33defc4ecff8a0b40c66bb797cb127c4f3df647a50c2995bd7b9414ba05716b1

Analysis

max time kernel
0s
max time network
152s
platform
debian-9_mipsel
resource
debian9-mipsel-20221111-en
resource tags

arch:mipselimage:debian9-mipsel-20221111-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
06-04-2023 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef72909ce48b7aa09bea11c73194820a.elf
Size

358KB
MD5

ef72909ce48b7aa09bea11c73194820a
SHA1

405cb65139cf94b45b8e0922960e693da2ed09a9
SHA256

33defc4ecff8a0b40c66bb797cb127c4f3df647a50c2995bd7b9414ba05716b1
SHA512

fdf5b89bca9ac5824ec5a31bda028bd8c1afb37c621632897c1359b8004589912787d1b8641214d16452ff068548ca09ea12d13bdecb41010f2e6e16222a841f
SSDEEP

6144:YCWUWbbMK14mECiqWmOaC1ztPASfIOV68eU1fY5hEQrDh895BtLyhbkMOzqzFSAZ:jvqOyURY55PYOhbkMOGzc6z9FmiIuCYp

Score

9^/10

antivm persistence

Malware Config

Signatures

Attempts to identify hypervisor via CPU configuration 1 TTPs 2 IoCs
Checks CPU information for indicators that the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

ef72909ce48b7aa09bea11c73194820a.elf

description ioc process

/proc/cpuinfo /proc/cpuinfo ef72909ce48b7aa09bea11c73194820a.elf
/proc/cpuinfo /proc/cpuinfo
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.

Processes:

description ioc

/etc/hosts /etc/hosts
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.

Dynamic Resolution
T1568

Processes:

description ioc

/etc/resolv.conf /etc/resolv.conf
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

sed

description ioc process

/etc/init.d/boot.local /etc/init.d/boot.local sed
Modifies rc script 1 TTPs 4 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

sedsedsedsed

description ioc process

/etc/rc.local /etc/rc.local sed
/etc/rc.local /etc/rc.local sed
/etc/rc.d/rc.local /etc/rc.d/rc.local sed
/etc/rc.local /etc/rc.local sed

description	ioc	process
/proc/cpuinfo	/proc/cpuinfo	ef72909ce48b7aa09bea11c73194820a.elf
/proc/cpuinfo	/proc/cpuinfo

description	ioc
/etc/hosts	/etc/hosts

description	ioc
/etc/resolv.conf	/etc/resolv.conf

description	ioc	process
/etc/init.d/boot.local	/etc/init.d/boot.local	sed

description	ioc	process
/etc/rc.local	/etc/rc.local	sed
/etc/rc.local	/etc/rc.local	sed
/etc/rc.d/rc.local	/etc/rc.d/rc.local	sed
/etc/rc.local	/etc/rc.local	sed

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

Processes:

mvsedsedsedsedsedsed

description	ioc	process
/proc/filesystems	/proc/filesystems	mv
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed
/proc/stat	/proc/stat

/tmp/ef72909ce48b7aa09bea11c73194820a.elf
/tmp/ef72909ce48b7aa09bea11c73194820a.elf
1⤵
- Attempts to identify hypervisor via CPU configuration
PID:324

/bin/sh
/bin/sh -c "chmod +x /etc/rc.local"
2⤵
PID:325

/bin/chmod
chmod +x /etc/rc.local
3⤵
PID:326

/bin/sh
/bin/sh -c "mv /tmp/ef72909ce48b7aa09bea11c73194820a.elf /etc/ef72909ce48b7aa09bea11c73194820a.elf"
2⤵
PID:327

/bin/mv
mv /tmp/ef72909ce48b7aa09bea11c73194820a.elf /etc/ef72909ce48b7aa09bea11c73194820a.elf
3⤵
- Reads runtime system information
PID:328

/bin/sh
/bin/sh -c "cd /etc;chmod 777 ef72909ce48b7aa09bea11c73194820a.elf"
2⤵
PID:329

/bin/chmod
chmod 777 ef72909ce48b7aa09bea11c73194820a.elf
3⤵
PID:330

/bin/sh
/bin/sh -c "sed -i -e '/exit/d' /etc/rc.local"
2⤵
PID:332

/bin/sed
sed -i -e /exit/d /etc/rc.local
3⤵
- Modifies rc script
- Reads runtime system information
PID:333

/bin/sh
/bin/sh -c "sed -i -e '/^ | | \$/d' /etc/rc.local"
2⤵
PID:336

/bin/sed
sed -i -e "/^ | | \$/d" /etc/rc.local
3⤵
- Reads runtime system information
PID:337

/bin/sh
/bin/sh -c "sed -i -e '/ef72909ce48b7aa09bea11c73194820a.elf/d' /etc/rc.local"
2⤵
PID:338

/bin/sed
sed -i -e /ef72909ce48b7aa09bea11c73194820a.elf/d /etc/rc.local
3⤵
- Modifies rc script
- Reads runtime system information
PID:339

/bin/sh
/bin/sh -c "sed -i -e '2 i/etc/ef72909ce48b7aa09bea11c73194820a.elf reboot' /etc/rc.local"
2⤵
PID:340

/bin/sed
sed -i -e "2 i/etc/ef72909ce48b7aa09bea11c73194820a.elf reboot" /etc/rc.local
3⤵
- Modifies rc script
- Reads runtime system information
PID:341

/bin/sh
/bin/sh -c "sed -i -e '2 i/etc/ef72909ce48b7aa09bea11c73194820a.elf start' /etc/rc.d/rc.local"
2⤵
PID:342

/bin/sed
sed -i -e "2 i/etc/ef72909ce48b7aa09bea11c73194820a.elf start" /etc/rc.d/rc.local
3⤵
- Modifies rc script
- Reads runtime system information
PID:343

/bin/sh
/bin/sh -c "sed -i -e '2 i/etc/ef72909ce48b7aa09bea11c73194820a.elf start' /etc/init.d/boot.local"
2⤵
PID:344

/bin/sed
sed -i -e "2 i/etc/ef72909ce48b7aa09bea11c73194820a.elf start" /etc/init.d/boot.local
3⤵
- Modifies init.d
- Reads runtime system information
PID:345

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Dynamic Resolution

T1568

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads