Analysis
- max time kernel: 148s
- max time network: 152s
- platform: debian-9_armhf
- resource: debian9-armhf-20240226-en
- resource tags: arch:armhf, image:debian9-armhf-20240226-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 06/03/2024, 02:41
Behavioral task: behavioral1
- Sample: f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf
- Resource: debian9-armhf-20240226-en
General
- Target: f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf
- Size: 2.4MB
- MD5: da12ead92069e02db3b88d15ac2c2823
- SHA1: 297bf4ce9a344d6c27eba64bf1ddf2707567a2ef
- SHA256: f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a
- SHA512: 5769feee3276dbacae7a6711a7a5b7ddae425f689aa5655cb1bfb7dd4046a28ac075c807a8436a191542f97103c60ef42bcfd9110bb68a82891a2ab9b04cdd25
- SSDEEP: 49152:e5R845g7EfVpclzm6XRkQfqFWWrO7dE2UlFHuOqrJPLWziHTHpDj:eDqUpuzmiRFiXrWa2UlwrJWzGFj
Malware Config
Signatures
- StealthWorker
  StealthWorker is Go-based brute-force malware.
- Deletes itself (1 IoC)
  - pid: 659
- Checks CPU configuration (1 TTP, 2 IoCs)
  Checks CPU information that indicates whether the system is a virtual machine.
  - File opened for reading /proc/cpuinfo (process: cat)
  - File opened for reading /proc/cpuinfo (process: cat)
- Creates/modifies Cron job (1 TTP, 1 IoC)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  - File opened for modification /var/spool/cron/crontabs/tmp.AiTPTz (process: crontab)
- Reads runtime system information (7 IoCs)
  Reads data from the /proc virtual filesystem.
  - File opened for reading /proc/sys/net/core/somaxconn (process: f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf)
  - File opened for reading /proc/version (process: cat)
  - File opened for reading /proc/filesystems (process: crontab)
  - File opened for reading /proc/self/exe (process: f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf)
  - File opened for reading /proc/sys/net/core/somaxconn (process: f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf)
  - File opened for reading /proc/version (process: cat)
  - File opened for reading /proc/self/exe (process: f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf)
- Writes file to tmp directory (3 IoCs)
  Malware often drops required files in the /tmp directory.
  - File opened for modification /tmp/.pid
  - File opened for modification /tmp/nip9iNeiph5chee
  - File opened for modification /tmp/[stealth].pid
Processes
- /tmp/f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf (command: /tmp/f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf, PID 660)
  - Reads runtime system information
  - /bin/cat (command: cat /proc/version, PID 679)
    - Reads runtime system information
- /bin/cat (command: cat /proc/cpuinfo, PID 682)
  - Checks CPU configuration
- /bin/uname (command: uname -a, PID 684)
- /usr/bin/getconf (command: getconf LONG_BIT, PID 687)
- /tmp/f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf (command: "[stealth]", PID 689)
  - Reads runtime system information
  - /bin/cat (command: cat /proc/version, PID 699)
    - Reads runtime system information
- /bin/cat (command: cat /proc/cpuinfo, PID 702)
  - Checks CPU configuration
- /bin/uname (command: uname -a, PID 704)
- /usr/bin/getconf (command: getconf LONG_BIT, PID 706)
- /usr/bin/crontab (command: /usr/bin/crontab /tmp/nip9iNeiph5chee, PID 707)
  - Creates/modifies Cron job
  - Reads runtime system information
Network
MITRE ATT&CK Enterprise v15
Downloads