Malware Analysis Report

2024-11-30 18:28

Sample ID 241103-rwzkqsweqd
Target rondo.armv6l
SHA256 953b92b8fd0fe5949dfd02dee4a660068d5ee40accb192508624cd0fa06f036f
Tags
discovery execution persistence privilege_escalation
score
7/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

953b92b8fd0fe5949dfd02dee4a660068d5ee40accb192508624cd0fa06f036f

Threat Level: Shows suspicious behavior

The file rondo.armv6l was found to show suspicious behavior.

Malicious Activity Summary

discovery execution persistence privilege_escalation

Deletes itself

Renames itself

Creates/modifies Cron job

Modifies init.d

Changes its process name

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-03 14:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-03 14:33

Reported: 2024-11-03 14:36

Platform: debian12-armhf-20240729-en

Max time kernel: 149s

Max time network: 143s

Command Line

[/tmp/rondo.armv6l multi.armv6l]

Signatures

Deletes itself

Description | Indicator | Process           | Target
N/A         | N/A       | /tmp/rondo.armv6l | N/A

Renames itself

Description | Indicator | Process           | Target
N/A         | N/A       | /tmp/rondo.armv6l | N/A

Creates/modifies Cron job

execution persistence privilege_escalation

Description                   | Indicator    | Process           | Target
File opened for modification  | /etc/crontab | /tmp/rondo.armv6l | N/A

Modifies init.d

persistence

Description                   | Indicator         | Process           | Target
File opened for modification  | /etc/init.d/rondo | /tmp/rondo.armv6l | N/A

Changes its process name

Description                                                      | Indicator | Process           | Target
Changes the process name, possibly in an attempt to hide itself  | fyxkempws | /tmp/rondo.armv6l | N/A

Reads runtime system information

discovery

Description              | Indicator         | Process           | Target
File opened for reading  | /proc/stat        | /tmp/rondo.armv6l | N/A
File opened for reading  | /proc/self/status | /tmp/rondo.armv6l | N/A
File opened for reading  | /proc/self/exe    | /tmp/rondo.armv6l | N/A

Processes

/tmp/rondo.armv6l

[/tmp/rondo.armv6l multi.armv6l]

Network

Country | Destination          | Domain                        | Proto
US      | 1.1.1.1:53           | debian12-armhf-20240729-en-8  | udp
US      | 1.1.1.1:53           | debian12-armhf-20240729-en-8  | udp
US      | 1.1.1.1:53           | debian12-armhf-20240729-en-8  | udp
US      | 1.1.1.1:53           | debian12-armhf-20240729-en-8  | udp
RU      | 194.87.69.237:65534  |                               | tcp
US      | 1.1.1.1:53           | 0.debian.pool.ntp.org         | udp

Files

/etc/rondo/rondo

MD5 8e7dd4f2b8dbe08bcb48c6f2549cd889
SHA1 dd4fcccb6d4c57b5ba0219b25d56f33c863bb435
SHA256 953b92b8fd0fe5949dfd02dee4a660068d5ee40accb192508624cd0fa06f036f
SHA512 6f90f2df0e53aa69d53c960fb6543d7085f9756d2a93b8c134f45e877316b0bd684e1a3662c7e03099f3f66c712f626860cf32be00d4ff46e6fa2a3904cd03ed

/etc/init.d/rondo

MD5 8f06eb1cae9eceac1873d3a960e5244c
SHA1 6a836e98386b6e6fa4e8332490d3754c192730ca
SHA256 12732a31eee6a0fd3d55eb116f8c2bec4cc0e15be30ff94c7bdd3307a2d6393a
SHA512 c392d30b6a8cf7b63071de55b1e21bbe856a1f14afb05aa1fa3ba40afe9dba507c2c13700c1ed3e0f3b9109a0d75cc686c2ea43bc96f31d26a3aa19f760fd9c9