Malware Analysis Report

2025-08-06 01:18

Sample ID 241107-sfk8vatnas
Target armv7l.elf
SHA256 5d478f6b5d75d96127d490cc21d9cc8c31400066f2e989dd7e76d0db02ca5712
Tags upx, discovery
Score 6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 6/10

SHA256 5d478f6b5d75d96127d490cc21d9cc8c31400066f2e989dd7e76d0db02ca5712

Threat level: shows suspicious behavior (score 6/10)

armv7l.elf is a UPX-packed 32-bit ARM Linux executable (detonated on debian12-armhf). During the 148 s run it read the routing table (/proc/net/route) and its own image (/proc/self/exe), wrote /tmp/Infected.log, and opened 30 TCP connections to 181.214.231.152:31130 without any DNS lookup for that address. No signature in this report establishes the purpose of the connection or of the file written, which is consistent with the "suspicious" rather than "malicious" verdict; the remote endpoint is the IOC to act on.

Malicious Activity Summary

upx discovery

Reads system routing table

UPX packed file

Reads system network configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Enterprise Matrix V15

The matrix is rendered as an interactive widget on the original page and is not reproduced. The signature tags below correspond to these techniques:

Defense Evasion: T1027.002 Obfuscated Files or Information: Software Packing (UPX packed file)

Discovery: T1016 System Network Configuration Discovery (reads /proc/net/route)

Discovery: T1082 System Information Discovery (reads /proc/self/exe)

The untagged signature "Writes file to tmp directory" and the outbound TCP connections have no technique assigned in this report.

Analysis: static1

Detonation Overview

Reported

2024-11-07 15:04

Signatures

UPX packed file

Tag: upx
Indicator: none (static match on the file image itself; no process event)
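As an added example (not part of the sandbox report or of its tooling), the following Python script performs the first static checks an analyst runs on a sample like this: parse the ELF header to confirm a 32-bit ARM executable, look for the marker strings that a "UPX packed file" signature keys on, and hash the file. The bytes it builds are constructed (a minimal ARM ELF header with a UPX! marker appended), not the real armv7l.elf; the two marker strings are the ones UPX writes by default.

```python
"""Static triage of an ELF sample: architecture, UPX markers, hash.

Added example, not taken from the sandbox report. build_sample() returns a
constructed stand-in (minimal ARM ELF header + UPX marker), not armv7l.elf.
"""
import hashlib
import struct

EM_ARM = 40  # e_machine value for 32-bit ARM
# Strings UPX leaves in a packed file by default; both can be scrubbed by hand.
UPX_MARKERS = (
    b"UPX!",
    b"$Info: This file is packed with the UPX executable packer",
)


def parse_elf_header(data: bytes) -> dict:
    """Return class, endianness, type and machine from an ELF header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # 1 = 32-bit, 1 = little-endian
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine follow the 16-byte e_ident in both ELF classes.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": {2: "EXEC", 3: "DYN"}.get(e_type, hex(e_type)),
        "machine": e_machine,
        "is_arm32": e_machine == EM_ARM and ei_class == 1,
    }


def find_upx_markers(data: bytes) -> list:
    """Return the UPX marker strings present anywhere in the file."""
    return [m.decode() for m in UPX_MARKERS if m in data]


def triage(data: bytes) -> dict:
    """Header facts plus packer evidence plus SHA256, as one record."""
    info = parse_elf_header(data)
    info["sha256"] = hashlib.sha256(data).hexdigest()
    info["upx_markers"] = find_upx_markers(data)
    info["upx_packed"] = bool(info["upx_markers"])
    return info


def build_sample() -> bytes:
    """Constructed stand-in: 52-byte ELF32 ARM header, padding, UPX! marker."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS32, LE, v1
    header = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2, EM_ARM,          # e_type EXEC, e_machine ARM
        1, 0x8000, 0x34, 0,  # e_version, e_entry, e_phoff, e_shoff
        0x5000200,          # e_flags (EABI v5, typical for armv7l)
        52, 32, 1, 40, 0, 0,  # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    )
    return header + b"\x00" * 64 + b"UPX!" + b"\x00" * 32


if __name__ == "__main__":
    print(triage(build_sample()))
```

When markers are present, `upx -d -o unpacked.elf armv7l.elf` restores the original file. Packed samples sometimes have the `UPX!` magic or the trailing packer info overwritten so that `upx -d` refuses the file while the runtime stub still unpacks it in memory; in that case the process memory dump listed under Files is the fallback, and an empty marker list does not prove the file is unpacked.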

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 15:04

Reported

2024-11-07 15:06

Platform

debian12-armhf-20240729-en

Max time kernel

146s

Max time network

148s

Command Line

[/tmp/armv7l.elf]

Signatures

Reads system routing table

Tag: discovery
Description: File opened for reading
Indicator: /proc/net/route
Process: /tmp/armv7l.elf
Target: N/A

Reads system network configuration

Tag: discovery
Description: File opened for reading
Indicator: /proc/net/route
Process: /tmp/armv7l.elf
Target: N/A

This signature fired on the same /proc/net/route open as the previous one; the two rules overlap, so this is one read counted twice rather than two separate discovery actions.

Reads runtime system information

Tag: discovery
Description: File opened for reading
Indicator: /proc/self/exe
Process: /tmp/armv7l.elf
Target: N/A

Opening /proc/self/exe is also something the UPX runtime stub can do to re-read its own image, so on a UPX-packed sample this event is expected and is weak evidence of deliberate discovery on its own.

Writes file to tmp directory

Description: File opened for modification
Indicator: /tmp/Infected.log
Process: /tmp/armv7l.elf
Target: N/A

The hashes of the written file are given under Files. The report does not establish whether Infected.log is an infection marker, a log, or a dropped artefact.
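What the "Reads system routing table" event actually yields, as an added example that is not part of the report: a parser for /proc/net/route that decodes the kernel's hex fields into the default gateway and the directly connected subnets, which is the LAN picture an implant gets from that single read. The routing-table text below is constructed, not captured from the sandbox; its layout is the real one (tab-separated columns, addresses printed as 32-bit values in host byte order, which is little-endian on armv7l).

```python
"""Decode /proc/net/route into gateway and local-subnet information.

Added example, not from the sandbox report. SAMPLE_ROUTE_TABLE is constructed
in the real /proc/net/route layout; it is not the detonation VM's table.
"""
import ipaddress
import socket
import struct

# Constructed table: a default route via 192.168.1.1, the connected /24,
# and a docker bridge network.
SAMPLE_ROUTE_TABLE = (
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t0101A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n"
    "eth0\t0001A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n"
    "docker0\t000011AC\t00000000\t0001\t0\t0\t0\t0000FFFF\t0\t0\t0\n"
)

RTF_UP = 0x0001       # route is usable
RTF_GATEWAY = 0x0002  # destination is reached via the Gateway column


def _hex_to_ipv4(field: str) -> str:
    """The kernel prints the 32-bit address in host byte order as 8 hex digits.

    armv7l (and x86) are little-endian, hence "<I"; on a big-endian host the
    same field would need ">I".
    """
    return socket.inet_ntoa(struct.pack("<I", int(field, 16)))


def parse_proc_net_route(text: str) -> list:
    """Parse every data row (header skipped) into a dict of decoded fields."""
    routes = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        f = line.split()
        flags = int(f[3], 16)
        routes.append({
            "iface": f[0],
            "destination": _hex_to_ipv4(f[1]),
            "gateway": _hex_to_ipv4(f[2]),
            "mask": _hex_to_ipv4(f[7]),
            "metric": int(f[6]),
            "up": bool(flags & RTF_UP),
            "is_gateway": bool(flags & RTF_GATEWAY),
        })
    return routes


def default_gateway(routes: list):
    """Return (iface, gateway) for the default route, or None if there is none."""
    for r in routes:
        if (r["destination"] == "0.0.0.0" and r["mask"] == "0.0.0.0"
                and r["up"] and r["is_gateway"]):
            return r["iface"], r["gateway"]
    return None


def local_subnets(routes: list) -> list:
    """Directly connected networks (no gateway flag) as CIDR strings."""
    nets = []
    for r in routes:
        if r["up"] and not r["is_gateway"] and r["destination"] != "0.0.0.0":
            net = ipaddress.ip_network(f"{r['destination']}/{r['mask']}", strict=False)
            nets.append(str(net))
    return nets


if __name__ == "__main__":
    table = parse_proc_net_route(SAMPLE_ROUTE_TABLE)
    print("default gateway:", default_gateway(table))
    print("local subnets:", local_subnets(table))
```

The byte-order step is the usual mistake when reproducing this read by hand: 0101A8C0 is 192.168.1.1, not 1.1.168.192. Reading /proc/net/route needs no privileges and produces no audit event on a default Linux install, which is why sandboxes hook the open() rather than anything on the host.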

Processes

/tmp/armv7l.elf (argv: [/tmp/armv7l.elf])

This is the only process recorded; no child processes were observed. Its PID, 706, is the number in the memory dump name under Files.

Network

Country  Destination              Domain                          Proto  Connections
US       1.1.1.1:53               debian12-armhf-20240729-en-2    udp    4
DE       181.214.231.152:31130    (none, contacted by address)    tcp    30

The four DNS queries are for the sandbox VM's own hostname (the platform name with a -2 suffix), so they reveal no attacker domain. All 30 TCP connections go to the single endpoint 181.214.231.152:31130 with no preceding lookup for it, so the address is obtained without DNS, typically hard-coded. Thirty connections in a 148 s run is a reconnect loop, and that endpoint is the primary network IOC for this sample. The country value is the sandbox's GeoIP attribution for the address and should be re-checked before it is used in reporting.
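Added example, not part of the report: a small hunt over Zeek conn.log records for the endpoint above and for the reconnect pattern the table shows. The log lines are constructed to mimic the detonation (one host opening short TCP connections to 181.214.231.152:31130 about every five seconds, plus unrelated traffic to a TEST-NET address) and are not the sandbox's capture; the IOC set and the interval-regularity threshold are the only inputs.

```python
"""Hunt a Zeek conn.log for a known C2 endpoint and for beacon-like reconnects.

Added example, not from the sandbox report. SAMPLE_CONN_LOG is constructed in
Zeek's tab-separated layout (field subset); the only value taken from the
report is the IOC endpoint.
"""
from collections import defaultdict
from statistics import mean, pstdev

IOC_ENDPOINTS = {("181.214.231.152", 31130)}  # from the report's Network table

# Constructed conn.log excerpt. 203.0.113.10 is a TEST-NET-3 documentation address.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1730991900.10\tC1\t10.0.2.15\t45612\t1.1.1.1\t53\tudp\tSF
1730991901.00\tC2\t10.0.2.15\t40100\t181.214.231.152\t31130\ttcp\tRSTO
1730991906.05\tC3\t10.0.2.15\t40102\t181.214.231.152\t31130\ttcp\tRSTO
1730991910.98\tC4\t10.0.2.15\t40104\t181.214.231.152\t31130\ttcp\tRSTO
1730991916.02\tC5\t10.0.2.15\t40106\t181.214.231.152\t31130\ttcp\tRSTO
1730991921.00\tC6\t10.0.2.15\t40108\t181.214.231.152\t31130\ttcp\tRSTO
1730991925.97\tC7\t10.0.2.15\t40110\t181.214.231.152\t31130\ttcp\tRSTO
1730991903.00\tC8\t10.0.2.20\t51000\t203.0.113.10\t443\ttcp\tSF
1730991950.00\tC9\t10.0.2.20\t51002\t203.0.113.10\t443\ttcp\tSF
"""


def parse_conn_log(text: str) -> list:
    """Parse the field subset above into dicts, skipping '#' header lines."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, oh, op, rh, rp, proto, state = line.split("\t")
        conns.append({"ts": float(ts), "uid": uid, "orig_h": oh, "orig_p": int(op),
                      "resp_h": rh, "resp_p": int(rp), "proto": proto, "state": state})
    return conns


def ioc_hits(conns: list, iocs=IOC_ENDPOINTS) -> list:
    """Return the uids of connections whose responder matches a known bad (ip, port)."""
    return [c["uid"] for c in conns if (c["resp_h"], c["resp_p"]) in iocs]


def beacon_candidates(conns: list, min_count: int = 5, max_cv: float = 0.2) -> list:
    """Flag (orig_h, resp_h, resp_p) flows with many connections at regular intervals.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connection starts: a reconnect loop with a fixed sleep gives a
    small value even with network jitter, while interactive traffic does not.
    """
    by_flow = defaultdict(list)
    for c in conns:
        by_flow[(c["orig_h"], c["resp_h"], c["resp_p"])].append(c["ts"])
    out = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            out.append({"flow": flow, "count": len(stamps),
                        "mean_gap_s": round(avg, 2), "cv": round(cv, 3)})
    return out


if __name__ == "__main__":
    records = parse_conn_log(SAMPLE_CONN_LOG)
    print("IOC hits:", ioc_hits(records))
    print("beacon candidates:", beacon_candidates(records))
```

The IOC match is the cheap, exact check; the interval test is what still fires after the operator moves the C2 to a new address, at the cost of tuning `min_count` and `max_cv` against the environment's own periodic traffic (NTP, update checks, monitoring agents).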

Files

memory/706-1-0x00008000-0x00068a70-memory.dmp

Dump of the running process (PID 706) covering 0x00008000-0x00068a70. 0x8000 is a common load address for 32-bit ARM executables, so this region is the unpacked image after the UPX stub has run and is the artefact to disassemble if upx -d does not accept the file.

/tmp/Infected.log

MD5 a70a5dde6f79eaea4e71c88b6a2ccc38
SHA1 92c0273c4be5d4b7bdbdd500de5a64e5e05652b2
SHA256 d087a5a10a09b589993d8cc44a24ef22db26ffd0feeeb3f29b15af008c292af8
SHA512 aaa7d00faa34a87292f23a16dae8a7a4b5a40c8e375a579f1286427819c2a04e1c6f970dbc0f2433e6c03f59a2ece0f28ba1e8fc526bc4afe77f176f61876c52