Analysis

max time kernel: 149s
max time network: 188s
platform: debian-12_armhf
resource: debian12-armhf-20240221-en
resource tags: arch:armhf, image:debian12-armhf-20240221-en, kernel:6.1.0-17-armmp-lpae, locale:en-us, os:debian-12-armhf, system
submitted: 10-10-2024 06:54

Static task: static1
Behavioral task: behavioral1
Sample: na.elf
Resource: debian12-armhf-20240221-en
General

Target: na.elf
Size: 83KB
MD5: 14c2a689c249bf03878ba92ab2f9b2ed
SHA1: 26e1b2b29db94ef37cd4ac840ae8cb9ba684f8be
SHA256: 16f31d4bfc4b89c56e086bc4d70bfdc3564893f67dd8e6d5da7746781a27142d
SHA512: 2ee52a707dbb043690fa4ca194c6d428046c6f7c51eb682c70248e0fb80ba881e2d3262d84ae789d519771edbceb2840814380343d95ef5b3bdfdacf1126fc3c
SSDEEP: 1536:q8nWaX2yH6MatpoTkE8I/OXhWE1vsAn7lKQmA5Qk6elg2idGviO322nh:Yg2+6lt4BAl1bn7lKQmA5elGviOG2n
Malware Config
Signatures
Contacts a large (32428) number of remote hosts (1 TTP)
Fanning out to this many distinct hosts within the analysis window indicates a network scan for remotely reachable services.

Creates a large number of network flows (1 TTP)
A flow count this high, together with the host count above, indicates a network scan for remotely reachable services rather than ordinary client traffic.
Modifies Watchdog functionality (1 TTP, 2 IoCs)
Malware such as Mirai opens the hardware watchdog device and disables it (Mirai issues WDIOC_SETOPTIONS with WDIOS_DISABLECARD), so that a bot that hangs or saturates the CPU does not trigger a watchdog reboot of the infected system. Trying /dev/watchdog and then /dev/misc/watchdog is the exact fallback pair used in the public Mirai source.
File opened for modification: /dev/watchdog (na.elf)
File opened for modification: /dev/misc/watchdog (na.elf)
Renames itself (1 IoC)
PID 709: na.elf
Unexpected DNS network traffic destination (7 IoCs)
Traffic on the DNS port (53) to servers other than the configured DNS servers was detected. Five distinct addresses are involved; 130.61.69.123 is recorded three times.
Destination IP: 130.61.69.123
Destination IP: 161.97.219.84
Destination IP: 54.36.111.116
Destination IP: 192.3.165.37
Destination IP: 116.203.104.203
Destination IP: 130.61.69.123
Destination IP: 130.61.69.123
Creates/modifies Cron job (1 TTP, 1 IoC)
Cron runs commands on a schedule and is commonly used for malware persistence. Note that the writing process is crontab(1), not na.elf: the sample pipes its entry into `crontab -` (see the process tree), and crontab(1) stages the new table in a temporary spool file before installing it under /var/spool/cron/crontabs/.
File opened for modification: /var/spool/cron/crontabs/tmp.RdMNfy (crontab)
Reads process memory (1 TTP, 13 IoCs)
Reads the memory of other processes through the /proc virtual filesystem; the sandbox notes this can be used to steal credentials. /proc/<pid>/maps exposes each process's memory mappings (address ranges, permissions and backing files), not their contents, and for a Mirai-style bot walking every pid's maps is more consistent with a competitor-killer routine that looks for other bots than with credential theft.
File opened for reading: /proc/444/maps (na.elf)
File opened for reading: /proc/66/maps (na.elf)
File opened for reading: /proc/77/maps (na.elf)
File opened for reading: /proc/222/maps (na.elf)
File opened for reading: /proc/333/maps (na.elf)
File opened for reading: /proc/55/maps (na.elf)
File opened for reading: /proc/88/maps (na.elf)
File opened for reading: /proc/111/maps (na.elf)
File opened for reading: /proc/555/maps (na.elf)
File opened for reading: /proc/11/maps (na.elf)
File opened for reading: /proc/22/maps (na.elf)
File opened for reading: /proc/33/maps (na.elf)
File opened for reading: /proc/44/maps (na.elf)
Changes its process name (1 IoC)
Changes the process name, possibly in an attempt to hide itself. The chosen name, wsdd, collides with the legitimate Web Services Dynamic Discovery daemon shipped by Debian, so when hunting, match on the executable path (/proc/<pid>/exe) rather than on the name alone.
New name: wsdd (PID 709, na.elf)
Command and Scripting Interpreter: Unix Shell (1 TTP, 1 IoC)
Executes scripts via the Unix shell.
PID 753: sh
Further /proc/<pid>/maps reads by na.elf (the heading for this IoC table is missing from the page; the process tree below lists "Reads runtime system information" for PID 709, which has no signature entry above). The pid components are not valid pids (for example 1111~; or 3333fffffff), so none of these paths can exist; this is consistent with the sample building the path from a buffer that is not cleanly terminated. The bytes are reproduced exactly as the sandbox recorded them, with unrepresentable bytes shown as �.
File opened for reading: /proc/1111~;/maps (na.elf)
File opened for reading: /proc/6666�7/maps (na.elf)
File opened for reading: /proc/6666C;/maps (na.elf)
File opened for reading: /proc/6666N;/maps (na.elf)
File opened for reading: /proc/222�/maps (na.elf)
File opened for reading: /proc/1111|1/maps (na.elf)
File opened for reading: /proc/2222�3/maps (na.elf)
File opened for reading: /proc/3333k4/maps (na.elf)
File opened for reading: /proc/3333�;/maps (na.elf)
File opened for reading: /proc/6666�8/maps (na.elf)
File opened for reading: /proc/6666�;/maps (na.elf)
File opened for reading: /proc/111c{/maps (na.elf)
File opened for reading: /proc/333�/maps (na.elf)
File opened for reading: /proc/333s�/maps (na.elf)
File opened for reading: /proc/444d�/maps (na.elf)
File opened for reading: /proc/6666;/maps (na.elf)
File opened for reading: /proc/7777�;/maps (na.elf)
File opened for reading: /proc/111us/maps (na.elf)
File opened for reading: /proc/111u/maps (na.elf)
File opened for reading: /proc/555s�/maps (na.elf)
File opened for reading: /proc/3333;5/maps (na.elf)
File opened for reading: /proc/3333e5/maps (na.elf)
File opened for reading: /proc/6666�8/maps (na.elf)
File opened for reading: /proc/7777�;/maps (na.elf)
File opened for reading: /proc/7777/maps (na.elf)
File opened for reading: /proc/222m�/maps (na.elf)
File opened for reading: /proc/333�/maps (na.elf)
File opened for reading: /proc/3333/5/maps (na.elf)
File opened for reading: /proc/6666�;/maps (na.elf)
File opened for reading: /proc/7777�;/maps (na.elf)
File opened for reading: /proc/7777{;/maps (na.elf)
File opened for reading: /proc/2222V4/maps (na.elf)
File opened for reading: /proc/33335/maps (na.elf)
File opened for reading: /proc/222l�/maps (na.elf)
File opened for reading: /proc/777k�/maps (na.elf)
File opened for reading: /proc/3333fffffff/maps (na.elf)
File opened for reading: /proc/3333�4/maps (na.elf)
File opened for reading: /proc/99ssi/maps (na.elf)
File opened for reading: /proc/111k/maps (na.elf)
File opened for reading: /proc/222c�/maps (na.elf)
File opened for reading: /proc/1111�/maps (na.elf)
File opened for reading: /proc/1111};/maps (na.elf)
File opened for reading: /proc/3333�4/maps (na.elf)
File opened for reading: /proc/6666�;/maps (na.elf)
File opened for reading: /proc/222/maps (na.elf)
File opened for reading: /proc/222v�/maps (na.elf)
File opened for reading: /proc/2222�2/maps (na.elf)
File opened for reading: /proc/3333o4/maps (na.elf)
File opened for reading: /proc/6666�7/maps (na.elf)
File opened for reading: /proc/7777�;/maps (na.elf)
File opened for reading: /proc/111c}/maps (na.elf)
File opened for reading: /proc/333s�/maps (na.elf)
Processes

/tmp/na.elf (PID 709), command line: /tmp/na.elf
- Modifies Watchdog functionality
- Renames itself
- Reads process memory
- Changes its process name
- Reads runtime system information
  Child: /bin/sh (PID 753), command line: /bin/sh -c "echo '*/5 * * * * //.ffdfd crontab' | crontab -"
  - Command and Scripting Interpreter: Unix Shell
    Child: /usr/bin/crontab (PID 755), command line: crontab -
    - Creates/modifies Cron job

The persistence chain is: na.elf spawns a shell, the shell pipes a single crontab line into `crontab -` (which installs stdin as the invoking user's crontab, replacing any existing table), and crontab(1) writes the spool file recorded under "Creates/modifies Cron job". The installed entry, `*/5 * * * * //.ffdfd crontab`, fires every five minutes; the path //.ffdfd is reproduced as recorded.
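A host and network triage script built only from the indicators in this report (an added example, not part of the sandbox report and not code from the sample; the crontab text, process snapshot, flow records, host addresses and the scan threshold are constructed assumptions). It flags the crontab entry above, a process named wsdd whose executable lives in /tmp, port-53 traffic to destinations that are not configured resolvers, and any source fanning out to many destinations the way the sample did:

```python
"""Triage helpers built from the indicators in this report (added example,
not code from the sandbox or the sample). The crontab text, process snapshot
and flows below are constructed; names, hosts and thresholds are assumptions."""
import os

# Indicators copied from the report above.
MASQUERADE_NAME = "wsdd"      # process name the sample adopts
CRON_MARKER = "//.ffdfd"      # path in the crontab line the sample installs
DNS_PORT_DESTINATIONS = {     # addresses the report saw contacted on port 53
    "130.61.69.123", "161.97.219.84", "54.36.111.116",
    "192.3.165.37", "116.203.104.203",
}
VOLATILE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # assumption: drop dirs


def parse_crontab(text):
    """(schedule, command) pairs from `crontab -l` output."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                   # @reboot, @hourly, ...
            parts = line.split(None, 1)
            if len(parts) == 2:
                entries.append((parts[0], parts[1]))
            continue
        parts = line.split(None, 5)
        if len(parts) < 6 or "=" in parts[0]:      # VAR=value or malformed
            continue
        entries.append((" ".join(parts[:5]), parts[5]))
    return entries


def suspicious_cron_entries(text):
    """(schedule, command, reasons) for entries like the report's
    '*/5 * * * * //.ffdfd crontab' line or ones run from a volatile path."""
    flagged = []
    for schedule, command in parse_crontab(text):
        target = command.split()[0]
        reasons = []
        if CRON_MARKER in command:
            reasons.append("contains " + CRON_MARKER)
        if target.startswith(VOLATILE_DIRS) or target.startswith("//"):
            reasons.append("runs from volatile or malformed path " + target)
        if reasons:
            flagged.append((schedule, command, reasons))
    return flagged


def masquerading_processes(snapshot):
    """{pid: [(severity, reason)]} from {"pid", "comm", "exe"} records read
    from /proc/<pid>/comm and readlink(/proc/<pid>/exe). comm is 15 chars max
    and follows the executed file unless changed with prctl(PR_SET_NAME), so
    a bare comm/exe mismatch is weak: /bin/sh -> dash symlinks trigger it."""
    hits = {}
    for p in snapshot:
        exe, comm = p["exe"], p["comm"]
        deleted = exe.endswith(" (deleted)")       # binary unlinked after exec
        exe_base = os.path.basename(exe[:-10] if deleted else exe)
        reasons = []
        if exe.startswith(VOLATILE_DIRS) or deleted:
            reasons.append(("strong", "exe volatile or unlinked: " + exe))
        if comm == MASQUERADE_NAME and exe_base != MASQUERADE_NAME:
            reasons.append(("strong", f"claims to be {comm}, exe is {exe_base}"))
        elif comm != exe_base[:15]:
            reasons.append(("weak", f"comm {comm} differs from exe {exe_base}"))
        if reasons:
            hits[p["pid"]] = reasons
    return hits


def dns_to_unexpected_servers(flows, resolvers):
    """Sorted port-53 destinations that are not configured resolvers."""
    return sorted({d for _, d, port in flows if port == 53 and d not in resolvers})


def scanning_sources(flows, threshold):
    """{src: distinct destinations} at or above threshold (the sample hit 32428)."""
    seen = {}
    for src, dst, _ in flows:
        seen.setdefault(src, set()).add(dst)
    return {src: len(d) for src, d in seen.items() if len(d) >= threshold}


# Constructed inputs (hypothetical hosts; 203.0.113.0/24 is documentation space).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
17 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * //.ffdfd crontab
@reboot /tmp/na.elf
"""
SAMPLE_PROCS = [
    {"pid": 1, "comm": "systemd", "exe": "/usr/lib/systemd/systemd"},
    {"pid": 420, "comm": "wsdd", "exe": "/usr/sbin/wsdd"},   # legitimate wsdd
    {"pid": 709, "comm": "wsdd", "exe": "/tmp/na.elf"},      # the sample
    {"pid": 753, "comm": "sh", "exe": "/usr/bin/dash"},      # symlink, weak hit
]
SAMPLE_FLOWS = ([("10.0.0.5", "10.0.0.1", 53), ("10.0.0.7", "10.0.0.1", 53),
                 ("10.0.0.5", "130.61.69.123", 53), ("10.0.0.5", "161.97.219.84", 53)]
                + [("10.0.0.5", f"203.0.113.{i}", 23) for i in range(1, 201)])
```

On a live host, feed `masquerading_processes` with records built from `/proc/<pid>/comm` and `os.readlink(f"/proc/{pid}/exe")`, `suspicious_cron_entries` with `crontab -l -u <user>` output for every user plus the files under /etc/cron.d, and the flow helpers with NetFlow or Zeek conn records. The severity split matters in practice: the legitimate wsdd daemon (PID 420 in the constructed snapshot) produces no hit, the dash shell produces only a weak one, and the sample produces two strong ones.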
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 204B
MD5: 21779fa02dbf485a571d0d00541490fb
SHA1: b0776409fa0f719275e8f84832ca3e7894e486bd
SHA256: fe7928846d68e821603c402c1e77b0a9b2cf71e620505e43d09e51f400042398
SHA512: cf897222504bc9a98a0b920b3e9743caecc32f457b631d4aeffe87740248312cb073e9fc8d45b32af96d8ebed7760a6c3af7ee5bc33c5a19a95b37d916a4e8a5