Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    10-10-2024 06:53

General

  • Target

    na.elf

  • Size

    49KB

  • MD5

    37db8aaa1261f99aa257c02c4df5c574

  • SHA1

    392f68947e899060d8b700a96d7593581d7a2aaf

  • SHA256

    c1622e5b492929782334c8d55380f5e25f5ab36aa287081372d3d2d1542572fe

  • SHA512

    8c97422efb75e49b65decf87d1267dfb33b4c3e18936c83bad883de2d4917a15a8cc7577749ebd65cb44dd7a6c90109703a457cfdd91a257231dece7162cc92f

  • SSDEEP

    768:ZnDCt5S1e48+ttCUiSPlkhuiNR7iRekrw5etTT32LzYH1wXcgB4H0QT0+LMfaJcW:lTffP0Z0kkEeMzY+X1BA0Z+Qm

Malware Config

Signatures

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes system logs 1 TTPs 2 IoCs

    Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Renames itself 1 IoCs
  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Deletes log files 1 TTPs 4 IoCs

    Deletes log files on the system.

  • Reads process memory 1 TTPs 1 IoCs

    Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

  • Changes its process name 1 IoCs

Processes

  • /tmp/na.elf
    /tmp/na.elf
    1⤵
    • Deletes system logs
    • Modifies Watchdog functionality
    • Renames itself
    • Deletes log files
    • Reads process memory
    • Changes its process name
    PID:647

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads