Malware Analysis Report

2025-08-05 14:41

Sample ID 250703-f58n8ahq5z
Target mipsel.elf
SHA256 f686accbe32136fab610609332b5b463049be4a85e1eb145311c9b3c137d253e
Tags
antivm defense_evasion discovery execution persistence privilege_escalation
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f686accbe32136fab610609332b5b463049be4a85e1eb145311c9b3c137d253e

Threat Level: Shows suspicious behavior

The file mipsel.elf was found to be: Shows suspicious behavior.

Malicious Activity Summary

antivm defense_evasion discovery execution persistence privilege_escalation

Renames itself

Creates/modifies Cron job

Reads hardware information

Checks hardware identifiers (DMI)

Enumerates running processes

Reads MAC address of network interface

Checks CPU configuration

Reads CPU attributes

Enumerates kernel/hardware configuration

Reads runtime system information

Writes file to tmp directory

System Network Configuration Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:28

Reported

2025-07-03 05:31

Platform

debian12-mipsel-20250619-en

Max time kernel

151s

Max time network

155s

Command Line

[/tmp/mipsel.elf]

Signatures

Renames itself

Description Indicator Process Target
N/A N/A /tmp/mipsel.elf N/A

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/class/dmi/id/board_vendor /root/.sys/configuration N/A
File opened for reading /sys/devices/virtual/dmi/id/board_vendor /root/.sys/configuration N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.x7oviY /usr/bin/crontab N/A

Enumerates running processes

Reads MAC address of network interface

defense_evasion discovery
Description Indicator Process Target
File opened for reading /sys/class/net/enp0s19/address /root/.sys/configuration N/A

Reads hardware information

discovery
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/board_name /root/.sys/configuration N/A
File opened for reading /sys/devices/virtual/dmi/id/product_uuid /root/.sys/configuration N/A
File opened for reading /sys/class/dmi/id/board_name /root/.sys/configuration N/A
File opened for reading /sys/class/dmi/id/product_uuid /root/.sys/configuration N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /root/.sys/configuration N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq /root/.sys/configuration N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/class/net /root/.sys/configuration N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/815/cmdline /root/.sys/configuration N/A
File opened for reading /proc/19/cmdline /root/.sys/configuration N/A
File opened for reading /proc/33/cmdline /root/.sys/configuration N/A
File opened for reading /proc/44/cmdline /root/.sys/configuration N/A
File opened for reading /proc/48/cmdline /root/.sys/configuration N/A
File opened for reading /proc/116/cmdline /root/.sys/configuration N/A
File opened for reading /proc/203/cmdline /root/.sys/configuration N/A
File opened for reading /proc/379/cmdline /root/.sys/configuration N/A
File opened for reading /proc/20/cmdline /root/.sys/configuration N/A
File opened for reading /proc/35/cmdline /root/.sys/configuration N/A
File opened for reading /proc/696/cmdline /root/.sys/configuration N/A
File opened for reading /proc/761/cmdline /root/.sys/configuration N/A
File opened for reading /proc/26/cmdline /root/.sys/configuration N/A
File opened for reading /proc/42/cmdline /root/.sys/configuration N/A
File opened for reading /proc/404/cmdline /root/.sys/configuration N/A
File opened for reading /proc/765/cmdline /root/.sys/configuration N/A
File opened for reading /proc/8/cmdline /root/.sys/configuration N/A
File opened for reading /proc/21/cmdline /root/.sys/configuration N/A
File opened for reading /proc/115/cmdline /root/.sys/configuration N/A
File opened for reading /proc/119/cmdline /root/.sys/configuration N/A
File opened for reading /proc/414/cmdline /root/.sys/configuration N/A
File opened for reading /proc/700/cmdline /root/.sys/configuration N/A
File opened for reading /proc/6/cmdline /root/.sys/configuration N/A
File opened for reading /proc/23/cmdline /root/.sys/configuration N/A
File opened for reading /proc/37/cmdline /root/.sys/configuration N/A
File opened for reading /proc/59/cmdline /root/.sys/configuration N/A
File opened for reading /proc/321/cmdline /root/.sys/configuration N/A
File opened for reading /proc/333/cmdline /root/.sys/configuration N/A
File opened for reading /proc/395/cmdline /root/.sys/configuration N/A
File opened for reading /proc/113/cmdline /root/.sys/configuration N/A
File opened for reading /proc/785/cmdline /root/.sys/configuration N/A
File opened for reading /proc/3/cmdline /root/.sys/configuration N/A
File opened for reading /proc/10/cmdline /root/.sys/configuration N/A
File opened for reading /proc/138/cmdline /root/.sys/configuration N/A
File opened for reading /proc/663/cmdline /root/.sys/configuration N/A
File opened for reading /proc/770/cmdline /root/.sys/configuration N/A
File opened for reading /proc/24/cmdline /root/.sys/configuration N/A
File opened for reading /proc/30/cmdline /root/.sys/configuration N/A
File opened for reading /proc/53/cmdline /root/.sys/configuration N/A
File opened for reading /proc/16/cmdline /root/.sys/configuration N/A
File opened for reading /proc/18/cmdline /root/.sys/configuration N/A
File opened for reading /proc/28/cmdline /root/.sys/configuration N/A
File opened for reading /proc/29/cmdline /root/.sys/configuration N/A
File opened for reading /proc/34/cmdline /root/.sys/configuration N/A
File opened for reading /proc/device-tree/model /root/.sys/configuration N/A
File opened for reading /proc/11/cmdline /root/.sys/configuration N/A
File opened for reading /proc/58/cmdline /root/.sys/configuration N/A
File opened for reading /proc/112/cmdline /root/.sys/configuration N/A
File opened for reading /proc/114/cmdline /root/.sys/configuration N/A
File opened for reading /proc/137/cmdline /root/.sys/configuration N/A
File opened for reading /proc/392/cmdline /root/.sys/configuration N/A
File opened for reading /proc/406/cmdline /root/.sys/configuration N/A
File opened for reading /proc/5/cmdline /root/.sys/configuration N/A
File opened for reading /proc/9/cmdline /root/.sys/configuration N/A
File opened for reading /proc/13/cmdline /root/.sys/configuration N/A
File opened for reading /proc/15/cmdline /root/.sys/configuration N/A
File opened for reading /proc/47/cmdline /root/.sys/configuration N/A
File opened for reading /proc/782/cmdline /root/.sys/configuration N/A
File opened for reading /proc/804/cmdline /root/.sys/configuration N/A
File opened for reading /proc/818/cmdline /root/.sys/configuration N/A
File opened for reading /proc/mounts /root/.sys/configuration N/A
File opened for reading /proc/762/cmdline /root/.sys/configuration N/A
File opened for reading /proc/7/cmdline /root/.sys/configuration N/A
File opened for reading /proc/12/cmdline /root/.sys/configuration N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/mipsel.elf N/A
N/A N/A /root/.sys/configuration N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/root1086f3d /root/.sys/configuration N/A

Processes

/tmp/mipsel.elf

[/tmp/mipsel.elf]

/bin/sh

[sh -c crontab -l]

/usr/bin/crontab

[crontab -l]

/bin/sh

[sh -c (crontab -l ; echo "@reboot /root/.sys/configuration")| crontab -]

/usr/bin/crontab

[crontab -l]

/usr/bin/crontab

[crontab -]

/root/.sys/configuration

[/tmp/mipsel.elf]

Network

Country Destination Domain Proto
AU 1.1.1.1:53 debian12-mipsel-20250619-en-7 udp
AU 1.1.1.1:53 debian12-mipsel-20250619-en-7 udp
AU 1.1.1.1:53 time.cloudflare.com udp
AU 1.1.1.1:53 bttracker.debian.org udp
AU 1.1.1.1:53 router.bittorrent.com udp
SE 130.239.18.158:6881 bttracker.debian.org udp
US 67.215.246.10:6881 router.bittorrent.com udp
FI 135.181.238.57:50000 udp
FI 65.21.129.56:50000 udp
FI 37.27.119.190:50000 udp
FI 65.21.125.166:50000 udp
NL 178.162.174.82:28014 udp
SE 130.239.18.158:8524 bttracker.debian.org udp
NL 178.162.174.149:28001 udp
FI 37.27.119.253:50000 udp
FI 37.27.117.180:50000 udp
DE 23.158.56.120:14017 udp
DE 167.235.10.94:50000 udp
SE 130.239.18.158:8516 bttracker.debian.org udp
NL 37.48.86.173:28002 udp
RU 94.140.135.117:15674 udp
SE 130.239.18.158:8513 bttracker.debian.org udp
NL 46.232.211.200:25759 udp
NL 178.162.173.91:28003 udp
FR 88.160.95.5:34785 udp
US 69.50.95.40:12097 udp
FI 37.27.119.244:50000 udp
NL 5.79.66.11:54337 udp
SE 46.59.108.221:33272 udp
FI 37.27.119.120:50000 udp
UA 31.31.121.179:8704 udp
SG 43.133.45.199:50210 udp
NL 178.162.174.1:28006 udp
FI 65.21.128.233:50000 udp
RU 109.229.232.55:6881 udp
FI 37.27.107.125:50000 udp
JP 106.139.123.86:7014 udp
FI 65.21.128.218:50000 udp
FR 37.187.102.86:51413 udp
FI 37.27.119.119:50000 udp
RU 185.175.44.241:51413 udp
FI 37.27.119.179:50000 udp
FI 37.27.119.175:50000 udp
FI 65.21.128.238:50000 udp
FI 37.27.117.250:50000 udp
NL 178.162.173.97:28006 udp
FI 65.21.128.250:50000 udp
FI 37.27.104.49:50000 udp
FI 65.21.128.235:50000 udp
FI 135.181.238.117:50000 udp
FI 37.27.120.62:50000 udp
FI 37.27.119.242:50000 udp
FR 176.31.250.123:51413 udp
FI 37.27.117.49:50000 udp
FI 37.27.117.113:50000 udp
FI 65.21.129.47:50000 udp
DE 23.158.56.119:10096 udp
RU 5.19.248.133:51413 udp
FI 37.27.103.253:50000 udp
FI 37.27.117.251:50000 udp
FI 65.21.128.216:50000 udp
FI 135.181.227.243:50000 udp
NL 37.48.95.194:41493 udp
US 100.11.208.248:18631 udp
GB 81.102.24.145:21967 udp
FR 176.31.120.24:51413 udp
RU 84.22.138.237:6881 udp
RU 176.77.51.198:51413 udp
US 71.34.173.137:9010 udp
FI 135.181.227.248:50000 udp
FI 65.21.129.53:50000 udp
NL 95.211.81.107:51413 udp
FI 37.27.117.125:50000 udp
ES 213.94.23.64:35862 udp
FI 37.27.119.248:50000 udp
NL 185.203.56.49:25627 udp
FI 37.27.119.251:50000 udp
FI 37.27.117.48:50000 udp
NL 178.162.174.43:28007 udp
CN 116.232.182.218:15000 udp
NL 178.162.174.5:28005 udp
RU 109.248.217.202:6881 udp
JP 153.193.192.152:60000 udp
FR 178.33.233.79:8999 udp
FI 95.216.14.165:50000 udp
FR 195.154.233.74:6880 udp
DE 195.201.153.69:50000 udp
NL 45.80.169.122:6881 udp
FI 135.181.115.53:50000 udp
FI 37.27.117.59:50000 udp
NL 95.168.168.200:40477 udp
FI 37.27.120.47:50000 udp
SE 130.239.18.158:8824 bttracker.debian.org udp
SE 130.239.18.158:8580 bttracker.debian.org udp
MX 189.218.30.152:24841 udp
SE 130.239.18.158:8620 bttracker.debian.org udp
SE 130.239.18.158:8597 bttracker.debian.org udp
TR 78.180.11.32:47423 udp
US 3.215.223.233:6880 udp
SE 90.224.129.10:51413 udp
DE 78.47.80.71:52287 udp
US 3.133.238.179:6880 udp
RU 46.249.18.90:51413 udp
NL 178.162.173.141:28002 udp
DE 141.95.53.34:8663 udp
FR 163.172.147.202:51413 udp
NL 89.149.200.92:28037 udp
NL 178.162.174.31:28013 udp
NL 212.32.255.118:28010 udp
NL 5.79.73.211:6918 udp
NL 185.203.56.53:25320 udp
DE 57.129.45.77:8653 udp
NL 178.162.174.224:28001 udp
GB 81.153.103.174:6881 udp
RU 176.57.72.125:62514 udp
CA 107.159.28.214:6881 udp
FR 193.32.126.149:42944 udp
US 69.50.95.40:10080 udp
JP 14.11.128.160:9142 udp
GB 86.23.151.204:6881 udp
BR 168.227.166.187:38567 udp
US 142.202.48.88:14008 udp
ES 87.221.100.231:3737 udp
UA 146.120.161.48:25542 udp
RU 79.139.129.30:2395 udp
US 54.211.14.111:6882 udp
NL 185.149.91.147:51005 udp
SG 43.133.45.199:50000 udp
FI 65.21.128.242:50000 udp
FI 37.27.117.56:50000 udp
FI 65.109.35.105:50000 udp
DE 23.158.56.119:10043 udp
DE 138.201.61.180:50000 udp
GB 93.89.141.246:51413 udp
AL 79.106.231.163:1434 udp
FI 135.181.227.244:50000 udp
NL 178.162.174.222:28014 udp
NL 178.162.174.43:28004 udp
SE 130.239.18.158:8515 bttracker.debian.org udp
NL 178.162.173.132:28007 udp
SG 43.133.45.199:50378 udp
US 104.195.12.42:6881 udp
NL 45.87.251.153:12720 udp
US 45.203.206.54:6880 udp
HK 42.3.12.72:8249 udp
UA 78.26.151.86:41059 udp
NL 178.162.173.139:28007 udp
DE 23.158.56.120:18060 udp
NZ 121.75.199.81:6881 udp
US 184.58.69.89:6881 udp
RU 83.222.74.164:51886 udp
GB 86.19.58.208:25000 udp
JP 117.109.38.88:18008 udp
UA 46.150.69.165:61962 udp
DK 77.33.124.165:20202 udp
US 174.80.143.0:43295 udp
RU 77.91.111.196:24876 udp
FR 188.165.244.171:50417 udp
FI 135.181.238.53:50000 udp
HK 1.65.142.70:10489 udp
GB 81.86.138.144:15206 udp
NL 185.203.56.55:12337 udp
FR 5.39.85.82:57493 udp
JP 126.91.100.42:22481 udp
TW 118.170.228.7:18720 udp
CA 24.53.84.104:1024 udp
GB 94.174.73.98:6882 udp
JP 60.104.139.146:51413 udp
NL 178.162.174.99:28003 udp
JP 36.13.176.213:22314 udp
GR 94.68.176.48:38354 udp
PK 110.38.129.83:6881 udp
FR 5.39.85.50:55196 udp
KZ 46.8.151.172:12978 udp
IE 51.186.46.120:38303 udp
JP 111.104.215.113:6881 udp
RU 217.117.248.129:6881 udp
AR 190.49.78.71:6881 udp
CA 96.21.46.22:6889 udp
NZ 222.154.155.197:53805 udp
CA 198.245.61.26:61221 udp
JP 153.192.104.153:51413 udp
NL 80.115.120.20:55552 udp
AU 122.150.241.41:1477 udp
NL 46.232.210.80:64118 udp
RU 83.221.16.89:34339 udp
CN 39.188.131.12:6488 udp
ES 46.6.44.91:1796 udp
US 108.12.214.239:14627 udp
RU 109.163.219.187:1483 udp
CN 112.23.122.241:16269 udp
HU 145.236.138.251:8999 udp
NL 178.162.174.223:28006 udp
RU 5.164.13.50:6881 udp
US 209.141.60.213:52166 udp
CZ 90.176.81.95:6889 udp
FR 5.135.191.122:51413 udp
KR 114.129.231.113:40799 udp
SG 188.214.125.180:59692 udp
DE 193.37.152.156:11635 udp
US 147.135.85.18:59265 udp
PE 38.250.154.255:60306 udp
US 34.82.107.197:60020 udp
JP 113.153.192.104:14996 udp
NL 188.89.193.6:6881 udp
KR 222.100.58.95:6881 udp
PT 95.136.8.201:16817 udp
KR 175.206.217.212:41080 udp
IL 77.125.73.120:6889 udp
UA 94.244.59.101:33717 udp
EC 102.177.166.75:6881 udp
KR 121.184.149.108:7921 udp
RU 94.181.254.195:39729 udp
MT 46.11.31.89:42657 udp
RU 5.79.198.231:6881 udp
RO 84.117.192.23:48901 udp
IL 62.56.149.79:4375 udp
KR 121.153.208.202:32926 udp
EE 82.131.43.24:6881 udp
HK 123.202.78.150:24069 udp
CA 108.172.158.203:62076 udp
IT 93.34.237.68:18788 udp
AE 94.202.152.28:48731 udp
CA 75.157.68.26:23135 udp
IN 144.24.119.225:51413 udp
NL 87.212.191.246:43611 udp
IT 79.51.105.110:6881 udp
N/A 10.0.2.100:37844 udp
HU 178.164.167.129:6881 udp
RU 5.35.115.93:3331 udp
PK 182.186.152.28:41963 udp
CN 223.166.244.116:51413 udp
FR 94.103.121.193:15271 udp
CN 183.194.183.95:3215 udp
NL 159.65.200.220:6814 tcp
PH 120.29.90.87:5462 udp
CN 117.65.152.254:33164 udp
TW 114.34.175.132:6881 udp
CZ 78.80.34.215:63580 udp
AU 180.150.36.0:29940 udp
RU 159.253.172.189:3949 udp
JO 94.249.81.211:33198 udp
HU 87.97.120.226:51413 udp
RU 195.98.79.139:43493 udp
IN 223.185.48.17:16717 udp
GB 89.22.197.53:6881 udp
HU 84.21.182.152:6881 udp
CN 223.149.193.51:4512 udp
RU 82.194.247.10:4115 udp
LV 90.139.68.14:23056 udp
DE 213.244.63.41:6287 udp
N/A 10.0.2.100:60314 udp
FR 5.39.85.155:52228 udp
SE 87.251.203.105:6881 udp
CN 114.228.87.136:57001 udp
CN 180.173.60.255:51413 udp
PE 190.232.205.193:38639 udp
AZ 212.47.151.4:2465 udp
US 54.214.62.31:6881 udp
GR 79.130.166.254:54426 udp
IN 223.184.243.101:30909 udp
KR 175.208.71.36:33024 udp
RU 95.153.180.32:59238 udp
US 54.214.62.55:6881 udp
DE 43.240.149.123:32681 udp
GB 194.29.101.83:10240 udp
SG 167.99.72.189:6881 udp
KR 222.98.68.45:56416 tcp
DE 91.0.54.231:6889 udp
GD 192.214.127.87:28554 udp
BR 45.183.241.11:53785 udp
PE 38.25.10.132:1343 udp
FI 37.27.113.233:30787 udp
GQ 41.222.117.178:6881 udp
ID 103.184.51.101:20496 udp
BR 186.226.55.10:55261 udp
CN 114.92.111.167:51212 udp
AU 58.107.132.14:24567 udp
RU 82.194.247.10:4094 udp
RU 31.200.249.233:31819 tcp
NL 159.65.200.220:6811 tcp
UA 46.211.232.193:2269 udp
CA 54.39.107.165:16481 udp
US 35.167.186.212:6881 udp
IE 54.194.124.68:6881 udp
BG 83.97.64.97:1148 udp
CN 121.27.84.81:30406 udp
RU 185.141.77.190:16116 udp
IN 103.59.75.105:22341 udp
IN 110.226.183.10:8809 udp
CZ 46.13.217.101:6881 udp
RU 5.206.96.55:56416 tcp
DE 209.38.196.30:6818 tcp
FR 89.89.209.28:6881 udp
DE 23.158.56.119:10085 udp
ID 182.3.104.193:53981 udp
PE 38.25.17.211:48788 udp
DE 91.47.100.126:6889 udp
NL 159.65.200.220:6813 tcp
IN 152.59.34.217:49503 udp
FR 176.31.183.98:41109 udp
US 52.9.197.152:6881 udp
US 18.191.2.28:6881 udp
JP 13.114.205.93:6992 udp
CN 106.14.195.230:11160 udp
EG 105.196.62.186:49383 udp
MX 189.195.205.43:56416 tcp
ID 110.138.91.197:27304 udp
DE 34.107.106.144:6881 udp
US 34.57.159.4:6881 udp
GY 190.80.34.215:47294 udp
US 35.163.251.58:6881 udp
US 43.130.56.223:6000 udp
US 18.221.7.72:6881 udp
US 13.58.27.33:6881 udp
IE 54.194.124.68:6882 udp
CA 54.39.52.183:18985 udp
US 142.171.125.191:6881 udp
US 45.59.100.69:6881 udp
CN 106.14.195.230:11159 udp
PL 54.36.168.18:46075 udp
SI 46.122.67.75:56994 udp
GB 90.195.112.79:42112 udp
RU 77.37.132.206:5222 udp
NL 178.162.174.170:28001 udp
ES 93.176.180.96:6881 udp
FI 65.21.125.170:50000 udp
FI 65.21.34.43:50000 udp
SE 130.239.18.158:8510 bttracker.debian.org udp
NL 178.162.144.51:21183 udp
CL 176.52.131.74:6880 udp
GB 51.195.223.60:8647 udp
LT 78.63.100.13:24803 udp
NL 85.17.52.21:62046 udp
JP 60.142.201.17:11695 udp
FR 163.172.69.72:24242 udp
US 34.200.68.90:5133 udp
US 97.229.105.93:33699 udp
US 157.245.232.159:51413 udp
CN 221.229.52.111:6892 udp
US 174.179.186.32:6881 udp
HK 14.199.244.62:6881 udp
CA 139.28.218.3:64259 udp
PT 188.37.190.168:56416 tcp
NL 213.152.161.25:38000 udp
NL 5.79.93.242:61920 udp
KR 121.177.206.247:7677 udp
BE 195.16.5.111:56646 udp
KR 210.96.75.129:61587 udp
KR 59.7.247.226:7823 udp
PH 129.227.177.22:60020 udp
RU 5.142.161.192:49001 udp
US 45.33.39.224:6881 udp
ID 36.85.110.22:29080 udp
RU 5.44.6.177:2079 udp
CN 223.109.90.116:6892 udp
FR 5.39.89.115:6881 udp
CN 60.210.187.151:45779 udp
US 71.222.67.201:49679 udp
RU 176.49.217.162:6881 udp
MX 187.189.95.208:56416 tcp
RO 86.125.14.52:26023 udp
SG 43.133.45.199:50028 udp
CA 184.146.53.50:43375 udp
KR 211.237.36.9:40861 udp
CH 31.10.155.217:44031 udp
KR 175.213.130.196:7739 udp
JP 153.192.162.160:6889 udp

Files

/var/spool/cron/crontabs/tmp.x7oviY

MD5 f359112bebca2e5c3c28232388d11051
SHA1 d98ecfb84792a2028c28785e8af24a64c80a3289
SHA256 ba7334f1c35d8eb6b7adab9d5d25b97e17d05ac59cb043e348d0addc30b966a2
SHA512 d61ebbb8e7b12c0ce97f8c877908ef138c47c703f6d0ea9277aa6cd98578f83d76f0d6b35f5dc57dfb2ce6b711590f02ad8136dd2390b76b93e0598ef3bb301f

memory/813-1-0x00400000-0x0050a78c-memory.dmp