Analysis
  max time kernel: 145s
  max time network: 147s
  platform: ubuntu-24.04_amd64
  resource: ubuntu2404-amd64-20240523-en
  resource tags: arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
  submitted: 22/02/2025, 17:12
Behavioral task
  behavioral1
  Sample: hoodlum.i586.elf
  Resource: ubuntu2404-amd64-20240523-en
General
  Target: hoodlum.i586.elf
  Size: 107KB
  MD5: b8860e33ab9767d7cc38e10dda5ffcad
  SHA1: 2d3c691ccadaa36f4ac4383b9131707d03dfdc84
  SHA256: bef49b6194de69c6a390caead8ec74e6c0641b911699b3ffb9c9856509883c8e
  SHA512: b60f4adea683146001f8660503d54f2c9c46df1beab840c1b080505c73d3e847590279575b3b8ac4ae1de089bfb440a5dffc15d27fdac9ee75052c647c1060af
  SSDEEP: 3072:E/opUnUp90MjphxhZsd18tl3xzELtpD5hqYkWmu80CjKaIU:L0690MjphxDsdklhzELD5hqY9mu80C+E
Malware Config
Signatures
Deletes Audit logs
  description   ioc                       Process
  File deleted  /var/log/audit/audit.log  rm

Deletes journal logs 1 TTPs 5 IoCs
Deletes systemd journal logs. Likely to evade detection.
  description   ioc  Process
  File deleted  /var/log/journal/36e6eb39a6fa405996e79cad2731865d/system@2f9a113f963c42d99d92af4f1c84541d-0000000000001a1e-0006191bdf2a8009.journal  rm
  File deleted  /var/log/journal/36e6eb39a6fa405996e79cad2731865d/system.journal  rm
  File deleted  /var/log/journal/36e6eb39a6fa405996e79cad2731865d  rm
  File deleted  /var/log/journal/36e6eb39a6fa405996e79cad2731865d/system@1a2ef1001a404ed681597fc40661e509-0000000000000276-0006191adabf1a42.journal  rm
  File deleted  /var/log/journal/36e6eb39a6fa405996e79cad2731865d/system@ec992dfb740d4b3386bf48d8260248fb-00000000000010a0-0006191bc4669764.journal  rm
Flushes firewall rules 1 TTPs 6 IoCs
Flushes or disables firewall rules inside the Linux kernel.
  pid   Process
  2509  systemctl
  2509  systemctl
  2506  iptables
  2507  iptables
  2509  systemctl
  2509  systemctl
The two iptables hits are `iptables -F` (PID 2506) and `iptables -X` (PID 2507); the four systemctl hits all carry PID 2509, the `service firewalld stop` wrapper executing `systemctl stop firewalld.service`.
Loads a kernel module 39 IoCs
Loads a Linux kernel module, potentially to achieve persistence.
  pid   Process            hits
  2469  hoodlum.i586.elf   26
  2471  hoodlum.i586.elf   1
  2485  hoodlum.i586.elf   1
  2487  hoodlum.i586.elf   1
  2489  hoodlum.i586.elf   1
  2491  hoodlum.i586.elf   1
  2492  hoodlum.i586.elf   1
  2494  hoodlum.i586.elf   1
  2496  hoodlum.i586.elf   1
  2498  hoodlum.i586.elf   1
  2505  hoodlum.i586.elf   1
  2508  hoodlum.i586.elf   1
  2515  hoodlum.i586.elf   1
  2517  hoodlum.i586.elf   1
The report records PIDs only; no module path or module name appears anywhere on this page, so which module (if any) was loaded is not established here. Note also that PID 2469 is not the PID the process tree below shows for the sample (2467).
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs
Abuse sudo or cached sudo credentials to execute code.
  pid   Process
  2472  rm
The only IoC is the first rm in the process tree (PID 2472), whose argument list includes /var/run/sudo, the directory holding sudo's cached-credential timestamps; removing it is the most plausible trigger for this signature. Nothing on this page shows sudo being invoked.
Deletes log files
  description   ioc  Process
  File deleted  /var/log/alternatives.log  rm
  File deleted  /var/log/installer/subiquity-client-info.log  rm
  File deleted  /var/log/installer/curtin-install  rm
  File deleted  /var/log/dpkg.log  rm
  File deleted  /var/log/cloud-init.log  rm
  File deleted  /var/log/gpu-manager.log  rm
  File deleted  /var/log/wtmp  rm
  File deleted  /var/log/installer/device-map.json  rm
  File deleted  /var/log/installer/curtin-install/subiquity-curtin-apt.conf  rm
  File deleted  /var/log/speech-dispatcher  rm
  File deleted  /var/log/sssd  rm
  File deleted  /var/log/installer/cloud-init.log  rm
  File deleted  /var/log/openvpn  rm
  File deleted  /var/log/btmp  rm
  File deleted  /var/log/apport.log  rm
  File deleted  /var/log/bootstrap.log  rm
  File deleted  /var/log/installer/subiquity-client-debug.log  rm
  File deleted  /var/log/installer/installer-journal.txt  rm
  File deleted  /var/log/Xorg.0.log.old  rm
  File deleted  /var/log/installer/subiquity-server-info.log.1668  rm
  File deleted  /var/log/installer/curtin-install/subiquity-extract.conf  rm
  File deleted  /var/log/README  rm
  File deleted  /var/log/installer/casper-md5check.json  rm
  File deleted  /var/log/installer/subiquity-server-info.log  rm
  File deleted  /var/log/unattended-upgrades/unattended-upgrades-shutdown.log  rm
  File deleted  /var/log/unattended-upgrades  rm
  File deleted  /var/log/wtmp  rm
  File deleted  /var/log/cups/error_log  rm
  File deleted  /var/log/installer/block/discover.log  rm
  File deleted  /var/log/installer/curtin-install/subiquity-initial.conf  rm
  File deleted  /var/log/installer/subiquity-server-debug.log.1668  rm
  File deleted  /var/log/unattended-upgrades/unattended-upgrades.log  rm
  File deleted  /var/log/apt/history.log  rm
  File deleted  /var/log/cloud-init-output.log  rm
  File deleted  /var/log/Xorg.0.log  rm
  File deleted  /var/log/installer/subiquity-client-info.log.1654  rm
  File deleted  /var/log/installer/subiquity-server-debug.log  rm
  File deleted  /var/log/installer/curtin-install/subiquity-partitioning.conf  rm
  File deleted  /var/log/dist-upgrade  rm
  File deleted  /var/log/private  rm
  File deleted  /var/log/installer/subiquity-client-debug.log.1654  rm
  File deleted  /var/log/installer/subiquity-client-debug.log.1514  rm
  File deleted  /var/log/installer/curtin-install.log  rm
  File deleted  /var/log/installer  rm
  File deleted  /var/log/cups/access_log  rm
  File deleted  /var/log/installer/subiquity-client-info.log.1514  rm
  File deleted  /var/log/installer/cloud-init-output.log  rm
  File deleted  /var/log/installer/autoinstall-user-data  rm
  File deleted  /var/log/apt/term.log  rm
  File deleted  /var/log/cups-browsed  rm
  File deleted  /var/log/fontconfig.log  rm
  File deleted  /var/log/faillog  rm
  File deleted  /var/log/installer/curtin-install/subiquity-curthooks.conf  rm
  File deleted  /var/log/apt/eipp.log.xz  rm
  File deleted  /var/log/apt  rm
  File deleted  /var/log/journal  rm
  File deleted  /var/log/audit  rm
  File deleted  /var/log/installer/media-info  rm
  File deleted  /var/log/gdm3  rm
  File deleted  /var/log/hp  rm
  File deleted  /var/log/installer/block/probe-data.json  rm
  File deleted  /var/log/lastlog  rm
  File deleted  /var/log/hp/tmp  rm
  File deleted  /var/log/cups  rm
/var/log/wtmp appears twice because two separate rm invocations reach it: the first removes /var/log wholesale, the second targets /var/log/wtmp explicitly (see the process tree). The entries are the contents of /var/log being removed recursively, not a curated list of log files.
Enumerates running processes
Discovers information about currently running processes on the system.
Reads CPU attributes 1 TTPs 3 IoCs
  description              ioc                               Process
  File opened for reading  /sys/devices/system/cpu/possible  pkill
  File opened for reading  /sys/devices/system/cpu/possible  pkill
  File opened for reading  /sys/devices/system/cpu/possible  pkill

Enumerates kernel/hardware configuration 1 TTPs 3 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
  description              ioc                        Process
  File opened for reading  /sys/devices/system/node  pkill
  File opened for reading  /sys/devices/system/node  pkill
  File opened for reading  /sys/devices/system/node  pkill

Reads runtime system information (64 IoCs listed)
All entries are files opened for reading by pkill; they are grouped here by the /proc file read, with the target PID numbers:
  /proc/<pid>/status   2263, 6, 1975, 258, 2284, 10, 358, 201, 759, 14, 2132, 39
  /proc/<pid>/cgroup   193, 199, 48, 824, 2215, 196, 1062, 27, 136, 197, 1975
  /proc/<pid>/cmdline  2177, 9, 818, 1578, 1988, 2171, 1960, 191, 2465, 759, 1672, 2405, 780, 32, 51, 22
  /proc/<pid>/stat     3, 191, 1954, 65, 442, 181, 1068, 2074, 23, 1757, 189, 40, 194
  /proc/<pid>/ctty     769, 27, 196, 2288, 44, 1677, 40, 1059, 23, 7, 1791, 824
These three signatures are attributed to pkill, not to the sample: the /sys reads are pkill sizing the CPU/NUMA layout, and the /proc walk is how pkill matches process names before sending signals. The behaviour that matters is the sample running `pkill -9` against busybox, perl and python (see the process tree).
System Network Configuration Discovery 1 TTPs 1 IoCs
Adversaries may gather information about the network configuration of a system.
  pid   Process
  2499  service
The single IoC is the `service iptables stop` wrapper (PID 2499). In context this is firewall tampering rather than network discovery; the signature name is a loose match.
Processes

/tmp/hoodlum.i586.elf  PID 2467  (level 1)
  cmdline: /tmp/hoodlum.i586.elf
  - Loads a kernel module

  /usr/bin/rm  PID 2472  (level 2)
    cmdline: rm -rf /tmp/gdm3-config-err-CXsH5k /tmp/gdm3-config-err-rITj3R /tmp/snap-private-tmp /tmp/systemd-private-6a9240c088b84719a5d3980390340998-ModemManager.service-e0LCxN /tmp/systemd-private-6a9240c088b84719a5d3980390340998-colord.service-3AZrc8 /tmp/systemd-private-6a9240c088b84719a5d3980390340998-polkit.service-xhM5DJ /tmp/systemd-private-6a9240c088b84719a5d3980390340998-power-profiles-daemon.service-CSj4Ft /tmp/systemd-private-6a9240c088b84719a5d3980390340998-switcheroo-control.service-t9aJeD /tmp/systemd-private-6a9240c088b84719a5d3980390340998-systemd-logind.service-ZIHKX9 /tmp/systemd-private-6a9240c088b84719a5d3980390340998-systemd-oomd.service-sVt3MQ /tmp/systemd-private-6a9240c088b84719a5d3980390340998-systemd-resolved.service-8LdBEO /tmp/systemd-private-6a9240c088b84719a5d3980390340998-systemd-timedated.service-AuBIdY /tmp/systemd-private-6a9240c088b84719a5d3980390340998-upower.service-t1T5ZR /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/agetty.reload /var/run/apport.lock /var/run/atd.pid /var/run/auditd.pid /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/credentials /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/fsck /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/lock /var/run/log /var/run/lvm /var/run/lxd-installer.socket /var/run/mount /var/run/multipath /var/run/multipathd.pid /var/run/openvpn /var/run/openvpn-client /var/run/openvpn-server /var/run/sendsigs.omit.d /var/run/setrans /var/run/shm /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/user /var/run/utmp /var/run/wpa_supplicant /var/tmp/systemd-private-6a9240c088b84719a5d3980390340998-ModemManager.service-hKfVPS /var/tmp/systemd-private-6a9240c088b84719a5d3980390340998-colord.service-LCuiBT /var/tmp/systemd-private-6a9240c088b84719a5d3980390340998-polkit.service-yZcrW0 /var/tmp/systemd-private-6a9240c088b84719a5d3980390340998-power-profiles-daemon.service-Sj3sZW /var/tmp/systemd-private-6a9240c088b84719a5d3980390340998-switcheroo-control.service-Ihp91V /var/tmp/systemd-private-6a9240c088b84719a5d3980390340998-systemd-logind.service-qmyExX /var/tmp/systemd-private-6a9240c088b84719a5d3980390340998-systemd-oomd.service-ug5qb4 /var/tmp/systemd-private-6a9240c088b84719a5d3980390340998-systemd-resolved.service-8UEZrE /var/tmp/systemd-private-6a9240c088b84719a5d3980390340998-systemd-timedated.service-kK5zMm /var/tmp/systemd-private-6a9240c088b84719a5d3980390340998-upower.service-CwbJcJ
    - Deletes Audit logs
    - Deletes journal logs
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Deletes log files

  /usr/bin/rm  PID 2486  (level 2)
    cmdline: rm -rf /var/log/wtmp
    - Deletes log files

  /usr/bin/rm  PID 2488  (level 2)
    cmdline: rm -rf "/tmp/*"

  /usr/bin/rm  PID 2490  (level 2)
    cmdline: rm -rf /bin/netstat

  /usr/bin/pkill  PID 2493  (level 2)
    cmdline: pkill -9 busybox
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information

  /usr/bin/pkill  PID 2495  (level 2)
    cmdline: pkill -9 perl
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information

  /usr/bin/pkill  PID 2497  (level 2)
    cmdline: pkill -9 python
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information

  /usr/sbin/service  PID 2499  (level 2)
    cmdline: service iptables stop
    - System Network Configuration Discovery

    /usr/bin/basename  PID 2500  (level 3)
      cmdline: basename /usr/sbin/service
    /usr/bin/basename  PID 2501  (level 3)
      cmdline: basename /usr/sbin/service
    /usr/bin/systemctl  PID 2503  (level 3)
      cmdline: systemctl list-unit-files --full --type=socket
    /usr/bin/sed  PID 2504  (level 3)
      cmdline: sed -ne 's/\.socket\s*[a-z]*\s*$/.socket/p'

  /usr/local/sbin/systemctl  PID 2499  (level 2)
    cmdline: systemctl stop iptables.service
  /usr/local/bin/systemctl  PID 2499  (level 2)
    cmdline: systemctl stop iptables.service
  /usr/sbin/systemctl  PID 2499  (level 2)
    cmdline: systemctl stop iptables.service
  /usr/bin/systemctl  PID 2499  (level 2)
    cmdline: systemctl stop iptables.service

  /sbin/iptables  PID 2506  (level 2)
    cmdline: /sbin/iptables -F
    - Flushes firewall rules

  /sbin/iptables  PID 2507  (level 2)
    cmdline: /sbin/iptables -X
    - Flushes firewall rules

  /usr/sbin/service  PID 2509  (level 2)
    cmdline: service firewalld stop

    /usr/bin/basename  PID 2510  (level 3)
      cmdline: basename /usr/sbin/service
    /usr/bin/basename  PID 2511  (level 3)
      cmdline: basename /usr/sbin/service
    /usr/bin/systemctl  PID 2513  (level 3)
      cmdline: systemctl list-unit-files --full --type=socket
    /usr/bin/sed  PID 2514  (level 3)
      cmdline: sed -ne 's/\.socket\s*[a-z]*\s*$/.socket/p'

  /usr/local/sbin/systemctl  PID 2509  (level 2)
    cmdline: systemctl stop firewalld.service
    - Flushes firewall rules
  /usr/local/bin/systemctl  PID 2509  (level 2)
    cmdline: systemctl stop firewalld.service
    - Flushes firewall rules
  /usr/sbin/systemctl  PID 2509  (level 2)
    cmdline: systemctl stop firewalld.service
    - Flushes firewall rules
  /usr/bin/systemctl  PID 2509  (level 2)
    cmdline: systemctl stop firewalld.service
    - Flushes firewall rules

  /usr/bin/rm  PID 2516  (level 2)
    cmdline: rm -rf "~/.bash_history"

Reading the tree:
  - The first rm (PID 2472) removes /var/log, /var/lib, /var/cache, /var/run, /var/tmp and the rest of /var outright; its argument list reads as a shell expansion of /tmp/*, /var/*, /var/run/* and /var/tmp/*. That is wiper-style destruction of the host, not a targeted log clean-up, and the per-file "Deletes log files" IoCs are simply the contents of /var/log going with it.
  - The four systemctl entries that share PID 2499 (and likewise 2509) with different directory prefixes are one process: the service wrapper replacing itself with systemctl, recorded at each PATH location it tried. The basename, `systemctl list-unit-files` and sed children under each service call are the wrapper's own internals, not behaviour written by the sample's author.
  - `rm -rf "/tmp/*"` (PID 2488) and `rm -rf "~/.bash_history"` (PID 2516) received their argument literally, as the quoting shows; rm expands neither globs nor `~`, so neither command deletes what was intended. They still document intent (the bash_history removal is the only history-clearing step in the tree) and are worth keeping as IoCs.
  - `pkill -9 busybox`, `pkill -9 perl` and `pkill -9 python` kill rival interpreters and bots on the host; the /sys and /proc reads flagged beneath them are pkill's own process matching. `rm -rf /bin/netstat` removes a tool a defender would use to inspect the sample's connections.
  - The firewall sequence is `service iptables stop`, `iptables -F`, `iptables -X`, then `service firewalld stop`: flush all rules, delete user chains, and stop whichever firewall service the host happens to run.
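The signatures and process tree above describe a chain of defence-evasion actions: log and history wiping, sudo timestamp removal, firewall flushing, and killing rival interpreters. The following is an added example (not code from the sandbox, the report, or the sample) showing how to flag that chain from process-execution telemetry such as auditd EXECVE records or an eBPF exec tracer, modelled as (pid, ppid, argv) triples. The sample events are constructed from the tree above: PIDs are the ones printed in the report, parent PIDs are assumed from tree depth, and a second benign tree (PIDs 3100 to 3102) is made up as a negative control. The rule-to-ATT&CK mapping and all rule names are this example's own choices.

```python
import os

# Rule name -> ATT&CK technique ID; the mapping is this example's choice.
TECHNIQUES = {
    "log_wipe": "T1070.002",          # Indicator Removal: Clear Linux or Mac System Logs
    "history_wipe": "T1070.003",      # Indicator Removal: Clear Command History
    "sudo_ts_wipe": "T1548.003",      # Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    "firewall_disable": "T1562.004",  # Impair Defenses: Disable or Modify System Firewall
    "competitor_kill": None,          # rival bot/interpreter cleanup; no single technique ID
    "unexpanded_glob": None,          # literal '*' or '~' reached rm: intent without effect
}
INTENT_ONLY = {"unexpanded_glob"}
FIREWALL_UNITS = {"iptables", "ip6tables", "firewalld", "nftables", "ufw"}
RIVAL_INTERPRETERS = {"busybox", "perl", "python", "python3", "php"}
SUDO_TS_DIRS = {"/var/run/sudo", "/run/sudo"}


def _unit(name):
    """Strip a trailing '.service' so 'firewalld.service' matches 'firewalld'."""
    return name[:-len(".service")] if name.endswith(".service") else name


def classify(argv):
    """Return the set of rule names matched by one execve argv list."""
    if not argv:
        return set()
    exe = os.path.basename(argv[0])
    args = argv[1:]
    operands = [a for a in args if not a.startswith("-")]
    hits = set()
    if exe == "rm":
        if any(p == "/var/log" or p.startswith("/var/log/") for p in operands):
            hits.add("log_wipe")
        if any(os.path.basename(p) == ".bash_history" for p in operands):
            hits.add("history_wipe")
        if any(p.rstrip("/") in SUDO_TS_DIRS for p in operands):
            hits.add("sudo_ts_wipe")
        # rm expands neither globs nor '~'; a literal one here means no shell did either.
        if any("*" in p or p.startswith("~") for p in operands):
            hits.add("unexpanded_glob")
    elif exe in ("iptables", "ip6tables"):
        if any(a in ("-F", "--flush", "-X", "--delete-chain") for a in args):
            hits.add("firewall_disable")
    elif exe == "systemctl":
        if (len(args) >= 2 and args[0] in ("stop", "disable", "mask")
                and any(_unit(u) in FIREWALL_UNITS for u in args[1:])):
            hits.add("firewall_disable")
    elif exe == "service":
        if len(args) >= 2 and args[0] in FIREWALL_UNITS and args[1] == "stop":
            hits.add("firewall_disable")
    elif exe in ("pkill", "killall"):
        if any(p in RIVAL_INTERPRETERS for p in operands):
            hits.add("competitor_kill")
    return hits


def analyze(events):
    """Group hits per process tree and flag trees with >= 2 distinct effect rules.

    events: iterable of (pid, ppid, argv). A tree is keyed by the top-most
    ancestor that itself appears in the events.
    """
    events = list(events)
    parent = {pid: ppid for pid, ppid, _ in events}

    def root_of(pid):
        seen = set()
        while parent.get(pid) in parent and pid not in seen:
            seen.add(pid)
            pid = parent[pid]
        return pid

    trees = {}
    for pid, _, argv in events:
        t = trees.setdefault(root_of(pid), {"rules": set(), "evidence": []})
        for rule in classify(argv):
            t["rules"].add(rule)
            t["evidence"].append((pid, rule, " ".join(argv)))
    for t in trees.values():
        effect = t["rules"] - INTENT_ONLY
        t["verdict"] = len(effect) >= 2
        t["techniques"] = sorted({TECHNIQUES[r] for r in effect if TECHNIQUES[r]})
        t["rules"] = sorted(t["rules"])
    return trees


# Constructed sample: the report's tree (PIDs as printed, ppids assumed) plus a
# made-up benign tree rooted at 3100 as a negative control.
SAMPLE_EVENTS = [
    (2467, 1, ["/tmp/hoodlum.i586.elf"]),
    (2472, 2467, ["rm", "-rf", "/tmp/snap-private-tmp", "/var/log", "/var/lib", "/var/run/sudo"]),
    (2486, 2467, ["rm", "-rf", "/var/log/wtmp"]),
    (2488, 2467, ["rm", "-rf", "/tmp/*"]),
    (2490, 2467, ["rm", "-rf", "/bin/netstat"]),
    (2493, 2467, ["pkill", "-9", "busybox"]),
    (2495, 2467, ["pkill", "-9", "perl"]),
    (2497, 2467, ["pkill", "-9", "python"]),
    (2499, 2467, ["service", "iptables", "stop"]),
    (2499, 2467, ["/usr/bin/systemctl", "stop", "iptables.service"]),
    (2506, 2467, ["/sbin/iptables", "-F"]),
    (2507, 2467, ["/sbin/iptables", "-X"]),
    (2509, 2467, ["service", "firewalld", "stop"]),
    (2516, 2467, ["rm", "-rf", "~/.bash_history"]),
    (3100, 1, ["bash"]),
    (3101, 3100, ["rm", "-f", "/tmp/build.lock"]),
    (3102, 3100, ["iptables", "-L", "-n"]),
]

if __name__ == "__main__":
    for root, t in analyze(SAMPLE_EVENTS).items():
        print(root, "FLAGGED" if t["verdict"] else "clean", t["rules"], t["techniques"])
        for pid, rule, cmd in t["evidence"]:
            print("   ", pid, rule, cmd)
```

Correlating by process tree rather than alerting on each command keeps a lone `iptables -F` from an administrator below the threshold while the sample's tree, which fires five different effect rules, is flagged. The `unexpanded_glob` rule is deliberately excluded from the verdict: it records intent (the quoted `/tmp/*` and `~/.bash_history` arguments seen above) without any file actually being removed.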