Analysis

  • max time kernel
    0s
  • max time network
    153s
  • platform
    linux_mips
  • resource
    debian9-mipsbe-en-20211208
  • resource tags

    arch:mips, image:debian9-mipsbe-en-20211208, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
  • submitted
    12-10-2022 16:02

General

  • Target

    18a4352b2101b4fa81652d5fce34b08ed7def8bd40e413cebf991ede97692a02.elf

  • Size

    1MB

  • MD5

    ae5592bdb0464f06c88f665282991b82

  • SHA1

    be5bf9dfec7fae911666060f584b4ffd0b04185f

  • SHA256

    18a4352b2101b4fa81652d5fce34b08ed7def8bd40e413cebf991ede97692a02

  • SHA512

    4c57878362b342a0928c8ddcb3fccff79be1ee0164e4f16c2d5169d14ea8ce322ac37693f965e8584fa950d733b70fe3d084cce4cf3675d62104482404b870a0

  • SSDEEP

    49152:Um7vtBcWDjchCCpjy3WT/N7SExRtmbj2mEE5MBn:U67cWDoggmrExRtmbHEE2Bn

Malware Config

Signatures

  • StealthWorker

    StealthWorker is Go-based brute-force malware.

  • Attempts to identify hypervisor via CPU configuration ⋅ 1 TTPs 2 IoCs

    Checks CPU information for indicators that the system is a virtual machine.

  • Modifies hosts file ⋅ 1 IoCs

    Adds entries to the hosts file, which maps hostnames to IP addresses.

  • Writes DNS configuration ⋅ 1 TTPs 1 IoCs

    Writes data to the DNS resolver configuration file.

  • Reads runtime system information ⋅ 7 IoCs

    Reads data from the /proc virtual filesystem.

  • Writes file to tmp directory ⋅ 4 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/18a4352b2101b4fa81652d5fce34b08ed7def8bd40e413cebf991ede97692a02.elf
    /tmp/18a4352b2101b4fa81652d5fce34b08ed7def8bd40e413cebf991ede97692a02.elf
    Reads runtime system information
    PID:320
    • /bin/cat
      cat /proc/version
      Reads runtime system information
      PID:328
  • /bin/cat
    cat /proc/cpuinfo
    Attempts to identify hypervisor via CPU configuration
    PID:330
  • /bin/uname
    uname -a
    PID:331
  • /usr/bin/getconf
    getconf LONG_BIT
    PID:332
  • /tmp/18a4352b2101b4fa81652d5fce34b08ed7def8bd40e413cebf991ede97692a02.elf
    "[stealth]"
    Modifies hosts file
    Reads runtime system information
    PID:333
    • /bin/cat
      cat /proc/version
      Reads runtime system information
      PID:337
  • /bin/cat
    cat /proc/cpuinfo
    Attempts to identify hypervisor via CPU configuration
    PID:339
  • /bin/uname
    uname -a
    PID:340
  • /usr/bin/getconf
    getconf LONG_BIT
    PID:341
  • /usr/bin/crontab
    /usr/bin/crontab /tmp/nip9iNeiph5chee
    Reads runtime system information
    Writes file to tmp directory
    PID:342

Network

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
