Analysis
-
max time kernel
125s -
max time network
155s -
platform
debian-12_armhf -
resource
debian12-armhf-20240221-en -
resource tags
-
submitted
12-10-2024 11:18
General
-
Target
220e1c910f9577a81be54290fb4751d009a1946026bd51990160bc506b2b68bd.elf
-
Size
5.1MB
-
MD5
a2dc807281d4e53d566e8a27b5caae6a
-
SHA1
d704c9516c33fde2b362e0584dc6bcdbb0484962
-
SHA256
220e1c910f9577a81be54290fb4751d009a1946026bd51990160bc506b2b68bd
-
SHA512
e1dffa9e29bcadd098ba390eda9da813567b7cb30efa6b9eb5879327c948acc4a886a7562240f899a810d112b90eed6aa785cd486cd4659f406bb59418bdf75b
-
SSDEEP
49152:PJzG9XxZPF773LVPN9GnMbaVZGNJru8cYWPAXq7nLYvVorzmpxUIU1F1:hzG9Xn53LtN9pbu0Jru8cYWPAXqi
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
-
Modifies Watchdog functionality 1 TTPs 4 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies init.d 2 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
-
Modifies systemd 2 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
-
Enumerates kernel/hardware configuration 1 TTPs 4 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes
-
/tmp/220e1c910f9577a81be54290fb4751d009a1946026bd51990160bc506b2b68bd.elf/tmp/220e1c910f9577a81be54290fb4751d009a1946026bd51990160bc506b2b68bd.elf1⤵
- Enumerates kernel/hardware configuration
-
/usr/bin/shsh -c "/etc/32678&"2⤵
-
-
/usr/sbin/serviceservice crond start2⤵
-
/usr/bin/basenamebasename /usr/sbin/service3⤵
-
-
/usr/bin/basenamebasename /usr/sbin/service3⤵
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"3⤵
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"3⤵
-
-
-
/tmp/220e1c910f9577a81be54290fb4751d009a1946026bd51990160bc506b2b68bd.elf/tmp/220e1c910f9577a81be54290fb4751d009a1946026bd51990160bc506b2b68bd.elf " "2⤵
- Modifies Watchdog functionality
- Modifies init.d
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
/usr/sbin/update-rc.dupdate-rc.d linux_kill defaults3⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
-
-
-
-
/etc/32678/etc/326781⤵
- Executes dropped EXE
-
/usr/bin/sleepsleep 602⤵
-
-
/etc/id.services.conf/etc/id.services.conf2⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
-
/usr/bin/pkillpkill -9 326783⤵
- Reads runtime system information
-
-
/usr/bin/shsh -c "/etc/32678&"3⤵
-
-
/usr/sbin/serviceservice crond start3⤵
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"4⤵
- Reads runtime system information
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"4⤵
-
-
-
/etc/id.services.conf/etc/id.services.conf " "3⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Modifies systemd
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
/usr/bin/shsh -c "cd /boot;systemctl daemon-reload;systemctl enable linux.service;systemctl start linux.service;journalctl -xe --no-pager"4⤵
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl enable linux.service5⤵
-
-
/usr/bin/systemctlsystemctl start linux.service5⤵
-
-
/usr/bin/journalctljournalctl -xe --no-pager5⤵
-
-
-
-
-
/usr/local/sbin/systemctlsystemctl start crond.service1⤵
-
/usr/local/bin/systemctlsystemctl start crond.service1⤵
-
/usr/sbin/systemctlsystemctl start crond.service1⤵
-
/usr/bin/systemctlsystemctl start crond.service1⤵
-
/etc/32678/etc/326781⤵
- Executes dropped EXE
-
/usr/bin/sleepsleep 602⤵
-
-
/usr/local/sbin/systemctlsystemctl start crond.service1⤵
-
/usr/local/bin/systemctlsystemctl start crond.service1⤵
-
/usr/sbin/systemctlsystemctl start crond.service1⤵
-
/usr/bin/systemctlsystemctl start crond.service1⤵
- Reads runtime system information
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2XDG Autostart Entries
1Boot or Logon Initialization Scripts
1RC Scripts
1Create or Modify System Process
1Systemd Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61B
MD5768eaf287796da19e1cf5e0b2fb1b161
SHA16a1ce2ee5ccc86d1f33806feb14547b35290df2a
SHA2561d22620dfb2a6715e5d745aed5cf841ede0e75e1747f12b9b925a2d346bc7ecb
SHA512e6af30c9df4f7f47696069511e64ecbc8e841629d692ee4056503df3533fb7a7a74960698826260355e1dba7b6c562482a27a39bb51a4237473ce4b68472d620
-
Filesize
189B
MD53909975f7cc0d1121c1819b800069f31
SHA13e68de708c2e6c40fab6794afdee3104e5590189
SHA2566876dac71f13a068afb863d257134275f2edba43b2acaf4924fabf97c079070b
SHA51250600cceeb03b05f45ae61d890caee9f51ff390b6776930866e527e071d65d08241fc66673fd9b99d62fbc77d3c00fc3de4d7378cbc42f5daba5d83072b0906e