Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
  • submitted
    15/10/2024, 06:13

General

  • Target

    na.elf

  • Size

    35KB

  • MD5

    75c590da87126d6558727e6212900f36

  • SHA1

    8cd568774d4a1d0f4253c890872e08ae02adb024

  • SHA256

    c13deb9c8dde10f79603e309adef364de0710ab530bc652738a8f13f944bc9a7

  • SHA512

    e527d595e6a09063ab094c9b6d2785c92a04cd378399bc8f8b947e9f751c63b98477e76b2df726ebcf2275834d58e59b9e81998ef5e4e8dde394707be48d2dc0

  • SSDEEP

    768:AaENdtwmp8zGK1FXMMmS+qzIpz06+CMli5W7GzcPX83N:8NdtwO8zxt+H0NlcR3N

Malware Config

Signatures

  • OS Credential Dumping 1 TTPs 1 IoCs

    Adversaries may attempt to dump credentials in order to use them in password cracking.

  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Modifies init.d 2 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

  • Modifies systemd 2 TTPs 1 IoCs

    Adds/modifies systemd service files, likely to achieve persistence.

  • Reads list of loaded kernel modules 1 TTPs 1 IoCs

    Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

  • Changes its process name 1 IoCs
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/na.elf
    Command line: /tmp/na.elf
    PID: 2472
    • OS Credential Dumping
    • Renames itself
    • Creates/modifies Cron job
    • Modifies init.d
    • Modifies systemd
    • Reads list of loaded kernel modules
    • Changes its process name
    • Reads runtime system information

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /etc/init.d/systemjob

    Filesize

    58B

    MD5

    3d79dd9f75f96ef7423e02c339df5ba1

    SHA1

    44b8ade4755ca25e0ab50d1e1f7bdc6e48f5a512

    SHA256

    e164a65c989beb3c2e72832496875afd3d62992cf12edf1ce3b2fc9181894450

    SHA512

    a597317a1c962f74b860d345cca554a8df82922a906973ee1c1fc02e81469ebbdc4d0369212ad34458198f4535777f81afbdd004f4a14963adf5625518004821

  • /etc/systemd/system/system_worker.service

    Filesize

    125B

    MD5

    e166a788784ffa4fce0c6369ed83d7aa

    SHA1

    83113538df7094fcc2c033ebd042b85cf1ef061b

    SHA256

    1588075b48ab7a19cf8e7b74e9ce9704104b1238e71e62fa892a89c044b5b7e4

    SHA512

    2ea7601bfc8e11b196df1ce6012057129d573cc1fa702724e3506d75c0f2af0a788623974a560a8056b9866b60c1989fe6413666be01775f2f24656ab582d695

  • /var/spool/cron/crontabs/root

    Filesize

    26B

    MD5

    c33a10893b04d3dbf0e3226896771800

    SHA1

    c688f73295e5bab94b1a6d9f2fa909aa064806b1

    SHA256

    f9d4ae54cc682dbca63d7d4f55c86a61f156eade748e02899558f6db511563c3

    SHA512

    9c9209478790c5d14988ab8ffdb14c11ada529a1726950c8296753d7181b4dc42c1a60e6ad2cda8876e059657dcde47824a9fb124afa9790276b2c2e2af02672