Malware Analysis Report

2025-08-06 02:46

Sample ID 241031-c1lr4swmh1
Target 7246fdc4743c4136d6f09ce465fed1e47865b982fcc9809939a9d47744ea01b9.elf
SHA256 7246fdc4743c4136d6f09ce465fed1e47865b982fcc9809939a9d47744ea01b9
Tags
upx defense_evasion discovery
score
5/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
5/10

SHA256

7246fdc4743c4136d6f09ce465fed1e47865b982fcc9809939a9d47744ea01b9

Threat Level: Likely benign

The file 7246fdc4743c4136d6f09ce465fed1e47865b982fcc9809939a9d47744ea01b9.elf was found to be: Likely benign.

Malicious Activity Summary

upx defense_evasion discovery

UPX packed file

Virtualization/Sandbox Evasion: Time Based Evasion

Reads system network configuration

Enumerates kernel/hardware configuration

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 02:32

Signatures

UPX packed file

upx
Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 02:32

Reported

2024-10-31 02:36

Platform

debian12-armhf-20240221-en

Max time kernel

149s

Max time network

186s

Command Line

[/tmp/7246fdc4743c4136d6f09ce465fed1e47865b982fcc9809939a9d47744ea01b9.elf]

Signatures

Virtualization/Sandbox Evasion: Time Based Evasion

defense_evasion
Description   Indicator   Process           Target
N/A           N/A         /usr/bin/uptime   N/A

Reads system network configuration

discovery
Description               Indicator       Process        Target
File opened for reading   /proc/net/dev   /usr/bin/cat   N/A
File opened for reading   /proc/net/dev   /usr/bin/cat   N/A
File opened for reading   /proc/net/dev   /usr/bin/cat   N/A
File opened for reading   /proc/net/dev   /usr/bin/cat   N/A
File opened for reading   /proc/net/dev   /usr/bin/cat   N/A
File opened for reading   /proc/net/dev   /usr/bin/cat   N/A

Enumerates kernel/hardware configuration

discovery
Description               Indicator                                            Process                                                                     Target
File opened for reading   /sys/kernel/mm/transparent_hugepage/hpage_pmd_size   /tmp/7246fdc4743c4136d6f09ce465fed1e47865b982fcc9809939a9d47744ea01b9.elf   N/A

Reads runtime system information

discovery
Description               Indicator                      Process                                                                     Target
File opened for reading   /proc/stat                     /tmp/7246fdc4743c4136d6f09ce465fed1e47865b982fcc9809939a9d47744ea01b9.elf   N/A
File opened for reading   /proc/self/maps                /usr/bin/grep                                                               N/A
File opened for reading   /proc/self/maps                /usr/bin/grep                                                               N/A
File opened for reading   /proc/self/maps                /usr/bin/grep                                                               N/A
File opened for reading   /proc/self/maps                /usr/bin/awk                                                                N/A
File opened for reading   /proc/loadavg                  /usr/bin/uptime                                                             N/A
File opened for reading   /proc/self/maps                /usr/bin/awk                                                                N/A
File opened for reading   /proc/sys/net/core/somaxconn   /tmp/7246fdc4743c4136d6f09ce465fed1e47865b982fcc9809939a9d47744ea01b9.elf   N/A
File opened for reading   /proc/self/exe                 /tmp/7246fdc4743c4136d6f09ce465fed1e47865b982fcc9809939a9d47744ea01b9.elf   N/A
File opened for reading   /proc/uptime                   /usr/bin/uptime                                                             N/A
File opened for reading   /proc/self/maps                /usr/bin/awk                                                                N/A
File opened for reading   /proc/self/maps                /usr/bin/awk                                                                N/A
File opened for reading   /proc/self/maps                /usr/bin/grep                                                               N/A
File opened for reading   /proc/self/maps                /usr/bin/grep                                                               N/A
File opened for reading   /proc/self/maps                /usr/bin/awk                                                                N/A
File opened for reading   /proc/self/maps                /usr/bin/awk                                                                N/A
File opened for reading   /proc/self/maps                /usr/bin/grep                                                               N/A

Processes

/tmp/7246fdc4743c4136d6f09ce465fed1e47865b982fcc9809939a9d47744ea01b9.elf

[/tmp/7246fdc4743c4136d6f09ce465fed1e47865b982fcc9809939a9d47744ea01b9.elf]

/bin/bash

[/bin/bash -c uptime]

/usr/bin/uptime

[uptime]

/usr/bin/bash

[bash -c cat /proc/net/dev |grep eth0 |awk '{print $2}']

/usr/bin/cat

[cat /proc/net/dev]

/usr/bin/grep

[grep eth0]

/usr/bin/awk

[awk {print $2}]

/usr/bin/bash

[bash -c cat /proc/net/dev |grep eth0 |awk '{print $10}']

/usr/bin/cat

[cat /proc/net/dev]

/usr/bin/grep

[grep eth0]

/usr/bin/awk

[awk {print $10}]

/usr/bin/bash

[bash -c cat /proc/net/dev |grep eth0 |awk '{print $2}']

/usr/bin/cat

[cat /proc/net/dev]

/usr/bin/grep

[grep eth0]

/usr/bin/awk

[awk {print $2}]

/usr/bin/bash

[bash -c cat /proc/net/dev |grep eth0 |awk '{print $10}']

/usr/bin/cat

[cat /proc/net/dev]

/usr/bin/grep

[grep eth0]

/usr/bin/awk

[awk {print $10}]

/usr/bin/bash

[bash -c cat /proc/net/dev |grep eth0 |awk '{print $2}']

/usr/bin/grep

[grep eth0]

/usr/bin/cat

[cat /proc/net/dev]

/usr/bin/awk

[awk {print $2}]

/usr/bin/bash

[bash -c cat /proc/net/dev |grep eth0 |awk '{print $10}']

/usr/bin/cat

[cat /proc/net/dev]

/usr/bin/grep

[grep eth0]

/usr/bin/awk

[awk {print $10}]

Network

Country   Destination        Domain                          Proto
US        1.1.1.1:53         column.mrbasic.com              udp
US        1.1.1.1:53         column.mrbasic.com              udp
RU        38.60.221.32:80    column.mrbasic.com              tcp
US        1.1.1.1:53         debian12-armhf-20240221-en-13   udp
US        1.1.1.1:53         debian12-armhf-20240221-en-13   udp
US        1.1.1.1:53         debian12-armhf-20240221-en-13   udp
US        1.1.1.1:53         debian12-armhf-20240221-en-13   udp

Files

memory/715-1-0x00010000-0x00e8f640-memory.dmp