Analysis
- max time kernel: 149s
- max time network: 154s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 04-11-2024 02:32
- Static task: static1
- Behavioral task: behavioral1
- Sample: 78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d.elf
- Resource: debian9-armhf-20240611-en
General
- Target: 78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d.elf
- Size: 127KB
- MD5: 89077b7bd4bcafca7713be43635c4862
- SHA1: fc02edb8fba29ea8ee99e6157ef8560334530052
- SHA256: 78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d
- SHA512: 1b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1
- SSDEEP: 3072:fgO463guSRVw5OhgfgnoHOIcv6Gosjr7fxmxKjQVnaMk9H8p:4ZmgoHONvposj3fxmxKjQVnal9H8p
Malware Config
Signatures
- Contacts a large (2119) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Renames itself (1 IoCs)
  Processes:
  pid 675: 78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d.elf
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes:
  description: File opened for modification; ioc: /var/spool/cron/crontabs/tmp.RN2c24; process: crontab
- Enumerates running processes
  Discovers information about currently running processes on the system
  Processes:
Processes
- /tmp/78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d.elf (PID 674)
  - Renames itself
  - Reads runtime system information
  - /bin/sh -c "crontab -l" (PID 676)
    - /usr/bin/crontab -l (PID 677)
  - /bin/sh -c "crontab -" (PID 688)
    - /usr/bin/crontab - (PID 690)
      - Creates/modifies Cron job
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 210B
- MD5: dfb563376e72a4961728da3c8758b164
- SHA1: a6c34add1c158467346b9d06c1f9d509ad43fa52
- SHA256: 25c39fd368fd61d7010467f5444ec8588005cb3d5859a9416328da13bee7dd78
- SHA512: 06bf6d4509731396d1f723a786872bd3f04cbbeb46f689a2b8f0a8539f8b4a941de5620ca28a74b54a35b358d6f3f020a4a94878f543b54120cc9854a4e4df01