Analysis

max time kernel: 149s
max time network: 146s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20250410-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20250410-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 15/04/2025, 01:19

Behavioral task: behavioral1
Sample: d65b61ef73105ac900d6d52bb1f853bbd72a661e09d77c7bcc215164393720da.elf
Resource: ubuntu2204-amd64-20250410-en

General

Target: d65b61ef73105ac900d6d52bb1f853bbd72a661e09d77c7bcc215164393720da.elf
Size: 45KB
MD5: 494ffb3555bcd10769c8f1a4c29421f2
SHA1: 8d5d48be1cfc76778c252f639821aa9dd205f2a4
SHA256: d65b61ef73105ac900d6d52bb1f853bbd72a661e09d77c7bcc215164393720da
SHA512: 8006a196dc9e0a0b1619ef77d2edf8ba725503cb4a8c79e45b3b3a2cc6a409735508f3572ef6ef94f87395a4f134002c74f670e77189a798696123a5507b3897
SSDEEP: 768:JJRodX+EV2G0jX1lAUNW410Qg+TKIgMKdcB2aHvYN2pQfJWa6UbN:JJRodX+EV2G0jX1lb041nR8nSPq8WJWC

Malware Config

Signatures

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
File opened for modification: /dev/watchdog
File opened for modification: /dev/misc/watchdog

Renames itself (1 IoCs)
pid: 1579

Unexpected DNS network traffic destination (1 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Destination IP: 147.135.40.4

Enumerates running processes
Discovers information about currently running processes on the system
File opened for reading: /proc/1579/comm
File opened for reading: /proc/18/comm
File opened for reading: /proc/205/comm
File opened for reading: /proc/102/comm
File opened for reading: /proc/606/comm
File opened for reading: /proc/741/comm
File opened for reading: /proc/768/comm
File opened for reading: /proc/926/comm
File opened for reading: /proc/1322/comm
File opened for reading: /proc/12/comm
File opened for reading: /proc/98/comm
File opened for reading: /proc/195/comm
File opened for reading: /proc/201/comm
File opened for reading: /proc/207/comm
File opened for reading: /proc/1100/comm
File opened for reading: /proc/1515/comm
File opened for reading: /proc/4/comm
File opened for reading: /proc/114/comm
File opened for reading: /proc/413/comm
File opened for reading: /proc/773/comm
File opened for reading: /proc/951/comm
File opened for reading: /proc/1017/comm
File opened for reading: /proc/1103/comm
File opened for reading: /proc/1128/comm
File opened for reading: /proc/91/comm
File opened for reading: /proc/452/comm
File opened for reading: /proc/1099/comm
File opened for reading: /proc/1114/comm
File opened for reading: /proc/1464/comm
File opened for reading: /proc/1568/comm
File opened for reading: /proc/3/comm
File opened for reading: /proc/77/comm
File opened for reading: /proc/209/comm
File opened for reading: /proc/426/comm
File opened for reading: /proc/666/comm
File opened for reading: /proc/1096/comm
File opened for reading: /proc/1314/comm
File opened for reading: /proc/79/comm
File opened for reading: /proc/90/comm
File opened for reading: /proc/199/comm
File opened for reading: /proc/721/comm
File opened for reading: /proc/789/comm
File opened for reading: /proc/976/comm
File opened for reading: /proc/1215/comm
File opened for reading: /proc/10/comm
File opened for reading: /proc/78/comm
File opened for reading: /proc/82/comm
File opened for reading: /proc/92/comm
File opened for reading: /proc/97/comm
File opened for reading: /proc/203/comm
File opened for reading: /proc/411/comm
File opened for reading: /proc/895/comm
File opened for reading: /proc/20/comm
File opened for reading: /proc/215/comm
File opened for reading: /proc/682/comm
File opened for reading: /proc/918/comm
File opened for reading: /proc/925/comm
File opened for reading: /proc/991/comm
File opened for reading: /proc/1317/comm
File opened for reading: /proc/585/comm
File opened for reading: /proc/774/comm
File opened for reading: /proc/1097/comm
File opened for reading: /proc/1539/comm
File opened for reading: /proc/6/comm

Changes its process name (1 IoCs)
Changes the process name, possibly in an attempt to hide itself: systemd-resolve (pid 1579)