Analysis
max time kernel: 149s
max time network: 150s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 06/03/2025, 03:37
Behavioral task: behavioral1
Sample: nabx86.elf
Resource: ubuntu2204-amd64-20240611-en
General
Target: nabx86.elf
Size: 34KB
MD5: e78b38a38e9d29e65c62d69fab9c21d6
SHA1: 24e806a34d68ded244ed6a126788d628bafea484
SHA256: df328e1ec2ef2844f67426ad0dcea1b844de261cee24a94a83365cdccb89cb8d
SHA512: 2f3813b83f1c91dc134469aabaf977e2eb263fb2d1024d61838a96fc54d0e65998d44035b8d266b6d83e6e7a9555c60fa9533c756155a83d656aef6b1443dd2b
SSDEEP: 768:3K+WG4fB+Huvbh7W3SC1UhFquNbfkopyP:3KC4BlsUCuFsopY
Malware Config
(none extracted)

Signatures

Contacts a large (14898) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
- File opened for modification: /dev/watchdog
- File opened for modification: /dev/misc/watchdog

Renames itself (1 IoCs)
- pid: 1571

Unexpected DNS network traffic destination (1 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Destination IP: 81.169.136.222

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Enumerates active TCP sockets (1 TTPs, 1 IoCs)
Gets active TCP sockets from /proc virtual filesystem.
- File opened for reading: /proc/net/tcp

Enumerates running processes
Discovers information about currently running processes on the system.

Changes its process name (1 IoCs)
- Changes the process name, possibly in an attempt to hide itself: rtkit-daemon (pid 1571)

Reads system network configuration (1 TTPs, 1 IoCs)
Uses contents of /proc filesystem to enumerate network settings.
- File opened for reading: /proc/net/tcp