Analysis Overview
SHA256
61ba334fece8115debc5170dfeb680881a93d1cd3610cac61e59c912fc63a7fc
Threat Level: Likely benign
The file 61ba334fece8115debc5170dfeb680881a93d1cd3610cac61e59c912fc63a7fc.elf was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
Virtualization/Sandbox Evasion: Time Based Evasion
Reads system network configuration
Reads CPU attributes
Enumerates kernel/hardware configuration
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 02:29
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 02:29
Reported
2024-10-31 02:39
Platform
debian9-armhf-20240611-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
Virtualization/Sandbox Evasion: Time Based Evasion
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/uptime | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/dev | /bin/cat | N/A |
| File opened for reading | /proc/net/dev | /bin/cat | N/A |
| File opened for reading | /proc/net/dev | /bin/cat | N/A |
| File opened for reading | /proc/net/dev | /bin/cat | N/A |
| File opened for reading | /proc/net/dev | /bin/cat | N/A |
| File opened for reading | /proc/net/dev | /bin/cat | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/61ba334fece8115debc5170dfeb680881a93d1cd3610cac61e59c912fc63a7fc.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/uptime | N/A |
| File opened for reading | /proc/sys/net/core/somaxconn | /tmp/61ba334fece8115debc5170dfeb680881a93d1cd3610cac61e59c912fc63a7fc.elf | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/exe | /tmp/61ba334fece8115debc5170dfeb680881a93d1cd3610cac61e59c912fc63a7fc.elf | N/A |
| File opened for reading | /proc/stat | /tmp/61ba334fece8115debc5170dfeb680881a93d1cd3610cac61e59c912fc63a7fc.elf | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/uptime | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/uptime | /usr/bin/uptime | N/A |
| File opened for reading | /proc/loadavg | /usr/bin/uptime | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
Processes
/tmp/61ba334fece8115debc5170dfeb680881a93d1cd3610cac61e59c912fc63a7fc.elf
[/tmp/61ba334fece8115debc5170dfeb680881a93d1cd3610cac61e59c912fc63a7fc.elf]
/bin/bash
[/bin/bash -c uptime]
/usr/bin/uptime
[uptime]
/bin/bash
[bash -c cat /proc/net/dev |grep eth0 |awk '{print $2}']
/bin/cat
[cat /proc/net/dev]
/bin/grep
[grep eth0]
/usr/bin/awk
[awk {print $2}]
/bin/bash
[bash -c cat /proc/net/dev |grep eth0 |awk '{print $10}']
/bin/cat
[cat /proc/net/dev]
/bin/grep
[grep eth0]
/usr/bin/awk
[awk {print $10}]
/bin/bash
[bash -c cat /proc/net/dev |grep eth0 |awk '{print $2}']
/bin/cat
[cat /proc/net/dev]
/bin/grep
[grep eth0]
/usr/bin/awk
[awk {print $2}]
/bin/bash
[bash -c cat /proc/net/dev |grep eth0 |awk '{print $10}']
/bin/cat
[cat /proc/net/dev]
/bin/grep
[grep eth0]
/usr/bin/awk
[awk {print $10}]
/bin/bash
[bash -c cat /proc/net/dev |grep eth0 |awk '{print $2}']
/bin/cat
[cat /proc/net/dev]
/bin/grep
[grep eth0]
/usr/bin/awk
[awk {print $2}]
/bin/bash
[bash -c cat /proc/net/dev |grep eth0 |awk '{print $10}']
/bin/cat
[cat /proc/net/dev]
/bin/grep
[grep eth0]
/usr/bin/awk
[awk {print $10}]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | column.mrbasic.com | udp |
| US | 1.1.1.1:53 | column.mrbasic.com | udp |
| RU | 38.60.221.32:80 | column.mrbasic.com | tcp |
Files
memory/647-1-0x00010000-0x00e8f640-memory.dmp