Analysis
- max time kernel: 149s
- max time network: 139s
- platform: ubuntu-22.04_amd64
- resource: ubuntu2204-amd64-20240522.1-en
- resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240522.1-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
- submitted: 06-01-2025 23:27
Behavioral task: behavioral1
- Sample: i586.elf
- Resource: ubuntu2204-amd64-20240522.1-en
General
- Target: i586.elf
- Size: 69KB
- MD5: 2d0bd765ed70648d44343839f6927c45
- SHA1: 9348135e9d1e451b6b0b45b1017c5c6e29900a43
- SHA256: cbf5056d52a2ae8703611527edd723b72dcfa0ea3c7576c09f728f379d124220
- SHA512: f82ebd3fbda4d6ed0ae6baa9c317fcb0f5f8b7738c139972a7a8d4760349e610db5977c0172d9fd595beac0a9e26e088b259c4a395ca8985b13ce5cf451c0890
- SSDEEP: 1536:yPQsRePYB4WZhMXaH96kYVBKBoj1d21vlOmNtW:yPtMPYB4WZhMXoYmBoZdedPA
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 1551, process i586.elf
  File deleted: /var/log/journal/f2de92a803c744e586bd87567a26b68a/system.journal (i586.elf)
- Modifies Watchdog functionality (1 TTP, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  File opened for modification: /dev/watchdog (i586.elf)
  File opened for modification: /dev/misc/watchdog (i586.elf)
- Enumerates running processes
  Discovers information about currently running processes on the system
- Modifies systemd (2 TTPs, 1 IoC)
  Adds/modifies systemd service files. Likely to achieve persistence.
  File opened for modification: /etc/systemd/system/startup_command.service (i586.elf)
- Changes its process name (1 IoC)
  Changes the process name, possibly in an attempt to hide itself: pid 1551, process i586.elf
Processes
- /tmp/i586.elf (command line: /tmp/i586.elf), PID 1551
  - Deletes itself
  - Deletes journal logs
  - Modifies Watchdog functionality
  - Modifies systemd
  - Changes its process name
  - Reads runtime system information
  - /bin/sh (command line: sh -c "systemctl daemon-reload"), PID 1555
    - /usr/bin/systemctl (command line: systemctl daemon-reload), PID 1557
  - /bin/sh (command line: sh -c "systemctl enable startup_command.service"), PID 1609
    - /usr/bin/systemctl (command line: systemctl enable startup_command.service), PID 1610
      - Reads runtime system information
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): XDG Autostart Entries (1)
  - Create or Modify System Process (1): Systemd Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): XDG Autostart Entries (1)
  - Create or Modify System Process (1): Systemd Service (1)
Downloads
- Filesize: 361B
  MD5: af7d62b73266e0b457b114fe91f7e926
  SHA1: 11261aef4573b56b67b32020049c69c7282fc212
  SHA256: 14cb525e5a6b8aaf20c38672f8a9f974a684990888214848818326a739906642
  SHA512: 3926fbb53496c3aaa34cc782bd5c8379e0ab94b11fe4e63bbbfeac4e2b5057369c94bbe25ac56c3f04363076c91b978f9199fed97c5ed8377a6dc852b01ebfd9