Analysis
- max time kernel: 124s
- max time network: 153s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 10/03/2025, 00:12

Behavioral task: behavioral1
- Sample: nabarm5.elf
- Resource: debian9-armhf-20240611-en

General
- Target: nabarm5.elf
- Size: 36KB
- MD5: 60dcb6b17e4c2bfe8538c546e0891790
- SHA1: fa479fa7ca6381d2ffeea8ae216c0fc599069850
- SHA256: b97d3b2d55c0a8fc873da4accd60f26d45031d4a1f45d9cefdac7350bba9dc35
- SHA512: c3c8381f3ebf9a281b706d144219fb392df46756f9f40f0526fed0ff0c9e9e67e5073f43a14b1139991313d615cde048ef0288c63a5cfc6e44a19249eaf9603a
- SSDEEP: 768:6tpf5yjepoCyNjwxBbPct5sUIlP4XEA7bNPMfA9tbU6IL4C:2f5yC+NUxB7ct5kPQEmMI9tJ/
Malware Config
Signatures
- Contacts a large (14510) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
    description                    ioc                  Process
    File opened for modification   /dev/watchdog        nabarm5.elf
    File opened for modification   /dev/misc/watchdog   nabarm5.elf
- Renames itself (1 IoCs)
    pid   Process
    650   nabarm5.elf
- Unexpected DNS network traffic destination (1 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
    description      ioc
    Destination IP   194.36.144.87
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Enumerates active TCP sockets (1 TTPs, 1 IoCs)
  Gets active TCP sockets from the /proc virtual filesystem.
    description               ioc             Process
    File opened for reading   /proc/net/tcp   nabarm5.elf
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Reads process memory (1 TTPs, 64 IoCs)
  Reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
- Changes its process name (1 IoCs)
    description                                                      ioc               pid   Process
    Changes the process name, possibly in an attempt to hide itself  systemd-journal   650   nabarm5.elf
- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
    description               ioc             Process
    File opened for reading   /proc/net/tcp   nabarm5.elf