c300bcf277d247cc6db37e3aff2b9ca051118d160c8cf34757c28a8fd80a6693

Analysis

max time kernel
153s
max time network
156s
platform
debian-9_armhf
resource
debian9-armhf-20221111-en
resource tags

arch:armhfimage:debian9-armhf-20221111-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
09/05/2023, 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e0dc423b6b275c1bef75d70ece28c26.elf
Size

151KB
MD5

2e0dc423b6b275c1bef75d70ece28c26
SHA1

b05db8c32a21c541eee28336a517bac3e99b00b1
SHA256

c300bcf277d247cc6db37e3aff2b9ca051118d160c8cf34757c28a8fd80a6693
SHA512

9183ec8bfc80238d4907c6105fd4b0f0d9b7428a652b229dcbd8db7f9a87bd326212ba9bd7e64661962ec6414d6e1eb172cd8c8efcf0b7aa8192ff3595f2017a
SSDEEP

3072:WUEAf3ViQGRk737hoarkC72VxRIABtpu1KA6XeYLbM/9qlBf21:WUEAfViLRkT9oarkC72VvIAgYA6XeYvO

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (34295) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	/bin/busybox	423	2e0dc423b6b275c1bef75d70ece28c26.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/2/cmdline	Process not Found
File opened for reading	/proc/22/cmdline	Process not Found
File opened for reading	/proc/455/cmdline	Process not Found
File opened for reading	/proc/283/cmdline	Process not Found
File opened for reading	/proc/421/cmdline	Process not Found
File opened for reading	/proc/463/cmdline	Process not Found
File opened for reading	/proc/474/cmdline	Process not Found
File opened for reading	/proc/5/cmdline	Process not Found
File opened for reading	/proc/14/cmdline	Process not Found
File opened for reading	/proc/107/cmdline	Process not Found
File opened for reading	/proc/132/cmdline	Process not Found
File opened for reading	/proc/440/cmdline	Process not Found
File opened for reading	/proc/453/cmdline	Process not Found
File opened for reading	/proc/459/cmdline	Process not Found
File opened for reading	/proc/469/cmdline	Process not Found
File opened for reading	/proc/9/cmdline	Process not Found
File opened for reading	/proc/23/cmdline	Process not Found
File opened for reading	/proc/27/cmdline	Process not Found
File opened for reading	/proc/20/cmdline	Process not Found
File opened for reading	/proc/419/cmdline	Process not Found
File opened for reading	/proc/514/cmdline	Process not Found
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/3/cmdline	Process not Found
File opened for reading	/proc/19/cmdline	Process not Found
File opened for reading	/proc/521/cmdline	Process not Found
File opened for reading	/proc/226/cmdline	Process not Found
File opened for reading	/proc/389/cmdline	Process not Found
File opened for reading	/proc/428/cmdline	Process not Found
File opened for reading	/proc/42/cmdline	Process not Found
File opened for reading	/proc/237/cmdline	Process not Found
File opened for reading	/proc/457/cmdline	Process not Found
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/17/cmdline	Process not Found
File opened for reading	/proc/43/cmdline	Process not Found
File opened for reading	/proc/239/cmdline	Process not Found
File opened for reading	/proc/317/cmdline	Process not Found
File opened for reading	/proc/321/cmdline	Process not Found
File opened for reading	/proc/418/cmdline	Process not Found
File opened for reading	/proc/449/cmdline	Process not Found
File opened for reading	/proc/10/cmdline	Process not Found
File opened for reading	/proc/24/cmdline	Process not Found
File opened for reading	/proc/96/cmdline	Process not Found
File opened for reading	/proc/15/cmdline	Process not Found
File opened for reading	/proc/75/cmdline	Process not Found
File opened for reading	/proc/210/cmdline	Process not Found
File opened for reading	/proc/236/cmdline	Process not Found
File opened for reading	/proc/320/cmdline	Process not Found
File opened for reading	/proc/1/cmdline	Process not Found
File opened for reading	/proc/6/cmdline	Process not Found
File opened for reading	/proc/11/cmdline	Process not Found
File opened for reading	/proc/461/cmdline	Process not Found
File opened for reading	/proc/41/cmdline	Process not Found
File opened for reading	/proc/475/cmdline	Process not Found
File opened for reading	/proc/530/cmdline	Process not Found
File opened for reading	/proc/442/cmdline	Process not Found
File opened for reading	/proc/447/cmdline	Process not Found
File opened for reading	/proc/7/cmdline	Process not Found
File opened for reading	/proc/12/cmdline	Process not Found
File opened for reading	/proc/314/cmdline	Process not Found
File opened for reading	/proc/438/cmdline	Process not Found
File opened for reading	/proc/451/cmdline	Process not Found
File opened for reading	/proc/13/cmdline	Process not Found
File opened for reading	/proc/106/cmdline	Process not Found
File opened for reading	/proc/270/cmdline	Process not Found

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/bin/busybox	sh

/tmp/2e0dc423b6b275c1bef75d70ece28c26.elf
/tmp/2e0dc423b6b275c1bef75d70ece28c26.elf
1⤵
- Changes its process name
PID:423
- /bin/sh
  /bin/sh -c "rm -rf bin/busybox && mkdir bin; >bin/busybox && mv /tmp/2e0dc423b6b275c1bef75d70ece28c26.elf bin/busybox; chmod 777 �Ttbin/busybox,��"
  2⤵
  - Writes file to tmp directory
  PID:425
- - rm
    rm -rf bin/busybox
    3⤵
    PID:426
- - mkdir
    mkdir bin
    3⤵
    - Reads runtime system information
    PID:427
- - mv
    mv /tmp/2e0dc423b6b275c1bef75d70ece28c26.elf bin/busybox
    3⤵
    - Reads runtime system information
    PID:429
- - chmod
    chmod 777 "�Ttbin/busybox,��"
    3⤵
    PID:433

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...