Malware Analysis Report

2025-08-06 01:19

Sample ID: 241107-shv6tsxjer
Target: armv5l.elf
SHA256: 78da34887205a74c6f532dc5e347284624cff44e8320de5ecfeb36a608d05d3d
Tags: upx, discovery
Score: 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 6/10
SHA256: 78da34887205a74c6f532dc5e347284624cff44e8320de5ecfeb36a608d05d3d
Threat level: shows suspicious behavior

The file armv5l.elf was classified as showing suspicious behavior (score 6/10) on the basis of the signatures summarised below: a UPX-packed binary that performs host and network discovery and writes to /tmp.

Malicious Activity Summary

Tags: upx, discovery

Signatures:
  Reads system routing table
  UPX packed file
  Reads system network configuration
  Reads runtime system information
  Writes file to tmp directory

MITRE ATT&CK

Enterprise Matrix V15: no techniques are listed for this sample in the report.

Analysis: static1

Detonation Overview

Reported: 2024-11-07 15:08

Signatures

UPX packed file (tag: upx)

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A
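The static pass above records only that the sample is UPX-packed. As an added example (not part of the report and not the sandbox's own code), the Python script below performs the checks an analyst runs before unpacking: confirm that the ELF class and machine match the platform the sandbox used (32-bit ARM, as the filename armv5l and the armhf platform suggest), count UPX markers, and record hashes. The ELF bytes it analyses are constructed inline; the real sample is not embedded. One caveat: a stock `upx -d` fails on samples whose UPX headers were deliberately altered, a common trick in IoT malware, so the marker count and the `$Info` string are evidence of packing, not a guarantee that the stock unpacker will succeed.

```python
"""Static triage of a suspected UPX-packed ELF (added example, not from the report).

Parses the ELF identification header to confirm the architecture the sandbox
reported (32-bit ARM), scans for UPX packer markers and records hashes.
The sample bytes are CONSTRUCTED: a synthetic ELF32 ARM header followed by
UPX marker strings, not the real armv5l.elf.
"""
import hashlib
import struct

EM_NAMES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
E_TYPES = {1: "REL", 2: "EXEC", 3: "DYN"}
UPX_MAGIC = b"UPX!"
UPX_INFO = b"$Info: This file is packed with the UPX executable packer"


def is_elf(data: bytes) -> bool:
    """True if the buffer starts with the ELF magic and is at least one ELF32 header long."""
    return len(data) >= 52 and data[:4] == b"\x7fELF"


def parse_elf_header(data: bytes) -> dict:
    """Return class, endianness, type and machine from the ELF header."""
    if not is_elf(data):
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("corrupt EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine follow the 16-byte e_ident block in both ELF32 and ELF64.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPES.get(e_type, hex(e_type)),
        "machine": EM_NAMES.get(e_machine, hex(e_machine)),
    }


def detect_upx(data: bytes) -> dict:
    """Locate every UPX! marker and check for the packer's info string."""
    offsets, pos = [], data.find(UPX_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(UPX_MAGIC, pos + 1)
    return {
        "upx_magic_offsets": offsets,
        "upx_info_string": UPX_INFO in data,
        # Genuine UPX output carries several UPX! markers (l_info, p_info, trailer);
        # a single hit is weak evidence and may be a false positive.
        "likely_upx": len(offsets) >= 2 or UPX_INFO in data,
    }


def triage(data: bytes) -> dict:
    """Hashes plus header and packer findings, as a single record for the case file."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "header": parse_elf_header(data),
        "upx": detect_upx(data),
    }


def build_sample() -> bytes:
    """CONSTRUCTED synthetic ELF32 little-endian ARM EXEC header plus UPX markers."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # 32-bit, LE, version 1, SysV
    hdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2,          # e_type    EXEC
        0x28,       # e_machine EM_ARM
        1,          # e_version
        0x8000,     # e_entry   (conventional ARM Linux load base)
        52, 0, 0x05000002,  # e_phoff, e_shoff, e_flags (EABI v5)
        52, 32, 2, 40, 0, 0,  # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    # UPX keeps UPX! in its l_info/p_info structs and again in the trailer, and the
    # $Info string in the decompression stub; this body imitates that layout only.
    body = (UPX_MAGIC + b"\x00" * 8 + UPX_MAGIC + b"\x00" * 4
            + UPX_INFO + b" " + b"\x00" * 16 + UPX_MAGIC)
    return hdr + body


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(key, value)
```

To run it on the real file, replace `build_sample()` with the bytes read from disk; if `header["machine"]` is not ARM or `bits` is not 32, the sandbox platform (debian9-armhf) would have been the wrong one and the behavioural results should be treated with suspicion.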

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-07 15:08
Reported: 2024-11-07 15:10
Platform: debian9-armhf-20240611-en
Max time kernel: 149s
Max time network: 150s

Command Line

[/tmp/armv5l.elf]

Signatures

Reads system routing table (tag: discovery)

Description               Indicator         Process           Target
File opened for reading   /proc/net/route   /tmp/armv5l.elf   N/A

Reads system network configuration (tag: discovery)

Description               Indicator         Process           Target
File opened for reading   /proc/net/route   /tmp/armv5l.elf   N/A

Reads runtime system information (tag: discovery)

Description               Indicator         Process           Target
File opened for reading   /proc/self/exe    /tmp/armv5l.elf   N/A

Writes file to tmp directory

Description                    Indicator           Process           Target
File opened for modification   /tmp/Infected.log   /tmp/armv5l.elf   N/A

The first two signatures fire on the same event, the read of /proc/net/route; the report records no other network-configuration file being opened.

Processes

Process           Command line
/tmp/armv5l.elf   [/tmp/armv5l.elf]

Network

Country   Destination             Domain   Proto   Count
DE        181.214.231.152:31130   N/A      tcp     28

All 28 recorded TCP connections within the roughly 150 s run went to the same endpoint, and no domain is associated with it in the report; the destination was reached by IP address rather than by name.
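The behavioural signatures, the process list and the network table above amount to three observations: reads of /proc/net/route and /proc/self/exe, a write to /tmp/Infected.log, and 28 TCP connections to 181.214.231.152:31130 within the run. As an added example (not part of the report and not the sandbox's own logic), the Python below reproduces those signatures as detection logic over strace-style syscall lines, which is how the same behaviour would be spotted on a monitored host rather than in a sandbox. The log lines are constructed to mirror the report's events; the syscall return values, the threshold of five connects to one endpoint, and the signature name "Repeated connections to a single endpoint" are assumptions of mine, not facts from the report.

```python
"""Behavioural triage over strace-style syscall lines (added example, not from the report).

Re-creates the report's four signatures (routing-table and network-configuration
read, runtime-information read, write under /tmp) and adds a repeated-connect
check. SAMPLE_LOG is CONSTRUCTED to mirror the events the report lists; the
return values on each line are invented and are not a capture of the sample.
"""
import re
from collections import Counter

OPENAT_RE = re.compile(r'^(\d+)\s+openat\(\w+,\s*"([^"]+)",\s*([A-Z_|]+)')
CONNECT_RE = re.compile(
    r'^(\d+)\s+connect\(\d+,\s*\{sa_family=AF_INET,\s*sin_port=htons\((\d+)\),'
    r'\s*sin_addr=inet_addr\("([\d.]+)"\)\}'
)

# /proc paths behind the report's discovery signatures, plus common neighbours.
NETWORK_DISCOVERY = {"/proc/net/route", "/proc/net/arp", "/proc/net/tcp", "/proc/net/dev"}
RUNTIME_DISCOVERY = {"/proc/self/exe", "/proc/self/maps", "/proc/cpuinfo"}
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT")
BEACON_THRESHOLD = 5  # assumed: this many connects to one endpoint is flagged

SAMPLE_LOG = [  # constructed; pid 656 taken from the memory dump name in the report
    '656  openat(AT_FDCWD, "/proc/self/exe", O_RDONLY|O_LARGEFILE) = 3',
    '656  openat(AT_FDCWD, "/proc/net/route", O_RDONLY) = 4',
    '656  openat(AT_FDCWD, "/tmp/Infected.log", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 5',
    '656  socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 6',
] + [
    '656  connect(6, {sa_family=AF_INET, sin_port=htons(31130), '
    'sin_addr=inet_addr("181.214.231.152")}, 16) = -1 ECONNREFUSED (Connection refused)'
] * 28


def analyse(lines) -> dict:
    """Walk syscall lines once and bucket the events the signatures care about."""
    findings = {
        "network_discovery": [],
        "runtime_discovery": [],
        "tmp_writes": [],
        "connects": Counter(),  # (ip, port) -> number of connect() calls
    }
    for line in lines:
        m = OPENAT_RE.match(line)
        if m:
            _pid, path, flags = m.groups()
            if path in NETWORK_DISCOVERY:
                findings["network_discovery"].append(path)
            elif path in RUNTIME_DISCOVERY:
                findings["runtime_discovery"].append(path)
            # Only flag /tmp opens that can modify the file; a read of /tmp is not a write.
            if path.startswith("/tmp/") and any(f in flags.split("|") for f in WRITE_FLAGS):
                findings["tmp_writes"].append(path)
            continue
        m = CONNECT_RE.match(line)
        if m:
            _pid, port, ip = m.groups()
            findings["connects"][(ip, int(port))] += 1
    findings["beacon_endpoints"] = [
        ep for ep, n in findings["connects"].items() if n >= BEACON_THRESHOLD
    ]
    return findings


def signatures(findings: dict) -> list:
    """Map raw findings to the signature names the report uses (plus one assumed name)."""
    sigs = []
    if "/proc/net/route" in findings["network_discovery"]:
        sigs.append("Reads system routing table")
    if findings["network_discovery"]:
        sigs.append("Reads system network configuration")
    if findings["runtime_discovery"]:
        sigs.append("Reads runtime system information")
    if findings["tmp_writes"]:
        sigs.append("Writes file to tmp directory")
    if findings["beacon_endpoints"]:
        sigs.append("Repeated connections to a single endpoint")  # assumed name, not in the report
    return sigs


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for name in signatures(result):
        print(name)
    for (ip, port), n in result["connects"].items():
        print(f"{ip}:{port} connect() x{n}")
```

Because the report gives a 150 s window, 28 connects to one IP:port averages one attempt every five to six seconds; that pattern is what the threshold is meant to surface, but whether the connections succeeded, and therefore whether the endpoint was live at detonation time, is not something the report states.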

Files

memory/656-1-0x00008000-0x00064d80-memory.dmp

/tmp/Infected.log
  MD5     a70a5dde6f79eaea4e71c88b6a2ccc38
  SHA1    92c0273c4be5d4b7bdbdd500de5a64e5e05652b2
  SHA256  d087a5a10a09b589993d8cc44a24ef22db26ffd0feeeb3f29b15af008c292af8
  SHA512  aaa7d00faa34a87292f23a16dae8a7a4b5a40c8e375a579f1286427819c2a04e1c6f970dbc0f2433e6c03f59a2ece0f28ba1e8fc526bc4afe77f176f61876c52