d9d783f550e8627c50a10eca332856d5e807b5f96c6e9fae75d4095c4c5ec110

Analysis

max time kernel
151s
max time network
154s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20230831-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20230831-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
06-10-2023 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d9d783f550e8627c50a10eca332856d5e807b5f96c6e9fae75d4095c4c5ec110elf_JC.elf
Size

112KB
MD5

c50077086bc9d977d043e3894ed9af1c
SHA1

9337e5760a543123584b0509b898c36bd5fadd88
SHA256

d9d783f550e8627c50a10eca332856d5e807b5f96c6e9fae75d4095c4c5ec110
SHA512

7e79710e7b4fd277e7cf357e3224d68377c95db6bea92d2c2cdc4e696f0f715ae40bfa1eea76838cd2190f44b7d5356ca4225faa05df089f79cf0e9c4af1602b
SSDEEP

3072:DNCnGZBiSCRTU2jTXVRQxOshGu9lRTNtAF05FI6RkFMF0:DkGZBiSUTnTXzMhh3RTNt2qF0

Score

9^/10

antivm discovery

Malware Config

Signatures

Contacts a large (37001) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	-sh	606	NEAS.d9d783f550e8627c50a10eca332856d5e807b5f96c6e9fae75d4095c4c5ec110elf_JC.elf

Deletes itself 1 IoCs

pid	Process
606	NEAS.d9d783f550e8627c50a10eca332856d5e807b5f96c6e9fae75d4095c4c5ec110elf_JC.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/NEAS.d9d783f550e8627c50a10eca332856d5e807b5f96c6e9fae75d4095c4c5ec110elf_JC.elf	NEAS.d9d783f550e8627c50a10eca332856d5e807b5f96c6e9fae75d4095c4c5ec110elf_JC.elf

/tmp/NEAS.d9d783f550e8627c50a10eca332856d5e807b5f96c6e9fae75d4095c4c5ec110elf_JC.elf
/tmp/NEAS.d9d783f550e8627c50a10eca332856d5e807b5f96c6e9fae75d4095c4c5ec110elf_JC.elf
1⤵
- Changes its process name
- Deletes itself
- Writes file to tmp directory
PID:606

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads