Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    04-11-2024 02:32

General

  • Target

    78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d.elf

  • Size

    127KB

  • MD5

    89077b7bd4bcafca7713be43635c4862

  • SHA1

    fc02edb8fba29ea8ee99e6157ef8560334530052

  • SHA256

    78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d

  • SHA512

    1b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1

  • SSDEEP

    3072:fgO463guSRVw5OhgfgnoHOIcv6Gosjr7fxmxKjQVnaMk9H8p:4ZmgoHONvposj3fxmxKjQVnal9H8p

Malware Config

Signatures

  • Contacts a large (2119) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d.elf
    /tmp/78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d.elf
    1⤵
    • Renames itself
    • Reads runtime system information
    PID:674
    • /bin/sh
      sh -c "crontab -l"
      2⤵
        PID:676
        • /usr/bin/crontab
          crontab -l
          3⤵
            PID:677
        • /bin/sh
          sh -c "crontab -"
          2⤵
            PID:688
            • /usr/bin/crontab
              crontab -
              3⤵
              • Creates/modifies Cron job
              PID:690

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /var/spool/cron/crontabs/tmp.RN2c24

          Filesize

          210B

          MD5

          dfb563376e72a4961728da3c8758b164

          SHA1

          a6c34add1c158467346b9d06c1f9d509ad43fa52

          SHA256

          25c39fd368fd61d7010467f5444ec8588005cb3d5859a9416328da13bee7dd78

          SHA512

          06bf6d4509731396d1f723a786872bd3f04cbbeb46f689a2b8f0a8539f8b4a941de5620ca28a74b54a35b358d6f3f020a4a94878f543b54120cc9854a4e4df01