Analysis
max time kernel: 149s
max time network: 150s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 02-02-2025 05:16
Behavioral task: behavioral1
Sample: ef2c1fb3021bd5fdd2a2a666dfea2129b6c40e7028a950899177c69eadf2c226.elf
Resource: ubuntu2204-amd64-20240611-en
General
Target: ef2c1fb3021bd5fdd2a2a666dfea2129b6c40e7028a950899177c69eadf2c226.elf
Size: 33KB
MD5: e51e5ad5ab2f56f44eeee5c3e6383107
SHA1: 3190ef741256308fa4f53a4f05c699207515a641
SHA256: ef2c1fb3021bd5fdd2a2a666dfea2129b6c40e7028a950899177c69eadf2c226
SHA512: a5c2ced3712937db0d7ac0779ca33017ac7f5e9fcd5f6f23c9f4ad7042409a95c7a6b32c51ea47b668d305428f66eed3717b7639e800ef074e2bcb999906b785
SSDEEP: 768:Tjha+4zu8iCkF3zA1NwZMj+nWZZAxPUmLii:TjhaBaXMHg0+nWZZiMmLii
Malware Config
Signatures
- Contacts a large (6613) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Deletes itself (1 IoC)
  pid: 1570
- Modifies Watchdog functionality (1 TTP, 2 IoCs)
  Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.
  IoC: File opened for modification /dev/watchdog
  IoC: File opened for modification /dev/misc/watchdog
- Renames itself (1 IoC)
  pid: 1570
- Unexpected DNS network traffic destination (1 IoC)
  Network traffic on the DNS port to servers other than the configured DNS servers was detected.
  IoC: Destination IP 185.181.61.24
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Enumerates active TCP sockets (1 TTP, 1 IoC)
  Gets active TCP sockets from the /proc virtual filesystem.
  IoC: File opened for reading /proc/net/tcp
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Changes its process name (1 IoC)
  Changes the process name, possibly in an attempt to hide itself.
  pid: 1570
- Reads system network configuration (1 TTP, 1 IoC)
  Uses contents of the /proc filesystem to enumerate network settings.
  IoC: File opened for reading /proc/net/tcp