a32e912bff92c2c482a129304633cfa55576b801868e90c0d9846fd49b2e3d4c

Analysis

max time kernel
148s
max time network
137s
platform
debian-9_armhf
resource
debian9-armhf-20240226-en
resource tags

arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
26-03-2024 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a32e912bff92c2c482a129304633cfa55576b801868e90c0d9846fd49b2e3d4c.elf
Size

79KB
MD5

b11856b2a18ece2f2a4cffbdecac05de
SHA1

943a8ac9122942f16365323fe7b2955c2e30dc78
SHA256

a32e912bff92c2c482a129304633cfa55576b801868e90c0d9846fd49b2e3d4c
SHA512

bdcb41df10b219caea221449a5926a3b71d8e1b525ca9af497d15c6b625697ce105a7f6d1417a45bbcee11f238dbc605979e90c763536843e5cd7918dee1365d
SSDEEP

1536:pGVhhJkUqcEJiexWbsEmIx1E03VIYByxUa4XrclkDx3IjYQZ3yQ2K1Y:poktiznx1E03VjwxV4+kDpSZbD+

Score

7^/10

Malware Config

Signatures

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	b1kfsqa4ibcunjkmpww5	637	a32e912bff92c2c482a129304633cfa55576b801868e90c0d9846fd49b2e3d4c.elf

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.36.144.87

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc
File opened for reading	/proc/net/tcp

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/tcp

Reads runtime system information 21 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/88/cmdline	Process not Found
File opened for reading	/proc/99/cmdline	Process not Found
File opened for reading	/proc/999/cmdline	Process not Found
File opened for reading	/proc/44/cmdline	Process not Found
File opened for reading	/proc/33/cmdline	Process not Found
File opened for reading	/proc/55/cmdline	Process not Found
File opened for reading	/proc/66/cmdline	Process not Found
File opened for reading	/proc/2222/cmdline	Process not Found
File opened for reading	/proc/self/exe	a32e912bff92c2c482a129304633cfa55576b801868e90c0d9846fd49b2e3d4c.elf
File opened for reading	/proc/444/cmdline	Process not Found
File opened for reading	/proc/777/cmdline	Process not Found
File opened for reading	/proc/1111/cmdline	Process not Found
File opened for reading	/proc/3333/cmdline	Process not Found
File opened for reading	/proc/5555/cmdline	Process not Found
File opened for reading	/proc/6666/cmdline	Process not Found
File opened for reading	/proc/77/cmdline	Process not Found
File opened for reading	/proc/22/cmdline	Process not Found
File opened for reading	/proc/111/cmdline	Process not Found
File opened for reading	/proc/222/cmdline	Process not Found
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/11/cmdline	Process not Found

/tmp/a32e912bff92c2c482a129304633cfa55576b801868e90c0d9846fd49b2e3d4c.elf
/tmp/a32e912bff92c2c482a129304633cfa55576b801868e90c0d9846fd49b2e3d4c.elf
1⤵
- Changes its process name
- Reads runtime system information
PID:637

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
1⤵
PID:642
- /sbin/iptables
  iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  2⤵
  PID:644

/bin/sh
/bin/sh -c "/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
1⤵
PID:652
- /bin/busybox
  /bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  2⤵
  PID:655

/bin/sh
/bin/sh -c "/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
1⤵
PID:657
- /bin/iptables
  /bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  2⤵
  PID:659

/bin/sh
/bin/sh -c "/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
1⤵
PID:660
- /usr/bin/iptables
  /usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  2⤵
  PID:662

/bin/sh
/bin/sh -c "busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
1⤵
PID:663
- /bin/busybox
  busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  2⤵
  PID:665

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads