Analysis
max time kernel: 149s
max time network: 142s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 31/10/2024, 02:29
Behavioral task: behavioral1
Sample: 61ba334fece8115debc5170dfeb680881a93d1cd3610cac61e59c912fc63a7fc.elf
Resource: debian9-armhf-20240611-en
General
Target: 61ba334fece8115debc5170dfeb680881a93d1cd3610cac61e59c912fc63a7fc.elf
Size: 2.8MB
MD5: a77c391a6e462618ccbbbf1aa4e326af
SHA1: ffbc08f31c24c57d44f6e081443ec2d1d75607f5
SHA256: 61ba334fece8115debc5170dfeb680881a93d1cd3610cac61e59c912fc63a7fc
SHA512: 3cb4abad617b2748c16143fea055ee3455eaca672e224be90398fda8b0bd0846f3e0415b65c52806e46d4f93a8c59c0921632d3f086623ce7fe5d629527d7dfd
SSDEEP: 49152:VEqogX7kJRMT310OfID0ZwI5XdqwgLCHsgsdDZcP0zvvkS+w6scJUqYSYyvdQHWR:9okk3kaOfIgZwnVpgsdDc0vvjQsc2Vi9
Malware Config
Signatures
Virtualization/Sandbox Evasion: Time Based Evasion (1 TTPs, 1 IoCs)
Adversaries may detect and evade virtualized environments and sandboxes.
pid | Process
682 | uptime
Reads CPU attributes (1 TTPs, 1 IoCs)
description | ioc | Process
File opened for reading | /sys/devices/system/cpu/online | uptime
Reads system network configuration (1 TTPs, 6 IoCs)
Uses contents of /proc filesystem to enumerate network settings.
description | ioc | Process
File opened for reading | /proc/net/dev | cat
File opened for reading | /proc/net/dev | cat
File opened for reading | /proc/net/dev | cat
File opened for reading | /proc/net/dev | cat
File opened for reading | /proc/net/dev | cat
File opened for reading | /proc/net/dev | cat
Enumerates kernel/hardware configuration (1 TTPs, 1 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
description | ioc | Process
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | 61ba334fece8115debc5170dfeb680881a93d1cd3610cac61e59c912fc63a7fc.elf

description | ioc | Process
File opened for reading | /proc/sys/kernel/osrelease | uptime
File opened for reading | /proc/sys/net/core/somaxconn | 61ba334fece8115debc5170dfeb680881a93d1cd3610cac61e59c912fc63a7fc.elf
File opened for reading | /proc/self/maps | awk
File opened for reading | /proc/self/maps | awk
File opened for reading | /proc/self/maps | awk
File opened for reading | /proc/self/exe | 61ba334fece8115debc5170dfeb680881a93d1cd3610cac61e59c912fc63a7fc.elf
File opened for reading | /proc/stat | 61ba334fece8115debc5170dfeb680881a93d1cd3610cac61e59c912fc63a7fc.elf
File opened for reading | /proc/filesystems | uptime
File opened for reading | /proc/self/maps | awk
File opened for reading | /proc/self/maps | awk
File opened for reading | /proc/uptime | uptime
File opened for reading | /proc/loadavg | uptime
File opened for reading | /proc/self/maps | awk
Processes
/tmp/61ba334fece8115debc5170dfeb680881a93d1cd3610cac61e59c912fc63a7fc.elf   command line: /tmp/61ba334fece8115debc5170dfeb680881a93d1cd3610cac61e59c912fc63a7fc.elf   PID: 647
    signatures: Enumerates kernel/hardware configuration; Reads runtime system information
    /bin/bash   command line: /bin/bash -c uptime   PID: 682
        /usr/bin/uptime   command line: uptime   PID: 682
            signatures: Virtualization/Sandbox Evasion: Time Based Evasion; Reads CPU attributes; Reads runtime system information
    /bin/bash   command line: bash -c "cat /proc/net/dev |grep eth0 |awk '{print \$2}'"   PID: 684
        /bin/cat   command line: cat /proc/net/dev   PID: 685
            signatures: Reads system network configuration
        /bin/grep   command line: grep eth0   PID: 686
        /usr/bin/awk   command line: awk "{print \$2}"   PID: 687
            signatures: Reads runtime system information
    /bin/bash   command line: bash -c "cat /proc/net/dev |grep eth0 |awk '{print \$10}'"   PID: 688
        /bin/cat   command line: cat /proc/net/dev   PID: 690
            signatures: Reads system network configuration
        /bin/grep   command line: grep eth0   PID: 691
        /usr/bin/awk   command line: awk "{print \$10}"   PID: 692
            signatures: Reads runtime system information
    /bin/bash   command line: bash -c "cat /proc/net/dev |grep eth0 |awk '{print \$2}'"   PID: 781
        /bin/cat   command line: cat /proc/net/dev   PID: 782
            signatures: Reads system network configuration
        /bin/grep   command line: grep eth0   PID: 783
        /usr/bin/awk   command line: awk "{print \$2}"   PID: 784
            signatures: Reads runtime system information
    /bin/bash   command line: bash -c "cat /proc/net/dev |grep eth0 |awk '{print \$10}'"   PID: 785
        /bin/cat   command line: cat /proc/net/dev   PID: 786
            signatures: Reads system network configuration
        /bin/grep   command line: grep eth0   PID: 787
        /usr/bin/awk   command line: awk "{print \$10}"   PID: 788
            signatures: Reads runtime system information
    /bin/bash   command line: bash -c "cat /proc/net/dev |grep eth0 |awk '{print \$2}'"   PID: 801
        /bin/cat   command line: cat /proc/net/dev   PID: 802
            signatures: Reads system network configuration
        /bin/grep   command line: grep eth0   PID: 803
        /usr/bin/awk   command line: awk "{print \$2}"   PID: 804
            signatures: Reads runtime system information
    /bin/bash   command line: bash -c "cat /proc/net/dev |grep eth0 |awk '{print \$10}'"   PID: 805
        /bin/cat   command line: cat /proc/net/dev   PID: 806
            signatures: Reads system network configuration
        /bin/grep   command line: grep eth0   PID: 807
        /usr/bin/awk   command line: awk "{print \$10}"   PID: 808
            signatures: Reads runtime system information