Overview

overview

10

Static

static

10

fc449e7ed4...02.elf

debian-12-mipsel

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    debian-12_mipsel
  • resource
    debian12-mipsel-20240729-en
  • resource tags

    arch:mipselimage:debian12-mipsel-20240729-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
  • submitted
    13-02-2025 07:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc449e7ed4c667a93339d2a23bf422547048bb5905afc23d947fb5f5581f2802.elf

  • Size

    5.6MB

  • MD5

    cfa76444048616e814928a88af3a27e9

  • SHA1

    04bf106b0437f00c26ccc8d6cec67af0e426ef00

  • SHA256

    fc449e7ed4c667a93339d2a23bf422547048bb5905afc23d947fb5f5581f2802

  • SHA512

    d78f8311eb3403ee1d763a52c7adb77e8cb1c70c4a0efe5575402c478417102465e4ae7b93a9d539f4e8a961efdeb6659edfcc7321b3579d3c873c4c25e2bf6f

  • SSDEEP

    98304:yC91hAFxvW6WGVqq7g3JDCg76dAuE8iW5ay5mIOX+aaNcc8pNkxXkz8xBs3K4HUk:yC91hAFxvW6WGVqq7g3JDCg76dAuE8ib

Score
7/10
defense_evasiondiscoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Modifies init.d 2 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

    persistence
  • Modifies systemd 2 TTPs 1 IoCs

    Adds/ modifies systemd service files. Likely to achieve persistence.

    persistenceprivilege_escalation
  • Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

    discovery
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

Processes

  • /tmp/fc449e7ed4c667a93339d2a23bf422547048bb5905afc23d947fb5f5581f2802.elf
    /tmp/fc449e7ed4c667a93339d2a23bf422547048bb5905afc23d947fb5f5581f2802.elf
    1⤵
    • Enumerates kernel/hardware configuration
    PID:742
    • /usr/bin/sh
      sh -c "/etc/32678&"
      2⤵
      • Executes dropped EXE
      PID:762
    • /usr/sbin/service
      service crond start
      2⤵
        PID:763
        • /usr/bin/basename
          basename /usr/sbin/service
          3⤵
            PID:768
          • /usr/bin/basename
            basename /usr/sbin/service
            3⤵
              PID:775
            • /usr/bin/sed
              sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
              3⤵
              • Reads runtime system information
              PID:780
            • /usr/bin/systemctl
              systemctl list-unit-files --full "--type=socket"
              3⤵
                PID:779
            • /tmp/fc449e7ed4c667a93339d2a23bf422547048bb5905afc23d947fb5f5581f2802.elf
              /tmp/fc449e7ed4c667a93339d2a23bf422547048bb5905afc23d947fb5f5581f2802.elf " "
              2⤵
              • Modifies Watchdog functionality
              • Modifies init.d
              • Modifies systemd
              • Enumerates kernel/hardware configuration
              • Reads runtime system information
              PID:764
              • /usr/sbin/update-rc.d
                update-rc.d linux_kill defaults
                3⤵
                  PID:788
                  • /usr/local/sbin/systemctl
                    systemctl daemon-reload
                    4⤵
                      PID:801
                    • /usr/local/bin/systemctl
                      systemctl daemon-reload
                      4⤵
                        PID:801
                      • /usr/sbin/systemctl
                        systemctl daemon-reload
                        4⤵
                          PID:801
                        • /usr/bin/systemctl
                          systemctl daemon-reload
                          4⤵
                          • Reads runtime system information
                          PID:801
                      • /usr/bin/sh
                        sh -c "cd /boot;systemctl daemon-reload;systemctl enable linux.service;systemctl start linux.service;journalctl -xe --no-pager"
                        3⤵
                          PID:822
                          • /usr/bin/systemctl
                            systemctl daemon-reload
                            4⤵
                            • Reads runtime system information
                            PID:823
                          • /usr/bin/systemctl
                            systemctl enable linux.service
                            4⤵
                            • Reads runtime system information
                            PID:841
                          • /usr/bin/systemctl
                            systemctl start linux.service
                            4⤵
                            • Reads runtime system information
                            PID:859
                          • /usr/bin/journalctl
                            journalctl -xe --no-pager
                            4⤵
                            • Reads runtime system information
                            PID:874
                        • /usr/bin/sh
                          sh -c "cd /boot;ausearch -c 'System.img.conf' --raw | audit2allow -M my-Systemimgconf;semodule -X 300 -i my-Systemimgconf.pp"
                          3⤵
                            PID:881
                            • /usr/sbin/ausearch
                              ausearch -c System.img.conf --raw
                              4⤵
                                PID:882
                              • /usr/bin/audit2allow
                                audit2allow -M my-Systemimgconf
                                4⤵
                                • Reads runtime system information
                                PID:883
                        • /etc/32678
                          /etc/32678
                          1⤵
                            PID:767
                            • /usr/bin/sleep
                              sleep 60
                              2⤵
                                PID:774
                            • /usr/local/sbin/systemctl
                              systemctl start crond.service
                              1⤵
                                PID:763
                              • /usr/local/bin/systemctl
                                systemctl start crond.service
                                1⤵
                                  PID:763
                                • /usr/sbin/systemctl
                                  systemctl start crond.service
                                  1⤵
                                    PID:763
                                  • /usr/bin/systemctl
                                    systemctl start crond.service
                                    1⤵
                                    • Reads runtime system information
                                    PID:763

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • /etc/32678
                                    Filesize

                                    61B

                                    MD5

                                    768eaf287796da19e1cf5e0b2fb1b161

                                    SHA1

                                    6a1ce2ee5ccc86d1f33806feb14547b35290df2a

                                    SHA256

                                    1d22620dfb2a6715e5d745aed5cf841ede0e75e1747f12b9b925a2d346bc7ecb

                                    SHA512

                                    e6af30c9df4f7f47696069511e64ecbc8e841629d692ee4056503df3533fb7a7a74960698826260355e1dba7b6c562482a27a39bb51a4237473ce4b68472d620

                                    Download Submit

                                  • /etc/init.d/linux_kill
                                    Filesize

                                    189B

                                    MD5

                                    3909975f7cc0d1121c1819b800069f31

                                    SHA1

                                    3e68de708c2e6c40fab6794afdee3104e5590189

                                    SHA256

                                    6876dac71f13a068afb863d257134275f2edba43b2acaf4924fabf97c079070b

                                    SHA512

                                    50600cceeb03b05f45ae61d890caee9f51ff390b6776930866e527e071d65d08241fc66673fd9b99d62fbc77d3c00fc3de4d7378cbc42f5daba5d83072b0906e

                                    Download Submit