Analysis
-
max time kernel
150s -
max time network
153s -
platform
linux_mipsel -
resource
debian9-mipsel-en-20211208 -
resource tags
arch:mipsel image:debian9-mipsel-en-20211208 kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mipsel system -
submitted
21/05/2023, 18:42
Static task
static1
Behavioral task
behavioral1
Sample
8be71b34ef9577904ba7f5ec51ce4352.elf
Resource
debian9-mipsel-en-20211208
General
-
Target
8be71b34ef9577904ba7f5ec51ce4352.elf
-
Size
78KB
-
MD5
8be71b34ef9577904ba7f5ec51ce4352
-
SHA1
4d38ed69abdcae4d3f909c38afd67dea5b1cfef1
-
SHA256
46a66c57317b516f78db488c34431f25d7d2bd950a2f8fd7666f5c4be9d30a6c
-
SHA512
47fd48028da574e7bb2dba49492be0e87f719382aa3b730185d4c4b9d6114b51c42c19c8ef83758c077c7914aa48d237206726090a0e69b9e41e188bf6a57a16
-
SSDEEP
1536:iroIzx14qekYxVlU2xD8QIevbQStgVAvRgGTI:iroIdzo3U6D88C9GTI
Malware Config
Signatures
-
Changes its process name 1 IoCs
description: Changes the process name, possibly in an attempt to hide itself
ioc: /var/condibot
pid: 326
Process: 8be71b34ef9577904ba7f5ec51ce4352.elf -
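An added hunting check for the rename trick flagged by this signature; it is not part of the sandbox report or the sandbox vendor's code. A process can overwrite argv[0] (visible in /proc/<pid>/cmdline) and its task name (/proc/<pid>/comm via prctl), but /proc/<pid>/exe is maintained by the kernel and still points at the binary that was mapped. The report does not say which mechanism the sample used, so the code below assumes argv[0] was rewritten to /var/condibot and reads both files. demo() exercises the scanner on a constructed fake /proc tree; calling find_renamed_processes() with no argument scans the live /proc.

```python
"""Hunt for the process-rename trick: /proc/<pid>/cmdline (argv[0]) and
/proc/<pid>/comm are writable by the process itself, but /proc/<pid>/exe is a
kernel-maintained symlink to the mapped binary and cannot be faked."""
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Mismatch:
    pid: int
    exe: str    # target of /proc/<pid>/exe (" (deleted)" suffix stripped)
    argv0: str  # first NUL-separated field of /proc/<pid>/cmdline
    comm: str   # /proc/<pid>/comm, the kernel task name (15 chars max)


def _read_text(path):
    with open(path, "rb") as fh:
        return fh.read().decode("utf-8", "replace")


def find_renamed_processes(proc_root="/proc"):
    """Return processes whose argv[0] basename differs from the exe basename,
    sorted by pid. proc_root is a parameter so the same logic can run on a
    constructed tree (see demo()) as well as the live /proc."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # /proc/sys, /proc/net, ... are not processes
        pid_dir = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
            cmdline = _read_text(os.path.join(pid_dir, "cmdline"))
            comm = _read_text(os.path.join(pid_dir, "comm")).rstrip("\n")
        except OSError:
            # Kernel threads have no exe, processes can exit mid-scan, and an
            # unprivileged scanner cannot readlink exe of other users' processes.
            continue
        if exe.endswith(" (deleted)"):
            exe = exe[: -len(" (deleted)")]
        argv0 = cmdline.split("\0", 1)[0]
        if not argv0:
            continue  # zombie: cmdline is empty
        # Basenames only: argv[0] is usually relative ("sh") while exe is absolute.
        # Interpreter symlinks (sh -> dash, busybox applets) also differ here and
        # need an allowlist in production; this is a hunt, not a verdict.
        if os.path.basename(argv0) != os.path.basename(exe):
            hits.append(Mismatch(int(entry), exe, argv0, comm))
    return sorted(hits, key=lambda m: m.pid)


def build_fake_proc(root, procs):
    """Write a constructed /proc-like tree: pid -> (exe target, argv list, comm)."""
    for pid, (exe, argv, comm) in procs.items():
        pid_dir = os.path.join(root, str(pid))
        os.makedirs(pid_dir)
        os.symlink(exe, os.path.join(pid_dir, "exe"))  # dangling is fine, we only readlink
        with open(os.path.join(pid_dir, "cmdline"), "wb") as fh:
            fh.write(b"".join(a.encode() + b"\0" for a in argv))
        with open(os.path.join(pid_dir, "comm"), "w") as fh:
            fh.write(comm + "\n")
    os.makedirs(os.path.join(root, "sys"))  # a non-pid entry the scanner must skip


def demo():
    """Scan a constructed tree modelled on the report. Assumption: the sample
    rewrote argv[0] to /var/condibot (the report does not say which mechanism
    it used). Returns the Mismatch list, which names pid 326 only."""
    root = tempfile.mkdtemp()
    build_fake_proc(root, {
        1: ("/sbin/init", ["/sbin/init"], "init"),
        326: ("/tmp/8be71b34ef9577904ba7f5ec51ce4352.elf", ["/var/condibot"], "condibot"),
        327: ("/bin/sh", ["sh", "-c", "rm -rf var/condibot && mkdir var"], "sh"),
    })
    return find_renamed_processes(root)


if __name__ == "__main__":
    for m in find_renamed_processes():
        print(f"pid {m.pid}: exe={m.exe} argv0={m.argv0} comm={m.comm}")
```

On a real host run it as root; otherwise exe is unreadable for other users' processes and they are silently skipped. Expect some benign mismatches from interpreter symlinks and applet binaries, so treat the output as leads to triage against exe path and parent process rather than as alerts.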
Unexpected DNS network traffic destination 1 IoCs
Network traffic on the DNS port to servers other than the configured DNS servers was detected.
description: Destination IP
ioc: 145.40.93.33 -
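An added example of the check behind this signature, written for this page rather than taken from the report or the sandbox. It parses a constructed resolv.conf and a constructed set of flow records (only the destination 145.40.93.33 is taken from the report) and counts port-53 flows, UDP or TCP, whose destination is not one of the configured nameservers.

```python
"""Check behind the "Unexpected DNS network traffic destination" signature:
any flow to port 53 whose destination is not one of the host's configured
resolvers. Bots that hard-code their own resolver, or tunnel C2 over port 53,
show up here without any payload inspection."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed resolver configuration for the example (not from the report).
RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 10.0.0.2
nameserver 10.0.0.3   # secondary
search lab.example
"""

# Constructed flow records, one per line: ts src_ip src_port dst_ip dst_port proto
# Only the destination 145.40.93.33 is taken from the report.
FLOW_LOG = """\
1684694520.1 10.0.0.5 41234 10.0.0.2 53 udp
1684694521.3 10.0.0.5 41235 145.40.93.33 53 udp
1684694522.8 10.0.0.5 41236 145.40.93.33 53 udp
1684694523.0 10.0.0.5 52000 93.184.216.34 443 tcp
1684694524.2 10.0.0.5 41237 10.0.0.3 53 udp
1684694525.6 10.0.0.5 41238 145.40.93.33 53 tcp
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def _normalize_ip(text):
    """Canonical string form so differently spelled IPv6 addresses compare equal."""
    return str(ipaddress.ip_address(text))


def parse_resolvers(text):
    """Return the set of 'nameserver' IPs from resolv.conf text; comment text
    is stripped and malformed entries are skipped."""
    resolvers = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] == "nameserver":
            try:
                resolvers.add(_normalize_ip(fields[1]))
            except ValueError:
                continue
    return resolvers


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format into Flow records."""
    flows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 6:
            continue  # blank, comment or malformed line
        _ts, src, _sport, dst, dport, proto = fields
        try:
            flows.append(Flow(_normalize_ip(src), _normalize_ip(dst), int(dport), proto.lower()))
        except ValueError:
            continue
    return flows


def unexpected_dns_destinations(flows, resolvers):
    """Map each non-resolver destination contacted on port 53 (UDP or TCP, since
    DNS uses both) to its flow count, most frequent first."""
    counts = Counter(
        f.dst for f in flows
        if f.dport == 53 and f.proto in ("udp", "tcp") and f.dst not in resolvers
    )
    return dict(counts.most_common())


def demo():
    return unexpected_dns_destinations(parse_flows(FLOW_LOG), parse_resolvers(RESOLV_CONF))


if __name__ == "__main__":
    for dst, n in demo().items():
        print(f"{dst}: {n} flow(s) on port 53 bypassing configured resolvers")
```

In a real deployment the resolver set should also include any DNS forwarders the network legitimately uses (split-horizon resolvers, VPN-pushed nameservers), otherwise the check fires on ordinary traffic.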
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
description: File opened for reading
ioc: /proc/<pid>/status for pids 23, 212, 279, 338, 37, 294, 295, 345, 359, 17, 322, 348, 9, 77, 78, 81, 115, 156, 227, 282, 8, 70, 204, 321, 336, 6, 246, 341, 351, 5, 215, 325, 377, 1, 2, 71, 74, 76, 105, 216, 339, 352, 358, 368, 4, 7, 11, 15, 20, 24, 138, 324, 354, 355, 12, 18, 36, 346, 369, 376, 10, 16, 75, 244 (64 entries) -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
description: File opened for modification
ioc: /tmp/var/condibot
Process: sh
Processes
-
/tmp/8be71b34ef9577904ba7f5ec51ce4352.elf
    command line: /tmp/8be71b34ef9577904ba7f5ec51ce4352.elf
    - Changes its process name
    PID: 326
    /bin/sh
        command line: sh -c "rm -rf var/condibot && mkdir var; >var/condibot && mv /tmp/8be71b34ef9577904ba7f5ec51ce4352.elf var/condibot; chmod 777 var/condibot"
        - Writes file to tmp directory
        PID: 327
        /bin/rm
            command line: rm -rf var/condibot
            PID: 329
        /bin/mkdir
            command line: mkdir var
            PID: 330
        /bin/mv
            command line: mv /tmp/8be71b34ef9577904ba7f5ec51ce4352.elf var/condibot
            PID: 331
        /bin/chmod
            command line: chmod 777 var/condibot
            PID: 332

The shell command uses relative paths (var, var/condibot) and inherits the sample's working directory, /tmp, so the binary is moved to /tmp/var/condibot (the path reported under "Writes file to tmp directory"), not to /var/condibot as the new process name suggests. The `>var/condibot` redirection creates an empty file that mv then replaces, and chmod 777 leaves the relocated binary world-writable. When hunting on a host, check /tmp/var/condibot and any process whose name is /var/condibot but whose executable lives under /tmp.