{
	"id": "3514ee36-0471-40f6-9558-a32bdb6705e0",
	"created_at": "2026-04-06T00:18:25.869801Z",
	"updated_at": "2026-04-10T13:12:17.660251Z",
	"deleted_at": null,
	"sha1_hash": "5c0d380e5e3e71df8f155eb60d8d0ea3a54f1ea5",
	"title": "NoaBot Botnet - Sandboxing with ELFEN and Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 750580,
	"plain_text": "NoaBot Botnet - Sandboxing with ELFEN and Analysis\r\nArchived: 2026-04-05 23:35:12 UTC\r\nSHA256: b5e4c78705d602c8423b05d8cd758147fa5bcd2ac9a4fe7eb16a07ab46c82f07\r\nVT link\r\nTable of Contents\r\nFamily Introduction\r\nSandboxing with ELFEN\r\nDetonation\r\nuClibc Compilation\r\nBrute-Forcing Credentials\r\nPersistence through Cron\r\nAccessing Secrets\r\nAccessing Bash History\r\nAccessing SSH Private Keys\r\nAccessing User Accounts Information\r\nProcess Name Change\r\nNetwork Communications\r\nScanning through SSH\r\nC2 Domain\r\nSummary\r\nReferences\r\nFamily Introduction\r\nNoaBot is a Mirai-based botnet and possesses most of the original Mirai botnet’s capabilities. Its source code contains noticeable differences, such as a spreader based on SSH rather than Telnet. Akamai detected the NoaBot campaign in early 2023.\r\nThe sample analyzed in this post is an ELF executable targeting the MIPS 32-bit, little-endian architecture.\r\nSandboxing with ELFEN\r\nGenerally, a malware analyst performs sandboxing early in their workflow. The purpose of sandboxing is to quickly get a general idea of the malware sample’s capabilities: does it communicate over the network, encrypt files, establish persistence, etc. This information is useful in determining the next steps in the analysis workflow.\r\nI built the ELFEN sandbox to analyze Linux malware (file type: ELF) and provide this information. It is open-source and easy to set up.\r\nhttps://nikhilh-20.github.io/blog/noabot_botnet/\r\nPage 1 of 9\r\nDetonation\r\nUnless it is known, a sample is usually submitted to a sandbox without any command-line arguments.\r\nThe analysis result summary is shown in the snap below:\r\nuClibc Compilation\r\nThe sample is compiled with uClibc, and more specifically, with a version between v0.9.21 and v0.9.33.2, as evidenced by the string npxXoudifFeEgGaACSncs[. ELFEN detects this open-source library usage.\r\nBrute-Forcing Credentials\r\nELFEN generates process memory dumps during detonation. Besides extracting printable strings from the dumps, ELFEN also applies Yara rules to them. Some in-memory strings in the analysis hint at credentials brute-forcing. ELFEN detects the presence of well-known password patterns through a Yara rule.\r\nPersistence through Cron\r\nThe sample establishes persistence through a cron job that runs the sample every time the system reboots. The per-user crontab file is located under the directory /var/spool/cron/crontabs. ELFEN detects it as a dropped file and makes it available to the user for downloading. In this case, the sample also sets up command-line parameters when it runs through the cron job.\r\n$ cat root\r\n@reboot ./8zpeVaQk \"$mimic|fuck\" noa\r\nELFEN traces the crontab invocation and detects it:\r\nAccessing Secrets\r\nThe sample looks for a variety of secret information such as bash history, SSH private keys and user accounts information. Curiously, the sample does not seem to do anything (read/write) with the found files. A gap in tracing? Nevertheless, an analyst can likely make the assumption that the secret information is leveraged in some manner.\r\nELFEN detects this behavior:\r\nAccessing Bash History\r\nThe sample looks for .bash_history files at various locations. This file records a history of the commands that a user has entered in the Bash shell. ELFEN traces this behavior.\r\nAccessing SSH Private Keys\r\nThe sample looks for user SSH private keys for multiple algorithms: RSA, DSA and Ed25519. These keys are used for authenticating the user over SSH. ELFEN traces this behavior.\r\nAccessing User Accounts Information\r\nThe sample looks for the /etc/passwd file. This contains information about user accounts on the system. Note that benign executables access this file as well during runtime. However, context is important. The sample also accesses other secrets, so access to /etc/passwd should not be ignored. ELFEN traces this behavior.\r\nProcess Name Change\r\nThe sample changes its process name to masquerade as a benign process. Specifically, the new process name can be one of many popular utilities such as mongod, nginx, smbd, sshd, etc. ELFEN traces and detects this behavior.\r\nNetwork Communications\r\nScanning through SSH\r\nThe sample scans ports 22 and 2222 (a popular alternate port for SSH) on over 4000 IPv4 addresses. ELFEN traces this behavior. The original Mirai botnet spread through Telnet. Researchers at Akamai reported that NoaBot uses SSH.\r\nELFEN also captures network traffic into a PCAP and makes it available to the user for downloading. If the remote port is accepting connections, the sample sends a malformed SSH packet early in the SSH handshake. It contains the string hi.\r\nI observed that the sample does not send its SSH identification string first, as is usual in a normal SSH handshake. Instead, it waits for the server to send its identification string. It then replies with the malformed SSH packet.\r\nMy hypothesis is that the sample is trying to capture the server SSH identification string, perhaps to check if it’s vulnerable to a known exploit. It then sends the malformed SSH packet (the specific string hi is irrelevant) to possibly avoid triggering any timeouts or RST packets from the server which may draw suspicion on server-side defenses. As seen in the snap above, the connection gracefully terminates with a FIN-ACK-ACK packet sequence.\r\nC2 Domain\r\nThe sample reaches out to its C2, mimicmaster[.]online, which is currently unavailable.\r\nFrom its Whois records, it can be seen that the domain is currently suspended.\r\nThe last known IPv4 address for the domain was 185[.]193.126.118 as seen on VT.\r\nELFEN performs protocol analysis on the captured network traffic. At this point, only DNS protocol analysis is supported.\r\nSummary\r\nNoaBot is yet another Mirai-based botnet, except it has notable differences in its capabilities like the SSH spreader. The main goal of this analysis was to demonstrate the usage of the ELFEN sandbox to quickly get insights into a given malware sample.\r\nELFEN supports features such as:\r\nAnalysis and detection of Linux malware targeting x86-64, ARMv5, MIPS and PowerPC architectures.\r\nTracing files, processes, network-related syscalls and libc string-related functions.\r\nPCAP capture and protocol analysis.\r\nMemory dumps and capturing dropped files.\r\nand more!\r\nIf you’ve not already, give ELFEN a try!\r\nReferences\r\n1. ELFEN\r\n2. Malpedia\r\n3. You Had Me at Hi — Mirai-Based NoaBot Makes an Appearance\r\n4. open, openat - open file\r\n5. Wiresharking Secure Shell (SSH)\r\n6. Whois\r\n7. VirusTotal\r\n8. ChatGPT\r\n9. uClibc\r\nSource: https://nikhilh-20.github.io/blog/noabot_botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://nikhilh-20.github.io/blog/noabot_botnet/"
	],
	"report_names": [
		"noabot_botnet"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434705,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c0d380e5e3e71df8f155eb60d8d0ea3a54f1ea5.pdf",
		"text": "https://archive.orkl.eu/5c0d380e5e3e71df8f155eb60d8d0ea3a54f1ea5.txt",
		"img": "https://archive.orkl.eu/5c0d380e5e3e71df8f155eb60d8d0ea3a54f1ea5.jpg"
	}
}