Malware Analysis Report

2025-08-05 11:48

Sample ID 241031-ef91bazclp
Target d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf
SHA256 d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547
Tags upx defense_evasion discovery
Score 5/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
5/10

SHA256

d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547

Threat Level: Likely benign

The file d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf was found to be: Likely benign.

Malicious Activity Summary

upx defense_evasion discovery

UPX packed file

Virtualization/Sandbox Evasion: Time Based Evasion

Reads CPU attributes

Reads system network configuration

Enumerates kernel/hardware configuration

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 03:54

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 03:54

Reported

2024-10-31 03:57

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

[/tmp/d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf]

Signatures

Virtualization/Sandbox Evasion: Time Based Evasion

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | /usr/bin/uptime | N/A

Reads CPU attributes

discovery
Description | Indicator | Process | Target
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A

Reads system network configuration

discovery
Description | Indicator | Process | Target
File opened for reading | /proc/net/dev | /usr/bin/cat | N/A
File opened for reading | /proc/net/dev | /usr/bin/cat | N/A
File opened for reading | /proc/net/dev | /usr/bin/cat | N/A
File opened for reading | /proc/net/dev | /usr/bin/cat | N/A
File opened for reading | /proc/net/dev | /usr/bin/cat | N/A
File opened for reading | /proc/net/dev | /usr/bin/cat | N/A

Enumerates kernel/hardware configuration

discovery
Description | Indicator | Process | Target
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf | N/A

Reads runtime system information

discovery
Description | Indicator | Process | Target
File opened for reading | /proc/self/maps | /usr/bin/grep | N/A
File opened for reading | /proc/self/maps | /usr/bin/grep | N/A
File opened for reading | /proc/self/maps | /usr/bin/awk | N/A
File opened for reading | /proc/self/auxv | /usr/bin/uptime | N/A
File opened for reading | /proc/uptime | /usr/bin/uptime | N/A
File opened for reading | /proc/self/maps | /usr/bin/grep | N/A
File opened for reading | /proc/stat | /tmp/d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf | N/A
File opened for reading | /proc/loadavg | /usr/bin/uptime | N/A
File opened for reading | /proc/self/maps | /usr/bin/awk | N/A
File opened for reading | /proc/self/maps | /usr/bin/awk | N/A
File opened for reading | /proc/self/maps | /usr/bin/awk | N/A
File opened for reading | /proc/self/exe | /tmp/d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf | N/A
File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/uptime | N/A
File opened for reading | /proc/self/maps | /usr/bin/grep | N/A
File opened for reading | /proc/self/maps | /usr/bin/awk | N/A
File opened for reading | /proc/self/maps | /usr/bin/grep | N/A
File opened for reading | /proc/self/maps | /usr/bin/awk | N/A
File opened for reading | /proc/self/maps | /usr/bin/grep | N/A

Processes

/tmp/d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf

[/tmp/d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf]

/bin/bash

[/bin/bash -c uptime]

/usr/bin/uptime

[uptime]

/usr/bin/bash

[bash -c cat /proc/net/dev |grep ens3 |awk '{print $2}']

/usr/bin/awk

[awk {print $2}]

/usr/bin/grep

[grep ens3]

/usr/bin/cat

[cat /proc/net/dev]

/usr/bin/bash

[bash -c cat /proc/net/dev |grep ens3 |awk '{print $10}']

/usr/bin/awk

[awk {print $10}]

/usr/bin/grep

[grep ens3]

/usr/bin/cat

[cat /proc/net/dev]

/usr/bin/bash

[bash -c cat /proc/net/dev |grep ens3 |awk '{print $2}']

/usr/bin/awk

[awk {print $2}]

/usr/bin/grep

[grep ens3]

/usr/bin/cat

[cat /proc/net/dev]

/usr/bin/bash

[bash -c cat /proc/net/dev |grep ens3 |awk '{print $10}']

/usr/bin/awk

[awk {print $10}]

/usr/bin/grep

[grep ens3]

/usr/bin/cat

[cat /proc/net/dev]

/usr/bin/bash

[bash -c cat /proc/net/dev |grep ens3 |awk '{print $2}']

/usr/bin/awk

[awk {print $2}]

/usr/bin/grep

[grep ens3]

/usr/bin/cat

[cat /proc/net/dev]

/usr/bin/bash

[bash -c cat /proc/net/dev |grep ens3 |awk '{print $10}']

/usr/bin/awk

[awk {print $10}]

/usr/bin/grep

[grep ens3]

/usr/bin/cat

[cat /proc/net/dev]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | column.mrbasic.com | udp
US | 8.8.8.8:53 | column.mrbasic.com | udp
US | 1.1.1.1:53 | column.mrbasic.com | udp
US | 1.1.1.1:53 | column.mrbasic.com | udp
RU | 38.60.221.32:80 | column.mrbasic.com | tcp
US | 1.1.1.1:53 | column.mrbasic.com | udp
US | 1.1.1.1:53 | column.mrbasic.com | udp
RU | 38.60.221.32:80 | column.mrbasic.com | tcp

Files

memory/1565-1-0x0000000000400000-0x000000000157f280-memory.dmp