c9e2cf5f4e9f34ec1bb8a14d4aa57d2336cc72b7c0efa86de9bc417a6050ecae

Analysis

max time kernel
125s
max time network
150s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240729-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
02-02-2025 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9e2cf5f4e9f34ec1bb8a14d4aa57d2336cc72b7c0efa86de9bc417a6050ecae.elf
Size

48KB
MD5

0b58310f356d2589747136f3ef14e653
SHA1

084ae0f0a86a8fdfbb5af25b7efd119204c57a4c
SHA256

c9e2cf5f4e9f34ec1bb8a14d4aa57d2336cc72b7c0efa86de9bc417a6050ecae
SHA512

d98679bdb359dbeb56cdb32c56d42b14f1f7bf9361b8fe5663d66c54470c9632fcfdc4567a829c40597ce41e7d82222650be0df7dcb585c8740385ac39adc38b
SSDEEP

1536:aH3oG7jBo2VZXuP58wCw0JRoxabmbe1sz4xab:aH40jBo2ru58FtJtbmbeyzW8

Score

9^/10

defense_evasion discovery

Malware Config

Signatures

Contacts a large (44385) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Deletes itself 1 IoCs

pid
1564

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

Renames itself 1 IoCs

pid
1564

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.36.144.87
Destination IP	194.36.144.87
Destination IP	194.36.144.87
Destination IP	194.36.144.87

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc
File opened for reading	/proc/net/tcp

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

description	pid
Changes the process name, possibly in an attempt to hide itself	1564

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc
File opened for reading	/proc/net/tcp

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc
File opened for reading	/proc/1233/status
File opened for reading	/proc/1437/status
File opened for reading	/proc/641/status
File opened for reading	/proc/746/status
File opened for reading	/proc/957/status
File opened for reading	/proc/1102/status
File opened for reading	/proc/1163/status
File opened for reading	/proc/1232/status
File opened for reading	/proc/1505/status
File opened for reading	/proc/426/status
File opened for reading	/proc/594/status
File opened for reading	/proc/634/status
File opened for reading	/proc/738/status
File opened for reading	/proc/1157/status
File opened for reading	/proc/1182/status
File opened for reading	/proc/1107/status
File opened for reading	/proc/1167/status
File opened for reading	/proc/589/status
File opened for reading	/proc/613/status
File opened for reading	/proc/754/status
File opened for reading	/proc/1050/status
File opened for reading	/proc/1087/status
File opened for reading	/proc/1092/status
File opened for reading	/proc/1180/status
File opened for reading	/proc/1450/status
File opened for reading	/proc/1013/status
File opened for reading	/proc/1081/status
File opened for reading	/proc/1132/status
File opened for reading	/proc/1161/status
File opened for reading	/proc/1314/status
File opened for reading	/proc/1376/status
File opened for reading	/proc/588/status
File opened for reading	/proc/990/status
File opened for reading	/proc/1268/status
File opened for reading	/proc/1305/status
File opened for reading	/proc/1342/status
File opened for reading	/proc/640/status
File opened for reading	/proc/1173/status
File opened for reading	/proc/1221/status
File opened for reading	/proc/1419/status
File opened for reading	/proc/1351/status
File opened for reading	/proc/636/status
File opened for reading	/proc/681/status
File opened for reading	/proc/1054/status
File opened for reading	/proc/1105/status
File opened for reading	/proc/1175/status
File opened for reading	/proc/1196/status
File opened for reading	/proc/1162/status
File opened for reading	/proc/1170/status
File opened for reading	/proc/416/status
File opened for reading	/proc/614/status
File opened for reading	/proc/723/status
File opened for reading	/proc/771/status
File opened for reading	/proc/1062/status
File opened for reading	/proc/1141/status
File opened for reading	/proc/1183/status
File opened for reading	/proc/1291/status
File opened for reading	/proc/747/status
File opened for reading	/proc/776/status
File opened for reading	/proc/868/status
File opened for reading	/proc/1044/status
File opened for reading	/proc/1164/status
File opened for reading	/proc/1237/status
File opened for reading	/proc/1388/status

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads