2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214

Analysis

max time kernel
150s
max time network
154s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
23/07/2024, 01:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
Size

158KB
MD5

c59c3b69f5e89d414dac775e51a9d36e
SHA1

b77c681b11d217af0591eeeb4b49e22bc3df638c
SHA256

2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214
SHA512

3003dacef71f39d7e565871add425bd1f551d44cb4cc39a4f73a8b11640c701175822693d6f815f317d19e0d9d8537c7732449322113d707f129e1b31c2a2714
SSDEEP

3072:MFs/AlUAk8mBJfaAnZY4b7rUb4jC7GkLy3L3fnZeM/9N5mmMFPwKi5qJY:MGaWZY4b7uiCLyb3fngM/9vmmMFPwKit

Score

7^/10

persistence

Malware Config

Signatures

Renames itself 1 IoCs

pid
669

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.VQ1WPa	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/10/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/16/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/19/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/667/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/688/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/710/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/5/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/9/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/767/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/804/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/138/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/659/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/25/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/97/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/660/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/661/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/794/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/795/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/811/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/753/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/769/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/141/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/280/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/278/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/669/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/682/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/684/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/23/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/105/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/448/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/800/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/712/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/802/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/805/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/219/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/708/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/732/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/774/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/15/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/20/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/41/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/761/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/7/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/678/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/681/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/699/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/724/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/755/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/337/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/622/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/692/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/744/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/793/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/801/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/11/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/136/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/760/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/727/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/680/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/711/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/713/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/733/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
File opened for reading	/proc/771/cmdline	2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf

/tmp/2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
/tmp/2b4823fc3fddb835d23128f41c99a235164b82f9da1fcf380d11b29f1960c214.elf
1⤵
- Reads runtime system information
PID:668
- /bin/sh
  sh -c "crontab -l"
  2⤵
  PID:670
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:671
- /bin/sh
  sh -c "crontab -"
  2⤵
  PID:677
- - /usr/bin/crontab
    crontab -
    3⤵
    - Creates/modifies Cron job
    - Reads runtime system information
    PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/spool/cron/crontabs/tmp.VQ1WPa

Filesize
210B

MD5
941b6668b05429449aa68511dcaa8539

SHA1
d290f9026a676e73f19968d260022f29089c4e67

SHA256
983b96d675f1305b4cd9c069a259b27c2e9649d4af3364ba15e0b468b30444a9

SHA512
52826e2a535239361a0a5aaa80cf58de7e0f57919140a3ec761c1381cb2d2f6bd6adaa025c87c3f6eb526801381972bda5264d073896c23d055207b286fb95d6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads