Analysis Overview
SHA256
d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547
Threat Level: Likely benign
The file d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
Virtualization/Sandbox Evasion: Time Based Evasion
Reads CPU attributes
Reads system network configuration
Enumerates kernel/hardware configuration
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 03:54
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 03:54
Reported
2024-10-31 03:57
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Virtualization/Sandbox Evasion: Time Based Evasion
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/uptime | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/dev | /usr/bin/cat | N/A |
| File opened for reading | /proc/net/dev | /usr/bin/cat | N/A |
| File opened for reading | /proc/net/dev | /usr/bin/cat | N/A |
| File opened for reading | /proc/net/dev | /usr/bin/cat | N/A |
| File opened for reading | /proc/net/dev | /usr/bin/cat | N/A |
| File opened for reading | /proc/net/dev | /usr/bin/cat | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/uptime | N/A |
| File opened for reading | /proc/uptime | /usr/bin/uptime | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/stat | /tmp/d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf | N/A |
| File opened for reading | /proc/loadavg | /usr/bin/uptime | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/exe | /tmp/d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/uptime | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
Processes
/tmp/d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf
[/tmp/d161fb13021a74017a2deaca8957a41f96adfd201f3bf653b9e3f50fffd5a547.elf]
/bin/bash
[/bin/bash -c uptime]
/usr/bin/uptime
[uptime]
/usr/bin/bash
[bash -c cat /proc/net/dev |grep ens3 |awk '{print $2}']
/usr/bin/awk
[awk {print $2}]
/usr/bin/grep
[grep ens3]
/usr/bin/cat
[cat /proc/net/dev]
/usr/bin/bash
[bash -c cat /proc/net/dev |grep ens3 |awk '{print $10}']
/usr/bin/awk
[awk {print $10}]
/usr/bin/grep
[grep ens3]
/usr/bin/cat
[cat /proc/net/dev]
/usr/bin/bash
[bash -c cat /proc/net/dev |grep ens3 |awk '{print $2}']
/usr/bin/awk
[awk {print $2}]
/usr/bin/grep
[grep ens3]
/usr/bin/cat
[cat /proc/net/dev]
/usr/bin/bash
[bash -c cat /proc/net/dev |grep ens3 |awk '{print $10}']
/usr/bin/awk
[awk {print $10}]
/usr/bin/grep
[grep ens3]
/usr/bin/cat
[cat /proc/net/dev]
/usr/bin/bash
[bash -c cat /proc/net/dev |grep ens3 |awk '{print $2}']
/usr/bin/awk
[awk {print $2}]
/usr/bin/grep
[grep ens3]
/usr/bin/cat
[cat /proc/net/dev]
/usr/bin/bash
[bash -c cat /proc/net/dev |grep ens3 |awk '{print $10}']
/usr/bin/awk
[awk {print $10}]
/usr/bin/grep
[grep ens3]
/usr/bin/cat
[cat /proc/net/dev]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | column.mrbasic.com | udp |
| US | 8.8.8.8:53 | column.mrbasic.com | udp |
| US | 1.1.1.1:53 | column.mrbasic.com | udp |
| US | 1.1.1.1:53 | column.mrbasic.com | udp |
| RU | 38.60.221.32:80 | column.mrbasic.com | tcp |
| US | 1.1.1.1:53 | column.mrbasic.com | udp |
| US | 1.1.1.1:53 | column.mrbasic.com | udp |
| RU | 38.60.221.32:80 | column.mrbasic.com | tcp |
Files
memory/1565-1-0x0000000000400000-0x000000000157f280-memory.dmp