Malware Analysis Report

2024-11-30 17:35

Sample ID 241104-g67zravpct
Target x86_64
SHA256 4b0fdadca84b6edecce2ceda2a5ab2e19b257ef6662a972cdf1506c3c0ebc67f
Tags
upx discovery execution persistence privilege_escalatio
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4b0fdadca84b6edecce2ceda2a5ab2e19b257ef6662a972cdf1506c3c0ebc67f

Threat Level: Shows suspicious behavior

The file x86_64 was classified as: Shows suspicious behavior.

Malicious Activity Summary

upx discovery execution persistence privilege_escalatio

Executes dropped EXE

Creates/modifies Cron job

Writes file to system bin folder

UPX packed file

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 06:26

Signatures

UPX packed file

upx
Description                    Indicator             Process           Target
N/A                            N/A                   N/A               N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 06:26

Reported

2024-11-04 06:36

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

4s

Max time network

388s

Command Line

[/tmp/x86_64]

Signatures

Executes dropped EXE

Description                    Indicator             Process           Target
N/A                            /tmp/filema7tYL       /tmp/filema7tYL   N/A

Creates/modifies Cron job

execution persistence privilege_escalatio
Description                    Indicator             Process           Target
File opened for modification   /etc/cron.hourly/0    /tmp/x86_64       N/A

Writes file to system bin folder

Description                    Indicator             Process           Target
File opened for modification   /bin/ls               /tmp/x86_64       N/A

Reads runtime system information

discovery
Description                    Indicator             Process           Target
File opened for reading        /proc/self/exe        /tmp/x86_64       N/A

Writes file to tmp directory

Description                    Indicator             Process           Target
File opened for modification   /tmp/filema7tYL       /tmp/x86_64       N/A

Processes

/tmp/x86_64

[/tmp/x86_64]

/tmp/filema7tYL

[/tmp/x86_64]

Network

Country   Destination          Domain   Proto
N/A       224.0.0.251:5353              udp

Files

memory/1584-1-0x00007f5565776000-0x00007f55659780e0-memory.dmp

/tmp/filema7tYL

MD5 0e0b15b035af0a628b1dc176b69c3139
SHA1 0283e00b988b979a5f333f6af1af0f04a0699033
SHA256 ab23560807e62cf1811c6f00d1a5c73bd6e3e0688d911a3c5c1c7927b3e4627e
SHA512 89795dcb9629a2a60cb02754b1e28e232e48415b5a7997b6175f30879e05c0de64efc4084e7a1404153fc171540ee558e047e235e7500891db49415f6df32f01

/etc/cron.hourly/0

MD5 3f006f7f81fc17be7f4a0d3da0fad5de
SHA1 97a94d3d0654c6551057af3809b52572bd7f9f5d
SHA256 982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf
SHA512 97d2ac0057427b940ada7c0fc805c1966e2535c3c3767ca85fef4a7e0fdc9d4ef9eb133530408b1e439df067881cb317e948ad9bfd487e958a04c97d9db978e0