Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240226-en
  • resource tags
    arch:mips
    image:debian9-mipsbe-20240226-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    06/03/2024, 02:08

General

  • Target

    15b75fa3114a2dad6981e1a145cb45a9875948007a6e41ca2b2df4ad08aaff2b.elf

  • Size

    2.4MB

  • MD5

    9044d7e0ac4cab8917829cc22df9abda

  • SHA1

    e3076668487ccb1091f8d02fbfed62627d3bfe55

  • SHA256

    15b75fa3114a2dad6981e1a145cb45a9875948007a6e41ca2b2df4ad08aaff2b

  • SHA512

    412d6456de87e3656446c0e096667b3d0c3a8bcc7088adc7f0622b6f563cc04e66932c09a0a165c50d57b22523bf70110e73ed830ea5ed8b055c6bd49243a487

  • SSDEEP

    49152:I22aCIjTfiH8LnLf61ayqpTj0lB4ykrrpUymAI:zCsD1pTj0l+FGyO

Malware Config

Signatures

  • StealthWorker

    StealthWorker is Go-based brute-force malware.

  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information that may indicate whether the system is a virtual machine.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows tasks to run on a schedule and is commonly used for malware persistence.

  • Reads runtime system information 5 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/15b75fa3114a2dad6981e1a145cb45a9875948007a6e41ca2b2df4ad08aaff2b.elf
    /tmp/15b75fa3114a2dad6981e1a145cb45a9875948007a6e41ca2b2df4ad08aaff2b.elf
    1⤵
    • Reads runtime system information
    PID:709
    • /bin/cat
      cat /proc/version
      2⤵
      • Reads runtime system information
      PID:725
    • /bin/cat
      cat /proc/cpuinfo
      2⤵
      • Checks CPU configuration
      PID:728
    • /bin/uname
      uname -a
      2⤵
      PID:730
    • /usr/bin/getconf
      getconf LONG_BIT
      2⤵
      PID:732
    • /tmp/15b75fa3114a2dad6981e1a145cb45a9875948007a6e41ca2b2df4ad08aaff2b.elf
      "[stealth]"
      2⤵
      • Reads runtime system information
      PID:743
      • /bin/cat
        cat /proc/version
        3⤵
        • Reads runtime system information
        PID:748
  • /bin/cat
    cat /proc/cpuinfo
    1⤵
    • Checks CPU configuration
    PID:750
  • /bin/uname
    uname -a
    1⤵
    PID:751
  • /usr/bin/getconf
    getconf LONG_BIT
    1⤵
    PID:752
  • /usr/bin/crontab
    /usr/bin/crontab /tmp/nip9iNeiph5chee
    1⤵
    • Creates/modifies Cron job
    • Reads runtime system information
    PID:754

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/.pid
    Filesize: 3B
    MD5: 5c572eca050594c7bc3c36e7e8ab9550
    SHA1: f032e58930733b4d76fabb3398e75d86d881b245
    SHA256: 0df5486b7bca884d5f00c502e216f734b2865b202397f24bca25ac9b8a95ab4a
    SHA512: e123b36abe204842ee829186f2de9e604f66f634322e3678af903e9d06d03dccdf5accc4d5cd612c2ff75f4c64a283e9500c466e235d7031f77a6329f8be56b9

  • /tmp/nip9iNeiph5chee
    Filesize: 102B
    MD5: bfcddd8e98f8e3f1eebd6b58b115a318
    SHA1: 2b1b1e9ac3b6361c63e18d5d7d89f41b41e46e51
    SHA256: c01426f38518b1ebf0be9108b6e6cb8f4dea2dcfaa54068e0afca69163c7f734
    SHA512: b2b452b198ece9b2d23f75919c8d310d38846afb5d852dd46d2acecf41ae65011995f64e0c1918ed081fbf1c75941b8d7b22a91c69127aff361e3235c9dcfe75

  • /var/spool/cron/crontabs/tmp.s1p2Xg
    Filesize: 296B
    MD5: 661eb8495ff413b7b98afeb8cff2b506
    SHA1: dec2a10d03dbc290fc868e7be8bcbe1a629f8c9c
    SHA256: 0d45ffc872e2d241cbb60c00fd7afd2b427f4b2857deff12257d8c00d75b51fd
    SHA512: 7e98f970f475e1bbdc55f4dc12c651c16c17a6dbcd295a73ada836c24214b8789d3f466572ec9b12fad775c18dda3ad985f28565099dc5ffb0ab9c98c71fd144