Analysis
max time kernel: 149s
max time network: 151s
platform: debian-9_armhf
resource: debian9-armhf-20240418-en
resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 09-11-2024 06:45
Static task: static1
General
Target: sarm.elf
Size: 56KB
MD5: 28219bf16d9d56d66ab6939eac81d10d
SHA1: 78e283feb82b53b90afc3715e8d09ed0b94f0fa0
SHA256: 85b8915b635adbab46e45999f61f4ea93bba5597d1b22c3dcdb585320ca2d70a
SHA512: 4e9833e313439950e490bbbce0fa2818941d64fa309558f45f145fcedf7c26fe3ab1024bc1836896f3c76715ca3c812cb5f8091f0f51a159818800949dbbe138
SSDEEP: 768:MpcoW65mEgCq31UhyblACEgqlC/CAKNqdxQ/h/qWLosyfWXkpFArHIW8w291:0cbLCqS0JElNUS/PLR0FF
Malware Config
Signatures
- Contacts a large (93616) amount of remote hosts 1 TTPs
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows 1 TTPs
  This may indicate a network scan to discover remotely running services.
- Deletes itself 1 IoCs
  Processes (pid, process): 638 sarm.elf
- Unexpected DNS network traffic destination 16 IoCs
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Destination IPs (ioc): 185.84.81.194, 138.197.140.189, 103.1.206.179, 109.91.184.21, 185.181.61.24, 94.247.43.254, 192.71.166.92, 70.34.254.19, 168.235.111.72, 178.254.22.166, 94.247.43.254, 37.252.191.197, 185.181.61.24, 217.160.70.42, 94.247.43.254, 80.152.203.134
- Checks hardware identifiers (DMI) 1 TTPs 1 IoCs
  Checks DMI information which indicates whether the system is a virtual machine.
  File opened for reading (ioc): /sys/devices/virtual/dmi/id/sys_vendor, process: sarm.elf