10962293ec817a48997b8d2c9e4a43610373a35fe7360937f261e5d278fdef7e

Analysis

max time kernel
98s
max time network
153s
platform
debian-12_armhf
resource
debian12-armhf-20240221-en
resource tags

arch:armhfimage:debian12-armhf-20240221-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
submitted
22/02/2025, 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hoodlum.arm5.elf
Size

176KB
MD5

2b53d328406f21f18f0930ce47556dca
SHA1

becfbb4b3a4c072f51e0080922de28aebeb3ef71
SHA256

10962293ec817a48997b8d2c9e4a43610373a35fe7360937f261e5d278fdef7e
SHA512

81107e7c660809fde0c6740412a2570b9275d0024cef2766fe2f730d4391c709fcf76e5d06aa8162bd6a43eb9dd8700de09151610147037a75443bf75bb6db0e
SSDEEP

3072:NBx2mxpI1Tzhm4yjeBaHX2b+/h81pNV2OnZW5hBL22WJV70+w2mowhbRWz3e:NJCBaHX2bE81sOng5hBL22WJV70p2mo8

Score

7^/10

defense_evasion discovery execution privilege_escalation

Malware Config

Signatures

Deletes Audit logs 1 TTPs 1 IoCs

Deletes logs related to the Linux Audit framework.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/audit/audit.log	rm

Deletes itself 1 IoCs

pid	Process
703	hoodlum.arm5.elf

Deletes journal logs 1 TTPs 4 IoCs

Deletes systemd journal logs. Likely to evade detection.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/journal/65779e181e584f059cb9deb1099989c3/system.journal	rm
File deleted	/var/log/journal/65779e181e584f059cb9deb1099989c3/[email protected]~	rm
File deleted	/var/log/journal/65779e181e584f059cb9deb1099989c3/system@a0c3e34424be4b6c8d58984d0e1a7645-000000000000040e-000611df97316acc.journal	rm
File deleted	/var/log/journal/65779e181e584f059cb9deb1099989c3	rm

Flushes firewall rules 1 TTPs 6 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

pid	Process
773	systemctl
773	systemctl
770	iptables
771	iptables
773	systemctl
773	systemctl

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Adversary-in-the-Middle

T1557

description	ioc	Process
File opened for modification	/etc/resolv.conf	hoodlum.arm5.elf

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

pid	Process
712	rm

Deletes log files 1 TTPs 30 IoCs

Deletes log files on the system.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/README	rm
File deleted	/var/log/apt/history.log	rm
File deleted	/var/log/faillog	rm
File deleted	/var/log/btmp	rm
File deleted	/var/log/installer/cdebconf/questions.dat	rm
File deleted	/var/log/installer/firmware-summary	rm
File deleted	/var/log/installer/status	rm
File deleted	/var/log/wtmp	rm
File deleted	/var/log/runit	rm
File deleted	/var/log/installer/hardware-summary	rm
File deleted	/var/log/installer/syslog	rm
File deleted	/var/log/installer/lsb-release	rm
File deleted	/var/log/dpkg.log	rm
File deleted	/var/log/journal	rm
File deleted	/var/log/lastlog	rm
File deleted	/var/log/runit/ssh	rm
File deleted	/var/log/installer/cdebconf/templates.dat	rm
File deleted	/var/log/apt/term.log	rm
File deleted	/var/log/installer/cdebconf	rm
File deleted	/var/log/apt	rm
File deleted	/var/log/installer/partman	rm
File deleted	/var/log/installer	rm
File deleted	/var/log/fontconfig.log	rm
File deleted	/var/log/apt/eipp.log.xz	rm
File deleted	/var/log/wtmp	rm
File deleted	/var/log/alternatives.log	rm
File deleted	/var/log/audit	rm
File deleted	/var/log/private	rm
File deleted	/var/log/exim4/mainlog	rm
File deleted	/var/log/exim4	rm

Enumerates running processes
Discovers information about currently running processes on the system

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	hoodlum.arm5.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	xxskqcskduddkkqskduo	703	hoodlum.arm5.elf

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	hoodlum.arm5.elf

Command and Scripting Interpreter: Unix Shell 1 TTPs 13 IoCs

Execute scripts via Unix Shell.

execution

Unix Shell

T1059.004

pid	Process
752	sh
757	sh
785	sh
710	sh
749	sh
754	sh
769	sh
772	sh
783	sh
743	sh
745	sh
747	sh
750	sh

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/9/cgroup	pkill
File opened for reading	/proc/742/cmdline	pkill
File opened for reading	/proc/5/ctty	pkill
File opened for reading	/proc/12/cmdline	pkill
File opened for reading	/proc/36/cgroup	pkill
File opened for reading	/proc/342/ctty	pkill
File opened for reading	/proc/14/stat	pkill
File opened for reading	/proc/15/cmdline	pkill
File opened for reading	/proc/47/ctty	pkill
File opened for reading	/proc/21/stat	pkill
File opened for reading	/proc/23/cmdline	pkill
File opened for reading	/proc/34/status	pkill
File opened for reading	/proc/665/cgroup	pkill
File opened for reading	/proc/7/cmdline	pkill
File opened for reading	/proc/13/cmdline	pkill
File opened for reading	/proc/23/cgroup	pkill
File opened for reading	/proc/488/stat	pkill
File opened for reading	/proc/679/cmdline	pkill
File opened for reading	/proc/346/status	pkill
File opened for reading	/proc/1/cgroup	pkill
File opened for reading	/proc/9/cgroup	pkill
File opened for reading	/proc/24/cgroup	pkill
File opened for reading	/proc/46/cmdline	pkill
File opened for reading	/proc/35/cmdline	pkill
File opened for reading	/proc/36/stat	pkill
File opened for reading	/proc/26/ctty	pkill
File opened for reading	/proc/45/stat	pkill
File opened for reading	/proc/8/ctty	pkill
File opened for reading	/proc/34/ctty	pkill
File opened for reading	/proc/9/status	pkill
File opened for reading	/proc/199/cgroup	pkill
File opened for reading	/proc/32/stat	pkill
File opened for reading	/proc/33/status	pkill
File opened for reading	/proc/711/stat	pkill
File opened for reading	/proc/26/status	pkill
File opened for reading	/proc/339/ctty	pkill
File opened for reading	/proc/741/status	pkill
File opened for reading	/proc/316/status	pkill
File opened for reading	/proc/752/ctty	pkill
File opened for reading	/proc/18/cgroup	pkill
File opened for reading	/proc/188/cmdline	pkill
File opened for reading	/proc/6/stat	pkill
File opened for reading	/proc/11/cgroup	pkill
File opened for reading	/proc/38/status	pkill
File opened for reading	/proc/25/stat	pkill
File opened for reading	/proc/22/stat	pkill
File opened for reading	/proc/740/ctty	pkill
File opened for reading	/proc/18/status	pkill
File opened for reading	/proc/33/status	pkill
File opened for reading	/proc/33/cmdline	pkill
File opened for reading	/proc/74/stat	pkill
File opened for reading	/proc/199/ctty	pkill
File opened for reading	/proc/742/status	pkill
File opened for reading	/proc/7/cmdline	pkill
File opened for reading	/proc/11/cmdline	pkill
File opened for reading	/proc/31/status	pkill
File opened for reading	/proc/143/stat	pkill
File opened for reading	/proc/26/cmdline	pkill
File opened for reading	/proc/31/cmdline	pkill
File opened for reading	/proc/144/status	pkill
File opened for reading	/proc/32/status	pkill
File opened for reading	/proc/143/cgroup	pkill
File opened for reading	/proc/339/cgroup	pkill
File opened for reading	/proc/3/status	pkill

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
749	sh
757	sh
758	service
769	sh

/tmp/hoodlum.arm5.elf
/tmp/hoodlum.arm5.elf
1⤵
- Deletes itself
- Writes DNS configuration
- Reads system routing table
- Changes its process name
- Reads system network configuration
PID:703
- /bin/sh
  /bin/sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:710
- - /usr/bin/rm
    rm -rf /tmp/systemd-private-378ec7a853c645de8921f9b515d61efa-ntpsec.service-uLjd9k /tmp/systemd-private-378ec7a853c645de8921f9b515d61efa-systemd-logind.service-q3Do3s /tmp/systemd-private-378ec7a853c645de8921f9b515d61efa-systemd-timedated.service-M484rk /var/backups /var/cache /var/lib /var/local /var/lock /var/log /var/mail /var/opt /var/run /var/spool /var/tmp /var/run/atd.pid /var/run/auditd.pid /var/run/console-setup /var/run/credentials /var/run/crond.pid /var/run/crond.reboot /var/run/dbus /var/run/dhclient.eth0.pid /var/run/exim4 /var/run/initctl /var/run/initramfs /var/run/lock /var/run/log /var/run/motd.dynamic /var/run/mount /var/run/network /var/run/ntpd.pid /var/run/sendsigs.omit.d /var/run/shm /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/user /var/run/utmp /var/tmp/systemd-private-378ec7a853c645de8921f9b515d61efa-ntpsec.service-GB1Joy /var/tmp/systemd-private-378ec7a853c645de8921f9b515d61efa-systemd-logind.service-C1tbBQ /var/tmp/systemd-private-378ec7a853c645de8921f9b515d61efa-systemd-timedated.service-g8gim5
    3⤵
    - Deletes Audit logs
    - Deletes journal logs
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Deletes log files
    PID:712
- /bin/sh
  /bin/sh -c "rm -rf /var/log/wtmp"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:743
- - /usr/bin/rm
    rm -rf /var/log/wtmp
    3⤵
    - Deletes log files
    PID:744
- /bin/sh
  /bin/sh -c "rm -rf /tmp/*"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:745
- - /usr/bin/rm
    rm -rf "/tmp/*"
    3⤵
    PID:746
- /bin/sh
  /bin/sh -c "rm -rf /bin/netstat"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:747
- - /usr/bin/rm
    rm -rf /bin/netstat
    3⤵
    PID:748
- /bin/sh
  /bin/sh -c "iptables -F"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:749
- /bin/sh
  /bin/sh -c "pkill -9 busybox"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:750
- - /usr/bin/pkill
    pkill -9 busybox
    3⤵
    - Reads runtime system information
    PID:751
- /bin/sh
  /bin/sh -c "pkill -9 perl"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:752
- - /usr/bin/pkill
    pkill -9 perl
    3⤵
    - Reads runtime system information
    PID:753
- /bin/sh
  /bin/sh -c "pkill -9 python"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:754
- - /usr/bin/pkill
    pkill -9 python
    3⤵
    - Reads runtime system information
    PID:755
- /bin/sh
  /bin/sh -c "service iptables stop"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:757
- - /usr/sbin/service
    service iptables stop
    3⤵
    - System Network Configuration Discovery
    PID:758
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:759
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:760
  - - /usr/bin/sed
      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
      4⤵
      PID:764
  - - /usr/bin/systemctl
      systemctl list-unit-files --full "--type=socket"
      4⤵
      PID:763
- - /usr/local/sbin/systemctl
    systemctl stop iptables.service
    3⤵
    PID:758
- - /usr/local/bin/systemctl
    systemctl stop iptables.service
    3⤵
    PID:758
- - /usr/sbin/systemctl
    systemctl stop iptables.service
    3⤵
    PID:758
- - /usr/bin/systemctl
    systemctl stop iptables.service
    3⤵
    PID:758
- /bin/sh
  /bin/sh -c "/sbin/iptables -F; /sbin/iptables -X"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:769
- - /sbin/iptables
    /sbin/iptables -F
    3⤵
    - Flushes firewall rules
    PID:770
- - /sbin/iptables
    /sbin/iptables -X
    3⤵
    - Flushes firewall rules
    PID:771
- /bin/sh
  /bin/sh -c "service firewalld stop"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:772
- - /usr/sbin/service
    service firewalld stop
    3⤵
    PID:773
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:776
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:777
  - - /usr/bin/sed
      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
      4⤵
      PID:780
  - - /usr/bin/systemctl
      systemctl list-unit-files --full "--type=socket"
      4⤵
      PID:779
- - /usr/local/sbin/systemctl
    systemctl stop firewalld.service
    3⤵
    - Flushes firewall rules
    PID:773
- - /usr/local/bin/systemctl
    systemctl stop firewalld.service
    3⤵
    - Flushes firewall rules
    PID:773
- - /usr/sbin/systemctl
    systemctl stop firewalld.service
    3⤵
    - Flushes firewall rules
    PID:773
- - /usr/bin/systemctl
    systemctl stop firewalld.service
    3⤵
    - Flushes firewall rules
    PID:773
- /bin/sh
  /bin/sh -c "rm -rf ~/.bash_history"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:783
- - /usr/bin/rm
    rm -rf "~/.bash_history"
    3⤵
    PID:784
- /bin/sh
  /bin/sh -c "history -c"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:785