Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240418-en
  • resource tags

    arch: armhf
    image: debian9-armhf-20240418-en
    kernel: 4.9.0-13-armmp-lpae
    locale: en-us
    os: debian-9-armhf
    system
  • submitted
    09-11-2024 06:45

General

  • Target

    sarm.elf

  • Size

    56KB

  • MD5

    28219bf16d9d56d66ab6939eac81d10d

  • SHA1

    78e283feb82b53b90afc3715e8d09ed0b94f0fa0

  • SHA256

    85b8915b635adbab46e45999f61f4ea93bba5597d1b22c3dcdb585320ca2d70a

  • SHA512

    4e9833e313439950e490bbbce0fa2818941d64fa309558f45f145fcedf7c26fe3ab1024bc1836896f3c76715ca3c812cb5f8091f0f51a159818800949dbbe138

  • SSDEEP

    768:MpcoW65mEgCq31UhyblACEgqlC/CAKNqdxQ/h/qWLosyfWXkpFArHIW8w291:0cbLCqS0JElNUS/PLR0FF

Score
9/10

Malware Config

Signatures

  • Contacts a large (93616) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes itself 1 IoCs
  • Unexpected DNS network traffic destination 16 IoCs

    Network traffic to servers other than the configured DNS servers was detected on the DNS port.

  • Checks hardware identifiers (DMI) 1 TTPs 1 IoCs

    Checks DMI information, which indicates whether the system is a virtual machine.

Processes

  • /tmp/sarm.elf
    /tmp/sarm.elf
    • Deletes itself
    • Checks hardware identifiers (DMI)
    PID: 638

Network

MITRE ATT&CK Enterprise v15
