Resubmissions
date               analysis ID         score
06/09/2024, 16:39  240906-t6bb1awhpk   10
06/09/2024, 16:01  240906-tgps4avfmq   10
05/09/2024, 17:38  240905-v7qnrawdlj   10
05/09/2024, 17:34  240905-v5j37awhkd   10
05/09/2024, 17:29  240905-v2xj4swckr   10

Analysis
max time kernel:   149s
max time network:  181s
platform:          debian-12_armhf
resource:          debian12-armhf-20240221-en
resource tags:     arch:armhf, image:debian12-armhf-20240221-en, kernel:6.1.0-17-armmp-lpae, locale:en-us, os:debian-12-armhf, system
submitted:         05/09/2024, 17:38
Behavioral task
behavioral1
Sample:    e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
Resource:  debian12-armhf-20240221-en

General
Target:  e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
Size:    117KB
MD5:     4a562992cfe96cca14e9ae680caf1064
SHA1:    8b50ff3f0f4f77431f083d1f527361ced31e228f
SHA256:  e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c
SHA512:  1e606c5d99fa9958da72a80d2e182b596819a98d0a8852514a3fee01e907a526a7300c10837342535051e72082b029b3f33bd32b81bc45c805f8be3c9f83a6b3
SSDEEP:  3072:AVDvu7a0GkH8XcaUJrfhZVNFNITaKW7lJwY7:Ac7axkHYcaUJrfhZLFNbKylOY7
Malware Config
Extracted
Family:  mirai
C2:      www.india-scam-call-center.pw
Signatures

Creates/modifies Cron job (1 TTP, 3 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence. Note the split in the Process column: the sample itself writes the root crontab file, while the two tmp.* entries in the spool directory are written by the crontab binary that the sample launches (see the process tree) to install that file.
  description                    ioc                                   process
  File opened for modification   /var/spool/cron/crontabs/tmp.xMHSuA   crontab
  File opened for modification   /var/spool/cron/crontabs/tmp.R4BP4g   crontab
  File opened for modification   /var/spool/cron/crontabs/root         e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

Writes file to system bin folder (1 IoC)
  description                    ioc          process
  File opened for modification   /bin/wzzyc   e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

Changes its process name (1 IoC)
  description                                                   pid   process
  Changes the process name, possibly in an attempt to hide itself   706   e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

Command and Scripting Interpreter: Unix Shell (1 TTP, 2 IoCs)
Execute scripts via Unix Shell.
  pid   process
  717   sh
  718   sh

Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
  description                    ioc                         process
  File opened for modification   /tmp/allah_is_prick.html    e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
Processes

/tmp/e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf  (PID 706)
  command line: /tmp/e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf arm7
  - Creates/modifies Cron job
  - Writes file to system bin folder
  - Changes its process name
  - Writes file to tmp directory

  /bin/sh  (PID 717)
    command line: /bin/sh -c "crontab /var/spool/cron/crontabs/root"
    - Command and Scripting Interpreter: Unix Shell

    /usr/bin/crontab  (PID 724)
      command line: crontab /var/spool/cron/crontabs/root
      - Creates/modifies Cron job

  /bin/sh  (PID 718)
    command line: /bin/sh -c "crontab /var/spool/cron/crontabs/root"
    - Command and Scripting Interpreter: Unix Shell

    /usr/bin/crontab  (PID 723)
      command line: crontab /var/spool/cron/crontabs/root
      - Creates/modifies Cron job
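An added host-triage helper built from the indicators in the sections above; it is not part of the sandbox report and is not code from the sample or from the sandbox vendor. It checks a live host (or a mounted disk image) for the dropped files /bin/wzzyc and /tmp/allah_is_prick.html, inspects the root crontab the sample installs, and looks for processes whose kernel-visible name does not match their executable, which is what the "Changes its process name" signature implies. The IoC values are copied from the report; the crontab heuristics (the report does not show the crontab contents), the process-name check, and all function names are this example's own assumptions. It uses only the Python standard library so it runs on the Debian armhf image the sample targets.

```python
"""Host triage for the IoCs in the report above (added example, not part of
the report). IoC values are copied from the report; the heuristics and the
function names are this example's own assumptions.

Usage: sudo python3 triage_mirai.py            # live host, /proc is read too
       python3 triage_mirai.py /mnt/image      # mounted disk image, no /proc
"""
from __future__ import annotations

import hashlib
import json
import os
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# IoCs from the report
SAMPLE_SHA256 = "e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c"
DROPPED_FILES = ("bin/wzzyc", "tmp/allah_is_prick.html")  # relative to the root
ROOT_CRONTAB = "var/spool/cron/crontabs/root"
C2_HOST = "www.india-scam-call-center.pw"

# Assumption: the report does not show the crontab text, so flag any entry that
# points at the dropped binary, a stager in a scratch dir, a downloader, or the C2.
CRON_SUSPECT = re.compile(
    r"(/bin/wzzyc|/tmp/|/var/tmp/|/dev/shm/|\bwget\b|\bcurl\b|\btftp\b|"
    + re.escape(C2_HOST) + r")"
)
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
COMM_LEN = 15  # /proc/<pid>/comm holds at most TASK_COMM_LEN-1 = 15 characters

Proc = Tuple[int, str, str]  # (pid, comm, exe link target)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dropped_files(root: Path) -> Dict[str, str]:
    """Map each dropped-file path present under root to its SHA-256, so a hit
    can be compared against SAMPLE_SHA256 (a copy of the bot) or catalogued."""
    return {rel: sha256_file(root / rel) for rel in DROPPED_FILES if (root / rel).is_file()}


def suspicious_crontab_lines(text: str) -> List[str]:
    """Non-comment crontab lines matching CRON_SUSPECT; the sample installs its
    persistence entry with `crontab /var/spool/cron/crontabs/root`."""
    hits = []
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and CRON_SUSPECT.search(s):
            hits.append(s)
    return hits


def process_name_mismatches(procs: Iterable[Proc]) -> List[Proc]:
    """Flag processes whose kernel-visible name (comm) does not match their
    executable, or whose executable lives in a scratch dir or was unlinked.
    A mismatch is a lead, not proof: busybox applets and renamed wrappers
    trigger it too, so review hits by hand."""
    flagged = []
    for pid, comm, exe in procs:
        deleted = exe.endswith(" (deleted)")
        base = os.path.basename(exe[: -len(" (deleted)")] if deleted else exe)
        in_scratch = exe.startswith(SCRATCH_DIRS)
        if deleted or in_scratch or not base.startswith(comm[:COMM_LEN]):
            flagged.append((pid, comm, exe))
    return flagged


def read_proc(proc: Path = Path("/proc")) -> List[Proc]:
    """Collect (pid, comm, exe) from procfs; entries we cannot read are skipped."""
    out: List[Proc] = []
    for d in proc.iterdir():
        if not d.name.isdigit():
            continue
        try:
            comm = (d / "comm").read_text().strip()
            exe = os.readlink(d / "exe")
        except OSError:
            continue  # kernel thread, already-exited process, or no permission
        out.append((int(d.name), comm, exe))
    return out


def triage(root: Path = Path("/")) -> Dict[str, object]:
    cron = root / ROOT_CRONTAB
    return {
        "dropped_files": find_dropped_files(root),
        "crontab_entries": suspicious_crontab_lines(cron.read_text(errors="replace")) if cron.is_file() else [],
        # /proc only reflects the live host, never a mounted image
        "process_name_mismatches": process_name_mismatches(read_proc()) if root == Path("/") else [],
    }


if __name__ == "__main__":
    print(json.dumps(triage(Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/")), indent=2))
```

A hit on /bin/wzzyc whose SHA-256 equals SAMPLE_SHA256 is a copy of the bot; any other hash is still worth pulling, since the report lists only the file the sample wrote, not its contents. On a live host run the script before killing PID 706's successor, because a process that has deleted its own executable shows up only through the "(deleted)" check while it is still running.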
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize  10B
MD5       708dbfc6a84de873443d951456cd26f6
SHA1      902d30744c9c92cfc1d1182afd56399a62d87278
SHA256    b9ade1c3063c9715ba78870f7c81a4cff77a2af70c8ee08e71c1d0d0fbafdda9
SHA512    44f0ef03157be72c17a17c19bdf026add4dedaf558d7318e0928559ab43b0da1a3d7c09bc2e490fb0f1f082837baef98e8ed95e0669788f8c28f680fbd9b54bc

Filesize  20B
MD5       91762d4431a566d3fd28be9a6dd2327e
SHA1      48d8c2f48e6f652b32129dba2ae943d559df5722
SHA256    739d345fefe9f9f5bd37e537909581841b1c4639a47d92b658026cc3ef48d71d
SHA512    2a32e10fa69b57a3a32ff3a156ca586bb21a0b06e25e8072f5519eda34fb376de69779bc3e83611fab3af17f9b96679885b0d0f03eb3d5f54de741f9edffd1f6

Filesize  30B
MD5       71326ec3e3baca5e4eba5219d4aeca13
SHA1      cad70dcf934467cc79772d37c217f633d4ecbaaa
SHA256    7fb63fff4048e93cad55b81eef13ad3638d6326a5548afde904e00f4ed70ebf7
SHA512    3469a3e81c951ef715942fdfea80f7d386750fb474f166be692242609a0e6912037aecb0093236cf0291394a0e577c9f676b419e68132815c40f80d7baec37b8

Filesize  40B
MD5       8b8bb3ce64523dfc992ed1739cea50ba
SHA1      f0e1faa7a9b25755c93465a8c3b1cc1faec04a39
SHA256    6e3b35397ded0ab90ff0bf8f327dd6d7930d444314e74ad14c88f1ec662fb89f
SHA512    bc2e9ab9bc7f9d47aa5ba5e3abe02d60c74f5998fce337bcc3c10cca64ad13be7f15a1b60078a1b20730a0c12d2c869b8703aa284e95d789f78303841e131b1c

Filesize  360B
MD5       3a2d9ee3d20a76ed6af3f066be482b64
SHA1      8ee4338df17d6dbbd7cfec1aa0abbd6a7b8081f6
SHA256    9d542210472a30c5142df1f1ac2a25d72a453c5dfad27b09f805691a2e936082
SHA512    715e81e95217eb0d10c1fb3518a589782c2f67bc100e349582cccb5ab5706c4ec931879e3c03717a099d475f8dbec58082cee306c74cd264bd733b5b98aa0b25

Filesize  117KB  (the submitted sample; hashes match the General section)
MD5       4a562992cfe96cca14e9ae680caf1064
SHA1      8b50ff3f0f4f77431f083d1f527361ced31e228f
SHA256    e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c
SHA512    1e606c5d99fa9958da72a80d2e182b596819a98d0a8852514a3fee01e907a526a7300c10837342535051e72082b029b3f33bd32b81bc45c805f8be3c9f83a6b3

Filesize  21B
MD5       cba20dbbbb9853c4c439c91dad16d27c
SHA1      afefeb2ef1cacb87bedefc2a66fd32c0a5150f65
SHA256    707fafdacb09f4b16358f8c910979f60b1cc8134f7bfe2cdd4c76dd6d75dcea7
SHA512    0187840ec0943348e355967a5633de7318e3b5ea80712af7bef1c5b3f8b2cf5670451058894f7f0befaa92199c4486f31d6f7d1eea214a794de4466582017918

Filesize  42B
MD5       174064461de21bc2ffd126fa0d9d0ce5
SHA1      5dcad49ee9d7efbe78c5f4d949432c216d99ecfa
SHA256    54a99f0299bfdebac064284aaa04807890ac9b8fefa9795a5c2c868e54571b96
SHA512    bb9b3dfe5c006a26e0b850ef648b5bb2191bfc756118757d51283fa5a919ce6a5d14d31c13aa2d9bef5f7c28eba5260d579f54b08bffd464e41600d11fd7ec80

Filesize  245B
MD5       c6a5afecd3e7795011049030db65ac1f
SHA1      422e630884e875c9ff5f67aaa8f5cc2586e886d8
SHA256    a4a174b43d713fa43cb33428f8e821e4b07ac6047673f5e915bc5e661c5948a7
SHA512    cf6e3f348f87738c878a7bae6d8007d46d8ba4eae6a3e7e4304ebc37ec2e669226caf2a879afb3a7f99188629e8c3ff8aa1a8391126bc320e012a2f6fdc59b4b