Analysis
max time kernel: 145s
max time network: 153s
platform: ubuntu-24.04_amd64
resource: ubuntu2404-amd64-20240523-en
resource tags: arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
submitted: 22/01/2025, 03:03
Behavioral task: behavioral1
Sample: 918dd047c1af1812bfc671246161b360d59644bbf409855e84161dc1b3544bb3.elf
Resource: ubuntu2404-amd64-20240523-en
General
Target: 918dd047c1af1812bfc671246161b360d59644bbf409855e84161dc1b3544bb3.elf
Size: 91KB
MD5: 7ef6bf4413596613dcb0534e53c8c5df
SHA1: f4974945306c659fbf663fbb7f0d3d2c532373d9
SHA256: 918dd047c1af1812bfc671246161b360d59644bbf409855e84161dc1b3544bb3
SHA512: af3600d62139586c8767d41f1b5899f03c21809ce47553299be79adb8e04fc87bc6295e8c6fd567b6778a4aa474e5dd0d793de91d996180bd8abc5aaf5932ace
SSDEEP: 1536:Pu9xvdDK6oO8+ZjO8o/yZBUORMUD2moBVVHyGCLCfXJM9HoUXEkTQv3P4QwDmt5N:Pu9xvdDK6ot+Zjto/6BlRMU2mUVsdLb2
Malware Config
Signatures
- Contacts a large (23673) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- File and Directory Permissions Modification (1 TTPs, 2 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid   Process
  4067  sh
  4072  chmod
- Changes its process name (1 IoCs)
  description                                                      ioc            pid   Process
  Changes the process name, possibly in an attempt to hide itself  /bin/watchdog  4066  918dd047c1af1812bfc671246161b360d59644bbf409855e84161dc1b3544bb3.elf
- Reads runtime system information (2 IoCs; the signature heading is absent from the extracted report, so the name is taken from the process tree below)
  description              ioc                Process
  File opened for reading  /proc/filesystems  mkdir
  File opened for reading  /proc/filesystems  mv
- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  description                   ioc                Process
  File opened for modification  /tmp/bin/watchdog  sh
Processes (indentation shows the parent/child relationship)
- /tmp/918dd047c1af1812bfc671246161b360d59644bbf409855e84161dc1b3544bb3.elf
  command line: /tmp/918dd047c1af1812bfc671246161b360d59644bbf409855e84161dc1b3544bb3.elf
  signatures: Changes its process name
  PID: 4066
  - /bin/sh
    command line: sh -c "rm -rf bin/watchdog && mkdir bin; >bin/watchdog && mv /tmp/918dd047c1af1812bfc671246161b360d59644bbf409855e84161dc1b3544bb3.elf bin/watchdog; chmod 777 bin/watchdog"
    signatures: File and Directory Permissions Modification; Writes file to tmp directory
    PID: 4067
    - /usr/bin/rm
      command line: rm -rf bin/watchdog
      PID: 4068
    - /usr/bin/mkdir
      command line: mkdir bin
      signatures: Reads runtime system information
      PID: 4070
    - /usr/bin/mv
      command line: mv /tmp/918dd047c1af1812bfc671246161b360d59644bbf409855e84161dc1b3544bb3.elf bin/watchdog
      signatures: Reads runtime system information
      PID: 4071
    - /usr/bin/chmod
      command line: chmod 777 bin/watchdog
      signatures: File and Directory Permissions Modification
      PID: 4072