Analysis
- max time kernel: 45s
- max time network: 52s
- platform: debian-12_armhf
- resource: debian12-armhf-20240221-en
- resource tags: arch:armhf, image:debian12-armhf-20240221-en, kernel:6.1.0-17-armmp-lpae, locale:en-us, os:debian-12-armhf, system
- submitted: 18-07-2024 15:45
Behavioral task: behavioral1
- Sample: 28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
- Resource: debian12-armhf-20240221-en
General
- Target: 28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
- Size: 1.1MB
- MD5: 558f29ecf48e1e1643405823f228008a
- SHA1: b869e8de1d5f511196b459abd061028cf5a05741
- SHA256: 28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
- SHA512: e0928ab208c9987613afd61636a4e0b0ea0c3cc891446c06a1917d6083c1de53725bb1d1cab3ae59b2b9707451bc789e2d163889181114e336cc871917b292fa
- SSDEEP: 24576:XB0J/zGmU0briuSIxhh/HtYqTdjQeH0s8EWIkQpALmpKaKTY3:Az7pbriuFhh/HtYqTdjNUs6IkQpALmpz
Malware Config
Signatures
- Contacts a large (38499) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- XMRig Miner payload (1 IoCs)
  Processes:
    resource: behavioral1/memory/706-1-0xb6a00000-0xb6d5e3d4-memory.dmp
    yara_rule: xmrig
  The YARA match is in a memory dump of PID 706, which is the sample's own process in the Processes tree below, so the miner code is resident in the sample process itself rather than in a dropped child.
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes:
    description: File opened for modification
    ioc: /var/spool/cron/crontabs/tmp.dh3rdn
    process: crontab
  tmp.dh3rdn is the temporary file crontab(1) writes in the spool directory before renaming it over the user's crontab; the content installed is the single @reboot line visible in the process tree below.
- Enumerates running processes
  Discovers information about currently running processes on the system (see the per-PID /proc/<pid>/cmdline reads under "Reads runtime system information").
- Changes its process name (1 IoCs)
  Processes:
    description: Changes the process name, possibly in an attempt to hide itself
    ioc: systemd
    pid: 723
  The chosen name is systemd. A process can rewrite its comm and argv, but not the /proc/<pid>/exe link, so the on-disk binary behind PID 723 remains resolvable.
- Checks CPU configuration (1 TTPs, 1 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  Processes:
    description: File opened for reading
    ioc: /proc/cpuinfo
    process: 28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
  Caveat: a CPU miner reads /proc/cpuinfo to select instruction-set paths and thread counts, so this read on its own is weak evidence of VM detection.
- Reads CPU attributes (1 TTPs, 20 IoCs)
  Processes: all "File opened for reading" by 28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6:
    /sys/devices/system/cpu/online
    /sys/devices/system/cpu/cpu0/cpu_capacity
    /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
    /sys/devices/system/cpu/cpu0/cpufreq/base_frequency
    /sys/devices/system/cpu/cpu0/topology/physical_package_id
    /sys/devices/system/cpu/cpu0/topology/core_id
    /sys/devices/system/cpu/cpu0/topology/package_cpus
    /sys/devices/system/cpu/cpu0/topology/core_cpus
    /sys/devices/system/cpu/cpu0/topology/cluster_cpus
    /sys/devices/system/cpu/cpu0/topology/die_cpus
    /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map
    /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map
    /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map
    /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map
    /sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map
    /sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map
    /sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map
    /sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map
    /sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map
    /sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map
- Enumerates kernel/hardware configuration (1 TTPs, 15 IoCs)
  Reads contents of /sys virtual filesystem to enumerate system information.
  Processes: all "File opened for reading" by 28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6:
    /sys/devices/system/cpu
    /sys/devices/cpu_atom/cpus
    /sys/devices/cpu_core/cpus
    /sys/bus/soc/devices
    /sys/devices/virtual/dmi/id
    /sys/class/dmi/id
    /sys/firmware/dmi/tables/smbios_entry_point
    /sys/firmware/efi/systab
    /sys/fs/cgroup/cgroup.controllers
    /sys/fs/cgroup/cpuset.cpus.effective
    /sys/fs/cgroup/cpuset.mems.effective
    /sys/kernel/mm/hugepages
    /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
    /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages
    /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages
  This set (CPU topology, cgroup cpuset limits, huge-page counts, DMI/SMBIOS and EFI tables) is what a miner's hardware-topology probe and huge-page setup read at startup; the Intel hybrid-CPU nodes cpu_atom/cpu_core are probed even though the guest is armhf, which points to generic topology-discovery code rather than platform-specific logic.
- Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem.
  Processes: all "File opened for reading" by 28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6.
  System and self entries (7):
    /proc/cmdline
    /proc/meminfo
    /proc/mounts
    /proc/sys/vm/nr_hugepages
    /proc/efi/systab
    /proc/self/exe
    /proc/self/cpuset
  /proc/<pid>/cmdline for 57 PIDs (the process enumeration flagged above):
    1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 27, 28, 31, 32, 33, 34, 35, 43, 45, 47, 58, 74, 143, 144, 189, 201, 213, 268, 301, 323, 324, 336, 343, 344, 350, 641, 648, 666, 680, 685, 698, 705, 756, 802, 805
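The two network signatures at the top of this list (38499 remote hosts, a large number of flows) are fan-out counts. The following added example, which is not part of the report or of the sandbox's own detection logic, shows that check as a practitioner would run it over a flow log: the largest number of distinct destination hosts any single source reaches inside a sliding time window. The flow lines are constructed, and the 60-second window and the threshold of 100 hosts are assumptions to tune against your own traffic baseline.

```python
"""Fan-out check behind the 'contacts a large amount of remote hosts' and
'creates a large amount of network flows' signatures.  Added example on a
constructed flow log (CSV: epoch_seconds,src,dst,dport,proto); the window
and threshold are assumptions, not values from the report."""
from collections import defaultdict


def build_sample_log():
    """Constructed flow log: one source sweeps 150 hosts in 30 s,
    another talks repeatedly to 3 hosts over about 16 minutes."""
    lines = ["# ts,src,dst,dport,proto  (constructed sample, not captured traffic)"]
    for i in range(150):                       # sweep: a new host every 0.2 s
        lines.append(f"{1000 + i // 5},10.0.0.5,192.0.2.{i},80,tcp")
    for i in range(50):                        # benign: 3 peers, one flow per 20 s
        lines.append(f"{1000 + i * 20},10.0.0.9,198.51.100.{i % 3},443,tcp")
    return "\n".join(lines) + "\n"


def flows_from_log(text):
    """Parse the CSV into (ts, src, dst, dport, proto) tuples, skipping comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split(",")
        flows.append((int(ts), src, dst, int(dport), proto))
    return flows


def max_fanout(flows, window=60):
    """For each source, the largest number of distinct destination hosts it
    contacted within any `window`-second span.  A two-pointer sweep over the
    time-sorted events keeps this linear per source."""
    by_src = defaultdict(list)
    for ts, src, dst, _dport, _proto in flows:
        by_src[src].append((ts, dst))
    result = {}
    for src, events in by_src.items():
        events.sort()
        live = defaultdict(int)   # dst -> number of flows currently inside the window
        left = 0
        best = 0
        for ts, dst in events:
            live[dst] += 1
            while events[left][0] < ts - window:   # expire events older than the window
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            best = max(best, len(live))
        result[src] = best
    return result


def scanners(flows, window=60, threshold=100):
    """Sources whose peak fan-out reaches the threshold, sorted for stable output."""
    return sorted(src for src, n in max_fanout(flows, window).items() if n >= threshold)


if __name__ == "__main__":
    sample = flows_from_log(build_sample_log())
    for src, n in sorted(max_fanout(sample).items()):
        print(f"{src}: {n} distinct hosts in a 60 s window")
    print("flagged:", scanners(sample))
```

The sandbox reached 38499 hosts in 52 seconds of network time, several hundred times the constructed threshold; in production the useful signal is the peak per window rather than the lifetime total, because a slow scanner spreads the same host count over hours.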
Processes
- /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6 (PID 706)
  command line: /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  - /bin/sh (PID 724): sh -c "command -v crontab >/dev/null 2>&1"
  - /bin/sh (PID 726): sh -c "crontab -r >/dev/null 2>&1; echo \"@reboot /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6\" | crontab -"
    - /usr/bin/crontab (PID 728): crontab -r
    - /usr/bin/crontab (PID 733): crontab -
      - Creates/modifies Cron job
  - /bin/sh (PID 739): sh -c "iptables -I INPUT -p tcp --dport 57002 -j ACCEPT >/dev/null 2>&1"
  - /bin/sh (PID 741): sh -c "command -v php >/dev/null 2>&1"
  - /bin/sh (PID 743): sh -c "command -v nginx >/dev/null 2>&1"
  - /bin/sh (PID 745): sh -c "which apache2"
    - /usr/bin/which (PID 748): which apache2
  - /bin/sh (PID 751): sh -c "which httpd"
    - /usr/bin/which (PID 753): which httpd

Reading the tree: the sample first confirms that crontab exists, then removes the invoking user's existing crontab (crontab -r) and installs a single @reboot entry that relaunches its own path under /tmp, so the persistence only survives a reboot if /tmp does. It then inserts an iptables rule accepting inbound TCP 57002 ahead of any existing INPUT rules (the report shows no listener on that port), and probes for php, nginx, apache2 and httpd; what it does with the result is not visible here. Every one of these shell calls discards stdout and stderr, so a missing crontab or iptables binary fails silently.
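As an added example, not code from the report or from the sandbox, here are the three host-side checks a responder would run for the behaviour in this tree: an @reboot crontab entry that executes from /tmp, an INPUT ACCEPT rule for an unexpected TCP port, and a process whose name claims to be systemd while /proc/<pid>/exe resolves into /tmp. The crontab text, the iptables-save excerpt and the process records are constructed to mirror the tree; the trusted-name list, the scratch-directory list and the set of allowed ports are assumptions to adapt to the host being examined.

```python
"""Host triage for the persistence and firewall changes in the process tree:
an @reboot crontab entry pointing into a scratch directory, an inbound
iptables ACCEPT for a non-standard TCP port, and a process whose comm is a
trusted daemon name while its exe lives where no daemon lives.  Added
example; the inputs are constructed stand-ins for
/var/spool/cron/crontabs/<user>, `iptables-save` output and /proc records."""
import re
from dataclasses import dataclass

# Constructed crontab body shaped like what `echo "@reboot /tmp/x" | crontab -`
# leaves behind (crontab prepends its own header comments).
CRONTAB_SAMPLE = """# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (- installed on Thu Jul 18 15:46:01 2024)
@reboot /tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6
"""

# Constructed iptables-save excerpt containing the rule from the tree plus a benign one.
IPTABLES_SAVE_SAMPLE = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 57002 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


@dataclass
class Proc:
    pid: int
    comm: str   # /proc/<pid>/comm; a process may set this itself via prctl(PR_SET_NAME)
    exe: str    # readlink /proc/<pid>/exe; not changeable without exec'ing another binary


# Constructed process records: the real init and a spoofed "systemd" running from /tmp.
PROCS_SAMPLE = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
    Proc(723, "systemd", "/tmp/28dc11bfe01f303a15c73150a9a7cdfda39828722c8ecb698147f78c500140a6"),
    Proc(800, "sshd", "/usr/sbin/sshd"),
]

# Assumed policy: tune these to the host.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
TRUSTED_NAMES = {"systemd", "kthreadd", "sshd", "cron", "dbus-daemon"}
ALLOWED_PORTS = {22, 80, 443}


def cron_findings(crontab_text):
    """@reboot jobs whose command runs from a world-writable scratch directory."""
    out = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0] == "@reboot" and fields[1].startswith(SUSPICIOUS_DIRS):
            out.append(("cron_reboot_tmp", fields[1]))
    return out


def iptables_findings(save_text):
    """INPUT ACCEPT rules that open a TCP port outside the allowed set."""
    rule = re.compile(r"^-A INPUT .*-p tcp .*--dport (\d+) .*-j ACCEPT")
    out = []
    for line in save_text.splitlines():
        m = rule.match(line)
        if m and int(m.group(1)) not in ALLOWED_PORTS:
            out.append(("iptables_open_port", int(m.group(1))))
    return out


def procname_findings(procs):
    """comm claims a trusted daemon name but exe resolves into a scratch directory."""
    return [("spoofed_comm", p.pid, p.comm, p.exe)
            for p in procs
            if p.comm in TRUSTED_NAMES and p.exe.startswith(SUSPICIOUS_DIRS)]


def triage(crontab_text=CRONTAB_SAMPLE, save_text=IPTABLES_SAVE_SAMPLE, procs=PROCS_SAMPLE):
    """Run all three checks and return the combined findings."""
    return cron_findings(crontab_text) + iptables_findings(save_text) + procname_findings(procs)


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

On a live host the inputs come from `cat /var/spool/cron/crontabs/*` (root required), `iptables-save`, and `/proc/<pid>/comm` plus `readlink /proc/<pid>/exe` for each PID; the exe check is the one that survives the name change flagged under "Changes its process name", since comm and argv are under the process's control and the exe link is not.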
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 253B
  MD5: 6879c3e8677c0570e342faf096c5740b
  SHA1: f9a46a263f7fee487a97da084cb95a721d0c9a26
  SHA256: a77a26d832b7a9a89e6cb4a7a2dc09ad2f6d3bb27b4dccca7440772e07d9e870
  SHA512: 7cc3f271729cb06f0690cc8e604ec3e37c6fd4dd1e00564ddeb1316718f505b1607befa0673180fcd2c30749702f6a16f3384f2f804c69a036ab779a1b164969