Analysis Overview
SHA256
7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e
Threat Level: Likely benign
The file 7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e.elf was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
Virtualization/Sandbox Evasion: Time Based Evasion
Reads system network configuration
Enumerates kernel/hardware configuration
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 02:34
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 02:34
Reported
2024-10-31 02:36
Platform
debian12-armhf-20240221-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Virtualization/Sandbox Evasion: Time Based Evasion
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/uptime | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/dev | /usr/bin/cat | N/A |
| File opened for reading | /proc/net/dev | /usr/bin/cat | N/A |
| File opened for reading | /proc/net/dev | /usr/bin/cat | N/A |
| File opened for reading | /proc/net/dev | /usr/bin/cat | N/A |
| File opened for reading | /proc/net/dev | /usr/bin/cat | N/A |
| File opened for reading | /proc/net/dev | /usr/bin/cat | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/uptime | /usr/bin/uptime | N/A |
| File opened for reading | /proc/loadavg | /usr/bin/uptime | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/exe | /tmp/7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e.elf | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/sys/net/core/somaxconn | /tmp/7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e.elf | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/stat | /tmp/7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e.elf | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
Processes
/tmp/7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e.elf
[/tmp/7bcced6ebff1e1dba919581e6d253a914347c5d65dcf72587b162e193598189e.elf]
/bin/bash
[/bin/bash -c uptime]
/usr/bin/uptime
[uptime]
/usr/bin/bash
[bash -c cat /proc/net/dev |grep eth0 |awk '{print $2}']
/usr/bin/cat
[cat /proc/net/dev]
/usr/bin/grep
[grep eth0]
/usr/bin/awk
[awk {print $2}]
/usr/bin/bash
[bash -c cat /proc/net/dev |grep eth0 |awk '{print $10}']
/usr/bin/cat
[cat /proc/net/dev]
/usr/bin/grep
[grep eth0]
/usr/bin/awk
[awk {print $10}]
/usr/bin/bash
[bash -c cat /proc/net/dev |grep eth0 |awk '{print $2}']
/usr/bin/grep
[grep eth0]
/usr/bin/cat
[cat /proc/net/dev]
/usr/bin/awk
[awk {print $2}]
/usr/bin/bash
[bash -c cat /proc/net/dev |grep eth0 |awk '{print $10}']
/usr/bin/grep
[grep eth0]
/usr/bin/cat
[cat /proc/net/dev]
/usr/bin/awk
[awk {print $10}]
/usr/bin/bash
[bash -c cat /proc/net/dev |grep eth0 |awk '{print $2}']
/usr/bin/cat
[cat /proc/net/dev]
/usr/bin/grep
[grep eth0]
/usr/bin/awk
[awk {print $2}]
/usr/bin/bash
[bash -c cat /proc/net/dev |grep eth0 |awk '{print $10}']
/usr/bin/cat
[cat /proc/net/dev]
/usr/bin/grep
[grep eth0]
/usr/bin/awk
[awk {print $10}]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | column.mrbasic.com | udp |
| US | 1.1.1.1:53 | column.mrbasic.com | udp |
| RU | 38.60.221.32:80 | column.mrbasic.com | tcp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-5 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-5 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-5 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-5 | udp |
Files
memory/708-1-0x00010000-0x00e8f640-memory.dmp