Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf
    image:debian9-armhf-20240611-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    27/07/2024, 01:14

General

  • Target

    c3cf87c1ccc3b6c8fb6fb1487f1ab8ea.elf

  • Size

    135KB

  • MD5

    c3cf87c1ccc3b6c8fb6fb1487f1ab8ea

  • SHA1

    2225668f88b7708e7ec34cf894b1cab0baad58d3

  • SHA256

    e5bdf6a3a8231817ab7b78932dcf2314cfff4bfcea3ff0df37f93fc7ee03be36

  • SHA512

    024d39d79b8628e5aa754bd4ba2678344fd0f825db099eed6b24e46202f48e0574e29b78285c80275cbea3b95db2d29f6a081cd001193bae34b8a9b535c1c909

  • SSDEEP

    3072:6P2pM0YkxftPZJp1Nl/zOj16wLVJP7FQjaOroWFaS/dUJZX7uTkYWk9my3QCYeAq:F6FQjaOroZJ9iTB9my3QCYeAgY8

Score
7/10

Malware Config

Signatures

  • Deletes Audit logs 1 TTPs 1 IoCs

    Deletes logs related to the Linux Audit framework.

  • Deletes system logs 1 TTPs 2 IoCs

    Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

  • Writes DNS configuration 1 TTPs 1 IoCs

    Writes data to DNS resolver config file.

  • Deletes log files 1 TTPs 29 IoCs

    Deletes log files on the system.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Changes its process name 1 IoCs
  • Reads CPU attributes 1 TTPs 1 IoCs
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/c3cf87c1ccc3b6c8fb6fb1487f1ab8ea.elf
    /tmp/c3cf87c1ccc3b6c8fb6fb1487f1ab8ea.elf
    1⤵
    • Writes DNS configuration
    • Changes its process name
    PID:660
    • /bin/sh
      sh -c "pkill -9 busybox"
      2⤵
        PID:665
        • /usr/bin/pkill
          pkill -9 busybox
          3⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:667
      • /bin/sh
        sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
        2⤵
          PID:673
          • /bin/rm
            rm -rf /tmp/c3cf87c1ccc3b6c8fb6fb1487f1ab8ea.elf /tmp/systemd-private-5b6547f890144853b40523591e89f894-systemd-timedated.service-8Sxkaq /var/backups /var/cache /var/lib /var/local /var/lock /var/log /var/mail /var/opt /var/run /var/spool /var/tmp /var/run/atd.pid /var/run/auditd.pid /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/dbus /var/run/dhclient.eth0.pid /var/run/exim4 /var/run/initctl /var/run/initramfs /var/run/lock /var/run/log /var/run/motd.dynamic /var/run/mount /var/run/network /var/run/rsyslogd.pid /var/run/sendsigs.omit.d /var/run/shm /var/run/sshd /var/run/sshd.pid /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/user /var/run/utmp /var/tmp/systemd-private-5b6547f890144853b40523591e89f894-systemd-timedated.service-OsjdB5
            3⤵
            • Deletes Audit logs
            • Deletes system logs
            • Deletes log files
            PID:675
        • /bin/sh
          sh -c "rm -rf /var/log/wtmp"
          2⤵
            PID:693
            • /bin/rm
              rm -rf /var/log/wtmp
              3⤵
              • Deletes log files
              PID:694
          • /bin/sh
            sh -c "rm -rf ~/.bash_history"
            2⤵
              PID:695
              • /bin/rm
                rm -rf "~/.bash_history"
                3⤵
                  PID:696
              • /bin/sh
                sh -c "history -c;history -w"
                2⤵
                  PID:697

Network

MITRE ATT&CK Enterprise v15
