Malware Analysis Report

2025-08-05 14:41

Sample ID 250703-f55ybshq5y
Target mipsel.elf
SHA256 1155e7fc20f281f4cd3d899223663dbfdde8c979816df5c60cb2d021d73b4c38
Tags
antivm defense_evasion discovery execution persistence privilege_escalation
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

1155e7fc20f281f4cd3d899223663dbfdde8c979816df5c60cb2d021d73b4c38

Threat Level: Shows suspicious behavior

The file mipsel.elf was found to show suspicious behavior.

Malicious Activity Summary

antivm defense_evasion discovery execution persistence privilege_escalation

Renames itself

Checks hardware identifiers (DMI)

Enumerates running processes

Creates/modifies Cron job

Reads MAC address of network interface

Reads hardware information

Reads CPU attributes

Checks CPU configuration

Enumerates kernel/hardware configuration

Reads runtime system information

Writes file to tmp directory

System Network Configuration Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:28

Reported

2025-07-03 05:30

Platform

debian9-mipsel-20250619-en

Max time kernel

149s

Max time network

148s

Command Line

[/tmp/mipsel.elf]

Signatures

Renames itself

Description Indicator Process Target
N/A N/A /tmp/mipsel.elf N/A

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/board_vendor /root/.sys/configuration N/A
File opened for reading /sys/class/dmi/id/board_vendor /root/.sys/configuration N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.gydmVB /usr/bin/crontab N/A

Enumerates running processes

Reads MAC address of network interface

defense_evasion discovery
Description Indicator Process Target
File opened for reading /sys/class/net/enp0s19/address /root/.sys/configuration N/A

Reads hardware information

discovery
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/board_name /root/.sys/configuration N/A
File opened for reading /sys/devices/virtual/dmi/id/product_uuid /root/.sys/configuration N/A
File opened for reading /sys/class/dmi/id/board_name /root/.sys/configuration N/A
File opened for reading /sys/class/dmi/id/product_uuid /root/.sys/configuration N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /root/.sys/configuration N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq /root/.sys/configuration N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/class/net /root/.sys/configuration N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/17/cmdline /root/.sys/configuration N/A
File opened for reading /proc/13/cmdline /root/.sys/configuration N/A
File opened for reading /proc/79/cmdline /root/.sys/configuration N/A
File opened for reading /proc/82/cmdline /root/.sys/configuration N/A
File opened for reading /proc/695/cmdline /root/.sys/configuration N/A
File opened for reading /proc/700/cmdline /root/.sys/configuration N/A
File opened for reading /proc/373/cmdline /root/.sys/configuration N/A
File opened for reading /proc/6/cmdline /root/.sys/configuration N/A
File opened for reading /proc/75/cmdline /root/.sys/configuration N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/16/cmdline /root/.sys/configuration N/A
File opened for reading /proc/665/cmdline /root/.sys/configuration N/A
File opened for reading /proc/666/cmdline /root/.sys/configuration N/A
File opened for reading /proc/672/cmdline /root/.sys/configuration N/A
File opened for reading /proc/710/cmdline /root/.sys/configuration N/A
File opened for reading /proc/3/cmdline /root/.sys/configuration N/A
File opened for reading /proc/19/cmdline /root/.sys/configuration N/A
File opened for reading /proc/77/cmdline /root/.sys/configuration N/A
File opened for reading /proc/81/cmdline /root/.sys/configuration N/A
File opened for reading /proc/244/cmdline /root/.sys/configuration N/A
File opened for reading /proc/18/cmdline /root/.sys/configuration N/A
File opened for reading /proc/71/cmdline /root/.sys/configuration N/A
File opened for reading /proc/336/cmdline /root/.sys/configuration N/A
File opened for reading /proc/374/cmdline /root/.sys/configuration N/A
File opened for reading /proc/662/cmdline /root/.sys/configuration N/A
File opened for reading /proc/9/cmdline /root/.sys/configuration N/A
File opened for reading /proc/10/cmdline /root/.sys/configuration N/A
File opened for reading /proc/12/cmdline /root/.sys/configuration N/A
File opened for reading /proc/23/cmdline /root/.sys/configuration N/A
File opened for reading /proc/74/cmdline /root/.sys/configuration N/A
File opened for reading /proc/226/cmdline /root/.sys/configuration N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/7/cmdline /root/.sys/configuration N/A
File opened for reading /proc/24/cmdline /root/.sys/configuration N/A
File opened for reading /proc/117/cmdline /root/.sys/configuration N/A
File opened for reading /proc/169/cmdline /root/.sys/configuration N/A
File opened for reading /proc/717/cmdline /root/.sys/configuration N/A
File opened for reading /proc/5/cmdline /root/.sys/configuration N/A
File opened for reading /proc/22/cmdline /root/.sys/configuration N/A
File opened for reading /proc/36/cmdline /root/.sys/configuration N/A
File opened for reading /proc/73/cmdline /root/.sys/configuration N/A
File opened for reading /proc/2/cmdline /root/.sys/configuration N/A
File opened for reading /proc/8/cmdline /root/.sys/configuration N/A
File opened for reading /proc/11/cmdline /root/.sys/configuration N/A
File opened for reading /proc/20/cmdline /root/.sys/configuration N/A
File opened for reading /proc/37/cmdline /root/.sys/configuration N/A
File opened for reading /proc/69/cmdline /root/.sys/configuration N/A
File opened for reading /proc/109/cmdline /root/.sys/configuration N/A
File opened for reading /proc/147/cmdline /root/.sys/configuration N/A
File opened for reading /proc/333/cmdline /root/.sys/configuration N/A
File opened for reading /proc/338/cmdline /root/.sys/configuration N/A
File opened for reading /proc/15/cmdline /root/.sys/configuration N/A
File opened for reading /proc/72/cmdline /root/.sys/configuration N/A
File opened for reading /proc/76/cmdline /root/.sys/configuration N/A
File opened for reading /proc/380/cmdline /root/.sys/configuration N/A
File opened for reading /proc/699/cmdline /root/.sys/configuration N/A
File opened for reading /proc/701/cmdline /root/.sys/configuration N/A
File opened for reading /proc/4/cmdline /root/.sys/configuration N/A
File opened for reading /proc/118/cmdline /root/.sys/configuration N/A
File opened for reading /proc/337/cmdline /root/.sys/configuration N/A
File opened for reading /proc/671/cmdline /root/.sys/configuration N/A
File opened for reading /proc/21/cmdline /root/.sys/configuration N/A
File opened for reading /proc/153/cmdline /root/.sys/configuration N/A
File opened for reading /proc/721/cmdline /root/.sys/configuration N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/mipsel.elf N/A
N/A N/A /root/.sys/configuration N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/root1086f3d /root/.sys/configuration N/A

Processes

/tmp/mipsel.elf

[/tmp/mipsel.elf]

/bin/sh

[sh -c crontab -l]

/usr/bin/crontab

[crontab -l]

/bin/sh

[sh -c (crontab -l ; echo "@reboot /root/.sys/configuration")| crontab -]

/usr/bin/crontab

[crontab -l]

/usr/bin/crontab

[crontab -]

/root/.sys/configuration

[/tmp/mipsel.elf]

Network

Country Destination Domain Proto
AU 1.1.1.1:53 time.cloudflare.com udp
AU 1.1.1.1:53 bttracker.debian.org udp
AU 1.1.1.1:53 router.bittorrent.com udp
SE 130.239.18.158:6881 bttracker.debian.org udp
US 67.215.246.10:6881 router.bittorrent.com udp
NL 188.90.169.20:51413 udp
JP 118.243.127.73:10249 udp
US 73.208.41.226:6881 udp
NL 45.87.251.11:28127 udp
JP 126.74.175.82:7286 udp
BR 143.137.3.191:6319 udp
AU 180.200.203.116:6881 udp
KR 120.142.31.97:40928 udp
DE 95.91.226.170:2427 udp
HK 38.47.220.3:15198 udp
SE 130.239.18.158:8521 bttracker.debian.org udp
BG 212.21.146.188:56581 udp
NL 185.149.91.15:51010 udp
SE 130.239.18.158:8644 bttracker.debian.org udp
NL 178.162.174.222:28014 udp
NL 86.104.22.178:18246 udp
FI 135.181.238.57:50000 udp
NL 178.162.174.65:28004 udp
SE 130.239.18.158:8824 bttracker.debian.org udp
SE 130.239.18.158:8524 bttracker.debian.org udp
IN 157.49.80.175:54043 udp
GY 190.80.53.67:45575 udp
US 72.180.123.97:37231 udp
FR 86.201.135.117:39292 udp
BR 186.249.128.169:59262 udp
RU 62.68.136.130:33695 udp
US 47.229.186.37:25106 udp
AR 186.124.150.204:53885 udp
DE 89.246.96.40:1796 udp
BR 191.217.157.141:41439 udp
AR 200.122.10.115:44070 udp
AR 181.116.176.110:14308 udp
BR 189.50.232.200:29454 udp
FR 86.104.74.124:60639 udp
NL 185.107.45.31:7246 udp
BR 201.182.123.130:63771 udp
AU 124.177.210.151:6881 udp
BR 177.37.233.18:32555 udp
NL 178.162.174.149:28001 udp
CN 171.222.189.44:23791 udp
CZ 85.70.70.183:51413 udp
US 108.28.191.220:43080 udp
PA 181.197.124.53:31531 udp
AR 190.179.154.70:55511 udp
IL 77.137.69.161:18604 udp
CO 190.251.204.205:38795 udp
TH 1.20.94.19:33344 udp
FR 176.170.14.213:40739 udp
KR 221.145.67.185:40969 udp
FR 88.173.209.44:63506 udp
US 172.56.71.36:18014 udp
CA 178.128.234.42:6882 udp
US 45.203.208.35:6880 udp
NL 185.149.91.21:51118 udp
RU 109.174.104.47:39478 udp
MD 213.232.235.11:8999 udp
NL 5.79.66.11:54337 udp
NL 95.211.247.101:28009 udp
DE 141.95.53.34:8648 udp
NL 64.238.204.200:14685 udp
US 71.197.172.99:51413 udp
US 172.111.38.128:26074 udp
CA 69.159.19.53:51413 udp
BE 109.133.195.229:23999 udp
NL 45.152.209.84:49643 udp
BE 193.105.133.241:8299 udp
NL 85.17.52.21:62046 udp
RU 188.113.2.204:6881 udp
DE 78.47.84.104:22223 udp
NL 45.87.251.6:28001 udp
NL 178.162.173.56:28003 udp
SE 130.239.18.158:8510 bttracker.debian.org udp
NL 46.232.210.29:63353 udp
NL 37.48.93.130:64884 udp
FR 62.210.201.217:8642 udp
NL 46.232.210.119:64100 udp
US 73.199.179.20:29722 udp
UA 91.236.98.230:2660 udp
JP 58.87.27.211:27009 udp
DE 23.158.56.119:10047 udp
RU 89.222.147.25:6881 udp
RU 193.233.181.227:6881 udp
RU 193.84.113.165:6881 udp
US 50.34.37.70:33957 udp
AL 79.106.231.163:1434 udp
FI 135.181.227.244:50000 udp
NL 178.162.174.43:28004 udp
SE 130.239.18.158:8515 bttracker.debian.org udp
SE 130.239.18.158:8580 bttracker.debian.org udp
FR 195.154.233.74:6880 udp
SE 130.239.18.158:8516 bttracker.debian.org udp
GB 80.44.217.19:46292 udp
NL 178.162.173.91:28003 udp
SE 130.239.18.158:8620 bttracker.debian.org udp
SE 130.239.18.158:8597 bttracker.debian.org udp
SE 130.239.18.158:8513 bttracker.debian.org udp
JP 111.96.224.183:15249 udp
DE 51.75.145.90:6881 udp
NL 85.17.65.80:6910 udp
US 69.50.95.40:10021 udp
DE 23.158.56.120:14069 udp
HU 80.95.67.237:22037 udp
RO 86.125.14.52:26023 udp
HK 123.202.78.150:24069 udp
CA 198.2.95.103:39335 udp
RU 2.63.5.214:23946 udp
DK 86.52.115.134:35547 udp
NL 46.232.211.167:13109 udp
FR 5.135.184.86:50357 udp
NL 178.162.173.110:28012 udp
NL 46.232.211.238:58193 udp
NL 46.232.210.246:50204 udp
FR 188.165.194.30:51413 udp
NL 178.162.174.77:28014 udp
FR 5.196.68.33:51413 udp
CA 148.163.160.5:6881 udp
NL 46.232.211.15:12009 udp
NL 45.87.251.6:28043 udp
BR 177.152.99.237:32690 udp
FR 188.165.243.15:55084 udp
GB 143.159.145.247:63717 udp
US 136.56.173.46:26621 udp
TW 175.98.32.48:13639 udp
BR 186.226.50.125:34581 udp
KR 119.204.119.135:33183 udp
ES 84.121.70.18:6889 udp
HK 42.98.123.5:15000 udp
BD 157.119.237.16:20481 udp
US 100.11.208.248:18631 udp
NL 178.162.174.99:28003 udp
NL 185.203.56.55:12337 udp
NL 89.149.202.17:28034 udp
BY 178.124.154.112:51413 udp
HK 118.141.251.66:7555 udp
DE 94.31.73.127:22951 udp
RU 5.130.16.244:23647 udp
KR 14.36.155.162:42797 udp
RU 185.49.109.17:49001 udp
NL 149.143.96.50:60210 udp
CH 185.98.169.90:20236 udp
NL 217.121.231.94:59625 udp
SE 130.239.18.158:8508 bttracker.debian.org udp
JP 92.202.211.212:51413 udp
CN 112.18.9.61:3592 udp
CN 39.86.186.20:50969 udp
JP 48.218.149.167:16151 udp
KR 1.245.31.30:32888 udp
BG 77.78.14.73:38893 udp
NL 85.144.150.46:56979 udp
AU 203.29.96.28:63425 udp
RU 80.234.76.186:4352 udp
CN 221.229.52.111:6892 udp
US 69.50.95.40:10059 udp
US 69.50.95.40:10096 udp
CN 220.163.32.213:1117 udp
MY 113.211.212.212:32426 udp
BR 200.53.199.243:13644 udp
RO 86.121.117.167:6889 udp
RU 5.18.190.158:3080 udp
KR 121.153.202.98:7732 udp
AU 120.148.150.146:6882 udp
GB 109.154.79.79:6881 udp
CA 108.180.109.209:6882 udp
KR 210.183.172.173:7973 udp
NL 185.149.91.15:51516 udp
SE 213.66.32.98:64665 udp
UA 109.87.142.146:42969 udp
AT 178.189.213.19:6881 udp
RU 95.26.29.84:10374 udp
JP 210.149.154.151:6880 udp
NL 185.149.91.167:51534 udp
DK 185.111.109.38:10527 udp
GB 88.97.245.235:17447 udp
US 148.153.170.2:6880 udp
CA 172.97.233.98:6889 udp
BR 187.99.126.123:60352 udp
BR 186.250.8.115:6881 udp
HK 1.36.58.21:6889 udp
BG 178.254.207.35:26884 udp
NL 178.162.174.168:28009 udp
HU 87.97.120.226:51413 udp
RU 79.139.250.170:2649 udp
US 47.208.129.1:6881 udp
IE 84.203.100.48:5740 udp
HU 84.21.182.152:6881 udp
KR 218.156.22.144:46287 udp
ES 46.6.44.91:1796 udp
JP 118.154.85.206:46053 udp
KR 211.223.80.56:40757 udp
US 129.101.59.28:65006 udp
IN 144.24.119.225:51413 udp
RU 217.144.161.45:10648 udp
NL 185.203.56.67:14723 udp
KR 222.112.77.233:59277 udp
NO 85.252.183.114:57775 udp
AU 101.115.25.33:2016 udp
CN 112.23.122.241:16269 udp
PE 190.232.205.193:38639 udp
CN 112.0.14.153:44877 udp
CN 36.251.1.37:42167 udp
IL 93.172.234.143:51413 udp
UA 94.232.209.137:15008 udp
NL 143.179.125.83:54374 udp
FR 94.103.121.193:15271 udp
CN 180.173.60.255:51413 udp
US 102.129.234.44:61976 udp
CN 111.12.248.60:16857 udp
UZ 213.230.112.48:42916 udp
RU 178.72.81.137:10658 udp
BR 177.37.138.223:47681 udp
RU 80.234.76.15:9999 udp
LV 90.139.68.14:23056 udp
US 13.58.27.33:6881 udp
RU 193.111.3.52:14479 udp
AU 58.172.0.154:6889 udp
RU 185.169.103.44:12631 udp
NL 159.65.200.220:6814 tcp
BR 186.226.55.10:55261 udp
RU 178.71.236.95:21484 udp
RU 82.194.247.10:4094 udp
CA 96.21.46.22:6889 udp
PE 38.25.18.10:38833 udp
CA 198.245.61.26:61221 udp
BY 46.53.253.26:49701 udp
EE 176.46.90.46:20562 udp
AU 124.184.141.22:45682 udp
NL 45.87.251.132:28167 udp
RU 45.142.122.35:51413 udp
GR 79.130.166.254:54426 udp
IN 223.184.243.101:30909 udp
ID 103.184.51.101:20496 udp
KR 175.208.71.36:33024 udp
US 54.214.62.55:6881 udp
DE 43.240.149.123:32681 udp
GB 194.29.101.83:10240 udp
SG 167.99.72.189:6881 udp
DE 213.244.63.41:6287 udp
N/A 10.0.2.100:60314 udp
FR 5.39.85.155:52228 udp
SE 87.251.203.105:6881 udp
RU 147.45.35.216:1277 udp
N/A 10.0.2.100:38909 udp
IN 110.226.183.10:8809 udp
CN 113.204.47.50:2720 udp
FR 92.90.10.42:47176 udp
RU 176.49.117.71:56203 udp
HU 176.63.12.59:35491 udp
CN 60.173.178.47:15000 udp
CZ 46.13.217.101:6881 udp
MX 38.65.166.75:40405 udp
CN 223.149.193.51:4512 udp
SE 2.248.149.79:56435 udp
RU 79.105.116.32:2272 udp
RU 95.153.180.32:59238 udp
NL 46.232.210.80:64118 udp
CN 114.92.111.167:51212 udp
US 66.56.80.179:42837 udp
UA 213.174.10.21:23065 tcp
NL 159.65.200.220:6811 tcp
PE 38.250.154.255:60306 udp
FR 90.2.110.190:22482 udp
UA 94.244.59.101:33717 udp
IN 152.57.165.118:46878 udp
DE 209.38.196.30:6818 tcp
PH 120.29.90.87:5462 udp
CN 117.65.152.254:33164 udp
TW 114.34.175.132:6881 udp
IN 152.59.34.217:49503 udp
JO 94.249.81.211:33198 udp
PL 88.135.163.69:6881 udp
US 76.149.173.207:18888 udp
CA 108.172.158.203:62076 udp
CA 54.39.107.165:16481 udp
US 35.167.186.212:6881 udp
IE 54.194.124.68:6881 udp
BG 83.97.64.97:1148 udp
CN 121.27.84.81:30406 udp
RU 185.141.77.190:16116 udp
IN 103.59.75.105:22341 udp
US 34.82.108.93:6145 udp
AZ 212.47.151.4:2465 udp
PE 38.25.17.211:48788 udp
PL 46.227.240.79:3031 udp
GB 90.195.112.79:42112 udp
NL 193.32.16.248:23065 tcp
NL 159.65.200.220:6813 tcp
DE 91.47.100.126:6889 udp
CZ 78.80.34.215:63580 udp
AU 180.150.36.0:29940 udp
RU 159.253.172.189:3949 udp
US 54.214.62.31:6881 udp
NL 178.162.173.160:28012 udp
NL 178.162.173.117:28010 udp
NL 178.162.173.98:28000 udp
SE 130.239.18.158:8531 bttracker.debian.org udp
US 35.163.251.58:6881 udp
US 43.130.56.223:6000 udp
TR 85.102.84.104:23065 tcp
CA 54.39.52.183:18985 udp
US 142.171.125.191:6881 udp
PL 54.36.168.18:46075 udp
SI 46.122.67.75:23376 udp
EG 105.196.62.186:49383 udp
PL 89.67.24.139:60366 udp
PH 210.4.120.188:33836 udp
US 98.55.88.105:43138 udp
CH 212.102.37.58:27218 udp
KR 58.78.128.148:6881 udp
NL 5.79.93.242:61920 udp
US 73.219.249.34:46510 udp
GB 134.65.149.9:59852 udp
FR 163.172.69.72:24242 udp
NL 45.131.79.89:64015 udp
ES 83.35.165.178:52207 udp
ID 103.156.164.27:22561 udp
FR 88.160.95.5:34785 udp
KR 175.212.11.94:32691 udp
FR 193.32.126.149:42944 udp
US 69.50.95.40:10080 udp
CN 120.233.34.165:6904 udp
NL 37.48.89.221:41579 udp
BR 187.106.35.232:4920 udp
KR 112.164.101.93:7802 udp
FR 62.210.124.91:55609 udp
KR 59.7.247.226:7823 udp
JP 14.133.49.120:9311 udp
KR 222.100.58.95:6881 udp
NL 80.115.120.20:55552 udp
RU 79.139.146.157:1350 udp
DZ 197.202.7.20:23065 tcp
PT 95.136.8.201:16817 udp
RU 5.44.6.177:2079 udp
IT 93.34.237.68:18788 udp
PH 180.190.208.65:8886 udp
BB 65.48.167.8:21797 udp
EC 102.177.166.75:6881 udp
US 145.224.101.39:18233 udp
NL 95.168.168.200:52908 udp
RU 188.162.6.47:17637 udp
IT 2.36.225.40:40815 udp
UA 37.57.31.17:32000 udp
NO 84.202.87.244:16430 udp
BR 192.141.188.141:20537 udp
BR 181.191.161.108:28294 udp
RU 95.25.175.55:39473 udp
US 18.191.2.28:6881 udp
RU 79.105.116.113:2411 udp
BR 189.201.249.13:6881 udp
KR 175.213.130.196:7739 udp
GB 94.174.73.98:6882 udp
NL 165.140.119.114:27847 udp
RU 82.194.247.10:4115 udp
DE 91.59.251.27:51413 udp
CN 180.97.50.210:6890 udp

Files

/var/spool/cron/crontabs/tmp.gydmVB

MD5 0d9f567dc152036c07805d6a39f8484f
SHA1 1e91240d4daf47f1b58c08a37bc7e1ec1043b1a4
SHA256 239d280a9a8eb4d82665c775e2f6aac27d9a8b66d37ec24f6955ec072fedefeb
SHA512 ac73e472dddd75c17c15915d1fd15e78d4e5b63f96c088a27d1eb8a28a8e57bc46bc7642e614fffe69c0c5d23de50aab34baa7ee21e460c32bb3cc6a0947fac9

memory/718-1-0x00400000-0x0050a78c-memory.dmp