# NoaBot Botnet - Sandboxing with ELFEN and Analysis

Archived: 2026-04-05 23:35:12 UTC
Source: https://nikhilh-20.github.io/blog/noabot_botnet/
SHA256: b5e4c78705d602c8423b05d8cd758147fa5bcd2ac9a4fe7eb16a07ab46c82f07 (VT link)

## Family Introduction

NoaBot is a Mirai-based botnet and possesses most of the original Mirai botnet's capabilities. Its source code contains noticeable differences, such as a spreader based on SSH rather than Telnet. Akamai detected the NoaBot campaign in early 2023. The sample analyzed in this post is an ELF executable targeting the MIPS 32-bit, little-endian architecture.

## Sandboxing with ELFEN

Generally, a malware analyst performs sandboxing early in their workflow. The purpose of sandboxing is to quickly get a general idea of the malware sample's capabilities: does it communicate over the network, encrypt files, establish persistence, etc. This information is useful in determining the next steps in the analysis workflow. I built the ELFEN sandbox to analyze Linux malware (file type: ELF) and provide this information. It is open-source and easy to set up.

### Detonation

Unless it is known, a sample is usually submitted to a sandbox without any command-line arguments. The analysis result summary is shown in the snap below.

### uClibc Compilation

The sample is compiled with uClibc, and more specifically, with a version between v0.9.21 and v0.9.33.2, as evidenced by the string `npxXoudifFeEgGaACSncs[`. ELFEN detects this open-source library usage.

### Brute-Forcing Credentials

ELFEN generates process memory dumps during detonation.
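Extracting printable strings from a dump and matching the uClibc marker can be scripted outside the sandbox as well. The following is an added example, not ELFEN's own code: a `strings(1)`-style extractor, a lookup of the uClibc marker string quoted in the previous section, and a diff of strings that appear only in a memory dump, which is where runtime-decoded configuration tends to surface. The two byte blobs are constructed stand-ins for the on-disk ELF and a dump; `LIBC_MARKERS` holds only the one marker the post reports.

```python
"""Pull printable strings out of a binary blob and fingerprint the libc build.

Added example, not ELFEN's own code. The uClibc marker is the string quoted
in the post; both blobs below are constructed to stand in for the on-disk
ELF and a process memory dump taken during detonation.
"""
import re
from typing import List, Optional, Set

# (marker, label) pairs. The only entry is the uClibc printf conversion
# table quoted in the post; add further markers only once verified.
LIBC_MARKERS = [
    (b"npxXoudifFeEgGaACSncs[", "uClibc v0.9.21 - v0.9.33.2"),
]


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def fingerprint_libc(strings: List[str]) -> Optional[str]:
    """Label of the first known libc marker found inside any string, else None."""
    for marker, label in LIBC_MARKERS:
        needle = marker.decode("ascii")
        if any(needle in s for s in strings):
            return label
    return None


def memory_only_strings(disk_blob: bytes, dump_blob: bytes,
                        min_len: int = 6) -> Set[str]:
    """Strings present in the memory dump but absent from the file on disk:
    the usual place to look for decoded config, target lists and credentials."""
    return (set(extract_strings(dump_blob, min_len))
            - set(extract_strings(disk_blob, min_len)))


# Constructed stand-ins. The ELF magic and the uClibc marker are real byte
# strings; everything else is filler chosen for the demo.
ON_DISK = (b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
           + b"\x00npxXoudifFeEgGaACSncs[\x00"
           + b"\x00/var/spool/cron/crontabs\x00" + b"\x03\x04\x05")
# The dump carries two extra strings that only exist after runtime decoding
# (constructed placeholder values, not observed data).
IN_MEMORY = ON_DISK + b"\x00c2.example.invalid\x00" + b"\x00/root/.ssh/id_rsa\x00"

if __name__ == "__main__":
    disk_strings = extract_strings(ON_DISK)
    print("libc:", fingerprint_libc(disk_strings))
    print("memory-only:", sorted(memory_only_strings(ON_DISK, IN_MEMORY)))
```

The extractor deliberately works on raw bytes rather than an ELF section table, so it applies equally to a memory dump, a stripped binary or a packed one; the diff against the on-disk file is the quickest way to see what a sample only reveals while running.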
Besides extracting printable strings from the dumps, ELFEN also applies Yara rules on them. Some in-memory strings in the analysis hint at credential brute-forcing. ELFEN detects the presence of well-known password patterns through a Yara rule.

## Persistence through Cron

The sample establishes persistence through a cron job that runs the sample every time the system reboots. The per-user crontab files are located under the directory `/var/spool/cron/crontabs`. ELFEN detects it as a dropped file and makes it available to the user for downloading. In this case, the sample also sets up command-line parameters when it runs through the cron job.

```
$ cat root
@reboot ./8zpeVaQk "$mimic|fuck" noa
```

ELFEN traces the crontab invocation and detects it.

## Accessing Secrets

The sample looks for a variety of secret information such as bash history, SSH private keys and user account information. Curiously, the sample does not seem to do anything (read/write) with the found files. A gap in tracing? Nevertheless, an analyst can likely make the assumption that the secret information is leveraged in some manner. ELFEN detects this behavior.

### Accessing Bash History

The sample looks for `.bash_history` files at various locations. This file records a history of the commands that a user has entered in the Bash shell. ELFEN traces this behavior.

### Accessing SSH Private Keys

The sample looks for user SSH private keys for multiple algorithms: RSA, DSA and Ed25519. These keys are used for authenticating the user over SSH. ELFEN traces this behavior.

### Accessing User Accounts Information

The sample looks for the `/etc/passwd` file. This contains information about user accounts on the system. Note that benign executables access this file as well during runtime. However, context is important. The sample also accesses other secrets, so access to `/etc/passwd` should not be ignored.
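To make the context argument concrete, here is an added example (not ELFEN's tracer or its rules) that correlates `open()`/`openat()` calls per process: the secrets named in this section are classified by path, `/etc/passwd` on its own is not reported, but it is once the same process has also probed bash history or SSH keys, and a write to the crontab spool from the Persistence section is flagged alongside. The trace lines are constructed in a simplified strace-like format, and the `ecdsa` key name is an addition of this example beyond the three algorithms the sample was seen probing.

```python
"""Correlate secret-file access and cron persistence from an open()/openat() trace.

Added example, not ELFEN's own tracer or rules. The trace lines are
constructed in a simplified strace-like format: "<pid> <call>(<args>) = <ret>".
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

OPEN_RE = re.compile(
    r'^(?P<pid>\d+)\s+(?P<call>open|openat)\('
    r'(?:AT_FDCWD,\s*)?"(?P<path>[^"]+)",\s*(?P<flags>[A-Z_|]+)'
)

# Path patterns for the secrets named in the post; ecdsa is an addition of
# this example (the sample was seen probing rsa, dsa and ed25519 keys).
SECRET_RULES = [
    ("bash_history", re.compile(r"/\.bash_history$")),
    ("ssh_private_key", re.compile(r"/\.ssh/id_(rsa|dsa|ecdsa|ed25519)$")),
    ("passwd", re.compile(r"^/etc/passwd$")),
]
CRON_SPOOL = "/var/spool/cron/crontabs/"
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}


def classify_path(path: str) -> Optional[str]:
    """Secret category for a path, or None if it is not one we track."""
    for label, rule in SECRET_RULES:
        if rule.search(path):
            return label
    return None


def analyze_trace(lines: Iterable[str]) -> Dict[int, Dict[str, object]]:
    """Per-PID findings. Failed opens (ENOENT) still count: probing for a
    secret is the signal, whether or not the file exists on the sandbox."""
    secrets: Dict[int, Set[str]] = defaultdict(set)
    persistence: Dict[int, List[str]] = defaultdict(list)
    for line in lines:
        m = OPEN_RE.match(line.strip())
        if not m:
            continue
        pid, path = int(m["pid"]), m["path"]
        flags = set(m["flags"].split("|"))
        label = classify_path(path)
        if label:
            secrets[pid].add(label)
        # any write-capable open under the crontab spool is a persistence drop
        if path.startswith(CRON_SPOOL) and flags & WRITE_FLAGS:
            persistence[pid].append(path)

    report: Dict[int, Dict[str, object]] = {}
    for pid in set(secrets) | set(persistence):
        found = secrets.get(pid, set())
        # /etc/passwd is read by plenty of benign programs; only report it
        # when the same process also went after other secrets.
        reportable = set() if found == {"passwd"} else found
        findings = []
        if reportable:
            findings.append("secret_access:" + ",".join(sorted(reportable)))
        if persistence.get(pid):
            findings.append("cron_persistence:" + ",".join(persistence[pid]))
        report[pid] = {"secrets": found, "findings": findings}
    return report


# Constructed trace of the behaviour described in the post (PID and paths
# chosen for the demo; the ENOENT lines show probing of absent files).
SAMPLE_TRACE = """
1712 openat(AT_FDCWD, "/root/.bash_history", O_RDONLY) = 3
1712 openat(AT_FDCWD, "/home/user/.bash_history", O_RDONLY) = -1 ENOENT (No such file or directory)
1712 openat(AT_FDCWD, "/root/.ssh/id_rsa", O_RDONLY) = -1 ENOENT (No such file or directory)
1712 openat(AT_FDCWD, "/root/.ssh/id_ed25519", O_RDONLY) = 4
1712 openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 5
1712 openat(AT_FDCWD, "/var/spool/cron/crontabs/root", O_WRONLY|O_CREAT|O_TRUNC, 0600) = 6
""".strip().splitlines()

# Constructed benign process: a login helper reading passwd and group only.
BENIGN_TRACE = """
2201 openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
2201 openat(AT_FDCWD, "/etc/group", O_RDONLY|O_CLOEXEC) = 4
""".strip().splitlines()

if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        for pid, info in analyze_trace(trace).items():
            print(name, pid, info["findings"])
```

The benign process lands in the report with an empty findings list, which is the point: the analyst still sees that `/etc/passwd` was touched, but nothing fires until the same PID also reaches for a second secret category.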
ELFEN traces this behavior.

## Process Name Change

The sample changes its process name to masquerade as a benign process. Specifically, the new process name can be one of many popular utilities such as `mongod`, `nginx`, `smbd`, `sshd`, etc. ELFEN traces and detects this behavior.

## Network Communications

### Scanning through SSH

The sample scans ports 22 and 2222 (a popular alternate port for SSH) on over 4000 IPv4 addresses. ELFEN traces this behavior. The original Mirai botnet spread through Telnet. Researchers at Akamai reported that NoaBot uses SSH.

ELFEN also captures network traffic into a PCAP and makes it available to the user for downloading. If the remote port is accepting connections, the sample sends a malformed SSH packet early in the SSH handshake. It contains the string `hi`. I observed that the sample does not send its SSH identification string first, as is usual in a normal SSH handshake. Instead, it waits for the server to send its identification string. It then replies with the malformed SSH packet.

My hypothesis is that the sample is trying to capture the server's SSH identification string, perhaps to check if it is vulnerable to a known exploit. It then sends the malformed SSH packet (the specific string `hi` is irrelevant), possibly to avoid triggering any timeouts or RST packets from the server which may draw the attention of server-side defenses. As seen in the snap above, the connection terminates gracefully with a FIN-ACK-ACK packet sequence.

### C2 Domain

The sample reaches out to its C2, `mimicmaster[.]online`, which is currently unavailable. From its Whois records, it can be seen that the domain is currently suspended. The last known IPv4 address for the domain was `185[.]193.126.118`, as seen on VT.

ELFEN performs protocol analysis on the captured network traffic.
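As an added example of the kind of check a defender can run over captured traffic (not ELFEN's protocol analysis), the block below does two things: it flags a source that contacts many distinct hosts on ports 22/2222 within a short window, and it inspects the opening of each completed connection to catch the pattern described in the SSH scanning section, where the client waits for the server's identification string and then sends data that is not an `SSH-` identification string. The flow records are a constructed, simplified per-connection view of what a PCAP would give; addresses are from RFC 5737 documentation ranges, and `make_flow`, `build_sample_flows` and the thresholds are this example's own.

```python
"""Flag SSH-port scan fan-out and odd SSH handshakes in captured flows.

Added example, not ELFEN's own protocol analysis. A flow record here is a
constructed, simplified summary of one TCP connection attempt; first_sender,
client_first and server_banner are None when no data was exchanged (for
example the port was closed). Addresses are RFC 5737 documentation ranges.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Optional

SSH_PORTS = {22, 2222}


def make_flow(src: str, dst: str, dport: int, ts: float,
              first_sender: Optional[str] = None,
              client_first: Optional[bytes] = None,
              server_banner: Optional[bytes] = None) -> dict:
    return {"src": src, "dst": dst, "dport": dport, "ts": ts,
            "first_sender": first_sender, "client_first": client_first,
            "server_banner": server_banner}


def detect_scanners(flows: List[dict], min_targets: int = 50,
                    window: float = 60.0) -> Dict[str, int]:
    """Sources that reach min_targets distinct SSH-port destinations within
    any window-second span, mapped to the largest such count."""
    by_src: Dict[str, List[tuple]] = defaultdict(list)
    for f in flows:
        if f["dport"] in SSH_PORTS:
            by_src[f["src"]].append((f["ts"], f["dst"]))
    hits: Dict[str, int] = {}
    for src, events in by_src.items():
        events.sort()
        in_window: Counter = Counter()
        left, best = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the left edge until the span is at most `window` seconds
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            hits[src] = best
    return hits


def handshake_anomalies(flow: dict) -> List[str]:
    """Reasons an SSH connection's opening looks wrong; empty means normal."""
    reasons: List[str] = []
    client = flow["client_first"]
    if client is None:
        return reasons  # nothing exchanged, nothing to judge
    if flow["first_sender"] == "server":
        # RFC 4253 lets either side send its identification string first, so
        # this alone is only a hint; the post's sample waited for the server.
        reasons.append("client waited for server identification string")
    if not client.startswith(b"SSH-"):
        reasons.append("first client payload is not an SSH identification string")
    return reasons


def build_sample_flows() -> List[dict]:
    """Constructed capture: one scanner hitting 130 hosts plus one admin login."""
    flows: List[dict] = []
    t = 0.0
    for i in range(1, 101):
        flows.append(make_flow("10.0.0.5", "192.0.2.%d" % i, 22, t))
        t += 0.3
    for i in range(1, 31):
        flows.append(make_flow("10.0.0.5", "198.51.100.%d" % i, 2222, t))
        t += 0.3
    # one target accepted: server banner first, then the two-byte "hi" payload
    flows[3].update(first_sender="server", server_banner=b"SSH-2.0-OpenSSH_8.9\r\n",
                    client_first=b"hi")
    # constructed admin workstation with a normal login (client speaks first)
    flows.append(make_flow("10.0.0.9", "203.0.113.10", 22, 5.0, first_sender="client",
                           client_first=b"SSH-2.0-OpenSSH_9.6\r\n",
                           server_banner=b"SSH-2.0-OpenSSH_9.6\r\n"))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("scanners:", detect_scanners(sample))
    for f in sample:
        why = handshake_anomalies(f)
        if why:
            print(f["src"], "->", f["dst"], why)
```

The fan-out check is the one a network sensor would apply to the sandbox's own egress; the handshake check needs the first payload bytes, which is why keeping the PCAP matters rather than flow summaries alone.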
At this point, only DNS protocol analysis is supported.

## Summary

NoaBot is yet another Mirai-based botnet, except that it has notable differences in its capabilities, such as the SSH spreader. The main goal of this analysis was to demonstrate the usage of the ELFEN sandbox to quickly get insights into a given malware sample. ELFEN supports features such as:

- Analysis and detection of Linux malware targeting x86-64, ARMv5, MIPS and PowerPC architectures.
- Tracing file, process and network-related syscalls and libc string-related functions.
- PCAP capture and protocol analysis.
- Memory dumps, capturing dropped files and more!

If you've not already, give ELFEN a try!

## References

1. ELFEN
2. Malpedia
3. You Had Me at Hi — Mirai-Based NoaBot Makes an Appearance
4. open, openat - open file
5. Wiresharking Secure Shell (SSH)
6. Whois
7. VirusTotal
8. ChatGPT
9. uClibc