6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194

Analysis

max time kernel
145s
max time network
172s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
21-11-2024 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
Size

178KB
MD5

ddf40003ed182c63697acb8769776307
SHA1

e47b3349e348df2532798fec9ef5839363b83fa7
SHA256

6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194
SHA512

40d2e6698e86b00d900d28cdf3450b1ca117042a0f21da5b6c0b52dbcef65fc6a9efe93846c505d39d595adb48f40e0b986ff05fcc8027f00fe690ae5720f108
SSDEEP

3072:2DR+sU7Kl3IKScPxelSoAauHthDkJjYB71uGhLs5K5h0oXM/Rc9:2DR+Z7KlpScP0woAauHthDkhYHuMLs5w

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf

pid process

651 6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
Enumerates running processes
Discovers information about currently running processes on the system

pid	process
651	6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf

Changes its process name 1 IoCs

Processes:

6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	httpd	650	6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf

Reads CPU attributes 1 TTPs 1 IoCs
discovery

System Information Discovery
T1082

Processes:

ps

description ioc process

File opened for reading /sys/devices/system/cpu/online ps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

ps6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf

description	ioc	process
File opened for reading	/proc/652/stat	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/19/cmdline	ps
File opened for reading	/proc/147/status	ps
File opened for reading	/proc/28/stat	ps
File opened for reading	/proc/137/cmdline	ps
File opened for reading	/proc/166/status	ps
File opened for reading	/proc/326/stat	ps
File opened for reading	/proc/111�"/cmdline	6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
File opened for reading	/proc/222v�"/cmdline	6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
File opened for reading	/proc/16/stat	ps
File opened for reading	/proc/1111�"/cmdline	6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
File opened for reading	/proc/643/status	ps
File opened for reading	/proc/9/cmdline	ps
File opened for reading	/proc/303/status	ps
File opened for reading	/proc/636/stat	ps
File opened for reading	/proc/1111�%/cmdline	6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
File opened for reading	/proc/55550/cmdline	6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
File opened for reading	/proc/2/cmdline	ps
File opened for reading	/proc/55/cmdline	6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
File opened for reading	/proc/222/cmdline	6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
File opened for reading	/proc/1111�4/cmdline	6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
File opened for reading	/proc/222s�"/cmdline	6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
File opened for reading	/proc/287/stat	ps
File opened for reading	/proc/596/cmdline	ps
File opened for reading	/proc/636/status	ps
File opened for reading	/proc/642/status	ps
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/12/stat	ps
File opened for reading	/proc/598/status	ps
File opened for reading	/proc/647/stat	ps
File opened for reading	/proc/11/cmdline	ps
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/42/cmdline	ps
File opened for reading	/proc/24/cmdline	ps
File opened for reading	/proc/76/stat	ps
File opened for reading	/proc/212/status	ps
File opened for reading	/proc/643/cmdline	ps
File opened for reading	/proc/1/stat	ps
File opened for reading	/proc/5/status	ps
File opened for reading	/proc/12/status	ps
File opened for reading	/proc/22/status	ps
File opened for reading	/proc/303/cmdline	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/76/cmdline	ps
File opened for reading	/proc/286/cmdline	ps
File opened for reading	/proc/444s�"/cmdline	6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
File opened for reading	/proc/25/stat	ps
File opened for reading	/proc/137/stat	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/137/status	ps
File opened for reading	/proc/643/stat	ps
File opened for reading	/proc/3333�,/cmdline	6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/14/status	ps
File opened for reading	/proc/111m�"/cmdline	6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
File opened for reading	/proc/444/cmdline	6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
File opened for reading	/proc/4/cmdline	ps
File opened for reading	/proc/105/status	ps
File opened for reading	/proc/138/status	ps
File opened for reading	/proc/111/cmdline	6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
File opened for reading	/proc/4/status	ps
File opened for reading	/proc/42/status	ps

/tmp/6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
/tmp/6ba4368af53ef8ddecb7750e60b86495bc9649fdc5370fe5e70bb59e1dd32194.elf
1⤵
- Deletes itself
- Changes its process name
- Reads runtime system information
PID:650
- /bin/sh
  sh -c "ps -e -o pid,args="
  2⤵
  PID:653
- - /bin/ps
    ps -e -o "pid,args="
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:655

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads