bbb53c572a1a01eb7c910d59e362fa68d2b0a6e005065453b044bc22f80c6107

Analysis

max time kernel
149s
max time network
160s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
13-12-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

elitebotnet.arm7.elf
Size

157KB
MD5

039cc3f6c287db74271633fceb099529
SHA1

eff890d71b3b2b0a63cda8150aa44f7523a680c2
SHA256

bbb53c572a1a01eb7c910d59e362fa68d2b0a6e005065453b044bc22f80c6107
SHA512

aec5d87f1ac8bcc098f4bf20781b3dcab6939ff04bff37762f088fee1fd35a1ed9fa6f665534d5795c75669838ad01211fc26e3e23b9a2137e5cefd746c172bf
SSDEEP

3072:GkFWblVIqaNZNPCBATmI9ZeSxiwZdwbZn5uOMpfM/93Lke:G6gOqaNZNPCBk9ZIawR5uOMZM/93Lke

Score

9^/10

defense_evasion discovery persistence

Malware Config

Signatures

Contacts a large (23830) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
642	sh
653	chmod

Modifies rc script 2 TTPs 1 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/rc.local	elitebotnet.arm7.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	/bin/systemd	641	elitebotnet.arm7.elf

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mv

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/bin/systemd	sh

/tmp/elitebotnet.arm7.elf
/tmp/elitebotnet.arm7.elf
1⤵
- Modifies rc script
- Changes its process name
PID:641
- /bin/sh
  /bin/sh -c "rm -rf bin/systemd && mkdir bin; >bin/systemd && mv /tmp/elitebotnet.arm7.elf bin/systemd; chmod 777 bin/systemd"
  2⤵
  - File and Directory Permissions Modification
  - Writes file to tmp directory
  PID:642
- - /bin/rm
    rm -rf bin/systemd
    3⤵
    PID:644
- - /bin/mkdir
    mkdir bin
    3⤵
    - Reads runtime system information
    PID:645
- - /bin/mv
    mv /tmp/elitebotnet.arm7.elf bin/systemd
    3⤵
    - Reads runtime system information
    PID:651
- - /bin/chmod
    chmod 777 bin/systemd
    3⤵
    - File and Directory Permissions Modification
    PID:653

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/rc.local

Filesize
96B

MD5
693b25352a9477882662df0d08eac50c

SHA1
1af94224492224d7a136fd8c5f769a8af7e55b68

SHA256
df474ba7a706f81221a7ef57df00a94c47676c481dc1a689e8df80451aa05e06

SHA512
4ebf9251bcdb6cf694e69ecec3ab669e30afe5fa14af4a80db0b44bf05264a336a6292302955c044ed299a8085fea3163c7d7bbb27e03ddd3c49e213e2b3721d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads