Malware Analysis Report

2025-04-03 09:55

Sample ID: 220708-amnnfacag2
Target:    5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9
SHA256:    5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9
Tags:      enemybot, persistence
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score:  10/10
SHA256: 5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9

Threat Level: Known bad

The file 5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 was found to be: Known bad.

Malicious Activity Summary

Tags: enemybot, persistence

Enemybot family (family_enemybot)
Creates/modifies Cron job
Modifies rc script
Reads runtime system information
Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-07-08 00:19

Signatures

Enemybot family
Tags: enemybot, family_enemybot

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2022-07-08 00:19
Reported:         2022-07-08 02:05
Platform:         debian9-armhf-en-20211208
Max time kernel:  0s
Max time network: 156s

Command Line

[./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9]

Signatures

Creates/modifies Cron job
Tag: persistence

Description   Indicator     Process                                                              Target
/etc/crontab  /etc/crontab  ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9  N/A

Modifies rc script
Tag: persistence

Description    Indicator      Process                                                              Target
/etc/rc.local  /etc/rc.local  ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9  N/A

Reads runtime system information

Description Indicator Process Target
/proc/2/cmdline /proc/2/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/8/cmdline /proc/8/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/20/cmdline /proc/20/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/28/cmdline /proc/28/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/13/cmdline /proc/13/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/18/cmdline /proc/18/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/22/cmdline /proc/22/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/25/cmdline /proc/25/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/43/cmdline /proc/43/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/106/cmdline /proc/106/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/129/cmdline /proc/129/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/282/cmdline /proc/282/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/19/cmdline /proc/19/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/23/cmdline /proc/23/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/162/cmdline /proc/162/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/234/cmdline /proc/234/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/15/cmdline /proc/15/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/41/cmdline /proc/41/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/105/cmdline /proc/105/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/305/cmdline /proc/305/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/29/cmdline /proc/29/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/231/cmdline /proc/231/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/1/cmdline /proc/1/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/27/cmdline /proc/27/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/218/cmdline /proc/218/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/350/cmdline /proc/350/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/6/cmdline /proc/6/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/94/cmdline /proc/94/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/103/cmdline /proc/103/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/244/cmdline /proc/244/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/276/cmdline /proc/276/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/3/cmdline /proc/3/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/11/cmdline /proc/11/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/16/cmdline /proc/16/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/21/cmdline /proc/21/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/347/cmdline /proc/347/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/351/cmdline /proc/351/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/4/cmdline /proc/4/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/9/cmdline /proc/9/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/24/cmdline /proc/24/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/272/cmdline /proc/272/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/7/cmdline /proc/7/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/26/cmdline /proc/26/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/42/cmdline /proc/42/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/137/cmdline /proc/137/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/145/cmdline /proc/145/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/309/cmdline /proc/309/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/10/cmdline /proc/10/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/73/cmdline /proc/73/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/233/cmdline /proc/233/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/310/cmdline /proc/310/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/5/cmdline /proc/5/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/12/cmdline /proc/12/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/307/cmdline /proc/307/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/14/cmdline /proc/14/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/17/cmdline /proc/17/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/151/cmdline /proc/151/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A
/proc/275/cmdline /proc/275/cmdline ./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9 N/A

Writes file to tmp directory

Description  Indicator    Process  Target
/tmp/.pwned  /tmp/.pwned  /bin/sh  N/A

Processes

./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9
  [./5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9]

/bin/sh
  [sh -c echo ENEMEYBOT V3.1-ALCAPONE hail KEKSEC > /tmp/.pwned]

Network

Files

N/A