Analysis
-
max time kernel
150s -
max time network
151s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
10-10-2024 06:53
Static task
static1
Behavioral task
behavioral1
Sample
na.elf
Resource
debian9-armhf-20240611-en
General
-
Target
na.elf
-
Size
49KB
-
MD5
37db8aaa1261f99aa257c02c4df5c574
-
SHA1
392f68947e899060d8b700a96d7593581d7a2aaf
-
SHA256
c1622e5b492929782334c8d55380f5e25f5ab36aa287081372d3d2d1542572fe
-
SHA512
8c97422efb75e49b65decf87d1267dfb33b4c3e18936c83bad883de2d4917a15a8cc7577749ebd65cb44dd7a6c90109703a457cfdd91a257231dece7162cc92f
-
SSDEEP
768:ZnDCt5S1e48+ttCUiSPlkhuiNR7iRekrw5etTT32LzYH1wXcgB4H0QT0+LMfaJcW:lTffP0Z0kkEeMzY+X1BA0Z+Qm
Malware Config
Signatures
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes system logs 1 TTPs 2 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
Processes:
na.elfdescription ioc Process File deleted /var/log/syslog na.elf File deleted /var/log/messages na.elf -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
na.elfdescription ioc Process File opened for modification /dev/watchdog na.elf File opened for modification /dev/misc/watchdog na.elf -
Renames itself 1 IoCs
Processes:
na.elfpid Process 647 na.elf -
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description ioc Destination IP 108.165.48.201 Destination IP 147.78.121.189 Destination IP 161.97.219.84 -
Processes:
na.elfdescription ioc Process File deleted /var/log/wtmp na.elf File deleted /var/log/auth.log na.elf File deleted /var/log/kern.log na.elf File deleted /var/log/daemon.log na.elf -
Reads process memory 1 TTPs 1 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
Processes:
na.elfdescription ioc Process File opened for reading /proc/1/maps na.elf -
Changes its process name 1 IoCs
Processes:
na.elfdescription ioc pid Process Changes the process name, possibly in an attempt to hide itself /bin/sh 647 na.elf