Analysis Overview
score
7/10
SHA256
953b92b8fd0fe5949dfd02dee4a660068d5ee40accb192508624cd0fa06f036f
Threat Level: Shows suspicious behavior
The file rondo.armv6l was found to show suspicious behavior.
Malicious Activity Summary
Deletes itself
Renames itself
Creates/modifies Cron job
Modifies init.d
Changes its process name
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 14:36
Signatures
N/A
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 14:36
Reported
2024-11-03 15:07
Platform
debian12-armhf-20240729-en
Max time kernel
1800s
Max time network
1803s
Command Line
[/tmp/rondo.armv6l multi.armv6l]
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/rondo.armv6l | N/A |
Renames itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/rondo.armv6l | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /etc/crontab | /tmp/rondo.armv6l | N/A |
Modifies init.d
| Description | Indicator | Process | Target |
| File opened for modification | /etc/init.d/rondo | /tmp/rondo.armv6l | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | yycspltu | /tmp/rondo.armv6l | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/status | /tmp/rondo.armv6l | N/A |
| File opened for reading | /proc/self/exe | /tmp/rondo.armv6l | N/A |
| File opened for reading | /proc/stat | /tmp/rondo.armv6l | N/A |
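The signatures above describe three things a responder can check on a live Linux host: a process whose name (comm) no longer matches the binary it was started from (the sample renamed itself to "yycspltu"), a process still running from a binary that has since been deleted ("Deletes itself"), and a persistence entry written to /etc/crontab. The script below is an added example for this page, not part of the sandbox output or of the sample; the crontab text and process list it ships with are constructed to mirror the paths in this report (/tmp/rondo.armv6l, /etc/rondo/rondo), and the staging-directory list is an assumption, not something the report states.

```python
#!/usr/bin/env python3
"""Host triage for the behaviours in this report: comm/exe mismatch,
running from a deleted binary, and cron persistence.  Added example;
the sample inputs below are constructed, not taken from the sandbox."""
import os
import re
from dataclasses import dataclass, field

# Assumed staging directories; /etc/rondo/ is the drop path this report shows.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/etc/rondo/")
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


@dataclass
class ProcInfo:
    pid: int
    comm: str                 # /proc/<pid>/comm, truncated to 15 bytes by the kernel
    exe: str                  # readlink(/proc/<pid>/exe); ends in " (deleted)" if unlinked
    cmdline: list = field(default_factory=list)


def read_proc(pid: int):
    """Collect ProcInfo from a live /proc; None if the pid vanished or is unreadable."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        exe = os.readlink(f"{base}/exe")
    except OSError:
        return None
    return ProcInfo(pid, comm, exe, cmdline)


def process_findings(p: ProcInfo) -> list:
    """Reasons this process resembles the sample; empty list if none."""
    reasons = []
    if p.exe.endswith(" (deleted)"):
        reasons.append("running from a deleted binary")
    exe_base = os.path.basename(p.exe.removesuffix(" (deleted)"))
    # comm is a 15-byte prefix of the binary name for normal processes,
    # so compare by prefix; a renamed process fails this test.
    if exe_base and not exe_base.startswith(p.comm):
        reasons.append(f"comm {p.comm!r} does not match exe {exe_base!r}")
    return reasons


def parse_system_crontab(text: str) -> list:
    """Parse /etc/crontab lines into schedule/user/command; skip comments and VAR=value."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        if line.startswith("@"):                 # @reboot, @hourly, ...
            parts = line.split(None, 2)
            if len(parts) < 3:
                continue
            sched, user, cmd = parts
        else:                                    # five time fields, user, command
            parts = line.split(None, 6)
            if len(parts) < 7:
                continue
            sched, user, cmd = " ".join(parts[:5]), parts[5], parts[6]
        entries.append({"schedule": sched, "user": user, "command": cmd})
    return entries


def cron_findings(entries: list) -> list:
    """Entries that run at boot or execute something from a staging directory."""
    return [e for e in entries
            if e["schedule"] == "@reboot"
            or any(tok.startswith(STAGING_DIRS) for tok in e["command"].split())]


def triage(procs: list, crontab_text: str) -> dict:
    """Run both checks; processes with no findings are dropped from the result."""
    per_pid = {p.pid: process_findings(p) for p in procs}
    return {"processes": {pid: r for pid, r in per_pid.items() if r},
            "cron": cron_findings(parse_system_crontab(crontab_text))}


# Constructed sample data modelled on this report (not captured output).
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot root /etc/rondo/rondo
*/1 * * * * root /etc/rondo/rondo > /dev/null 2>&1
"""
SAMPLE_PROCS = [
    ProcInfo(1, "systemd", "/usr/lib/systemd/systemd", ["/sbin/init"]),
    ProcInfo(812, "python3.11", "/usr/bin/python3.11", ["python3", "app.py"]),
    ProcInfo(4242, "yycspltu", "/tmp/rondo.armv6l (deleted)", ["yycspltu", "multi.armv6l"]),
]

if __name__ == "__main__":
    # Live run: walk /proc and read the real /etc/crontab when available.
    live = [p for p in (read_proc(int(d)) for d in os.listdir("/proc") if d.isdigit()) if p]
    try:
        with open("/etc/crontab") as f:
            crontab = f.read()
    except OSError:
        crontab = ""
    for pid, reasons in triage(live, crontab)["processes"].items():
        print(pid, "; ".join(reasons))
    for e in triage(live, crontab)["cron"]:
        print("cron", e["schedule"], e["user"], e["command"])
```

Run as root so /proc/<pid>/exe is readable for every process; without it, other users' processes are silently skipped. The comm check is a heuristic: anything that legitimately calls prctl(PR_SET_NAME) or rewrites argv[0] will trip it, so treat a hit as a lead to inspect, not a verdict. The same idea covers the init.d indicator: a script in /etc/init.d that no package owns (dpkg -S /etc/init.d/rondo reports it as not found) was put there by something other than the package manager.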
Processes
/tmp/rondo.armv6l
[/tmp/rondo.armv6l multi.armv6l]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | debian12-armhf-20240729-en-3 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240729-en-3 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240729-en-3 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240729-en-3 | udp |
| RU | 194.87.69.237:65534 | | tcp |
| US | 1.1.1.1:53 | 0.debian.pool.ntp.org | udp |
| US | 66.226.226.94:50005 | | udp |
| US | 66.22.226.94:50005 | | udp |
| US | 66.22.226.71:50003 | | udp |
| US | 66.22.226.61:50005 | | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240729-en-3 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240729-en-3 | udp |
Files
/etc/rondo/rondo
| MD5 | 8e7dd4f2b8dbe08bcb48c6f2549cd889 |
| SHA1 | dd4fcccb6d4c57b5ba0219b25d56f33c863bb435 |
| SHA256 | 953b92b8fd0fe5949dfd02dee4a660068d5ee40accb192508624cd0fa06f036f |
| SHA512 | 6f90f2df0e53aa69d53c960fb6543d7085f9756d2a93b8c134f45e877316b0bd684e1a3662c7e03099f3f66c712f626860cf32be00d4ff46e6fa2a3904cd03ed |
/etc/init.d/rondo
| MD5 | 8f06eb1cae9eceac1873d3a960e5244c |
| SHA1 | 6a836e98386b6e6fa4e8332490d3754c192730ca |
| SHA256 | 12732a31eee6a0fd3d55eb116f8c2bec4cc0e15be30ff94c7bdd3307a2d6393a |
| SHA512 | c392d30b6a8cf7b63071de55b1e21bbe856a1f14afb05aa1fa3ba40afe9dba507c2c13700c1ed3e0f3b9109a0d75cc686c2ea43bc96f31d26a3aa19f760fd9c9 |