Analysis

  • max time kernel
    0s
  • max time network
    153s
  • platform
    linux_mips
  • resource
    debian9-mipsbe-en-20211208
  • resource tags

    arch:mips, image:debian9-mipsbe-en-20211208, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
  • submitted
    12-10-2022 16:02

General

  • Target

    18a4352b2101b4fa81652d5fce34b08ed7def8bd40e413cebf991ede97692a02.elf

  • Size

    1.9MB

  • MD5

    ae5592bdb0464f06c88f665282991b82

  • SHA1

    be5bf9dfec7fae911666060f584b4ffd0b04185f

  • SHA256

    18a4352b2101b4fa81652d5fce34b08ed7def8bd40e413cebf991ede97692a02

  • SHA512

    4c57878362b342a0928c8ddcb3fccff79be1ee0164e4f16c2d5169d14ea8ce322ac37693f965e8584fa950d733b70fe3d084cce4cf3675d62104482404b870a0

  • SSDEEP

    49152:Um7vtBcWDjchCCpjy3WT/N7SExRtmbj2mEE5MBn:U67cWDoggmrExRtmbHEE2Bn

Malware Config

Signatures

  • StealthWorker

    StealthWorker is Golang-based brute-force malware.

  • Attempts to identify hypervisor via CPU configuration (1 TTP, 2 IoCs)

    Checks CPU information for indicators that the system is a virtual machine.

  • Modifies hosts file (1 IoC)

    Adds entries to the hosts file, which maps hostnames to IP addresses.

  • Writes DNS configuration (1 TTP, 1 IoC)

    Writes data to the DNS resolver config file.

  • Reads runtime system information (7 IoCs)

    Reads data from the /proc virtual filesystem.

  • Writes file to tmp directory (4 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/18a4352b2101b4fa81652d5fce34b08ed7def8bd40e413cebf991ede97692a02.elf
    /tmp/18a4352b2101b4fa81652d5fce34b08ed7def8bd40e413cebf991ede97692a02.elf
    1⤵
    • Reads runtime system information
    PID:320
    • /bin/cat
      cat /proc/version
      2⤵
      • Reads runtime system information
      PID:328
  • /bin/cat
    cat /proc/cpuinfo
    1⤵
    • Attempts to identify hypervisor via CPU configuration
    PID:330
  • /bin/uname
    uname -a
    1⤵
    PID:331
  • /usr/bin/getconf
    getconf LONG_BIT
    1⤵
    PID:332
  • /tmp/18a4352b2101b4fa81652d5fce34b08ed7def8bd40e413cebf991ede97692a02.elf
    "[stealth]"
    1⤵
    • Modifies hosts file
    • Reads runtime system information
    PID:333
    • /bin/cat
      cat /proc/version
      2⤵
      • Reads runtime system information
      PID:337
  • /bin/cat
    cat /proc/cpuinfo
    1⤵
    • Attempts to identify hypervisor via CPU configuration
    PID:339
  • /bin/uname
    uname -a
    1⤵
    PID:340
  • /usr/bin/getconf
    getconf LONG_BIT
    1⤵
    PID:341
  • /usr/bin/crontab
    /usr/bin/crontab /tmp/nip9iNeiph5chee
    1⤵
    • Reads runtime system information
    • Writes file to tmp directory
    PID:342

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    T1497 Virtualization/Sandbox Evasion (1)

  • Discovery

    T1497 Virtualization/Sandbox Evasion (1)

  • Command and Control

    T1568 Dynamic Resolution (1)
