Analysis

max time kernel: 149s
max time network: 165s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 20-08-2024 13:33
Static task: static1
Behavioral task: behavioral1
Sample: 09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
Resource: debian9-armhf-20240611-en
General

Target: 09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
Size: 158KB
MD5: 7f71e02955f16589c2be4dc1a0887635
SHA1: d6463209a43522948baa41c98ea358e6a455ddb3
SHA256: 09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
SHA512: 39aff5070f61f1b3b53a805d9d0834aecbc571b94f36f0fc0b488554cdb0bf0205efce501118c8fd670e09ad7755e6772a2992859fd9840acb4163958a89128f
SSDEEP: 3072:qFs/AlUAk8mBJfaAnZY4b7rUb4jC7GkLy333fnZeM/9N5mmMFPwKi5qJY:qGaWZY4b7uiCLyn3fngM/9vmmMFPwKit
Malware Config

Signatures

Renames itself (1 IoC)
  pid: 657

Creates/modifies Cron job (1 TTP, 1 IoC)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  description                    ioc                                    process
  File opened for modification   /var/spool/cron/crontabs/tmp.MepP4q    crontab
Enumerates running processes
  Discovers information about currently running processes on the system

Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem.

  description               ioc                   process
  File opened for reading   /proc/15/cmdline      09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/680/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/702/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/745/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/769/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/107/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/652/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/706/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/710/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/754/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/272/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/273/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/730/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/137/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/338/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/662/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/791/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/797/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/19/cmdline      09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/131/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/743/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/773/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/1/cmdline       09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/9/cmdline       09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/22/cmdline      09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/23/cmdline      09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/298/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/681/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/765/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/784/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/787/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/7/cmdline       09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/20/cmdline      09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/598/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/682/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/694/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/793/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/649/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/667/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/698/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/filesystems     crontab
  File opened for reading   /proc/16/cmdline      09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/24/cmdline      09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/146/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/312/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/798/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/3/cmdline       09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/14/cmdline      09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/17/cmdline      09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/642/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/648/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/727/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/271/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/771/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/782/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/8/cmdline       09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/10/cmdline      09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/21/cmdline      09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/607/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/687/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/778/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/6/cmdline       09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/739/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  File opened for reading   /proc/772/cmdline     09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
Processes

/tmp/09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4 (depth 1)
  command: /tmp/09c748901b748e91ae570a50c2194d46f17ee782f5833527087c3ac77d4c97f4
  PID: 656
  signatures: Reads runtime system information

  /bin/sh (depth 2)
    command: sh -c "crontab -l"
    PID: 658

    /usr/bin/crontab (depth 3)
      command: crontab -l
      PID: 660

  /bin/sh (depth 2)
    command: sh -c "crontab -"
    PID: 663

    /usr/bin/crontab (depth 3)
      command: crontab -
      PID: 668
      signatures: Creates/modifies Cron job; Reads runtime system information
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 210B
MD5: 6ea0ae66d75d156f4929efbe5a97db31
SHA1: d344bfd3cc89163e9c3083248c99d96a548daac1
SHA256: b943fea461bb42de93dd07f294eaac4fa691ba4c7e8a503535548e32fcab5f45
SHA512: 83516f14cd4a734477b1208376a4880882aba59d1d4cda4afac9599c32192a0c8c7be499c37672305fdbf4f16540290f507d51e4da6a0ad12080bb1821a651e4