3f509a48bfb5cf1a5da35c861c70b5777e61a5dbf250331e5e731a912a148672

Analysis

max time kernel
149s
max time network
146s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
03-07-2024 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

133562f29886fc8c85ce7083d4ff53fb.elf
Size

57KB
MD5

133562f29886fc8c85ce7083d4ff53fb
SHA1

56a063ff06fbfdc55444ab9cd47b5e54a8ba50fd
SHA256

3f509a48bfb5cf1a5da35c861c70b5777e61a5dbf250331e5e731a912a148672
SHA512

1c5965dc03cd2ae2403aa1079d006ebdaa9e7a9daa548d5df6588a5c5c75a6e4c75c62065927bc51f5860ad394733c89d73b04017c7bc482ae35ee68f3ef9212
SSDEEP

768:kbvzoZ2MvVVIXXz86kV+VT84keDpgfpZ/Lsx5JCvB53+LQOpZM5qikqs:SvzoTVIXDDkV+97pEZ/LOJUBJVe2qids

Score

7^/10

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

133562f29886fc8c85ce7083d4ff53fb.elf

description ioc process

File opened for modification /dev/watchdog 133562f29886fc8c85ce7083d4ff53fb.elf
File opened for modification /dev/misc/watchdog 133562f29886fc8c85ce7083d4ff53fb.elf
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 195.10.195.195
Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

133562f29886fc8c85ce7083d4ff53fb.elf

description ioc process

File opened for modification /sbin/watchdog 133562f29886fc8c85ce7083d4ff53fb.elf
Changes its process name 1 IoCs

Processes:

133562f29886fc8c85ce7083d4ff53fb.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself [kswapd0] 1564 133562f29886fc8c85ce7083d4ff53fb.elf

description	ioc	process
File opened for modification	/dev/watchdog	133562f29886fc8c85ce7083d4ff53fb.elf
File opened for modification	/dev/misc/watchdog	133562f29886fc8c85ce7083d4ff53fb.elf

description	ioc
Destination IP	195.10.195.195

description	ioc	process
File opened for modification	/sbin/watchdog	133562f29886fc8c85ce7083d4ff53fb.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	[kswapd0]	1564	133562f29886fc8c85ce7083d4ff53fb.elf

Enumerates kernel/hardware configuration 1 TTPs 3 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

133562f29886fc8c85ce7083d4ff53fb.elf

description	ioc	process
File opened for reading	/sys/devices/virtual/misc/watchdog	133562f29886fc8c85ce7083d4ff53fb.elf
File opened for reading	/sys/class/misc/watchdog	133562f29886fc8c85ce7083d4ff53fb.elf
File opened for reading	/sys/class/watchdog	133562f29886fc8c85ce7083d4ff53fb.elf

/tmp/133562f29886fc8c85ce7083d4ff53fb.elf
/tmp/133562f29886fc8c85ce7083d4ff53fb.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
- Enumerates kernel/hardware configuration
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Impair Defenses

T1562

Hijack Execution Flow

T1574

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1564-1-0x0000000000400000-0x000000000052bda0-memory.dmp

Download