Analysis
max time kernel: 149s
max time network: 150s
platform: ubuntu-20.04_amd64
resource: ubuntu2004-amd64-20240611-en
resource tags: arch:amd64 arch:i386 image:ubuntu2004-amd64-20240611-en kernel:5.4.0-169-generic locale:en-us os:ubuntu-20.04-amd64 system
submitted: 28/03/2025, 00:26
Behavioral tasks
- behavioral1: sample g4za.x86, resource ubuntu1804-amd64-20240611-en
- behavioral2: sample g4za.x86, resource ubuntu2004-amd64-20240611-en
- behavioral3: sample g4za.x86, resource ubuntu2204-amd64-20250307-en
General
Target: g4za.x86
Size: 73KB
MD5: 6e6e1cb80bda1d51af6f8d328ce42660
SHA1: bf3dfdded3080eed20c455899c52c2f042d7b63b
SHA256: 1c7ec27edb1e1b5bce7ce676777a0dd9e0bf709db0acaf7053b12b38ec03fb6c
SHA512: f694618767a0b01cf0fe84474b1ba8a0cb3074857b05fcab2095bf283d1899b9d3f3b3b4403d53b464361e6398bf35da82694e606d358934a3608b0598d086e8
SSDEEP: 1536:GD8VBnK13Rg74kwVJStv0qkxAOHItu9ApGZp8GXPTbVhid/Sb:G0BKRRg74kWS90q9k4uGsj8G7ZUdc
Malware Config
Signatures
- Contacts a large (125531) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  IoCs: File opened for modification /dev/watchdog; File opened for modification /dev/misc/watchdog
- Enumerates active TCP sockets (1 TTPs, 1 IoCs)
  Gets active TCP sockets from the /proc virtual filesystem.
  IoC: File opened for reading /proc/net/tcp
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Reads process memory (1 TTPs, 58 IoCs)
  Reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
- Changes its process name (1 IoCs)
  IoC: pid 1403 changes the process name, possibly in an attempt to hide itself
- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of the /proc filesystem to enumerate network settings.
  IoC: File opened for reading /proc/net/tcp