Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    04-11-2024 02:27

General

  • Target

    5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18.elf

  • Size

    177KB

  • MD5

    786d75a158fe731feca3880f436082c0

  • SHA1

    79ea2734e43d00cdeabed5586b2c1994d02aef3e

  • SHA256

    5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

  • SHA512

    7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

  • SSDEEP

    3072:PJtid2ng8w4YMrgUqqdaODUvI7UhTIyU2be6CXuVyZM/9h9XKvtZmmmLdwC7tuRD:BtiGGqaODUvI4hc2bvCXuVoM/9PXwPmK

Malware Config

Signatures

  • Contacts a large (2091) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18.elf
    /tmp/5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18.elf
    1⤵
    • Renames itself
    • Reads runtime system information
    PID:669
    • /bin/sh
      sh -c "crontab -l"
      2⤵
        PID:671
        • /usr/bin/crontab
          crontab -l
          3⤵
            PID:672
        • /bin/sh
          sh -c "crontab -"
          2⤵
            PID:681
            • /usr/bin/crontab
              crontab -
              3⤵
              • Creates/modifies Cron job
              • Reads runtime system information
              PID:682

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /var/spool/cron/crontabs/tmp.hNu9EA

          Filesize

          210B

          MD5

          1c13a495200a6c86903fdbc94d567493

          SHA1

          fa7c84c60697e5cdb32129fb86173d8d43357329

          SHA256

          a39970e5907b4e3abead62969de33fc83436ac71054cca8b343c132de62f1981

          SHA512

          f2bd6ad99c5c5917ad92aed71b9d7d398bf58b9ebce2ec4a45a2c60d71216d85a86db98c598286d7ffb4dfc7afc8c8ab6cbcb37cd81775d1715260fcf7f44fcc