Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240418-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    09-11-2024 11:26

General

  • Target

    sarm7.elf

  • Size

    80KB

  • MD5

    bc9ff137fc512243033da78906fcb5d1

  • SHA1

    3994aa2aa14253dc79a3ceb417cd803b4351b413

  • SHA256

    406552637f54c4bcf7a73d26ee3e82bb32c226677c6af55f1118a05f5a9c19a6

  • SHA512

    658ad36a6ec3da1af3ad3db1372dcef7c3abbd28818ffb69819b3c2e30b82e0588817cdf72fae6b6744bb0c48236b6fa3adfdb8e3520f8e4383e6bbdba89797e

  • SSDEEP

    1536:AknaQMW/eMeXgKpBRmBoKp/T03uHaBfDh3iggqlR2iS3Rzu/cZy:7v/eMstpBRioS/A3uHaBfDra3RC/My

Score
9/10

Malware Config

Signatures

  • Contacts a large (93461) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes itself 1 IoCs
  • Unexpected DNS network traffic destination 25 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks hardware identifiers (DMI) 1 TTPs 1 IoCs

    Checks DMI information which indicate if the system is a virtual machine.

Processes

  • /tmp/sarm7.elf
    /tmp/sarm7.elf
    1⤵
    • Deletes itself
    • Checks hardware identifiers (DMI)
    PID:642

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads