Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240226-en
  • resource tags

    arch:armhf
    image:debian9-armhf-20240226-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    06/03/2024, 02:41

General

  • Target

    f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf

  • Size

    2.4MB

  • MD5

    da12ead92069e02db3b88d15ac2c2823

  • SHA1

    297bf4ce9a344d6c27eba64bf1ddf2707567a2ef

  • SHA256

    f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a

  • SHA512

    5769feee3276dbacae7a6711a7a5b7ddae425f689aa5655cb1bfb7dd4046a28ac075c807a8436a191542f97103c60ef42bcfd9110bb68a82891a2ab9b04cdd25

  • SSDEEP

    49152:e5R845g7EfVpclzm6XRkQfqFWWrO7dE2UlFHuOqrJPLWziHTHpDj:eDqUpuzmiRFiXrWa2UlwrJWzGFj

Malware Config

Signatures

  • StealthWorker

    StealthWorker is Go-based brute-force malware.

  • Deletes itself 1 IoCs
  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information (here /proc/cpuinfo) that indicates whether the system is a virtual machine.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule and is commonly used for malware persistence; here the sample installs a crontab from a file it wrote to /tmp.

  • Reads runtime system information 7 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf
    /tmp/f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf
    1⤵
    • Reads runtime system information
    PID:660
    • /bin/cat
      cat /proc/version
      2⤵
      • Reads runtime system information
      PID:679
  • /bin/cat
    cat /proc/cpuinfo
    1⤵
    • Checks CPU configuration
    PID:682
  • /bin/uname
    uname -a
    1⤵
    PID:684
  • /usr/bin/getconf
    getconf LONG_BIT
    1⤵
    PID:687
  • /tmp/f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf
    "[stealth]"
    1⤵
    • Reads runtime system information
    PID:689
    • /bin/cat
      cat /proc/version
      2⤵
      • Reads runtime system information
      PID:699
  • /bin/cat
    cat /proc/cpuinfo
    1⤵
    • Checks CPU configuration
    PID:702
  • /bin/uname
    uname -a
    1⤵
    PID:704
  • /usr/bin/getconf
    getconf LONG_BIT
    1⤵
    PID:706
  • /usr/bin/crontab
    /usr/bin/crontab /tmp/nip9iNeiph5chee
    1⤵
    • Creates/modifies Cron job
    • Reads runtime system information
    PID:707
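The process tree above is a compact behavioural chain: a binary running from /tmp fingerprints the host (cat /proc/version, cat /proc/cpuinfo, uname -a, getconf LONG_BIT), re-executes itself with the kernel-thread-looking argv "[stealth]", and then installs a crontab from a file it wrote to /tmp. The following Python is an added example of turning that chain into detection logic; it is not tria.ge code and not part of the StealthWorker sample. The event records are constructed from the PIDs and command lines in this report; the parent PIDs (the report shows depth markers, not ppids), the ppid 1 for the first process, the benign control events, and the ProcEvent/analyse names are assumptions made for the example.

```python
"""Flag tmp-resident binaries that fingerprint the host and then persist via crontab.

Added example; not tria.ge or StealthWorker code. Events are constructed from
the report's process tree, with parent PIDs assumed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    exe: str       # resolved executable path (e.g. from an execve audit record)
    cmdline: str   # argv joined with spaces


# Host-fingerprinting commands copied from the process tree above.
RECON_CMDS = {
    "cat /proc/version": "os_version",
    "cat /proc/cpuinfo": "cpu_info",      # the "Checks CPU configuration" signature
    "uname -a": "kernel",
    "getconf LONG_BIT": "word_size",
}
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# argv[0] styled like a kernel thread, e.g. "[stealth]" (heuristic, not a hard rule)
KTHREAD_NAME = re.compile(r"^\[[^\]\s]+\]$")


def in_tmp(path: str) -> bool:
    return path.startswith(TMP_DIRS)


def tmp_ancestor(ev, by_pid):
    """Return the nearest process (ev itself or an ancestor) whose exe lives in a tmp dir."""
    cur, seen = ev, set()
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if in_tmp(cur.exe):
            return cur
        cur = by_pid.get(cur.ppid)   # None once we walk past the recorded tree
    return None


def analyse(events):
    """Return (verdict, findings) for a list of ProcEvent."""
    by_pid = {e.pid: e for e in events}
    recon = defaultdict(set)          # pid of tmp-resident root -> recon kinds observed
    findings = []
    for ev in events:
        argv = ev.cmdline.split()
        argv0 = argv[0].strip('"') if argv else ""
        root = tmp_ancestor(ev, by_pid)
        kind = RECON_CMDS.get(ev.cmdline.strip())
        if kind and root is not None and root.pid != ev.pid:
            recon[root.pid].add(kind)
        if ev.exe.endswith("/crontab"):
            for arg in argv[1:]:
                if in_tmp(arg):
                    findings.append(f"pid {ev.pid}: crontab installed from tmp file {arg}")
        if in_tmp(ev.exe) and KTHREAD_NAME.match(argv0):
            findings.append(f"pid {ev.pid}: tmp binary {ev.exe} masquerading as kernel thread {argv0}")
    for pid, kinds in recon.items():
        if len(kinds) >= 3:   # three distinct probes from one tmp binary is well past normal
            findings.append(f"pid {pid}: tmp binary fingerprinted host via {sorted(kinds)}")
    has_recon = any(len(k) >= 3 for k in recon.values())
    has_cron = any("crontab installed" in f for f in findings)
    verdict = "malicious" if has_recon and has_cron else ("suspicious" if findings else "clean")
    return verdict, findings


# Constructed from the report's process tree; ppids and the initial ppid 1 are assumed.
ELF = "/tmp/f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf"
SAMPLE_EVENTS = [
    ProcEvent(660, 1, ELF, ELF),
    ProcEvent(679, 660, "/bin/cat", "cat /proc/version"),
    ProcEvent(682, 660, "/bin/cat", "cat /proc/cpuinfo"),
    ProcEvent(684, 660, "/bin/uname", "uname -a"),
    ProcEvent(687, 660, "/usr/bin/getconf", "getconf LONG_BIT"),
    ProcEvent(689, 660, ELF, "[stealth]"),
    ProcEvent(699, 689, "/bin/cat", "cat /proc/version"),
    ProcEvent(702, 689, "/bin/cat", "cat /proc/cpuinfo"),
    ProcEvent(704, 689, "/bin/uname", "uname -a"),
    ProcEvent(706, 689, "/usr/bin/getconf", "getconf LONG_BIT"),
    ProcEvent(707, 689, "/usr/bin/crontab", "/usr/bin/crontab /tmp/nip9iNeiph5chee"),
]

# Constructed benign control: an interactive shell running one probe and editing a crontab from /etc.
BENIGN_EVENTS = [
    ProcEvent(1200, 1, "/bin/bash", "bash"),
    ProcEvent(1201, 1200, "/bin/uname", "uname -a"),
    ProcEvent(1202, 1200, "/usr/bin/crontab", "crontab /etc/cron.d/backup"),
]

if __name__ == "__main__":
    for name, evs in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        verdict, findings = analyse(evs)
        print(f"{name}: {verdict}")
        for f in findings:
            print("  -", f)
```

Run stand-alone it prints "sample: malicious" with four findings (the "[stealth]" masquerade, the crontab install from /tmp/nip9iNeiph5chee, and one fingerprinting finding for each of PIDs 660 and 689) and "benign: clean". In a real pipeline the ProcEvent list would come from execve audit records; the recon threshold of three distinct probes keeps a lone uname -a from an admin shell out of the alert.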

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/.pid

    Filesize

    3B

    MD5

    07a96b1f61097ccb54be14d6a47439b0

    SHA1

    53c53c5d2b630c0d912264bb9edf8cf6f0afa260

    SHA256

    fc4fb94d36f45aa9d13358022455e55db4b6f0eb536a1b2897c90dfd3df9eb9b

    SHA512

    affb35d9483f4468ac879d5279b64f1d57a9754061b47beafc877e92874610cea38d3200499a59cb6927b568871dcf4e80ec7984e680db64198be72a75aa6d51

  • /tmp/nip9iNeiph5chee

    Filesize

    102B

    MD5

    5beb64e696f167cf70c565db95086bb6

    SHA1

    1d014c3aca2ff129a7a9ca32e48cffa0824c483c

    SHA256

    abf2f9adb0147db9430e7154be77b00c13c0ddb374d7eb73dff629d582c39b38

    SHA512

    18d37229734ebeeaad876144ee2b0351c28aab501b8d83252dc074be91c2456cb92ed6ddb4c0a841c5f140985ca7e4a47a81f2e8932c33f16288bc22fbff0e05

  • /var/spool/cron/crontabs/tmp.AiTPTz

    Filesize

    296B

    MD5

    19f8a018f9446613ede02c8d22096d66

    SHA1

    34a2665bcd418e5677e165e425f4948972e1bb78

    SHA256

    0d0440d2480a67ae31ba86513bf8bbc1bc0d3cbe152d8dc1356754e9ba60fb3c

    SHA512

    36fb1472bd853af9bd71ce6b1cc8902e87eb5a540fbb9b92313bb7e20079b2eba8f9fdf8f72a86ad5e21632634bc30e46c65fb7dd3dbc17ccac869f75b86fcab