Analysis
  max time kernel:  109s
  max time network: 151s
  platform:         debian-9_armhf
  resource:         debian9-armhf-20240418-en
  resource tags:    arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  submitted:        04-01-2025 03:08
Static task: static1
General
  Target: 5c33d55d1c67e3d6475754ce42b1a448eb5284046b77cde3bdf3f1656d745dac.elf
  Size:   206KB
  MD5:    ae4dbc2886c3b1e8426fcee0ae79ecfe
  SHA1:   54d0ec17a3bdf39a9d0351f84e62df17fc605cb7
  SHA256: 5c33d55d1c67e3d6475754ce42b1a448eb5284046b77cde3bdf3f1656d745dac
  SHA512: c1749c3565ab0b3a349c3f42ccf63075defb13ee57aa6f75f4e462ba0ed6d83f124cd5578d9f4fb3163f17d9ef2b259077506cb9f728a397952d14021b26aad6
  SSDEEP: 3072:50EUfecN2T7bg3tG78TBVBFuUrdzPvSRpLLJ1i9BZDLX0/:nYAfc3tGYTLu6nopLLTifZH0
Malware Config
Signatures
- Contacts a large (168482) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Deletes itself (1 IoCs)
  pid   Process
  645   5c33d55d1c67e3d6475754ce42b1a448eb5284046b77cde3bdf3f1656d745dac.elf
- Unexpected DNS network traffic destination (2 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description      ioc
  Destination IP   80.80.80.80
  Destination IP   217.160.70.42
- Reads MAC address of network interface (2 TTPs, 1 IoCs)
  Fetches the MAC address of active network interfaces. May be used to detect known values for hypervisors.
  description               ioc                           Process
  File opened for reading   /sys/class/net/eth0/address   5c33d55d1c67e3d6475754ce42b1a448eb5284046b77cde3bdf3f1656d745dac.elf
- Reads network interface configuration (2 TTPs, 2 IoCs)
  Fetches information about one or more active network interfaces.
  description               ioc                           Process
  File opened for reading   /sys/class/net/eth0/flags     5c33d55d1c67e3d6475754ce42b1a448eb5284046b77cde3bdf3f1656d745dac.elf
  File opened for reading   /sys/class/net/eth0/carrier   5c33d55d1c67e3d6475754ce42b1a448eb5284046b77cde3bdf3f1656d745dac.elf
- Changes its process name (64 IoCs)
  All 64 events share the same description ("Changes the process name, possibly in an attempt to hide itself"), the same pid (647) and the same process (5c33d55d1c67e3d6475754ce42b1a448eb5284046b77cde3bdf3f1656d745dac.elf); only the name written differs. Collapsed by name:
  new process name   occurrences
  -sh                16
  kswapd0            14
  /bin/busybox       11
  daemon             8
  watchdog           8
  /bin/sh            7
- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
  description               ioc                   Process
  File opened for reading   /proc/net/unix        5c33d55d1c67e3d6475754ce42b1a448eb5284046b77cde3bdf3f1656d745dac.elf
- Enumerates kernel/hardware configuration (1 TTPs, 2 IoCs)
  Reads contents of /sys virtual filesystem to enumerate system information.
  description               ioc                   Process
  File opened for reading   /sys/class/watchdog   5c33d55d1c67e3d6475754ce42b1a448eb5284046b77cde3bdf3f1656d745dac.elf
  File opened for reading   /sys/class/net        5c33d55d1c67e3d6475754ce42b1a448eb5284046b77cde3bdf3f1656d745dac.elf
Processes
- /tmp/5c33d55d1c67e3d6475754ce42b1a448eb5284046b77cde3bdf3f1656d745dac.elf (PID:645)
  Signatures triggered:
  - Deletes itself
  - Reads MAC address of network interface
  - Reads network interface configuration
  - Changes its process name
  - Reads system network configuration
  - Enumerates kernel/hardware configuration