General

  • Target

    3f0ec748d8a083529098aa9181deba63508bb1d5863ff01bb528ebf4f53642e5.elf

  • Size

    3.3MB

  • Sample

    241110-crhzvszpfm

  • MD5

    7211f88063c75dd428309e9ff15a4936

  • SHA1

    4a5355f479d89a00c2a5c06bdc81e544007393ae

  • SHA256

    3f0ec748d8a083529098aa9181deba63508bb1d5863ff01bb528ebf4f53642e5

  • SHA512

    fdf72207ef7aa2c96ef5644194b4d1c13a4fd2aa4d8ce648da40f77504f400f65e89920bb3b6febd013270c8924d8be962f77d72b9e3e648ba7eb9be2757c35e

  • SSDEEP

    49152:R67EwTFGfSierb/TSvO90d7HjmAFd4A64nsfJwp0tn6EHy4G/g9KkSM48Wy5D1an:dAt43VJGOTFiT38Oy

Malware Config

Targets

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Executes dropped EXE

    • OS Credential Dumping

      Adversaries may attempt to dump credentials to use them in password cracking.

    • Checks hardware identifiers (DMI)

      Checks DMI information that indicates whether the system is a virtual machine.

    • Checks mountinfo of local process

      Checks the mountinfo of running processes, which indicates whether it is running in a chroot jail.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Write file to user bin folder

    • Reads process memory

      Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

MITRE ATT&CK Enterprise v15

Tasks