Analysis
max time kernel: 150s
max time network: 176s
platform: debian-12_armhf
resource: debian12-armhf-20240221-en
resource tags: arch:armhf, image:debian12-armhf-20240221-en, kernel:6.1.0-17-armmp-lpae, locale:en-us, os:debian-12-armhf, system
submitted: 04-11-2024 02:59
Static task
static1
Behavioral task
behavioral1
Sample
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f.elf
Resource
debian12-armhf-20240221-en
General
Target: dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f.elf
Size: 141KB
MD5: 3ca8decdb1e52c423c521bfff02ac200
SHA1: 8621ecd6807109b8541912ad9e134f6fb49bfd48
SHA256: dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f
SHA512: b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a
SSDEEP: 3072:h2mQRJQqJ3OuMP2Q72katWmUd4jEJ/SL06gO0NmmytHHQRkLCalY:h2Y17zaPnEJ/SL16mmytHHQRkLplY
Malware Config
Signatures
- Contacts a large (2130) number of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large number of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Renames itself (1 IoCs)
  Processes:
  pid | Process
  705 | dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f.elf
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes:
  description | ioc | Process
  File opened for modification | /var/spool/cron/crontabs/tmp.nNbS88 | crontab
- Enumerates running processes
  Discovers information about currently running processes on the system (reads /proc/<pid>/cmdline for the running processes).
  Processes:
Processes
- /tmp/dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f.elf (PID 704)
  command line: /tmp/dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f.elf
  - Renames itself
  - Reads runtime system information
  - /bin/sh: sh -c "crontab -l" (PID 706)
    - /usr/bin/crontab: crontab -l (PID 709)
  - /bin/sh: sh -c "crontab -" (PID 718)
    - /usr/bin/crontab: crontab - (PID 727)
      - Creates/modifies Cron job
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 210B
  MD5: ddcafd51f95171e0e3a780914bd4d7c6
  SHA1: 2f0559c9964ab0618d3ae8aaf5449a4f6bd9a258
  SHA256: 3f3d591292b2d20a7d93c296c752a83434440c13a8cda1f16d879d30258b08a6
  SHA512: bbe8e691a51257e01c7535c12ae8d9a3e9395c79f7a67af812f3c2fa194a76aad601ea9dd544316b5e479175f357a23e85b614664da19601babed6d292253422