Analysis
  max time kernel:   0s
  max time network:  152s
  platform:          debian-9_mipsel
  resource:          debian9-mipsel-20221111-en
  resource tags:     arch:mipsel, image:debian9-mipsel-20221111-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
  submitted:         06-04-2023 07:00

Behavioral task: behavioral1
  Sample:    ef72909ce48b7aa09bea11c73194820a.elf
  Resource:  debian9-mipsel-20221111-en
General
  Target:  ef72909ce48b7aa09bea11c73194820a.elf
  Size:    358KB
  MD5:     ef72909ce48b7aa09bea11c73194820a
  SHA1:    405cb65139cf94b45b8e0922960e693da2ed09a9
  SHA256:  33defc4ecff8a0b40c66bb797cb127c4f3df647a50c2995bd7b9414ba05716b1
  SHA512:  fdf5b89bca9ac5824ec5a31bda028bd8c1afb37c621632897c1359b8004589912787d1b8641214d16452ff068548ca09ea12d13bdecb41010f2e6e16222a841f
  SSDEEP:  6144:YCWUWbbMK14mECiqWmOaC1ztPASfIOV68eU1fY5hEQrDh895BtLyhbkMOzqzFSAZ:jvqOyURY55PYOhbkMOGzc6z9FmiIuCYp
Malware Config
  (no configuration extracted)

Signatures

Attempts to identify hypervisor via CPU configuration (1 TTP, 2 IoCs)
  Checks CPU information for indicators that the system is a virtual machine.
  Processes: ef72909ce48b7aa09bea11c73194820a.elf
    ioc            process
    /proc/cpuinfo  ef72909ce48b7aa09bea11c73194820a.elf
    /proc/cpuinfo  (process not listed)
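The signature records only that the sample reads /proc/cpuinfo; it does not say which values it inspects. The shell script below is an added example, not code from this report or from the sample: it is the defender-side counterpart, scanning a /proc/cpuinfo dump for the giveaways such a read usually targets. The indicator strings and the function name are assumptions for the example; the sample cpuinfo it runs on is constructed to resemble the QEMU Malta guest this sandbox uses (kernel 4.9.0-13-4kc-malta) and was not captured from the analysis.

```shell
#!/bin/sh
# Added example, not code from the report or the sample. Scans a /proc/cpuinfo
# dump for the hypervisor giveaways a VM check commonly looks for. The report
# does not say which strings the sample inspects; this list is an assumption.

# cpuinfo_vm_indicators FILE
# Prints one line per indicator found; returns 0 if any was found, 1 otherwise.
cpuinfo_vm_indicators() {
    found=1
    # x86 guests: the kernel exposes the CPUID "hypervisor" bit in the flags line.
    if grep -qE '^flags[[:space:]]*:.*[[:space:]]hypervisor([[:space:]]|$)' "$1"; then
        echo "flags line carries the 'hypervisor' CPUID bit"
        found=0
    fi
    # Emulated CPUs frequently name the emulator in the model string
    # ("model name" on x86, "cpu model" on MIPS).
    if grep -qiE '^(model name|cpu model)[[:space:]]*:.*(qemu|kvm|vmware|virtualbox|xen)' "$1"; then
        echo "CPU model string names a hypervisor or emulator"
        found=0
    fi
    # MIPS guests: QEMU's default MIPS board is Malta, and the kernel reports
    # the board as the system type (this sandbox runs a 4kc-malta kernel).
    if grep -qE '^system type[[:space:]]*:.*Malta' "$1"; then
        echo "system type is MIPS Malta, QEMU's default MIPS board"
        found=0
    fi
    return $found
}

# Constructed sample resembling a MIPS Malta guest's /proc/cpuinfo;
# not captured from the sandbox.
sample=$(mktemp)
printf 'system type\t\t: MIPS Malta\nmachine\t\t\t: Unknown\nprocessor\t\t: 0\ncpu model\t\t: MIPS 24Kc V0.0  FPU V0.0\n' > "$sample"
if cpuinfo_vm_indicators "$sample"; then
    echo "verdict: looks like a virtual machine"
else
    echo "verdict: no hypervisor indicators"
fi
rm -f "$sample"
```

Run it against the real /proc/cpuinfo of an analysis VM (`cpuinfo_vm_indicators /proc/cpuinfo`) to see what a sample performing this check would find; every line it prints is something the sandbox image would have to mask to survive the check.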
Modifies hosts file (1 IoC)
  Adds entries to the hosts file used for mapping host names to IP addresses.
    ioc         process
    /etc/hosts  (process not listed)

Writes DNS configuration (1 TTP, 1 IoC)
  Writes data to DNS resolver config file.
  Processes: sed
    ioc                     process
    /etc/init.d/boot.local  sed
  Note: the only IoC recorded under this signature is an init script, not a resolver configuration file; the process tree below tags the same sed edit as "Modifies init.d", which is the more accurate description of what was observed.

Modifies rc script (1 TTP, 4 IoCs)
  Adding/modifying system rc scripts is a common persistence mechanism.
  Processes: sed, sed, sed, sed
    ioc                 process
    /etc/rc.local       sed
    /etc/rc.local       sed
    /etc/rc.d/rc.local  sed
    /etc/rc.local       sed

Reads runtime system information (8 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes: mv, sed, sed, sed, sed, sed, sed
    ioc                process
    /proc/filesystems  mv
    /proc/filesystems  sed (6 reads, one per sed invocation)
    /proc/stat         (process not listed)
Processes
  Indentation shows parent/child depth. Each entry gives the image path, the recorded command line, and the signatures the sandbox attached to that process. Read in order, the commands move the dropped binary from /tmp to /etc, make it world-executable, strip every line containing "exit" from /etc/rc.local, remove any earlier reference to the binary, and then insert a launcher line as line 2 of /etc/rc.local ("... reboot"), /etc/rc.d/rc.local ("... start") and /etc/init.d/boot.local ("... start"). Command lines are reproduced as the sandbox recorded them; the whitespace-stripping sed pattern is shown as extracted.

/tmp/ef72909ce48b7aa09bea11c73194820a.elf
    cmd: /tmp/ef72909ce48b7aa09bea11c73194820a.elf
    - Attempts to identify hypervisor via CPU configuration

  /bin/sh
      cmd: /bin/sh -c "chmod +x /etc/rc.local"
    /bin/chmod
        cmd: chmod +x /etc/rc.local

  /bin/sh
      cmd: /bin/sh -c "mv /tmp/ef72909ce48b7aa09bea11c73194820a.elf /etc/ef72909ce48b7aa09bea11c73194820a.elf"
    /bin/mv
        cmd: mv /tmp/ef72909ce48b7aa09bea11c73194820a.elf /etc/ef72909ce48b7aa09bea11c73194820a.elf
        - Reads runtime system information

  /bin/sh
      cmd: /bin/sh -c "cd /etc;chmod 777 ef72909ce48b7aa09bea11c73194820a.elf"
    /bin/chmod
        cmd: chmod 777 ef72909ce48b7aa09bea11c73194820a.elf

  /bin/sh
      cmd: /bin/sh -c "sed -i -e '/exit/d' /etc/rc.local"
    /bin/sed
        cmd: sed -i -e /exit/d /etc/rc.local
        - Modifies rc script
        - Reads runtime system information

  /bin/sh
      cmd: /bin/sh -c "sed -i -e '/^ | | \$/d' /etc/rc.local"
    /bin/sed
        cmd: sed -i -e "/^ | | \$/d" /etc/rc.local
        - Reads runtime system information

  /bin/sh
      cmd: /bin/sh -c "sed -i -e '/ef72909ce48b7aa09bea11c73194820a.elf/d' /etc/rc.local"
    /bin/sed
        cmd: sed -i -e /ef72909ce48b7aa09bea11c73194820a.elf/d /etc/rc.local
        - Modifies rc script
        - Reads runtime system information

  /bin/sh
      cmd: /bin/sh -c "sed -i -e '2 i/etc/ef72909ce48b7aa09bea11c73194820a.elf reboot' /etc/rc.local"
    /bin/sed
        cmd: sed -i -e "2 i/etc/ef72909ce48b7aa09bea11c73194820a.elf reboot" /etc/rc.local
        - Modifies rc script
        - Reads runtime system information

  /bin/sh
      cmd: /bin/sh -c "sed -i -e '2 i/etc/ef72909ce48b7aa09bea11c73194820a.elf start' /etc/rc.d/rc.local"
    /bin/sed
        cmd: sed -i -e "2 i/etc/ef72909ce48b7aa09bea11c73194820a.elf start" /etc/rc.d/rc.local
        - Modifies rc script
        - Reads runtime system information

  /bin/sh
      cmd: /bin/sh -c "sed -i -e '2 i/etc/ef72909ce48b7aa09bea11c73194820a.elf start' /etc/init.d/boot.local"
    /bin/sed
        cmd: sed -i -e "2 i/etc/ef72909ce48b7aa09bea11c73194820a.elf start" /etc/init.d/boot.local
        - Modifies init.d
        - Reads runtime system information
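The process tree and the "Modifies rc script" signature together give the complete persistence routine: delete every line of the boot script containing "exit" (which on Debian removes the trailing `exit 0` and the stock comment mentioning it), delete any earlier reference to the binary, then insert "/etc/<name>.elf reboot" (or "start") as line 2, directly after the shebang. The script below is an added example, not part of this report or of the sample: it replays the recorded sed commands against a constructed copy of Debian 9's stock /etc/rc.local and then audits the result with the checks a responder could run on a suspect host. The template, the function names and the audit heuristics are assumptions for the example; the blank-line deletion the report shows as `/^ | | \$/d` is garbled in the extraction and is left out of the replay.

```shell
#!/bin/sh
# Added example, not code from the report or the sample. Replays the rc.local
# edits recorded in the process tree against a constructed Debian 9 rc.local,
# then audits the file the way a responder would on a suspect host.

# write_clean_rc_local FILE
# Constructed approximation of the stock Debian 9 /etc/rc.local (assumption,
# not captured from the sandbox).
write_clean_rc_local() {
    cat > "$1" <<'EOF'
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# By default this script does nothing.

exit 0
EOF
}

# replay_persistence FILE BINARY ARG
# The sample's recorded edits: drop every line containing "exit", drop any
# earlier reference to the binary, then insert "<binary> <arg>" as line 2
# (GNU sed one-liner "i" form, exactly as the sandbox recorded it).
replay_persistence() {
    f=$1; bin=$2; arg=$3
    sed -i -e '/exit/d' "$f"
    sed -i -e "/$(basename "$bin")/d" "$f"
    sed -i -e "2 i$bin $arg" "$f"
}

# audit_rc_script FILE
# Prints one finding per line; returns 0 if anything suspicious was found,
# 1 otherwise. Heuristics are assumptions derived from the observed edits.
audit_rc_script() {
    f=$1; hit=1
    [ -f "$f" ] || return 1
    # A stock rc.local ends in "exit 0"; after "sed '/exit/d'" nothing does.
    last=$(grep -v '^[[:space:]]*$' "$f" | tail -n 1)
    case "$last" in
        exit*) ;;
        *) echo "$f: no trailing exit line (last line: '$last')"; hit=0 ;;
    esac
    # The sample inserts its launcher as line 2, straight after the shebang.
    line2=$(sed -n '2p' "$f")
    case "$line2" in
        /etc/*" start"|/etc/*" reboot")
            echo "$f: line 2 launches a binary from /etc: '$line2'"; hit=0 ;;
    esac
    # Executables do not belong under /etc; flag any /etc path run as a command.
    if grep -qE '^[[:space:]]*/etc/[^[:space:]]+[[:space:]]+(start|reboot)([[:space:]]|$)' "$f"; then
        echo "$f: boot-time launcher of a file under /etc"; hit=0
    fi
    return $hit
}

# Walk through the routine on a scratch copy (hypothetical paths).
tmp=$(mktemp -d)
write_clean_rc_local "$tmp/rc.local.clean"
cp "$tmp/rc.local.clean" "$tmp/rc.local.infected"
replay_persistence "$tmp/rc.local.infected" /etc/ef72909ce48b7aa09bea11c73194820a.elf reboot
echo "--- stock file"
audit_rc_script "$tmp/rc.local.clean" || echo "no findings"
echo "--- after the sample's edits"
audit_rc_script "$tmp/rc.local.infected"
```

On a live host the same audit applies to all three files the sample touched: `for f in /etc/rc.local /etc/rc.d/rc.local /etc/init.d/boot.local; do audit_rc_script "$f"; done`. Because `/exit/d` also strips the comment line that mentions `"exit 0"`, a Debian rc.local that has lost that comment is itself a useful tell even when the launcher line has since been cleaned up.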