Analysis
max time kernel: 149s
max time network: 135s
platform: ubuntu-24.04_amd64
resource: ubuntu2404-amd64-20240729-en
resource tags: arch:amd64, arch:i386, image:ubuntu2404-amd64-20240729-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
submitted: 03/01/2025, 03:12

Behavioral task: behavioral1
Sample: 0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf
Resource: ubuntu2404-amd64-20240729-en

General
Target: 0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf
Size: 79KB
MD5: 793608dcc966f10f356cc0c84b68f618
SHA1: 7042c74fc2ef1c8acdb11e020348d66b0c0a65ec
SHA256: 0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237
SHA512: b49664b0cc0848ac96a1cc3d1a99e35e57158499b5b77f2c74d737eb39a1987ea33a198ab58f8a15ca6417f8a8c5003aff98464a9524d4f192e3d4674a7fb911
SSDEEP: 1536:jEZ7dF3Nw8V/OjhJgpZqLKfFVb5/QR6qngwfR6eeiTzrcL1RPSnReSNESw3SVXF:jUdRa8VQHgp9FVSR60gw1XTza1RPS8SN
Malware Config
Signatures

Deletes Audit logs
- File deleted: /var/log/audit/audit.log (Process: 0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf)

Deletes itself (1 IoCs)
- pid 2516 (Process: 0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf)

Deletes journal logs
- File deleted: /var/log/journal/36e6eb39a6fa405996e79cad2731865d/system.journal (Process: 0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf)

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.
- File opened for modification: /dev/watchdog (Process: 0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf)
- File opened for modification: /dev/misc/watchdog (Process: 0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf)

Enumerates running processes
Discovers information about currently running processes on the system.

Modifies systemd (2 TTPs, 1 IoCs)
Adds or modifies systemd service files, likely to achieve persistence.
- File opened for modification: /etc/systemd/system/startup_command.service (Process: 0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf)

Changes its process name (1 IoCs)
- Changes the process name, possibly in an attempt to hide itself: new name erfa0m0drkmfm1o2vhitlfdis12osj1e, pid 2516 (Process: 0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf)

Reads CPU attributes (1 TTPs, 10 IoCs)
- File opened for reading: /sys/devices/system/cpu/possible (Process: pkill; 10 identical entries)

Enumerates kernel/hardware configuration (1 TTPs, 10 IoCs)
Reads contents of the /sys virtual filesystem to enumerate system information.
- File opened for reading: /sys/devices/system/node (Process: pkill; 10 identical entries)
Processes

/tmp/0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf (depth 1, PID 2516)
  command line: /tmp/0ede5fe6fc280fd897bfafe958262eae21f5e866aa7fbc0c74aaf4a3e9ec3237.elf
  - Deletes Audit logs
  - Deletes itself
  - Deletes journal logs
  - Modifies Watchdog functionality
  - Modifies systemd
  - Changes its process name
  - Reads runtime system information

  Child processes (depth 2). Each pkill and rm command appears in the report four times with the same PID, once per candidate binary path (/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin); those four paths are collapsed onto one line here. The signatures listed under each pkill entry are those the report attaches to the /usr/bin/pkill instance.

  pkill (binary paths: /usr/local/sbin/pkill, /usr/local/bin/pkill, /usr/sbin/pkill, /usr/bin/pkill), each with the signatures Reads CPU attributes, Enumerates kernel/hardware configuration, Reads runtime system information:
  - pkill tcpdump (PID 2519)
  - pkill tshark (PID 2520)
  - pkill wireshark (PID 2521)
  - pkill dumpcap (PID 2522)
  - pkill ettercap (PID 2523)
  - pkill dsniff (PID 2524)
  - pkill ngrep (PID 2525)
  - pkill tcpflow (PID 2526)
  - pkill windump (PID 2527)
  - pkill netsniff-ng (PID 2528)

  rm (binary paths: /usr/local/sbin/rm, /usr/local/bin/rm, /usr/sbin/rm, /usr/bin/rm):
  - rm -rf /usr/sbin/tcpdump (PID 2532)
  - rm -rf /usr/sbin/tshark (PID 2533)
  - rm -rf /usr/sbin/wireshark (PID 2534)
  - rm -rf /usr/sbin/dumpcap (PID 2535)
  - rm -rf /usr/sbin/ettercap (PID 2536)
  - rm -rf /usr/sbin/dsniff (PID 2537)
  - rm -rf /usr/sbin/ngrep (PID 2538)
  - rm -rf /usr/sbin/tcpflow (PID 2539)
  - rm -rf /usr/sbin/windump (PID 2540)
  - rm -rf /usr/sbin/netsniff-ng (PID 2541)
  - rm -rf /usr/bin/tcpdump (PID 2542)
  - rm -rf /usr/bin/tshark (PID 2543)
  - rm -rf /usr/bin/wireshark (PID 2544)
  - rm -rf /usr/bin/dumpcap (PID 2545)
  - rm -rf /usr/bin/ettercap (PID 2546)
  - rm -rf /usr/bin/dsniff (PID 2547)
  - rm -rf /usr/bin/ngrep (PID 2548)
  - rm -rf /usr/bin/tcpflow (PID 2549)
  - rm -rf /usr/bin/windump (PID 2550)
  - rm -rf /usr/bin/netsniff-ng (PID 2551)

  /bin/sh (depth 2, PID 2554)
    command line: sh -c "systemctl daemon-reload"
    /usr/bin/systemctl (depth 3, PID 2556)
      command line: systemctl daemon-reload

  /bin/sh (depth 2, PID 2706)
    command line: sh -c "systemctl enable startup_command.service"
    /usr/bin/systemctl (depth 3, PID 2707)
      command line: systemctl enable startup_command.service
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): XDG Autostart Entries (1)
- Create or Modify System Process (1): Systemd Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): XDG Autostart Entries (1)
- Create or Modify System Process (1): Systemd Service (1)
Downloads
Filesize: 361B
MD5: 4d2c868f454b6c55731485cf0f886dc0
SHA1: 032b125de0a28dcee8d8d25fbeeb56db7f403f04
SHA256: 8c4ae1b82477698f3a8c273b439cb9079794afb8fc33cd4def854936ba37ea2c
SHA512: 060b2413a0cb2dec0db059c190467b5cb0d76209effea4ae3de2701fa71429b811a6f7e11e813b26806cf72578d1f32b608a02a4ce670ec58b5b65433e3cf11d