fc139908a4cc0fa85ab1415b23e985863b4deb45b8cae876ac4583b58265660c

Analysis

max time kernel
149s
max time network
152s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
17/01/2025, 02:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

pecga.x86.elf
Size

65KB
MD5

2949d884ed9af407513107d67b12d186
SHA1

05d7dd2a6aed675fdf2e6a6acdf90b95351c68cb
SHA256

fc139908a4cc0fa85ab1415b23e985863b4deb45b8cae876ac4583b58265660c
SHA512

deacfde826626d71426a53a5e6bfb8d5afaece11ed8146a82c3dfc0e74a44e8d1a5d2f23294ca19ad02d6c489d487224d4a047c76cc1f60215f99372f590238d
SSDEEP

1536:fVmfE7g9MK/MBxvy43IrIx3TRtvMUmbe1mam+ZfS+:Nmc7g9MK/tytFtUpC1XBv

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1589	pecga.x86.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	pecga.x86.elf
File opened for modification	/dev/misc/watchdog	pecga.x86.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	pecga.x86.elf
File opened for modification	/bin/watchdog	pecga.x86.elf

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	1589	pecga.x86.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/692/cmdline	pecga.x86.elf
File opened for reading	/proc/988/cmdline	pecga.x86.elf
File opened for reading	/proc/1159/cmdline	pecga.x86.elf
File opened for reading	/proc/1578/cmdline	pecga.x86.elf
File opened for reading	/proc/1703/cmdline	pecga.x86.elf
File opened for reading	/proc/225/cmdline	pecga.x86.elf
File opened for reading	/proc/411/cmdline	pecga.x86.elf
File opened for reading	/proc/525/cmdline	pecga.x86.elf
File opened for reading	/proc/590/cmdline	pecga.x86.elf
File opened for reading	/proc/1710/cmdline	pecga.x86.elf
File opened for reading	/proc/1035/cmdline	pecga.x86.elf
File opened for reading	/proc/1607/cmdline	pecga.x86.elf
File opened for reading	/proc/1679/cmdline	pecga.x86.elf
File opened for reading	/proc/1709/cmdline	pecga.x86.elf
File opened for reading	/proc/97/cmdline	pecga.x86.elf
File opened for reading	/proc/209/cmdline	pecga.x86.elf
File opened for reading	/proc/779/cmdline	pecga.x86.elf
File opened for reading	/proc/1113/cmdline	pecga.x86.elf
File opened for reading	/proc/1186/cmdline	pecga.x86.elf
File opened for reading	/proc/1640/cmdline	pecga.x86.elf
File opened for reading	/proc/79/cmdline	pecga.x86.elf
File opened for reading	/proc/112/cmdline	pecga.x86.elf
File opened for reading	/proc/158/cmdline	pecga.x86.elf
File opened for reading	/proc/634/cmdline	pecga.x86.elf
File opened for reading	/proc/1317/cmdline	pecga.x86.elf
File opened for reading	/proc/1602/cmdline	pecga.x86.elf
File opened for reading	/proc/1695/cmdline	pecga.x86.elf
File opened for reading	/proc/73/cmdline	pecga.x86.elf
File opened for reading	/proc/95/cmdline	pecga.x86.elf
File opened for reading	/proc/425/cmdline	pecga.x86.elf
File opened for reading	/proc/1685/cmdline	pecga.x86.elf
File opened for reading	/proc/90/cmdline	pecga.x86.elf
File opened for reading	/proc/1659/cmdline	pecga.x86.elf
File opened for reading	/proc/1196/cmdline	pecga.x86.elf
File opened for reading	/proc/1209/cmdline	pecga.x86.elf
File opened for reading	/proc/1318/cmdline	pecga.x86.elf
File opened for reading	/proc/1605/cmdline	pecga.x86.elf
File opened for reading	/proc/1727/cmdline	pecga.x86.elf
File opened for reading	/proc/833/cmdline	pecga.x86.elf
File opened for reading	/proc/987/cmdline	pecga.x86.elf
File opened for reading	/proc/630/cmdline	pecga.x86.elf
File opened for reading	/proc/745/cmdline	pecga.x86.elf
File opened for reading	/proc/1157/cmdline	pecga.x86.elf
File opened for reading	/proc/1295/cmdline	pecga.x86.elf
File opened for reading	/proc/1638/cmdline	pecga.x86.elf
File opened for reading	/proc/10/cmdline	pecga.x86.elf
File opened for reading	/proc/82/cmdline	pecga.x86.elf
File opened for reading	/proc/1646/cmdline	pecga.x86.elf
File opened for reading	/proc/1696/cmdline	pecga.x86.elf
File opened for reading	/proc/413/cmdline	pecga.x86.elf
File opened for reading	/proc/1623/cmdline	pecga.x86.elf
File opened for reading	/proc/1657/cmdline	pecga.x86.elf
File opened for reading	/proc/81/cmdline	pecga.x86.elf
File opened for reading	/proc/523/cmdline	pecga.x86.elf
File opened for reading	/proc/1245/cmdline	pecga.x86.elf
File opened for reading	/proc/1530/cmdline	pecga.x86.elf
File opened for reading	/proc/75/cmdline	pecga.x86.elf
File opened for reading	/proc/1123/cmdline	pecga.x86.elf
File opened for reading	/proc/772/cmdline	pecga.x86.elf
File opened for reading	/proc/86/cmdline	pecga.x86.elf
File opened for reading	/proc/602/cmdline	pecga.x86.elf
File opened for reading	/proc/1270/cmdline	pecga.x86.elf
File opened for reading	/proc/1593/cmdline	pecga.x86.elf
File opened for reading	/proc/222/cmdline	pecga.x86.elf

/tmp/pecga.x86.elf
/tmp/pecga.x86.elf
1⤵
- Deletes itself
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
- Reads runtime system information
PID:1589

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads