8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765

Analysis

max time kernel
149s
max time network
149s
platform
debian-9_mipsel
resource
debian9-mipsel-20240729-en
resource tags

arch:mipselimage:debian9-mipsel-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
16-11-2024 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf
Size

358KB
MD5

9afbecbbc29961b5b34baaa29b3c5f02
SHA1

1272e1eea25ab4a9d6b9bb764b3d87942b903716
SHA256

8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765
SHA512

c0f05e023211c492d942e1ddff7c9a51fd0c6cc86bc4e844319a9d7f0bd53af55c067848dc7fbbf8348a9a3b792477a4f817713c2f001d7f09de6742ed7bde53
SSDEEP

6144:YCWUWbbMK14mECiqWmOaC1ztPASfIOV68eU1fY5hEQrDh895BtLyhbkMOzqTFSAZ:jvqOyURY55PYOhbkMOGTc6z9FmiIuCYp

Score

7^/10

antivm defense_evasion discovery execution

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
715	sh
717	chmod
726	sh
727	chmod

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf

Command and Scripting Interpreter: Unix Shell 1 TTPs 7 IoCs

Execute scripts via Unix Shell.

execution

Unix Shell

T1059.004

pid	Process
738	sh
743	sh
748	sh
751	sh
718	sh
729	sh
734	sh

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf

/tmp/8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf
/tmp/8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf
1⤵
- Checks CPU configuration
- Reads runtime system information
PID:714
- /bin/sh
  /bin/sh -c "chmod +x /etc/rc.local"
  2⤵
  - File and Directory Permissions Modification
  PID:715
- - /bin/chmod
    chmod +x /etc/rc.local
    3⤵
    - File and Directory Permissions Modification
    PID:717
- /bin/sh
  /bin/sh -c "mv /tmp/8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf /etc/8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:718
- - /bin/mv
    mv /tmp/8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf /etc/8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf
    3⤵
    - Reads runtime system information
    PID:720
- /bin/sh
  /bin/sh -c "cd /etc;chmod 777 8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf"
  2⤵
  - File and Directory Permissions Modification
  PID:726
- - /bin/chmod
    chmod 777 8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf
    3⤵
    - File and Directory Permissions Modification
    PID:727
- /bin/sh
  /bin/sh -c "sed -i -e '/exit/d' /etc/rc.local"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:729
- - /bin/sed
    sed -i -e /exit/d /etc/rc.local
    3⤵
    - Reads runtime system information
    PID:731
- /bin/sh
  /bin/sh -c "sed -i -e '/^ | | \$/d' /etc/rc.local"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:734
- - /bin/sed
    sed -i -e "/^ | | \$/d" /etc/rc.local
    3⤵
    - Reads runtime system information
    PID:736
- /bin/sh
  /bin/sh -c "sed -i -e '/8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf/d' /etc/rc.local"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:738
- - /bin/sed
    sed -i -e /8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf/d /etc/rc.local
    3⤵
    - Reads runtime system information
    PID:740
- /bin/sh
  /bin/sh -c "sed -i -e '2 i/etc/8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf reboot' /etc/rc.local"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:743
- - /bin/sed
    sed -i -e "2 i/etc/8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf reboot" /etc/rc.local
    3⤵
    - Reads runtime system information
    PID:745
- /bin/sh
  /bin/sh -c "sed -i -e '2 i/etc/8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf start' /etc/rc.d/rc.local"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:748
- - /bin/sed
    sed -i -e "2 i/etc/8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf start" /etc/rc.d/rc.local
    3⤵
    - Reads runtime system information
    PID:749
- /bin/sh
  /bin/sh -c "sed -i -e '2 i/etc/8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf start' /etc/init.d/boot.local"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:751
- - /bin/sed
    sed -i -e "2 i/etc/8ee9e64a5483c47f828fa03ec358c8fee326ffc8c6848156687b77415f263765.elf start" /etc/init.d/boot.local
    3⤵
    - Reads runtime system information
    PID:752