Analysis
-
max time kernel
149s -
max time network
156s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
07/03/2025, 12:16
Behavioral task
behavioral1
Sample
nabarm7.elf
Resource
debian9-armhf-20240611-en
debian-9-armhf
11 signatures
150 seconds
General
-
Target
nabarm7.elf
-
Size
60KB
-
MD5
f4c77d37de1d01ab7014b3c518dfe1ad
-
SHA1
348b990203bfa4ff2553eeed79be06ae3f329ca5
-
SHA256
564099ffa57e8f1c182b7696b8815f8bee08e485c08f61f2936447ee955910c0
-
SHA512
3d47556832dd4e939720eb1109213eccd9ad37ee0eada7d76f8be3e4df0eb9006e9315867875ba21c9146d255842c2877aebcfaebbf4a973f0f5929d022b46c0
-
SSDEEP
1536:l5nK8qV5+me/npejsxktsVuqTsrJsOqZllsSi5uy/K:FqV5+miQjsxkt8uqTsrJsqduyS
Score
9/10
Malware Config
Signatures
-
Contacts a large (14892) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/watchdog nabarm7.elf File opened for modification /dev/misc/watchdog nabarm7.elf -
Renames itself 1 IoCs
pid Process 648 nabarm7.elf -
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 185.181.61.24 -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description ioc Process File opened for reading /proc/net/tcp nabarm7.elf -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads process memory 1 TTPs 64 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
description ioc Process File opened for reading /proc/733/maps nabarm7.elf File opened for reading /proc/753/maps nabarm7.elf File opened for reading /proc/756/maps nabarm7.elf File opened for reading /proc/777/maps nabarm7.elf File opened for reading /proc/679/maps nabarm7.elf File opened for reading /proc/757/maps nabarm7.elf File opened for reading /proc/775/maps nabarm7.elf File opened for reading /proc/741/maps nabarm7.elf File opened for reading /proc/685/maps nabarm7.elf File opened for reading /proc/713/maps nabarm7.elf File opened for reading /proc/724/maps nabarm7.elf File opened for reading /proc/748/maps nabarm7.elf File opened for reading /proc/783/maps nabarm7.elf File opened for reading /proc/686/maps nabarm7.elf File opened for reading /proc/738/maps nabarm7.elf File opened for reading /proc/743/maps nabarm7.elf File opened for reading /proc/745/maps nabarm7.elf File opened for reading /proc/763/maps nabarm7.elf File opened for reading /proc/776/maps nabarm7.elf File opened for reading /proc/680/maps nabarm7.elf File opened for reading /proc/684/maps nabarm7.elf File opened for reading /proc/704/maps nabarm7.elf File opened for reading /proc/739/maps nabarm7.elf File opened for reading /proc/750/maps nabarm7.elf File opened for reading /proc/765/maps nabarm7.elf File opened for reading /proc/697/maps nabarm7.elf File opened for reading /proc/702/maps nabarm7.elf File opened for reading /proc/782/maps nabarm7.elf File opened for reading /proc/787/maps nabarm7.elf File opened for reading /proc/717/maps nabarm7.elf File opened for reading /proc/760/maps nabarm7.elf File opened for reading /proc/681/maps nabarm7.elf File opened for reading /proc/695/maps nabarm7.elf File opened for reading /proc/719/maps nabarm7.elf File opened for reading /proc/720/maps nabarm7.elf File opened for reading /proc/747/maps nabarm7.elf File opened for reading /proc/771/maps nabarm7.elf File opened for reading /proc/778/maps nabarm7.elf File opened for reading /proc/691/maps nabarm7.elf File opened for reading /proc/779/maps nabarm7.elf File opened for reading /proc/781/maps nabarm7.elf File opened for reading /proc/682/maps nabarm7.elf File opened for reading /proc/692/maps nabarm7.elf File opened for reading /proc/710/maps nabarm7.elf File opened for reading /proc/749/maps nabarm7.elf File opened for reading /proc/751/maps nabarm7.elf File opened for reading /proc/758/maps nabarm7.elf File opened for reading /proc/769/maps nabarm7.elf File opened for reading /proc/694/maps nabarm7.elf File opened for reading /proc/773/maps nabarm7.elf File opened for reading /proc/688/maps nabarm7.elf File opened for reading /proc/722/maps nabarm7.elf File opened for reading /proc/731/maps nabarm7.elf File opened for reading /proc/764/maps nabarm7.elf File opened for reading /proc/700/maps nabarm7.elf File opened for reading /proc/709/maps nabarm7.elf File opened for reading /proc/716/maps nabarm7.elf File opened for reading /proc/735/maps nabarm7.elf File opened for reading /proc/785/maps nabarm7.elf File opened for reading /proc/696/maps nabarm7.elf File opened for reading /proc/727/maps nabarm7.elf File opened for reading /proc/737/maps nabarm7.elf File opened for reading /proc/708/maps nabarm7.elf File opened for reading /proc/715/maps nabarm7.elf -
Changes its process name 1 IoCs
description ioc pid Process Changes the process name, possibly in an attempt to hide itself kblockd 648 nabarm7.elf -
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description ioc Process File opened for reading /proc/net/tcp nabarm7.elf -
description ioc Process File opened for reading /proc/15/comm nabarm7.elf File opened for reading /proc/722/cmdline nabarm7.elf File opened for reading /proc/727/cmdline nabarm7.elf File opened for reading /proc/21/comm nabarm7.elf File opened for reading /proc/140/comm nabarm7.elf File opened for reading /proc/641/comm nabarm7.elf File opened for reading /proc/717/cmdline nabarm7.elf File opened for reading /proc/773/cmdline nabarm7.elf File opened for reading /proc/6/comm nabarm7.elf File opened for reading /proc/12/comm nabarm7.elf File opened for reading /proc/143/comm nabarm7.elf File opened for reading /proc/2/comm nabarm7.elf File opened for reading /proc/10/comm nabarm7.elf File opened for reading /proc/16/comm nabarm7.elf File opened for reading /proc/587/status nabarm7.elf File opened for reading /proc/733/cmdline nabarm7.elf File opened for reading /proc/745/cmdline nabarm7.elf File opened for reading /proc/23/comm nabarm7.elf File opened for reading /proc/274/status nabarm7.elf File opened for reading /proc/781/cmdline nabarm7.elf File opened for reading /proc/3/comm nabarm7.elf File opened for reading /proc/600/comm nabarm7.elf File opened for reading /proc/262/status nabarm7.elf File opened for reading /proc/591/status nabarm7.elf File opened for reading /proc/109/comm nabarm7.elf File opened for reading /proc/139/comm nabarm7.elf File opened for reading /proc/295/comm nabarm7.elf File opened for reading /proc/599/comm nabarm7.elf File opened for reading /proc/297/status nabarm7.elf File opened for reading /proc/760/cmdline nabarm7.elf File opened for reading /proc/26/comm nabarm7.elf File opened for reading /proc/14/comm nabarm7.elf File opened for reading /proc/646/comm nabarm7.elf File opened for reading /proc/278/status nabarm7.elf File opened for reading /proc/694/cmdline nabarm7.elf File opened for reading /proc/702/cmdline nabarm7.elf File opened for reading /proc/681/cmdline nabarm7.elf File opened for reading /proc/692/cmdline nabarm7.elf File opened for reading /proc/648/comm nabarm7.elf File opened for reading /proc/307/status nabarm7.elf File opened for reading /proc/731/cmdline nabarm7.elf File opened for reading /proc/76/comm nabarm7.elf File opened for reading /proc/213/comm nabarm7.elf File opened for reading /proc/645/comm nabarm7.elf File opened for reading /proc/599/status nabarm7.elf File opened for reading /proc/700/cmdline nabarm7.elf File opened for reading /proc/720/cmdline nabarm7.elf File opened for reading /proc/723/cmdline nabarm7.elf File opened for reading /proc/20/comm nabarm7.elf File opened for reading /proc/278/comm nabarm7.elf File opened for reading /proc/145/status nabarm7.elf File opened for reading /proc/651/status nabarm7.elf File opened for reading /proc/684/cmdline nabarm7.elf File opened for reading /proc/719/cmdline nabarm7.elf File opened for reading /proc/5/comm nabarm7.elf File opened for reading /proc/13/comm nabarm7.elf File opened for reading /proc/18/comm nabarm7.elf File opened for reading /proc/19/comm nabarm7.elf File opened for reading /proc/42/comm nabarm7.elf File opened for reading /proc/640/comm nabarm7.elf File opened for reading /proc/594/status nabarm7.elf File opened for reading /proc/706/cmdline nabarm7.elf File opened for reading /proc/24/comm nabarm7.elf File opened for reading /proc/716/cmdline nabarm7.elf