Analysis
-
max time kernel
150s -
max time network
153s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
10-10-2024 06:54
Static task
static1
Behavioral task
behavioral1
Sample
na.elf
Resource
debian9-armhf-20240611-en
General
-
Target
na.elf
-
Size
99KB
-
MD5
38886db10a384a1e73ffabccb9238bf7
-
SHA1
a49168056b5983e71284ae1763e4137e7e3833b6
-
SHA256
b98deb6e17828b98b27d18577fb8420df7ec9529b88afa470915e9edb1cf731c
-
SHA512
85d234be9e8105c8470b991b08c21c1fbf02a86ac2b61a9d75a1b19cf965440f5c9ca7bfb2207bf2da88de00715ab5baed2f408b3f66a67868c46c5e2e95755f
-
SSDEEP
1536:pTKgOunFegPVcXmKtrJ5C+NKb3Ox2PUc6zhH:pNL7PKWKhJ5DNKb7P6zh
Malware Config
Signatures
-
Contacts a large (57466) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes system logs 1 TTPs 2 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
description ioc Process File deleted /var/log/syslog na.elf File deleted /var/log/messages na.elf -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/misc/watchdog na.elf File opened for modification /dev/watchdog na.elf -
Renames itself 1 IoCs
pid Process 648 na.elf -
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 162.243.19.47 Destination IP 63.231.92.27 Destination IP 185.84.81.194 -
description ioc Process File deleted /var/log/wtmp na.elf File deleted /var/log/auth.log na.elf File deleted /var/log/kern.log na.elf File deleted /var/log/daemon.log na.elf -
Reads process memory 1 TTPs 1 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
description ioc Process File opened for reading /proc/1/maps na.elf -
Changes its process name 1 IoCs
description ioc pid Process Changes the process name, possibly in an attempt to hide itself /bin/sh 648 na.elf