Resubmissions

23/01/2024, 17:33

240123-v4y6qadedp 6

23/01/2024, 16:54

240123-vehsfachdq 6

Analysis

  • max time kernel
    1802s
  • max time network
    1796s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20231215-en
  • resource tags
    arch:armhf, image:debian9-armhf-20231215-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    23/01/2024, 16:54

General

  • Target: bin.armv7l
  • Size: 117KB
  • MD5: 07d0a458830a52f9cf7556307f646cc7
  • SHA1: 262b5b82a457eb135a2bc572f0a9339aa8ef2d65
  • SHA256: 892419180ca9f9d352df45baf01daadc646ad03d248f1cf0feeffb28559a2447
  • SHA512: f889dac08f0e800d2f5ce63ba2ab7d2c77922da1432178a1dce30879bb8eefc58cec0487a9821166681fd42433beb16d8d2a8132714c6aeef2bfa07ac03ba197
  • SSDEEP: 3072:ZyR1weNyv/nuyTyDNjouX/Ta06d1LPbyWGsb3wBH:Zy1wiSTuDNj/vTa06d1LPbvNwBH

Score
6/10

Malware Config

Signatures

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Modifies init.d 1 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

  • Modifies systemd 1 TTPs 1 IoCs

    Adds/modifies systemd service files, likely for persistence.

  • Write file to user bin folder 1 TTPs 1 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/bin.armv7l
    /tmp/bin.armv7l
    1⤵
    • Modifies init.d
    • Modifies systemd
    PID:667
    • /bin/sh
      /bin/sh -c "cp '/tmp/bin.armv7l' '/usr/bin/21916faa'"
      2⤵
      PID:673
      • /bin/cp
        cp /tmp/bin.armv7l /usr/bin/21916faa
        3⤵
        • Write file to user bin folder
        PID:676
    • /bin/sh
      /bin/sh -c "(crontab -l 2>/dev/null; echo \"@reboot /usr/bin/21916faa\") | crontab -"
      2⤵
      PID:677
      • /usr/bin/crontab
        crontab -
        3⤵
        • Creates/modifies Cron job
        PID:679
    • /bin/sh
      /bin/sh -c "chmod +x '/etc/init.d/mushi_1706025258' && update-rc.d '/etc/init.d/mushi_1706025258' defaults"
      2⤵
      PID:684
      • /bin/chmod
        chmod +x /etc/init.d/mushi_1706025258
        3⤵
        PID:685
      • /usr/sbin/update-rc.d
        update-rc.d /etc/init.d/mushi_1706025258 defaults
        3⤵
        PID:686
    • /bin/sh
      /bin/sh -c "systemctl daemon-reload && systemctl enable /etc/systemd/system/mushi1706025259.service"
      2⤵
      PID:689
      • /bin/systemctl
        systemctl daemon-reload
        3⤵
        • Enumerates kernel/hardware configuration
        PID:690
      • /bin/systemctl
        systemctl enable /etc/systemd/system/mushi1706025259.service
        3⤵
        • Enumerates kernel/hardware configuration
        PID:705
  • /usr/bin/crontab
    crontab -l
    1⤵
    PID:680

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /etc/init.d/mushi_1706025258
    Filesize: 588B
    MD5: 8dfe7306b1b13b6da64ccddbd1fd5054
    SHA1: ad34dbd7cd65fe97fe87866378946087e831c0b3
    SHA256: 28fc6723905036ae654f7b8e005823ec776cf5d4a14724337cfe5b9f53090d84
    SHA512: b7d338725386bfb2109b852c9bd8f5c3385915d191986781d094bc23de9bb511f22f769c085415983ea3b03cdf8f0ecfbaafda5aea4d7d578a3ff682b986ac49

  • /etc/systemd/system/mushi1706025259.service
    Filesize: 119B
    MD5: c327ed72fccbf6787cfc9b90ac4b45c1
    SHA1: 9ebab098a2c1dd5197570ac637939c180302ec9f
    SHA256: 2fd56b570f30dbc4cbe0c07b0d4799d16875b37db62d116d6a096e5c3cb77d76
    SHA512: 1749c048a90659e3a8eb3c0862f61c430ebc182136ef0902f3a8de09531a255b64cde71b058dd27e77c2d0906b57c1500091cfa612857b388936c627e71e6e8d

  • /usr/bin/21916faa
    Filesize: 117KB
    MD5: 07d0a458830a52f9cf7556307f646cc7
    SHA1: 262b5b82a457eb135a2bc572f0a9339aa8ef2d65
    SHA256: 892419180ca9f9d352df45baf01daadc646ad03d248f1cf0feeffb28559a2447
    SHA512: f889dac08f0e800d2f5ce63ba2ab7d2c77922da1432178a1dce30879bb8eefc58cec0487a9821166681fd42433beb16d8d2a8132714c6aeef2bfa07ac03ba197

  • /var/spool/cron/crontabs/tmp.X0zywk
    Filesize: 201B
    MD5: 41dc921fbf1f945e7ff8028070c119fc
    SHA1: 51832d58e9cdade393fab36e0ff48d67c48e5a08
    SHA256: 73a6d282d64b24509728704f6d55bfc750eedb59f23934e16fc06e1a1585e9d4
    SHA512: 913d81a6ba0b2ba605440f0a2743381692dc7de91db3ae80691a7650b52442b7989f32519c3c0813f591b56b799ed17b1ddac8b43be7e7662baad2b2f1ad9b54