1b5d46e827ac989be8cb2f99aa8ce3724a8f0d37cee9ff044abe66d74e0b884a

Analysis

max time kernel
0s
max time network
158s
platform
linux_armhf
resource
debian9-armhf-en-20211208
resource tags

arch:armhfimage:debian9-armhf-en-20211208kernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
18-10-2022 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

data/cowrie/downloads/fd5657061af78d879e64d780e5fada398258bc0f700068927e6e1fa992f58ae9
Size

1KB
MD5

a629b120ac58761ba9dc17d98bdd7308
SHA1

717dc325ea7c8020904a8cb79dbe2672057884b5
SHA256

fd5657061af78d879e64d780e5fada398258bc0f700068927e6e1fa992f58ae9
SHA512

34be4ea3750a9255d2c4a471d2608824863af5b1f8d09d3d16c5c892c69229aed9523855f32c44fe4082ca276ec5cdf12631de54de0d7208a88f6dbe18774dc3

Score

9^/10

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

cp

description ioc process

/bin/busybox /bin/busybox cp
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

cp

description ioc process

/proc/filesystems /proc/filesystems cp

description	ioc	process
/bin/busybox	/bin/busybox	cp

description	ioc	process
/proc/filesystems	/proc/filesystems	cp

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

Processes:

fd5657061af78d879e64d780e5fada398258bc0f700068927e6e1fa992f58ae9cp

description	ioc	process
/tmp/data/cowrie/downloads/fd5657061af78d879e64d780e5fada398258bc0f700068927e6e1fa992f58ae9	/tmp/data/cowrie/downloads/fd5657061af78d879e64d780e5fada398258bc0f700068927e6e1fa992f58ae9	fd5657061af78d879e64d780e5fada398258bc0f700068927e6e1fa992f58ae9
/tmp/busybox	/tmp/busybox	cp

/tmp/data/cowrie/downloads/fd5657061af78d879e64d780e5fada398258bc0f700068927e6e1fa992f58ae9
/tmp/data/cowrie/downloads/fd5657061af78d879e64d780e5fada398258bc0f700068927e6e1fa992f58ae9
1⤵
- Writes file to tmp directory
PID:355

/bin/cp
cp /bin/busybox /tmp/
2⤵
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:356

/bin/cat
cat phantom.x86
2⤵
PID:361

/bin/chmod
chmod +x busybox data robben systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
2⤵
PID:362

./robben
./robben Payload
2⤵
PID:363

/bin/cat
cat phantom.mips
2⤵
PID:366

/bin/chmod
chmod +x busybox data robben systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
2⤵
PID:367

./robben
./robben Payload
2⤵
PID:368

/bin/cat
cat phantom.mpsl
2⤵
PID:371

/bin/chmod
chmod +x busybox data robben systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
2⤵
PID:372

./robben
./robben Payload
2⤵
PID:373

/bin/cat
cat phantom.arm4
2⤵
PID:376

/bin/chmod
chmod +x busybox data robben systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
2⤵
PID:377

./robben
./robben Payload
2⤵
PID:378

/bin/cat
cat phantom.arm5
2⤵
PID:381

/bin/chmod
chmod +x busybox data robben systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
2⤵
PID:382

./robben
./robben Payload
2⤵
PID:383

/bin/cat
cat phantom.arm6
2⤵
PID:386

/bin/chmod
chmod +x busybox data robben systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
2⤵
PID:387

./robben
./robben Payload
2⤵
PID:388

/bin/cat
cat phantom.arm7
2⤵
PID:391

/bin/chmod
chmod +x busybox data robben systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
2⤵
PID:392

./robben
./robben Payload
2⤵
PID:393

/bin/cat
cat phantom.ppc
2⤵
PID:396

/bin/chmod
chmod +x busybox data robben systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
2⤵
PID:397

./robben
./robben Payload
2⤵
PID:398

/bin/cat
cat phantom.m68k
2⤵
PID:403

/bin/chmod
chmod +x busybox data robben systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
2⤵
PID:404

./robben
./robben Payload
2⤵
PID:405

/bin/cat
cat phantom.sh4
2⤵
PID:408

/bin/chmod
chmod +x busybox data robben systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
2⤵
PID:409

./robben
./robben Payload
2⤵
PID:410

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads