Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    09-11-2024 08:12

General

  • Target

    sarm5.elf

  • Size

    56KB

  • MD5

    f6ee57bb796ae5b8bdc49f0ebcecc223

  • SHA1

    8c0d37d178f6049fb351111f5ccb915d1a0d5c04

  • SHA256

    61a9a4da729d3e32b3b22ff5179c31083963cb7f9ea0ff9f6f6146c4af74c8ec

  • SHA512

    d6669e140776d581aaa4550a304401efb2451b2a88b88743ba5b9d8eb995af5fd2e0513c2b3a16d8d2fcd1ee0031f51c9f1f731a58ec5768dd7896c0632e9794

  • SSDEEP

    768:K1+0NJvSxR2NRJ+uyZMcWzoljFCasKKildWauiKvsq+tWLauwGg0W268L7qbmdtu:a+gu2Nqatol0sl7OjZLYUDPqbt

Score
9/10

Malware Config

Signatures

  • Contacts a large number (67118) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes itself 1 IoCs
  • Unexpected DNS network traffic destination 23 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks hardware identifiers (DMI) 1 TTPs 1 IoCs

    Checks DMI information that indicates whether the system is a virtual machine.

Processes

  • /tmp/sarm5.elf
    /tmp/sarm5.elf
    1⤵
    • Deletes itself
    • Checks hardware identifiers (DMI)
    PID:652

Network

MITRE ATT&CK Enterprise v15
