cd77b109e45ef08f0b25ae4e211b4134bd7c349cbdf2ecde6425ec267a6a3a0d

Analysis

max time kernel
153s
max time network
155s
platform
debian-9_armhf
resource
debian9-armhf-20231026-en
resource tags

arch:armhfimage:debian9-armhf-20231026-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
06-12-2023 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba01c08c3a6ea99f565ed6c06067bf4c9d257168ffb76da644cce01d94313db4.elf
Size

61KB
MD5

fa9bbf55033f574c2b4cbd81da5ed433
SHA1

6cb40777e153a9e4028e5c30c5af86b0f56f768e
SHA256

ba01c08c3a6ea99f565ed6c06067bf4c9d257168ffb76da644cce01d94313db4
SHA512

08c39d6214ce0ffa7a6030daa5f45a7774730c2a5599c8213bd40f38b5538a71f9e87e8345d379e642506405924fe2b194e395b354d5cba79b876478bcbb72b6
SSDEEP

1536:1aoa3nfdgN5ceyp3row6V1R75T5Ix/yEvSmY:1aoGnfW2pbyV1R7krA

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (76773) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Changes its process name 1 IoCs

Processes:

ba01c08c3a6ea99f565ed6c06067bf4c9d257168ffb76da644cce01d94313db4.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	[telnetd]	671	ba01c08c3a6ea99f565ed6c06067bf4c9d257168ffb76da644cce01d94313db4.elf

Deletes itself 1 IoCs

Processes:

ba01c08c3a6ea99f565ed6c06067bf4c9d257168ffb76da644cce01d94313db4.elf

pid process

671 ba01c08c3a6ea99f565ed6c06067bf4c9d257168ffb76da644cce01d94313db4.elf

Renames itself 2 IoCs

Processes:

ba01c08c3a6ea99f565ed6c06067bf4c9d257168ffb76da644cce01d94313db4.elf

pid	process
671	ba01c08c3a6ea99f565ed6c06067bf4c9d257168ffb76da644cce01d94313db4.elf
671	ba01c08c3a6ea99f565ed6c06067bf4c9d257168ffb76da644cce01d94313db4.elf

Unexpected DNS network traffic destination 35 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	4.2.2.2
Destination IP	4.2.2.2
Destination IP	4.2.2.2
Destination IP	9.9.9.9
Destination IP	4.2.2.2
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	4.2.2.2
Destination IP	9.9.9.9
Destination IP	4.2.2.2
Destination IP	9.9.9.9
Destination IP	4.2.2.2
Destination IP	9.9.9.9
Destination IP	4.2.2.2
Destination IP	4.2.2.2
Destination IP	4.2.2.2
Destination IP	4.2.2.2
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	4.2.2.2
Destination IP	4.2.2.2
Destination IP	4.2.2.2
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	4.2.2.2
Destination IP	9.9.9.9
Destination IP	4.2.2.2
Destination IP	4.2.2.2
Destination IP	4.2.2.2
Destination IP	4.2.2.2
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	4.2.2.2
Destination IP	9.9.9.9

/tmp/ba01c08c3a6ea99f565ed6c06067bf4c9d257168ffb76da644cce01d94313db4.elf
/tmp/ba01c08c3a6ea99f565ed6c06067bf4c9d257168ffb76da644cce01d94313db4.elf
1⤵
- Changes its process name
- Deletes itself
- Renames itself
PID:671

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads