Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240226-en
  • resource tags

    arch:mips, image:debian9-mipsbe-20240226-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
  • submitted
    05/03/2024, 22:48

General

  • Target

    9044d7e0ac4cab8917829cc22df9abda.elf

  • Size

    2.4MB

  • MD5

    9044d7e0ac4cab8917829cc22df9abda

  • SHA1

    e3076668487ccb1091f8d02fbfed62627d3bfe55

  • SHA256

    15b75fa3114a2dad6981e1a145cb45a9875948007a6e41ca2b2df4ad08aaff2b

  • SHA512

    412d6456de87e3656446c0e096667b3d0c3a8bcc7088adc7f0622b6f563cc04e66932c09a0a165c50d57b22523bf70110e73ed830ea5ed8b055c6bd49243a487

  • SSDEEP

    49152:I22aCIjTfiH8LnLf61ayqpTj0lB4ykrrpUymAI:zCsD1pTj0l+FGyO

Malware Config

Signatures

  • StealthWorker

    StealthWorker is Go-based brute-force malware.

  • Checks CPU configuration (1 TTP, 2 IoCs)

    Reads CPU information that can indicate whether the system is a virtual machine.

  • Creates/modifies Cron job (1 TTP, 1 IoC)

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Reads runtime system information (5 IoCs)

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/9044d7e0ac4cab8917829cc22df9abda.elf
    /tmp/9044d7e0ac4cab8917829cc22df9abda.elf
    1⤵
    • Reads runtime system information
    PID:705
    • /bin/cat
      cat /proc/version
      2⤵
      • Reads runtime system information
      PID:720
    • /bin/cat
      cat /proc/cpuinfo
      2⤵
      • Checks CPU configuration
      PID:722
    • /bin/uname
      uname -a
      2⤵
      PID:725
    • /usr/bin/getconf
      getconf LONG_BIT
      2⤵
      PID:727
    • /tmp/9044d7e0ac4cab8917829cc22df9abda.elf
      "[stealth]"
      2⤵
      • Reads runtime system information
      PID:729
      • /bin/cat
        cat /proc/version
        3⤵
        • Reads runtime system information
        PID:739
      • /bin/cat
        cat /proc/cpuinfo
        3⤵
        • Checks CPU configuration
        PID:740
      • /bin/uname
        uname -a
        3⤵
        PID:742
      • /usr/bin/getconf
        getconf LONG_BIT
        3⤵
        PID:743
      • /usr/bin/crontab
        /usr/bin/crontab /tmp/nip9iNeiph5chee
        3⤵
        • Creates/modifies Cron job
        • Reads runtime system information
        PID:745

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/.pid
    Filesize: 3B
    MD5: 5751ec3e9a4feab575962e78e006250d
    SHA1: baa924ce1ee3617f30a87ca26b2aeb62911af478
    SHA256: 509694b0a010c6431900e71b8210521af57d39ce8e64deb365f0a5c6c9a2ef6d
    SHA512: 47ccc6b01d9b2b8f27bac167d1fa138ad0f76d377637d4676c4496aa58300a393713a7188d0effd3973a7a16cce2a690e8060689286b171b12bd1cb3d33da536

  • /tmp/nip9iNeiph5chee
    Filesize: 70B
    MD5: f8c66737a5a1d0fa12f393e973728935
    SHA1: a6155b82a9124e9502043ca7f1d9f953ed281595
    SHA256: b1a91d53a00a377760ef6624e7f48858777fac647af44cc6b782e19d08a44f46
    SHA512: 5c677e9e8af688e21914e5d4a3c5b42b47af063844dec9c2febcd3a6d1545616c552c7002897e7ebf39d30acdcb37e2ff2a7a29c55e59e2e8822219266f1104e

  • /var/spool/cron/crontabs/tmp.gI1P78
    Filesize: 264B
    MD5: 59da7e33ee2478dade6cdb5690884229
    SHA1: 32e67f0265b6f4dcfd8a015802f86323f77aaf56
    SHA256: bc90fcc38db716a2703a2f6e4276887522106ea8cd1e5297e1d87040464b7674
    SHA512: c6f2f94c9cd39ea5442321d61507c080c7493f85d39cf0cb3a7434df676f75dbf0eae7e8c12d3f12985e0caa68730087fad435aaea3c061b4423246d93baf399