Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20231221-en
  • resource tags

    arch:mipsel image:debian9-mipsel-20231221-en kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mipsel system
  • submitted
    20/02/2024, 05:19

General

  • Target

    270f4158074793fe2f0fe45d5606e23fd722be7b41317e9ff0e0b4a4edb667db.elf

  • Size

    2.2MB

  • MD5

    597834b74b86439ee9902c3601fa08ae

  • SHA1

    25ecdcace82fed5abe4ce550c80607189d55b794

  • SHA256

    270f4158074793fe2f0fe45d5606e23fd722be7b41317e9ff0e0b4a4edb667db

  • SHA512

    56723ea9cc3c39d8b57e85a69f9fe5f0087f6f2287eaf80cca5350d7a2487836e2da2ef377661c06ccb29933a99352a4b93bdec35c870d519db00bbde15c9109

  • SSDEEP

    24576:kO+PuaNFZRml7/I1n0oOakVXFYd+lCQYWz1v:9eNnxd+lCWz1

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates kernel/hardware configuration 1 TTPs 37 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/270f4158074793fe2f0fe45d5606e23fd722be7b41317e9ff0e0b4a4edb667db.elf
    /tmp/270f4158074793fe2f0fe45d5606e23fd722be7b41317e9ff0e0b4a4edb667db.elf
    1⤵
    • Enumerates kernel/hardware configuration
    PID:698
    • /tmp/270f4158074793fe2f0fe45d5606e23fd722be7b41317e9ff0e0b4a4edb667db.elf
      /tmp/270f4158074793fe2f0fe45d5606e23fd722be7b41317e9ff0e0b4a4edb667db.elf " "
      2⤵
      • Enumerates kernel/hardware configuration
      PID:707
  • /bin/sh
    /bin/sh -c "/etc/32676&"
    1⤵
    PID:715
    • /etc/32676
      /etc/32676
      2⤵
      • Executes dropped EXE
      PID:717
      • /bin/sleep
        sleep 60
        3⤵
        PID:721
      • /etc/opt.services.cfg
        /etc/opt.services.cfg
        3⤵
        • Executes dropped EXE
        • Enumerates kernel/hardware configuration
        PID:869
        • /etc/opt.services.cfg
          /etc/opt.services.cfg " "
          4⤵
          • Executes dropped EXE
          • Enumerates kernel/hardware configuration
          PID:873
      • /bin/sleep
        sleep 60
        3⤵
        PID:874
      • /etc/opt.services.cfg
        /etc/opt.services.cfg
        3⤵
        • Executes dropped EXE
        • Enumerates kernel/hardware configuration
        PID:888
        • /etc/opt.services.cfg
          /etc/opt.services.cfg " "
          4⤵
          • Executes dropped EXE
          • Enumerates kernel/hardware configuration
          PID:892
      • /bin/sleep
        sleep 60
        3⤵
        PID:893
  • /usr/sbin/service
    service crond start
    1⤵
    PID:718
    • /usr/bin/basename
      basename /usr/sbin/service
      2⤵
      PID:720
    • /usr/bin/basename
      basename /usr/sbin/service
      2⤵
      PID:723
    • /bin/systemctl
      systemctl --quiet is-active multi-user.target
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:725
    • /bin/systemctl
      systemctl -p Triggers show dbus.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:738
    • /bin/systemctl
      systemctl -p Triggers show ssh.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:740
    • /bin/systemctl
      systemctl -p Triggers show syslog.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:742
    • /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:745
    • /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:746
    • /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:748
    • /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:749
    • /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:751
    • /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:752
    • /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:753
    • /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:754
    • /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:755
  • /bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    1⤵
    PID:731
  • /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    1⤵
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    PID:730
  • /usr/local/sbin/systemctl
    systemctl start crond.service
    1⤵
    PID:718
  • /usr/local/bin/systemctl
    systemctl start crond.service
    1⤵
    PID:718
  • /usr/sbin/systemctl
    systemctl start crond.service
    1⤵
    PID:718
  • /usr/bin/systemctl
    systemctl start crond.service
    1⤵
    PID:718
  • /sbin/systemctl
    systemctl start crond.service
    1⤵
    PID:718
  • /bin/systemctl
    systemctl start crond.service
    1⤵
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    PID:718
  • /bin/sh
    /bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"
    1⤵
    • Creates/modifies Cron job
    PID:756
  • /usr/bin/renice
    renice -20 707
    1⤵
    PID:767
  • /bin/mount
    mount -o bind /tmp/ /proc/707
    1⤵
    • Reads runtime system information
    PID:769
  • /usr/sbin/service
    service cron start
    1⤵
    PID:771
    • /usr/bin/basename
      basename /usr/sbin/service
      2⤵
      PID:773
    • /usr/bin/basename
      basename /usr/sbin/service
      2⤵
      PID:774
    • /bin/systemctl
      systemctl --quiet is-active multi-user.target
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:775
    • /bin/systemctl
      systemctl -p Triggers show dbus.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:783
    • /bin/systemctl
      systemctl -p Triggers show ssh.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:785
    • /bin/systemctl
      systemctl -p Triggers show syslog.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:788
    • /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:789
    • /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:791
    • /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      2⤵
      • Enumerates kernel/hardware configuration
      PID:793
    • /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:795
    • /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:797
    • /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:799
    • /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:802
    • /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:804
    • /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:806
  • /bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    1⤵
    • Reads runtime system information
    PID:781
  • /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    1⤵
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    PID:780
  • /usr/local/sbin/systemctl
    systemctl start cron.service
    1⤵
    PID:771
  • /usr/local/bin/systemctl
    systemctl start cron.service
    1⤵
    PID:771
  • /usr/sbin/systemctl
    systemctl start cron.service
    1⤵
    PID:771
  • /usr/bin/systemctl
    systemctl start cron.service
    1⤵
    PID:771
  • /sbin/systemctl
    systemctl start cron.service
    1⤵
    PID:771
  • /bin/systemctl
    systemctl start cron.service
    1⤵
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    PID:771
  • /bin/systemctl
    systemctl start crond.service
    1⤵
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    PID:810

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /.mod
    Filesize
    34B
    MD5
    f5a3713282e43c200f30342f5ff5e2ea
    SHA1
    2b2ce1a207e2b691a074c6f78f71c4785aae426a
    SHA256
    6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
    SHA512
    5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013

  • /etc/.walk
    Filesize
    41B
    MD5
    a77d52193da304b67ef13e5a97e9d784
    SHA1
    62065b2aa435e93918ca9475d331ebff687f31aa
    SHA256
    20f5245f40192dbd876cd694b5487f156b537fb6427e0399dae6b887839a2cc9
    SHA512
    82fe6d15143a1372d1a1b5df14ff4fac2e8237fb865e52a6a3c12df586ece450dcf75b9e3f051c7d282e0e821567f7980df1f7a6b01166f8a0bbe22c96a3a2fd

  • /etc/.walk
    Filesize
    90B
    MD5
    e7dcb27aa9438fd7a36003c524aa474b
    SHA1
    6c15c4b0821196075611ac30b68093e339e0f864
    SHA256
    1cbdaf00ff0cd80bd0594b0309aafdfb86ca24a8c140b90635566951542c3196
    SHA512
    20b66abb2b0368520095c627a659c63ddba3743ad9bac90416b47d49326ade1eb4fa9891c3e3fa893a7b7211d4dcb3765890cc1afa3a656cf57cf11e501e3a3f

  • /etc/32676
    Filesize
    61B
    MD5
    47684525bfdf26f49fd1cf742b17c015
    SHA1
    c4ab14ba22420ff9acadfc698a38d0cd99e9fbfa
    SHA256
    b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b
    SHA512
    948f9c519ae9afe1c821c5d58da2e584e50356dabef597ccd408853a9038560b9fb1c5894900e2725b48977ffd49d18a439436bb4946e2164ac9fcf2a8637621

  • /etc/opt.services.cfg
    Filesize
    2.2MB
    MD5
    597834b74b86439ee9902c3601fa08ae
    SHA1
    25ecdcace82fed5abe4ce550c80607189d55b794
    SHA256
    270f4158074793fe2f0fe45d5606e23fd722be7b41317e9ff0e0b4a4edb667db
    SHA512
    56723ea9cc3c39d8b57e85a69f9fe5f0087f6f2287eaf80cca5350d7a2487836e2da2ef377661c06ccb29933a99352a4b93bdec35c870d519db00bbde15c9109

  • /etc/profile.d/gateway.sh
    Filesize
    969B
    MD5
    606894c36d72bb541565c14db20572d8
    SHA1
    952463498e96a9a69be175e69e3e8f35093295b7
    SHA256
    236eaff4468086cb0f084a7bfab5d9714403a3f59663a58e0cdf149b7ab98a91
    SHA512
    c2799226df08bdf016d9393ed594c63c320924689ddcd240f1e0b7bc7c8766616c14038efe307d9adef8fab285d386a07ec2bd2a06f6a7c8f53b2f8a91152586

  • /usr/bin/include/find
    Filesize
    240KB
    MD5
    bb4edcad76062a76284c69f5fe4e50ea
    SHA1
    86055be4ce94fa3cffa9924e7b511e95df636606
    SHA256
    b7e25e128c130473f33c5135c78f591f35d7c4a7c5e1246c12eaa298db453474
    SHA512
    254acc62d2f83f5a4686adcf3fe6ad4697f392c288c5baa323830bb6f2466c303fd7bc9f237e98b2ca76bc3abb6b4c264e042be8c4291ae5cc21b2189d996521