4bccd6464611aab4a804bc9a9c03b7670a0b7978422eb8178e23b408155003d4

Analysis

max time kernel
149s
max time network
153s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
07/01/2025, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bccd6464611aab4a804bc9a9c03b7670a0b7978422eb8178e23b408155003d4.elf
Size

79KB
MD5

2320b08c36f0f883e99f2b2e0cc4190d
SHA1

14c4a26918a8cf7042952baf8706cdd223b17d20
SHA256

4bccd6464611aab4a804bc9a9c03b7670a0b7978422eb8178e23b408155003d4
SHA512

47470bc7341fb593ee7ba385ad9422c07b938143bb0b15beb7fdac8da97e7b51beef63da7176111ad89610f8ad9e67382db2739f28da70d4279523a964d38261
SSDEEP

1536:jEZ7dF3Nw8V/OjhJgpZqLKfFVE5/Q62wnR6eeiTzrcL1RPSnReS4ESw3SVH:jUdRa8VQHgp9FVF62wdXTza1RPS8S4K+

Score

7^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1592	4bccd6464611aab4a804bc9a9c03b7670a0b7978422eb8178e23b408155003d4.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	4bccd6464611aab4a804bc9a9c03b7670a0b7978422eb8178e23b408155003d4.elf
File opened for modification	/dev/misc/watchdog	4bccd6464611aab4a804bc9a9c03b7670a0b7978422eb8178e23b408155003d4.elf

Enumerates running processes
Discovers information about currently running processes on the system

Modifies systemd 2 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence privilege_escalation

XDG Autostart Entries

T1547.013

Systemd Service

T1543.002

description	ioc	Process
File opened for modification	/etc/systemd/system/startup_command.service	4bccd6464611aab4a804bc9a9c03b7670a0b7978422eb8178e23b408155003d4.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	tfrq4gfk3ogl5sas	1592	4bccd6464611aab4a804bc9a9c03b7670a0b7978422eb8178e23b408155003d4.elf

Reads CPU attributes 1 TTPs 10 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1195/status	pkill
File opened for reading	/proc/745/cmdline	pkill
File opened for reading	/proc/1607/cmdline	4bccd6464611aab4a804bc9a9c03b7670a0b7978422eb8178e23b408155003d4.elf
File opened for reading	/proc/98/cmdline	pkill
File opened for reading	/proc/109/cmdline	pkill
File opened for reading	/proc/373/cmdline	pkill
File opened for reading	/proc/1172/status	pkill
File opened for reading	/proc/18/status	pkill
File opened for reading	/proc/86/status	pkill
File opened for reading	/proc/981/status	pkill
File opened for reading	/proc/1267/cmdline	pkill
File opened for reading	/proc/225/cmdline	pkill
File opened for reading	/proc/1411/cmdline	pkill
File opened for reading	/proc/1581/cmdline	pkill
File opened for reading	/proc/220/status	pkill
File opened for reading	/proc/606/status	pkill
File opened for reading	/proc/1556/cmdline	pkill
File opened for reading	/proc/94/cmdline	pkill
File opened for reading	/proc/738/status	pkill
File opened for reading	/proc/968/cmdline	pkill
File opened for reading	/proc/77/status	pkill
File opened for reading	/proc/98/status	pkill
File opened for reading	/proc/223/cmdline	pkill
File opened for reading	/proc/767/cmdline	pkill
File opened for reading	/proc/11/cmdline	pkill
File opened for reading	/proc/1607/cmdline	pkill
File opened for reading	/proc/12/cmdline	pkill
File opened for reading	/proc/75/cmdline	pkill
File opened for reading	/proc/83/cmdline	pkill
File opened for reading	/proc/1123/status	pkill
File opened for reading	/proc/82/status	pkill
File opened for reading	/proc/23/status	pkill
File opened for reading	/proc/772/cmdline	pkill
File opened for reading	/proc/745/status	pkill
File opened for reading	/proc/212/cmdline	pkill
File opened for reading	/proc/981/cmdline	pkill
File opened for reading	/proc/1580/cmdline	pkill
File opened for reading	/proc/74/cmdline	pkill
File opened for reading	/proc/90/status	pkill
File opened for reading	/proc/88/cmdline	pkill
File opened for reading	/proc/20/status	pkill
File opened for reading	/proc/1153/status	pkill
File opened for reading	/proc/1467/status	pkill
File opened for reading	/proc/1197/cmdline	pkill
File opened for reading	/proc/1075/cmdline	4bccd6464611aab4a804bc9a9c03b7670a0b7978422eb8178e23b408155003d4.elf
File opened for reading	/proc/73/cmdline	pkill
File opened for reading	/proc/109/cmdline	pkill
File opened for reading	/proc/218/status	pkill
File opened for reading	/proc/77/status	pkill
File opened for reading	/proc/1167/cmdline	pkill
File opened for reading	/proc/1300/status	pkill
File opened for reading	/proc/1595/cmdline	pkill
File opened for reading	/proc/1123/status	pkill
File opened for reading	/proc/1267/cmdline	4bccd6464611aab4a804bc9a9c03b7670a0b7978422eb8178e23b408155003d4.elf
File opened for reading	/proc/81/cmdline	pkill
File opened for reading	/proc/311/status	pkill
File opened for reading	/proc/1580/status	pkill
File opened for reading	/proc/76/status	pkill
File opened for reading	/proc/216/status	pkill
File opened for reading	/proc/1092/cmdline	pkill
File opened for reading	/proc/1036/cmdline	4bccd6464611aab4a804bc9a9c03b7670a0b7978422eb8178e23b408155003d4.elf
File opened for reading	/proc/1139/cmdline	pkill
File opened for reading	/proc/1195/cmdline	pkill
File opened for reading	/proc/989/cmdline	4bccd6464611aab4a804bc9a9c03b7670a0b7978422eb8178e23b408155003d4.elf

/tmp/4bccd6464611aab4a804bc9a9c03b7670a0b7978422eb8178e23b408155003d4.elf
/tmp/4bccd6464611aab4a804bc9a9c03b7670a0b7978422eb8178e23b408155003d4.elf
1⤵
- Deletes itself
- Modifies Watchdog functionality
- Modifies systemd
- Changes its process name
- Reads runtime system information
PID:1592
- /usr/local/sbin/pkill
  pkill wireshark
  2⤵
  PID:1596
- /usr/local/bin/pkill
  pkill wireshark
  2⤵
  PID:1596
- /usr/sbin/pkill
  pkill wireshark
  2⤵
  PID:1596
- /usr/bin/pkill
  pkill wireshark
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1596
- /usr/local/sbin/pkill
  pkill dumpcap
  2⤵
  PID:1597
- /usr/local/sbin/pkill
  pkill ettercap
  2⤵
  PID:1598
- /usr/local/bin/pkill
  pkill dumpcap
  2⤵
  PID:1597
- /usr/local/sbin/pkill
  pkill dsniff
  2⤵
  PID:1599
- /usr/local/sbin/pkill
  pkill tshark
  2⤵
  PID:1595
- /usr/local/bin/pkill
  pkill ettercap
  2⤵
  PID:1598
- /usr/sbin/pkill
  pkill dumpcap
  2⤵
  PID:1597
- /usr/local/bin/pkill
  pkill tshark
  2⤵
  PID:1595
- /usr/sbin/pkill
  pkill ettercap
  2⤵
  PID:1598
- /usr/local/bin/pkill
  pkill dsniff
  2⤵
  PID:1599
- /usr/bin/pkill
  pkill dumpcap
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1597
- /usr/local/sbin/pkill
  pkill ngrep
  2⤵
  PID:1600
- /usr/sbin/pkill
  pkill tshark
  2⤵
  PID:1595
- /usr/bin/pkill
  pkill ettercap
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1598
- /usr/sbin/pkill
  pkill dsniff
  2⤵
  PID:1599
- /usr/local/bin/pkill
  pkill ngrep
  2⤵
  PID:1600
- /usr/bin/pkill
  pkill tshark
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1595
- /usr/bin/pkill
  pkill dsniff
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1599
- /usr/local/sbin/pkill
  pkill tcpflow
  2⤵
  PID:1601
- /usr/sbin/pkill
  pkill ngrep
  2⤵
  PID:1600
- /usr/local/sbin/pkill
  pkill windump
  2⤵
  PID:1602
- /usr/bin/pkill
  pkill ngrep
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1600
- /usr/local/bin/pkill
  pkill tcpflow
  2⤵
  PID:1601
- /usr/local/sbin/pkill
  pkill netsniff-ng
  2⤵
  PID:1603
- /usr/sbin/pkill
  pkill tcpflow
  2⤵
  PID:1601
- /usr/local/bin/pkill
  pkill windump
  2⤵
  PID:1602
- /usr/bin/pkill
  pkill tcpflow
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1601
- /usr/sbin/pkill
  pkill windump
  2⤵
  PID:1602
- /usr/local/bin/pkill
  pkill netsniff-ng
  2⤵
  PID:1603
- /usr/sbin/pkill
  pkill netsniff-ng
  2⤵
  PID:1603
- /usr/bin/pkill
  pkill windump
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1602
- /usr/local/sbin/pkill
  pkill tcpdump
  2⤵
  PID:1594
- /usr/bin/pkill
  pkill netsniff-ng
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1603
- /usr/local/bin/pkill
  pkill tcpdump
  2⤵
  PID:1594
- /usr/sbin/pkill
  pkill tcpdump
  2⤵
  PID:1594
- /usr/bin/pkill
  pkill tcpdump
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1594
- /usr/local/sbin/rm
  rm -rf /usr/sbin/ngrep
  2⤵
  PID:1624
- /usr/local/sbin/rm
  rm -rf /usr/sbin/windump
  2⤵
  PID:1626
- /usr/local/sbin/rm
  rm -rf /usr/sbin/netsniff-ng
  2⤵
  PID:1627
- /usr/local/sbin/rm
  rm -rf /usr/bin/tcpdump
  2⤵
  PID:1628
- /usr/local/sbin/rm
  rm -rf /usr/bin/tshark
  2⤵
  PID:1629
- /usr/local/sbin/rm
  rm -rf /usr/bin/wireshark
  2⤵
  PID:1630
- /usr/local/sbin/rm
  rm -rf /usr/bin/dumpcap
  2⤵
  PID:1631
- /usr/local/sbin/rm
  rm -rf /usr/bin/ettercap
  2⤵
  PID:1632
- /usr/local/sbin/rm
  rm -rf /usr/bin/dsniff
  2⤵
  PID:1633
- /usr/local/sbin/rm
  rm -rf /usr/bin/ngrep
  2⤵
  PID:1634
- /usr/local/sbin/rm
  rm -rf /usr/bin/tcpflow
  2⤵
  PID:1635
- /usr/local/sbin/rm
  rm -rf /usr/bin/windump
  2⤵
  PID:1636
- /usr/local/sbin/rm
  rm -rf /usr/bin/netsniff-ng
  2⤵
  PID:1637
- /usr/local/bin/rm
  rm -rf /usr/bin/ngrep
  2⤵
  PID:1634
- /usr/local/bin/rm
  rm -rf /usr/bin/tcpflow
  2⤵
  PID:1635
- /usr/local/sbin/rm
  rm -rf /usr/sbin/tcpflow
  2⤵
  PID:1625
- /usr/local/bin/rm
  rm -rf /usr/bin/ettercap
  2⤵
  PID:1632
- /usr/local/bin/rm
  rm -rf /usr/bin/wireshark
  2⤵
  PID:1630
- /usr/local/bin/rm
  rm -rf /usr/sbin/netsniff-ng
  2⤵
  PID:1627
- /usr/local/bin/rm
  rm -rf /usr/bin/dumpcap
  2⤵
  PID:1631
- /usr/local/bin/rm
  rm -rf /usr/bin/netsniff-ng
  2⤵
  PID:1637
- /usr/local/bin/rm
  rm -rf /usr/sbin/windump
  2⤵
  PID:1626
- /usr/local/bin/rm
  rm -rf /usr/bin/dsniff
  2⤵
  PID:1633
- /usr/local/bin/rm
  rm -rf /usr/sbin/ngrep
  2⤵
  PID:1624
- /usr/local/bin/rm
  rm -rf /usr/bin/tcpdump
  2⤵
  PID:1628
- /usr/local/bin/rm
  rm -rf /usr/bin/windump
  2⤵
  PID:1636
- /usr/local/bin/rm
  rm -rf /usr/sbin/tcpflow
  2⤵
  PID:1625
- /usr/local/bin/rm
  rm -rf /usr/bin/tshark
  2⤵
  PID:1629
- /usr/sbin/rm
  rm -rf /usr/bin/wireshark
  2⤵
  PID:1630
- /usr/local/sbin/rm
  rm -rf /usr/sbin/dsniff
  2⤵
  PID:1623
- /usr/sbin/rm
  rm -rf /usr/bin/ettercap
  2⤵
  PID:1632
- /usr/sbin/rm
  rm -rf /usr/sbin/netsniff-ng
  2⤵
  PID:1627
- /usr/sbin/rm
  rm -rf /usr/bin/dumpcap
  2⤵
  PID:1631
- /usr/sbin/rm
  rm -rf /usr/bin/netsniff-ng
  2⤵
  PID:1637
- /usr/sbin/rm
  rm -rf /usr/bin/ngrep
  2⤵
  PID:1634
- /usr/sbin/rm
  rm -rf /usr/sbin/windump
  2⤵
  PID:1626
- /usr/sbin/rm
  rm -rf /usr/bin/tcpflow
  2⤵
  PID:1635
- /usr/sbin/rm
  rm -rf /usr/bin/tcpdump
  2⤵
  PID:1628
- /usr/sbin/rm
  rm -rf /usr/sbin/ngrep
  2⤵
  PID:1624
- /usr/sbin/rm
  rm -rf /usr/bin/windump
  2⤵
  PID:1636
- /usr/sbin/rm
  rm -rf /usr/bin/dsniff
  2⤵
  PID:1633
- /usr/sbin/rm
  rm -rf /usr/sbin/tcpflow
  2⤵
  PID:1625
- /usr/sbin/rm
  rm -rf /usr/bin/tshark
  2⤵
  PID:1629
- /usr/bin/rm
  rm -rf /usr/bin/wireshark
  2⤵
  PID:1630
- /usr/bin/rm
  rm -rf /usr/bin/netsniff-ng
  2⤵
  PID:1637
- /usr/bin/rm
  rm -rf /usr/sbin/netsniff-ng
  2⤵
  PID:1627
- /usr/bin/rm
  rm -rf /usr/bin/dumpcap
  2⤵
  PID:1631
- /usr/bin/rm
  rm -rf /usr/sbin/windump
  2⤵
  PID:1626
- /usr/bin/rm
  rm -rf /usr/bin/ngrep
  2⤵
  PID:1634
- /usr/bin/rm
  rm -rf /usr/bin/ettercap
  2⤵
  PID:1632
- /usr/bin/rm
  rm -rf /usr/bin/tcpflow
  2⤵
  PID:1635
- /usr/local/bin/rm
  rm -rf /usr/sbin/dsniff
  2⤵
  PID:1623
- /usr/bin/rm
  rm -rf /usr/bin/tcpdump
  2⤵
  PID:1628
- /usr/bin/rm
  rm -rf /usr/sbin/ngrep
  2⤵
  PID:1624
- /usr/bin/rm
  rm -rf /usr/bin/windump
  2⤵
  PID:1636
- /usr/bin/rm
  rm -rf /usr/sbin/tcpflow
  2⤵
  PID:1625
- /usr/bin/rm
  rm -rf /usr/bin/dsniff
  2⤵
  PID:1633
- /usr/bin/rm
  rm -rf /usr/bin/tshark
  2⤵
  PID:1629
- /usr/sbin/rm
  rm -rf /usr/sbin/dsniff
  2⤵
  PID:1623
- /usr/local/sbin/rm
  rm -rf /usr/sbin/ettercap
  2⤵
  PID:1622
- /usr/bin/rm
  rm -rf /usr/sbin/dsniff
  2⤵
  PID:1623
- /usr/local/bin/rm
  rm -rf /usr/sbin/ettercap
  2⤵
  PID:1622
- /usr/sbin/rm
  rm -rf /usr/sbin/ettercap
  2⤵
  PID:1622
- /usr/bin/rm
  rm -rf /usr/sbin/ettercap
  2⤵
  PID:1622
- /usr/local/sbin/rm
  rm -rf /usr/sbin/dumpcap
  2⤵
  PID:1621
- /usr/local/bin/rm
  rm -rf /usr/sbin/dumpcap
  2⤵
  PID:1621
- /usr/sbin/rm
  rm -rf /usr/sbin/dumpcap
  2⤵
  PID:1621
- /usr/bin/rm
  rm -rf /usr/sbin/dumpcap
  2⤵
  PID:1621
- /usr/local/sbin/rm
  rm -rf /usr/sbin/wireshark
  2⤵
  PID:1620
- /usr/local/bin/rm
  rm -rf /usr/sbin/wireshark
  2⤵
  PID:1620
- /usr/sbin/rm
  rm -rf /usr/sbin/wireshark
  2⤵
  PID:1620
- /usr/bin/rm
  rm -rf /usr/sbin/wireshark
  2⤵
  PID:1620
- /usr/local/sbin/rm
  rm -rf /usr/sbin/tshark
  2⤵
  PID:1619
- /usr/local/bin/rm
  rm -rf /usr/sbin/tshark
  2⤵
  PID:1619
- /usr/sbin/rm
  rm -rf /usr/sbin/tshark
  2⤵
  PID:1619
- /usr/bin/rm
  rm -rf /usr/sbin/tshark
  2⤵
  PID:1619
- /usr/local/sbin/rm
  rm -rf /usr/sbin/tcpdump
  2⤵
  PID:1618
- /usr/local/bin/rm
  rm -rf /usr/sbin/tcpdump
  2⤵
  PID:1618
- /usr/sbin/rm
  rm -rf /usr/sbin/tcpdump
  2⤵
  PID:1618
- /usr/bin/rm
  rm -rf /usr/sbin/tcpdump
  2⤵
  PID:1618
- /bin/sh
  sh -c "systemctl daemon-reload"
  2⤵
  PID:1640
- - /usr/bin/systemctl
    systemctl daemon-reload
    3⤵
    PID:1642
- /bin/sh
  sh -c "systemctl enable startup_command.service"
  2⤵
  PID:1697
- - /usr/bin/systemctl
    systemctl enable startup_command.service
    3⤵
    PID:1698

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Privilege Escalation

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/systemd/system/startup_command.service

Filesize
361B

MD5
af7d62b73266e0b457b114fe91f7e926

SHA1
11261aef4573b56b67b32020049c69c7282fc212

SHA256
14cb525e5a6b8aaf20c38672f8a9f974a684990888214848818326a739906642

SHA512
3926fbb53496c3aaa34cc782bd5c8379e0ab94b11fe4e63bbbfeac4e2b5057369c94bbe25ac56c3f04363076c91b978f9199fed97c5ed8377a6dc852b01ebfd9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads