Analysis
max time kernel: 145s
max time network: 153s
platform: debian-9_armhf
resource: debian9-armhf-20230831-en
resource tags: arch:armhf, image:debian9-armhf-20230831-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 15/10/2023, 14:13
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.14118093cf16f93a86ff29c5bce11f7ff7f9cc5c7ba20f12e6368c7075915668elf_JC.elf
Resource: debian9-armhf-20230831-en
General
Target: NEAS.14118093cf16f93a86ff29c5bce11f7ff7f9cc5c7ba20f12e6368c7075915668elf_JC.elf
Size: 86KB
MD5: f621331783c1d2f65f2a42857fc4aea5
SHA1: cb57892abea2dae13c5e18e715c9d60d298f02a3
SHA256: 14118093cf16f93a86ff29c5bce11f7ff7f9cc5c7ba20f12e6368c7075915668
SHA512: 30a6a12ead663f73ee96949ea422f29695ada81e12f2e019896c17f42c58f49f68eaa7bf6ff7493094c08edcc31dd014d199c8f164d846a5669c803d68161f96
SSDEEP: 1536:Y1n4c5QX0ZHQCO7WRWtn6oCpEXYgs0XI16EzTAelvyoNib6lathqZtY7C8c+P:uO7v0kXYgs0416ET46lathqzd8c+P
Malware Config
Signatures
Flushes firewall rules (4 IoCs)
Flushes or disables firewall rules inside the Linux kernel. Only the iptables -F (flush all chains) and -X (delete user-defined chains) invocations are counted here; the three preceding iptables -P ... ACCEPT calls in the process list (PIDs 375, 378, 380) set the default policy of the INPUT, FORWARD and OUTPUT chains to ACCEPT. Taken together, the sequence leaves the filter, nat and mangle tables empty with accept-all policies, so netfilter no longer restricts traffic to or from the infected host.
PID: 384, process: iptables
PID: 391, process: iptables
PID: 394, process: iptables
PID: 395, process: iptables

Modifies Watchdog functionality (1 TTP, 2 IoCs)
Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.
File opened for modification: /dev/watchdog
File opened for modification: /dev/misc/watchdog
(The report attributes these two IoCs to no specific process.)

Writes DNS configuration (1 TTP, 1 IoC)
Writes data to the DNS resolver configuration file.
File opened for modification: /etc/resolv.conf, process: NEAS.14118093cf16f93a86ff29c5bce11f7ff7f9cc5c7ba20f12e6368c7075915668elf_JC.elf
Processes
/tmp/NEAS.14118093cf16f93a86ff29c5bce11f7ff7f9cc5c7ba20f12e6368c7075915668elf_JC.elf
  command line: /tmp/NEAS.14118093cf16f93a86ff29c5bce11f7ff7f9cc5c7ba20f12e6368c7075915668elf_JC.elf
  PID: 372
  signatures: Writes DNS configuration
/sbin/iptables
  command line: iptables -P INPUT ACCEPT
  PID: 375
/sbin/iptables
  command line: iptables -P FORWARD ACCEPT
  PID: 378
/sbin/iptables
  command line: iptables -P OUTPUT ACCEPT
  PID: 380
/sbin/iptables
  command line: iptables -t nat -F
  PID: 384
  signatures: Flushes firewall rules
/sbin/iptables
  command line: iptables -t mangle -F
  PID: 391
  signatures: Flushes firewall rules
/sbin/iptables
  command line: iptables -F
  PID: 394
  signatures: Flushes firewall rules
/sbin/iptables
  command line: iptables -X
  PID: 395
  signatures: Flushes firewall rules
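The Signatures and Processes sections above show how the three behavioural detections map onto individual process events: the iptables -F/-X invocations, the watchdog device opens, and the write to /etc/resolv.conf. The following is an added example, not part of the tria.ge report or of Hatching's own detection code, that re-implements those three checks over a constructed process trace built from the PIDs, paths and command lines listed above. It also adds a fourth check for the iptables -P ... ACCEPT policy changes, which the report lists in the process tree but does not count as a signature. The ProcessEvent record type, the function names and the attribution of the watchdog opens to PID 372 are assumptions made for the example (the report does not say which process opened /dev/watchdog).

```python
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class ProcessEvent:
    """One process from a sandbox trace: executable, argv, and files opened for writing.
    This record shape is an assumption for the example, not the tria.ge data model."""
    pid: int
    exe: str
    argv: List[str]
    opened_for_write: List[str] = field(default_factory=list)


# Paths and flags taken from the report's IoCs and command lines.
WATCHDOG_PATHS = frozenset({"/dev/watchdog", "/dev/misc/watchdog"})
RESOLV_CONF = "/etc/resolv.conf"
FLUSH_FLAGS = frozenset({"-F", "--flush", "-X", "--delete-chain"})


def _is_iptables(ev: ProcessEvent) -> bool:
    return os.path.basename(ev.exe) in ("iptables", "ip6tables")


def flushes_firewall_rules(ev: ProcessEvent) -> bool:
    """iptables -F / -X in any table: flushes all chains or deletes user-defined chains.
    Policy changes (-P) are deliberately not counted, matching the report's 4 IoCs."""
    return _is_iptables(ev) and any(a in FLUSH_FLAGS for a in ev.argv[1:])


def sets_accept_policy(ev: ProcessEvent) -> bool:
    """iptables -P <chain> ACCEPT: default policy set to accept (added check, not in the report)."""
    if not _is_iptables(ev):
        return False
    args = ev.argv[1:]
    return any(
        a in ("-P", "--policy") and i + 2 < len(args) and args[i + 2] == "ACCEPT"
        for i, a in enumerate(args)
    )


def modifies_watchdog(ev: ProcessEvent) -> bool:
    """Opening the watchdog device for writing is how Mirai-style bots disable it."""
    return any(p in WATCHDOG_PATHS for p in ev.opened_for_write)


def writes_dns_config(ev: ProcessEvent) -> bool:
    return RESOLV_CONF in ev.opened_for_write


SIGNATURES: Dict[str, Callable[[ProcessEvent], bool]] = {
    "Flushes firewall rules": flushes_firewall_rules,
    "Sets permissive firewall policy": sets_accept_policy,
    "Modifies Watchdog functionality": modifies_watchdog,
    "Writes DNS configuration": writes_dns_config,
}


def match_signatures(events: List[ProcessEvent]) -> Dict[str, List[int]]:
    """Return {signature name: [pids that triggered it]} for every signature with at least one hit."""
    hits: Dict[str, List[int]] = {name: [] for name in SIGNATURES}
    for ev in events:
        for name, check in SIGNATURES.items():
            if check(ev):
                hits[name].append(ev.pid)
    return {name: pids for name, pids in hits.items() if pids}


# Constructed trace mirroring the report's process list. Attributing the watchdog
# opens to PID 372 is an assumption; the report does not name the process.
SAMPLE = "/tmp/NEAS.14118093cf16f93a86ff29c5bce11f7ff7f9cc5c7ba20f12e6368c7075915668elf_JC.elf"
REPORT_EVENTS = [
    ProcessEvent(372, SAMPLE, [SAMPLE],
                 opened_for_write=[RESOLV_CONF, "/dev/watchdog", "/dev/misc/watchdog"]),
    ProcessEvent(375, "/sbin/iptables", ["iptables", "-P", "INPUT", "ACCEPT"]),
    ProcessEvent(378, "/sbin/iptables", ["iptables", "-P", "FORWARD", "ACCEPT"]),
    ProcessEvent(380, "/sbin/iptables", ["iptables", "-P", "OUTPUT", "ACCEPT"]),
    ProcessEvent(384, "/sbin/iptables", ["iptables", "-t", "nat", "-F"]),
    ProcessEvent(391, "/sbin/iptables", ["iptables", "-t", "mangle", "-F"]),
    ProcessEvent(394, "/sbin/iptables", ["iptables", "-F"]),
    ProcessEvent(395, "/sbin/iptables", ["iptables", "-X"]),
]


def report_hits() -> Dict[str, List[int]]:
    return match_signatures(REPORT_EVENTS)


if __name__ == "__main__":
    for name, pids in report_hits().items():
        print(f"{name}: {len(pids)} IoC(s), PIDs {pids}")
```

Run stand-alone, the script reproduces the report's counts (4 firewall-flush IoCs on PIDs 384, 391, 394 and 395, one DNS-config write by PID 372) and additionally flags the three policy changes. In a real deployment these checks are noisy on their own: DHCP clients and resolvconf rewrite /etc/resolv.conf, and a firewall manager legitimately runs iptables -F during a reload. What makes this sample's trace distinctive is the combination, all four behaviours from one unprivileged-looking binary in /tmp within a few seconds, so any rule built on these indicators should correlate them by parent process and time window rather than alert on each in isolation.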