Malware Analysis Report

2025-08-06 02:47

Sample ID: 241031-c2fmgsxhpr
Target: 7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e.elf
SHA256: 7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e
Tags: defense_evasion, discovery, upx
Score: 5/10


Analysis Overview

Threat Level: Likely benign

The file 7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e.elf was found to be: Likely benign.

Malicious Activity Summary

Tags: defense_evasion, discovery, upx

UPX packed file

Virtualization/Sandbox Evasion: Time Based Evasion

Reads system network configuration

Enumerates kernel/hardware configuration

Reads runtime system information

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-10-31 02:34

Signatures

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-31 02:34
Reported: 2024-10-31 02:36
Platform: debian12-armhf-20240221-en
Max time kernel: 149s
Max time network: 153s

Command Line

[/tmp/7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e.elf]

Signatures

Virtualization/Sandbox Evasion: Time Based Evasion (tag: defense_evasion)

Description | Indicator | Process | Target
N/A | N/A | /usr/bin/uptime | N/A

Reads system network configuration (tag: discovery)

Description | Indicator | Process | Target
File opened for reading | /proc/net/dev | /usr/bin/cat | N/A
File opened for reading | /proc/net/dev | /usr/bin/cat | N/A
File opened for reading | /proc/net/dev | /usr/bin/cat | N/A
File opened for reading | /proc/net/dev | /usr/bin/cat | N/A
File opened for reading | /proc/net/dev | /usr/bin/cat | N/A
File opened for reading | /proc/net/dev | /usr/bin/cat | N/A

Enumerates kernel/hardware configuration (tag: discovery)

Description | Indicator | Process | Target
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e.elf | N/A

Reads runtime system information (tag: discovery)

Description | Indicator | Process | Target
File opened for reading | /proc/uptime | /usr/bin/uptime | N/A
File opened for reading | /proc/loadavg | /usr/bin/uptime | N/A
File opened for reading | /proc/self/maps | /usr/bin/grep | N/A
File opened for reading | /proc/self/maps | /usr/bin/awk | N/A
File opened for reading | /proc/self/maps | /usr/bin/awk | N/A
File opened for reading | /proc/self/exe | /tmp/7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e.elf | N/A
File opened for reading | /proc/self/maps | /usr/bin/grep | N/A
File opened for reading | /proc/self/maps | /usr/bin/awk | N/A
File opened for reading | /proc/sys/net/core/somaxconn | /tmp/7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e.elf | N/A
File opened for reading | /proc/self/maps | /usr/bin/awk | N/A
File opened for reading | /proc/self/maps | /usr/bin/awk | N/A
File opened for reading | /proc/stat | /tmp/7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e.elf | N/A
File opened for reading | /proc/self/maps | /usr/bin/awk | N/A
File opened for reading | /proc/self/maps | /usr/bin/grep | N/A
File opened for reading | /proc/self/maps | /usr/bin/grep | N/A
File opened for reading | /proc/self/maps | /usr/bin/grep | N/A
File opened for reading | /proc/self/maps | /usr/bin/grep | N/A

Processes

Process | Command line
/tmp/7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e.elf | [/tmp/7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e.elf]
/bin/bash | [/bin/bash -c uptime]
/usr/bin/uptime | [uptime]
/usr/bin/bash | [bash -c cat /proc/net/dev |grep eth0 |awk '{print $2}']
/usr/bin/cat | [cat /proc/net/dev]
/usr/bin/grep | [grep eth0]
/usr/bin/awk | [awk {print $2}]
/usr/bin/bash | [bash -c cat /proc/net/dev |grep eth0 |awk '{print $10}']
/usr/bin/cat | [cat /proc/net/dev]
/usr/bin/grep | [grep eth0]
/usr/bin/awk | [awk {print $10}]
/usr/bin/bash | [bash -c cat /proc/net/dev |grep eth0 |awk '{print $2}']
/usr/bin/grep | [grep eth0]
/usr/bin/cat | [cat /proc/net/dev]
/usr/bin/awk | [awk {print $2}]
/usr/bin/bash | [bash -c cat /proc/net/dev |grep eth0 |awk '{print $10}']
/usr/bin/grep | [grep eth0]
/usr/bin/cat | [cat /proc/net/dev]
/usr/bin/awk | [awk {print $10}]
/usr/bin/bash | [bash -c cat /proc/net/dev |grep eth0 |awk '{print $2}']
/usr/bin/cat | [cat /proc/net/dev]
/usr/bin/grep | [grep eth0]
/usr/bin/awk | [awk {print $2}]
/usr/bin/bash | [bash -c cat /proc/net/dev |grep eth0 |awk '{print $10}']
/usr/bin/cat | [cat /proc/net/dev]
/usr/bin/grep | [grep eth0]
/usr/bin/awk | [awk {print $10}]

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:53 | column.mrbasic.com | udp
US | 1.1.1.1:53 | column.mrbasic.com | udp
RU | 38.60.221.32:80 | column.mrbasic.com | tcp
US | 1.1.1.1:53 | debian12-armhf-20240221-en-5 | udp
US | 1.1.1.1:53 | debian12-armhf-20240221-en-5 | udp
US | 1.1.1.1:53 | debian12-armhf-20240221-en-5 | udp
US | 1.1.1.1:53 | debian12-armhf-20240221-en-5 | udp

Files

memory/708-1-0x00010000-0x00e8f640-memory.dmp