbin/pkill
  pkill dsniff
  2⤵
  PID:2524
- /usr/local/bin/pkill
  pkill dsniff
  2⤵
  PID:2524
- /usr/sbin/pkill
  pkill dsniff
  2⤵
  PID:2524
- /usr/bin/pkill
  pkill dsniff
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2524
- /usr/local/sbin/pkill
  pkill ngrep
  2⤵
  PID:2525
- /usr/local/bin/pkill
  pkill ngrep
  2⤵
  PID:2525
- /usr/sbin/pkill
  pkill ngrep
  2⤵
  PID:2525
- /usr/bin/pkill
  pkill ngrep
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2525
- /usr/local/sbin/pkill
  pkill tcpflow
  2⤵
  PID:2526
- /usr/local/bin/pkill
  pkill tcpflow
  2⤵
  PID:2526
- /usr/sbin/pkill
  pkill tcpflow
  2⤵
  PID:2526
- /usr/bin/pkill
  pkill tcpflow
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2526
- /usr/local/sbin/pkill
  pkill windump
  2⤵
  PID:2527
- /usr/local/bin/pkill
  pkill windump
  2⤵
  PID:2527
- /usr/sbin/pkill
  pkill windump
  2⤵
  PID:2527
- /usr/bin/pkill
  pkill windump
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2527
- /usr/local/sbin/pkill
  pkill netsniff-ng
  2⤵
  PID:2528
- /usr/local/bin/pkill
  pkill netsniff-ng
  2⤵
  PID:2528
- /usr/sbin/pkill
  pkill netsniff-ng
  2⤵
  PID:2528
- /usr/bin/pkill
  pkill netsniff-ng
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2528
- /usr/local/sbin/rm
  rm -rf /usr/sbin/tcpdump
  2⤵
  PID:2532
- /usr/local/bin/rm
  rm -rf /usr/sbin/tcpdump
  2⤵
  PID:2532
- /usr/sbin/rm
  rm -rf /usr/sbin/tcpdump
  2⤵
  PID:2532
- /usr/bin/rm
  rm -rf /usr/sbin/tcpdump
  2⤵
  PID:2532
- /usr/local/sbin/rm
  rm -rf /usr/sbin/tshark
  2⤵
  PID:2533
- /usr/local/bin/rm
  rm -rf /usr/sbin/tshark
  2⤵
  PID:2533
- /usr/sbin/rm
  rm -rf /usr/sbin/tshark
  2⤵
  PID:2533
- /usr/bin/rm
  rm -rf /usr/sbin/tshark
  2⤵
  PID:2533
- /usr/local/sbin/rm
  rm -rf /usr/sbin/wireshark
  2⤵
  PID:2534
- /usr/local/bin/rm
  rm -rf /usr/sbin/wireshark
  2⤵
  PID:2534
- /usr/sbin/rm
  rm -rf /usr/sbin/wireshark
  2⤵
  PID:2534
- /usr/bin/rm
  rm -rf /usr/sbin/wireshark
  2⤵
  PID:2534
- /usr/local/sbin/rm
  rm -rf /usr/sbin/dumpcap
  2⤵
  PID:2535
- /usr/local/bin/rm
  rm -rf /usr/sbin/dumpcap
  2⤵
  PID:2535
- /usr/sbin/rm
  rm -rf /usr/sbin/dumpcap
  2⤵
  PID:2535
- /usr/bin/rm
  rm -rf /usr/sbin/dumpcap
  2⤵
  PID:2535
- /usr/local/sbin/rm
  rm -rf /usr/sbin/ettercap
  2⤵
  PID:2536
- /usr/local/bin/rm
  rm -rf /usr/sbin/ettercap
  2⤵
  PID:2536
- /usr/sbin/rm
  rm -rf /usr/sbin/ettercap
  2⤵
  PID:2536
- /usr/bin/rm
  rm -rf /usr/sbin/ettercap
  2⤵
  PID:2536
- /usr/local/sbin/rm
  rm -rf /usr/sbin/dsniff
  2⤵
  PID:2537
- /usr/local/bin/rm
  rm -rf /usr/sbin/dsniff
  2⤵
  PID:2537
- /usr/sbin/rm
  rm -rf /usr/sbin/dsniff
  2⤵
  PID:2537
- /usr/bin/rm
  rm -rf /usr/sbin/dsniff
  2⤵
  PID:2537
- /usr/local/sbin/rm
  rm -rf /usr/sbin/ngrep
  2⤵
  PID:2538
- /usr/local/bin/rm
  rm -rf /usr/sbin/ngrep
  2⤵
  PID:2538
- /usr/sbin/rm
  rm -rf /usr/sbin/ngrep
  2⤵
  PID:2538
- /usr/bin/rm
  rm -rf /usr/sbin/ngrep
  2⤵
  PID:2538
- /usr/local/sbin/rm
  rm -rf /usr/sbin/tcpflow
  2⤵
  PID:2539
- /usr/local/bin/rm
  rm -rf /usr/sbin/tcpflow
  2⤵
  PID:2539
- /usr/sbin/rm
  rm -rf /usr/sbin/tcpflow
  2⤵
  PID:2539
- /usr/bin/rm
  rm -rf /usr/sbin/tcpflow
  2⤵
  PID:2539
- /usr/local/sbin/rm
  rm -rf /usr/sbin/windump
  2⤵
  PID:2540
- /usr/local/bin/rm
  rm -rf /usr/sbin/windump
  2⤵
  PID:2540
- /usr/sbin/rm
  rm -rf /usr/sbin/windump
  2⤵
  PID:2540
- /usr/bin/rm
  rm -rf /usr/sbin/windump
  2⤵
  PID:2540
- /usr/local/sbin/rm
  rm -rf /usr/sbin/netsniff-ng
  2⤵
  PID:2541
- /usr/local/bin/rm
  rm -rf /usr/sbin/netsniff-ng
  2⤵
  PID:2541
- /usr/sbin/rm
  rm -rf /usr/sbin/netsniff-ng
  2⤵
  PID:2541
- /usr/bin/rm
  rm -rf /usr/sbin/netsniff-ng
  2⤵
  PID:2541
- /usr/local/sbin/rm
  rm -rf /usr/bin/tcpdump
  2⤵
  PID:2542
- /usr/local/bin/rm
  rm -rf /usr/bin/tcpdump
  2⤵
  PID:2542
- /usr/sbin/rm
  rm -rf /usr/bin/tcpdump
  2⤵
  PID:2542
- /usr/bin/rm
  rm -rf /usr/bin/tcpdump
  2⤵
  PID:2542
- /usr/local/sbin/rm
  rm -rf /usr/bin/tshark
  2⤵
  PID:2543
- /usr/local/bin/rm
  rm -rf /usr/bin/tshark
  2⤵
  PID:2543
- /usr/sbin/rm
  rm -rf /usr/bin/tshark
  2⤵
  PID:2543
- /usr/bin/rm
  rm -rf /usr/bin/tshark
  2⤵
  PID:2543
- /usr/local/sbin/rm
  rm -rf /usr/bin/wireshark
  2⤵
  PID:2544
- /usr/local/bin/rm
  rm -rf /usr/bin/wireshark
  2⤵
  PID:2544
- /usr/sbin/rm
  rm -rf /usr/bin/wireshark
  2⤵
  PID:2544
- /usr/bin/rm
  rm -rf /usr/bin/wireshark
  2⤵
  PID:2544
- /usr/local/sbin/rm
  rm -rf /usr/bin/dumpcap
  2⤵
  PID:2545
- /usr/local/bin/rm
  rm -rf /usr/bin/dumpcap
  2⤵
  PID:2545
- /usr/sbin/rm
  rm -rf /usr/bin/dumpcap
  2⤵
  PID:2545
- /usr/bin/rm
  rm -rf /usr/bin/dumpcap
  2⤵
  PID:2545
- /usr/local/sbin/rm
  rm -rf /usr/bin/ettercap
  2⤵
  PID:2546
- /usr/local/bin/rm
  rm -rf /usr/bin/ettercap
  2⤵
  PID:2546
- /usr/sbin/rm
  rm -rf /usr/bin/ettercap
  2⤵
  PID:2546
- /usr/bin/rm
  rm -rf /usr/bin/ettercap
  2⤵
  PID:2546
- /usr/local/sbin/rm
  rm -rf /usr/bin/dsniff
  2⤵
  PID:2547
- /usr/local/bin/rm
  rm -rf /usr/bin/dsniff
  2⤵
  PID:2547
- /usr/sbin/rm
  rm -rf /usr/bin/dsniff
  2⤵
  PID:2547
- /usr/bin/rm
  rm -rf /usr/bin/dsniff
  2⤵
  PID:2547
- /usr/local/sbin/rm
  rm -rf /usr/bin/ngrep
  2⤵
  PID:2548
- /usr/local/bin/rm
  rm -rf /usr/bin/ngrep
  2⤵
  PID:2548
- /usr/sbin/rm
  rm -rf /usr/bin/ngrep
  2⤵
  PID:2548
- /usr/bin/rm
  rm -rf /usr/bin/ngrep
  2⤵
  PID:2548
- /usr/local/sbin/rm
  rm -rf /usr/bin/tcpflow
  2⤵
  PID:2549
- /usr/local/bin/rm
  rm -rf /usr/bin/tcpflow
  2⤵
  PID:2549
- /usr/sbin/rm
  rm -rf /usr/bin/tcpflow
  2⤵
  PID:2549
- /usr/bin/rm
  rm -rf /usr/bin/tcpflow
  2⤵
  PID:2549
- /usr/local/sbin/rm
  rm -rf /usr/bin/windump
  2⤵
  PID:2550
- /usr/local/bin/rm
  rm -rf /usr/bin/windump
  2⤵
  PID:2550
- /usr/sbin/rm
  rm -rf /usr/bin/windump
  2⤵
  PID:2550
- /usr/bin/rm
  rm -rf /usr/bin/windump
  2⤵
  PID:2550
- /usr/local/sbin/rm
  rm -rf /usr/bin/netsniff-ng
  2⤵
  PID:2551
- /usr/local/bin/rm
  rm -rf /usr/bin/netsniff-ng
  2⤵
  PID:2551
- /usr/sbin/rm
  rm -rf /usr/bin/netsniff-ng
  2⤵
  PID:2551
- /usr/bin/rm
  rm -rf /usr/bin/netsniff-ng
  2⤵
  PID:2551
- /bin/sh
  sh -c "systemctl daemon-reload"
  2⤵
  PID:2554
- - /usr/bin/systemctl
    systemctl daemon-reload
    3⤵
    PID:2556
- /bin/sh
  sh -c "systemctl enable startup_command.service"
  2⤵
  PID:2706
- - /usr/bin/systemctl
    systemctl enable startup_command.service
    3⤵
    PID:2707

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Privilege Escalation

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/systemd/system/startup_command.service

Filesize
361B

MD5
4d2c868f454b6c55731485cf0f886dc0

SHA1
032b125de0a28dcee8d8d25fbeeb56db7f403f04

SHA256
8c4ae1b82477698f3a8c273b439cb9079794afb8fc33cd4def854936ba37ea2c

SHA512
060b2413a0cb2dec0db059c190467b5cb0d76209effea4ae3de2701fa71429b811a6f7e11e813b26806cf72578d1f32b608a02a4ce670ec58b5b65433e3cf11d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads