Analysis
-
max time kernel
99s -
max time network
155s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240226-en -
resource tags
-
submitted
10-10-2024 06:54
General
-
Target
na.elf
-
Size
86KB
-
MD5
fd2e100d5eb1c1f9d4ba81241c43620b
-
SHA1
8114ab62d5314edb40383dcd849e38656f5dd888
-
SHA256
d7b0dce26bb6d14f8d8a1867b714dc289273ab78b87ce66ba97b244b0468a4ce
-
SHA512
df352dcc3769b399138185f8e864a5d33fc8c0b62715e2f3cb85963047a2ca6f72ad3e3c89c1d9ea3ee54af53b510432eee6d09594b35e5f603461596bc1f247
-
SSDEEP
1536:S4Ors/hxsJ9Uz6/2IUqjzO7nixoFdZSsJcLNtn:SfA/hxsJCzCXUtFdFOn
Malware Config
Signatures
-
Contacts a large (16230) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes system logs 1 TTPs 2 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Renames itself 1 IoCs
-
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Deletes log files 1 TTPs 2 IoCs
Deletes log files on the system.
-
Reads process memory 1 TTPs 1 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
-
Changes its process name 1 IoCs
Processes
-
/tmp/na.elf/tmp/na.elf1⤵
- Deletes system logs
- Modifies Watchdog functionality
- Renames itself
- Deletes log files
- Reads process memory
- Changes its process name
-
/bin/shsh -c "echo '*/5 * * * * //.ffdfd crontab' | crontab -"2⤵
-