828b9b632c0e6c0acb17e9bae701f879a2b5947a316bd0ab87a386d099fe5452

Analysis

max time kernel
149s
max time network
152s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
02-11-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

828b9b632c0e6c0acb17e9bae701f879a2b5947a316bd0ab87a386d099fe5452.elf
Size

2.8MB
MD5

9bdc0cf05686760142c05352d886b740
SHA1

bae56a018e0b38f881294e4f5357dba446d41efa
SHA256

828b9b632c0e6c0acb17e9bae701f879a2b5947a316bd0ab87a386d099fe5452
SHA512

088e4bac5904944eb32e4ff566124755d1afe6f42b4388b937d1dcc824f023a61883ec0caa5811d1fd78c76ab65573c7496ca77be9e796fd75e173cf986efb6a
SSDEEP

49152:zZHs8MAwWha98dWXo4nKrINv/4VvvJttKu7T3sVNS1srHa7loSBhaHZ2OwDS2VYQ:9M8MgGXFnIIN4tKu7TcVNHkeuaHZUDVr

Score

5^/10

defense_evasion discovery

Malware Config

Signatures

Virtualization/Sandbox Evasion: Time Based Evasion 1 TTPs 1 IoCs
Adversaries may detect and evade virtualized environments and sandboxes.
defense_evasion

Time Based Evasion
T1497.003

Processes:

uptime

pid process

689 uptime
Reads CPU attributes 1 TTPs 1 IoCs
discovery

System Information Discovery
T1082

Processes:

uptime

description ioc process

File opened for reading /sys/devices/system/cpu/online uptime

pid	process
689	uptime

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	uptime

Reads system network configuration 1 TTPs 6 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

catcatcatcatcatcat

description	ioc	process
File opened for reading	/proc/net/dev	cat
File opened for reading	/proc/net/dev	cat
File opened for reading	/proc/net/dev	cat
File opened for reading	/proc/net/dev	cat
File opened for reading	/proc/net/dev	cat
File opened for reading	/proc/net/dev	cat

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

Processes:

828b9b632c0e6c0acb17e9bae701f879a2b5947a316bd0ab87a386d099fe5452.elf

description	ioc	process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	828b9b632c0e6c0acb17e9bae701f879a2b5947a316bd0ab87a386d099fe5452.elf

Reads runtime system information 12 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

828b9b632c0e6c0acb17e9bae701f879a2b5947a316bd0ab87a386d099fe5452.elfuptimeawkawkawkawkawkawk

description	ioc	process
File opened for reading	/proc/self/exe	828b9b632c0e6c0acb17e9bae701f879a2b5947a316bd0ab87a386d099fe5452.elf
File opened for reading	/proc/stat	828b9b632c0e6c0acb17e9bae701f879a2b5947a316bd0ab87a386d099fe5452.elf
File opened for reading	/proc/filesystems	uptime
File opened for reading	/proc/sys/kernel/osrelease	uptime
File opened for reading	/proc/uptime	uptime
File opened for reading	/proc/loadavg	uptime
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk

/tmp/828b9b632c0e6c0acb17e9bae701f879a2b5947a316bd0ab87a386d099fe5452.elf
/tmp/828b9b632c0e6c0acb17e9bae701f879a2b5947a316bd0ab87a386d099fe5452.elf
1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:658

/bin/bash
/bin/bash -c uptime
2⤵
PID:689

/usr/bin/uptime
uptime
2⤵
- Virtualization/Sandbox Evasion: Time Based Evasion
- Reads CPU attributes
- Reads runtime system information
PID:689

/bin/bash
bash -c "cat /proc/net/dev |grep eth0 |awk '{print \$2}'"
2⤵
PID:693

/bin/cat
cat /proc/net/dev
3⤵
- Reads system network configuration
PID:694

/bin/grep
grep eth0
3⤵
PID:695

/usr/bin/awk
awk "{print \$2}"
3⤵
- Reads runtime system information
PID:696

/bin/bash
bash -c "cat /proc/net/dev |grep eth0 |awk '{print \$10}'"
2⤵
PID:698

/bin/grep
grep eth0
3⤵
PID:700

/bin/cat
cat /proc/net/dev
3⤵
- Reads system network configuration
PID:699

/usr/bin/awk
awk "{print \$10}"
3⤵
- Reads runtime system information
PID:701

/bin/bash
bash -c "cat /proc/net/dev |grep eth0 |awk '{print \$2}'"
2⤵
PID:791

/bin/cat
cat /proc/net/dev
3⤵
- Reads system network configuration
PID:792

/bin/grep
grep eth0
3⤵
PID:793

/usr/bin/awk
awk "{print \$2}"
3⤵
- Reads runtime system information
PID:794

/bin/bash
bash -c "cat /proc/net/dev |grep eth0 |awk '{print \$10}'"
2⤵
PID:795

/bin/cat
cat /proc/net/dev
3⤵
- Reads system network configuration
PID:796

/bin/grep
grep eth0
3⤵
PID:797

/usr/bin/awk
awk "{print \$10}"
3⤵
- Reads runtime system information
PID:798

/bin/bash
bash -c "cat /proc/net/dev |grep eth0 |awk '{print \$2}'"
2⤵
PID:880

/bin/cat
cat /proc/net/dev
3⤵
- Reads system network configuration
PID:881

/bin/grep
grep eth0
3⤵
PID:882

/usr/bin/awk
awk "{print \$2}"
3⤵
- Reads runtime system information
PID:883

/bin/bash
bash -c "cat /proc/net/dev |grep eth0 |awk '{print \$10}'"
2⤵
PID:884

/bin/cat
cat /proc/net/dev
3⤵
- Reads system network configuration
PID:885

/bin/grep
grep eth0
3⤵
PID:886

/usr/bin/awk
awk "{print \$10}"
3⤵
- Reads runtime system information
PID:887

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Time Based Evasion

T1497.003

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Time Based Evasion

T1497.003

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/658-1-0x00010000-0x00e8f5f8-memory.dmp

Download