b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa

Analysis

max time kernel
149s
max time network
151s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240611-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
07/03/2025, 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
Size

66KB
MD5

28a59802532da38031a5a1babbd9f5fd
SHA1

02edeb32f260de518faf9457e7c5f50c93493d48
SHA256

b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa
SHA512

97929aa058f160a573f78566af065519004317cf5608094a7aecafcc5a57940705bae5101d9d8cfa3bb0c3d9e8d042d196ac7583177b311a11d643b9f4ded9f3
SSDEEP

1536:Tfu73WGGE0DUm8lquk502eGdkmM1b0748/yUV:6Z10DU3lqVcCkmMB074HUV

Score

9^/10

credential_access defense_evasion discovery

Malware Config

Signatures

Contacts a large (23993) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for modification	/dev/watchdog	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf

Enumerates running processes
Discovers information about currently running processes on the system

Reads process memory 1 TTPs 58 IoCs

Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

credential_access

Proc Filesystem

T1003.007

description	ioc	Process
File opened for reading	/proc/440/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/453/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/534/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/580/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/585/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/666/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/968/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/456/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/683/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/915/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/441/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/636/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/490/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/498/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/503/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/806/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/992/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/455/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/500/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/904/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/925/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/439/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/664/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/958/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/993/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/481/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/617/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/797/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/443/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/538/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/773/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/897/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/952/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/980/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/570/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/633/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/947/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/496/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/501/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/827/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/901/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/484/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/634/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/591/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/616/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/519/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/679/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/768/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/800/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/872/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/895/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/454/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/582/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/751/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/965/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/660/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/792/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/573/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	a	1403	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf

Reads runtime system information 42 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1090/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1098/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1106/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1131/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1153/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1172/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1207/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1027/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1125/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1240/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1402/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1063/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1071/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1223/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1128/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1040/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1070/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1075/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1022/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1044/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1053/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1074/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1104/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1394/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1411/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1076/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1081/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1092/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1319/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1407/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1036/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1123/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1310/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1401/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1405/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1408/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1005/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1032/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1072/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1073/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1100/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
File opened for reading	/proc/1085/maps	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp//dev/FTWDT101_watchdog	b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf

/tmp/b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
/tmp/b63e65c3c64ffc05d83407c492a572d9ace298c60a482ae32b1414d89b5864fa.elf
1⤵
- Modifies Watchdog functionality
- Reads process memory
- Changes its process name
- Reads runtime system information
- Writes file to tmp directory
PID:1403

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

OS Credential Dumping

T1003

Proc Filesystem

T1003.007

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads