Analysis
max time kernel: 141s
max time network: 156s
platform: debian-12_mipsel
resource: debian12-mipsel-20240221-en
resource tags: arch:mipsel, image:debian12-mipsel-20240221-en, kernel:6.1.0-17-4kc-malta, locale:en-us, os:debian-12-mipsel, system
submitted: 01/02/2025, 13:42
Behavioral task
behavioral1
Sample
splmpsl.elf
Resource
debian12-mipsel-20240221-en
General
Target: splmpsl.elf
Size: 74KB
MD5: 307165bfa9fdd0f10ddc4ce2b02116b6
SHA1: 916398aef92071b40dd16d3512c2fc365e71a0f3
SHA256: 373bfd3607320c5a7019353e020b6f6f00e035671ef75d76473ca5c92577e102
SHA512: 26c6df9a3b383f7132cee6ff3428881700f277f439b6666f70cbee518d4572e6d8d7902462738e21c2cadc20b9bd607e6811fe954a19c354297b9b89f2f4de2a
SSDEEP: 1536:1a1bQWaJus8f90gHiuEdOXUeEQS8AW6zxzNQy0Na:1WUWaJus8fOxOXUeUQg
Malware Config
Signatures
- Contacts a large (44077) amount of remote hosts  [1 TTPs]
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows  [1 TTPs]
  This may indicate a network scan to discover remotely running services.
- Deletes itself  [1 IoCs]
  pid   Process
  741   splmpsl.elf
- Modifies Watchdog functionality  [1 TTPs, 2 IoCs]
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system. The two paths below are exactly the ones the public Mirai source tries in turn before issuing a WDIOC_SETOPTIONS ioctl with WDIOS_DISABLECARD, so that a hardware watchdog left unfed by a hung or CPU-starved device does not reboot it and clear the infection.
  description                     ioc                  Process
  File opened for modification    /dev/misc/watchdog   splmpsl.elf
  File opened for modification    /dev/watchdog        splmpsl.elf
- Renames itself  [1 IoCs]
  pid   Process
  741   splmpsl.elf
- Unexpected DNS network traffic destination  [2 IoCs]
  Network traffic on the DNS port to servers other than the configured DNS servers was detected. Mirai-family bots commonly resolve their C2 through a hard-coded public resolver rather than the one the device received from DHCP, which is what makes this signature fire.
  description      ioc
  Destination IP   202.61.197.122
  Destination IP   202.61.197.122
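The three network signatures above (large number of remote hosts, large number of flows, DNS traffic to a non-configured resolver) reduce to a few set and count operations over flow records. The block below is an added example, not tria.ge's detection code: it runs those checks over constructed flows (a couple of DNS lookups, one connection to 202.61.197.122, and a telnet sweep across 2000 consecutive addresses). The sandbox resolver address and both thresholds are assumptions, since tria.ge does not publish its cutoffs.

```python
"""Network triage checks behind three signatures on this report (added example;
not tria.ge's code). Works over (proto, dst_ip, dst_port) tuples, which is what
a pcap or flow log reduces to. The flows are constructed; the resolver address
and the thresholds are assumptions."""
from collections import Counter
import ipaddress

CONFIGURED_DNS = {"10.127.0.1"}  # assumption: resolver the VM got from DHCP
HOST_THRESHOLD = 1000             # assumption: "large amount of remote hosts" cutoff
FLOW_THRESHOLD = 1000             # assumption: "large amount of network flows" cutoff


def constructed_flows(n_scan=2000):
    """A few ordinary flows plus a telnet sweep over consecutive addresses."""
    flows = [
        ("udp", "10.127.0.1", 53),        # lookup via the configured resolver
        ("udp", "202.61.197.122", 53),    # DNS port, but not the configured resolver
        ("udp", "202.61.197.122", 53),
        ("tcp", "202.61.197.122", 6666),  # constructed connection to the same host
    ]
    for i, ip in enumerate(ipaddress.IPv4Network("100.64.0.0/16").hosts()):
        if i >= n_scan:
            break
        flows.append(("tcp", str(ip), 23 if i % 2 == 0 else 2323))
    return flows


def unexpected_dns_destinations(flows, configured=CONFIGURED_DNS):
    """Hosts that received port-53 traffic but are not a configured resolver.
    This fires even when the lookup itself is perfectly ordinary."""
    return sorted({dst for _, dst, port in flows
                   if port == 53 and dst not in configured})


def remote_host_count(flows):
    return len({dst for _, dst, _ in flows})


def port_profile(flows, top=3):
    """Most-targeted destination ports; a scan shows one or two ports dominating."""
    return Counter(port for _, _, port in flows).most_common(top)


def evaluate(flows):
    """Signature names from this report that the flow set triggers, with evidence."""
    hits = {}
    hosts = remote_host_count(flows)
    if hosts >= HOST_THRESHOLD:
        hits["Contacts a large amount of remote hosts"] = hosts
    if len(flows) >= FLOW_THRESHOLD:
        hits["Creates a large amount of network flows"] = len(flows)
    odd = unexpected_dns_destinations(flows)
    if odd:
        hits["Unexpected DNS network traffic destination"] = odd
    return hits


if __name__ == "__main__":
    sample = constructed_flows()
    for name, evidence in evaluate(sample).items():
        print(f"{name}: {evidence}")
    print("top destination ports:", port_profile(sample))
```

To run this against a real capture, replace constructed_flows() with tuples pulled from the pcap (for example with tshark -T fields -e ip.proto -e ip.dst -e tcp.dstport -e udp.dstport) and set CONFIGURED_DNS to the resolver actually handed to the VM. Distinct-host counting is what separates a scanner from a chatty but legitimate client: 2004 flows to two hosts is not a scan, 2004 flows to 2002 hosts is.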
- Enumerates active TCP sockets  [1 TTPs, 1 IoCs]
  Gets active TCP sockets from the /proc virtual filesystem. In the public Mirai killer this read (killer_kill_by_port) finds the inode of the socket listening on port 23 (and, when built with the rebind options, 22 and 80), resolves it to the owning pid through /proc/<pid>/fd, and kills that process so neither the device's own telnet daemon nor a rival bot holds the port.
  description               ioc             Process
  File opened for reading   /proc/net/tcp   splmpsl.elf
- Enumerates running processes
  Discovers information about currently running processes on the system.
  description               ioc                  Process
  File opened for reading   /proc/353/status     splmpsl.elf
  File opened for reading   /proc/391/status     splmpsl.elf
  File opened for reading   /proc/713/status     splmpsl.elf
  File opened for reading   /proc/760/cmdline    splmpsl.elf
  File opened for reading   /proc/770/cmdline    splmpsl.elf
  File opened for reading   /proc/787/cmdline    splmpsl.elf
  File opened for reading   /proc/262/status     splmpsl.elf
  File opened for reading   /proc/371/status     splmpsl.elf
  File opened for reading   /proc/388/status     splmpsl.elf
  File opened for reading   /proc/735/status     splmpsl.elf
  File opened for reading   /proc/771/cmdline    splmpsl.elf
  File opened for reading   /proc/392/status     splmpsl.elf
  File opened for reading   /proc/680/status     splmpsl.elf
  File opened for reading   /proc/697/status     splmpsl.elf
  File opened for reading   /proc/782/cmdline    splmpsl.elf
  File opened for reading   /proc/783/cmdline    splmpsl.elf
  File opened for reading   /proc/679/status     splmpsl.elf
  File opened for reading   /proc/773/cmdline    splmpsl.elf
  File opened for reading   /proc/778/cmdline    splmpsl.elf
  File opened for reading   /proc/699/status     splmpsl.elf
  File opened for reading   /proc/710/status     splmpsl.elf
  File opened for reading   /proc/746/status     splmpsl.elf
  File opened for reading   /proc/768/cmdline    splmpsl.elf
  File opened for reading   /proc/784/cmdline    splmpsl.elf
  File opened for reading   /proc/363/status     splmpsl.elf
  File opened for reading   /proc/382/status     splmpsl.elf
  File opened for reading   /proc/667/status     splmpsl.elf
  File opened for reading   /proc/self/maps      splmpsl.elf
  File opened for reading   /proc/774/cmdline    splmpsl.elf
  File opened for reading   /proc/202/status     splmpsl.elf
  File opened for reading   /proc/419/status     splmpsl.elf
  File opened for reading   /proc/711/status     splmpsl.elf
  File opened for reading   /proc/786/cmdline    splmpsl.elf
  File opened for reading   /proc/180/status     splmpsl.elf
  File opened for reading   /proc/359/status     splmpsl.elf
  File opened for reading   /proc/762/cmdline    splmpsl.elf
  File opened for reading   /proc/764/cmdline    splmpsl.elf
  File opened for reading   /proc/785/cmdline    splmpsl.elf
- Reads process memory  [1 TTPs, 15 IoCs]
  Reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials. Note that /proc/<pid>/maps only exposes the address-space layout (mapped files and ranges), not memory contents, which would require /proc/<pid>/mem and ptrace access; in Mirai-derived bots this walk is normally the killer routine hunting rival bots, and credential theft is the less likely reading. The pids whose maps are read here (760 to 787) are the same ones whose cmdline is read above, all just above the sample's own pid 741.
  description               ioc               Process
  File opened for reading   /proc/768/maps    splmpsl.elf
  File opened for reading   /proc/783/maps    splmpsl.elf
  File opened for reading   /proc/786/maps    splmpsl.elf
  File opened for reading   /proc/760/maps    splmpsl.elf
  File opened for reading   /proc/764/maps    splmpsl.elf
  File opened for reading   /proc/778/maps    splmpsl.elf
  File opened for reading   /proc/771/maps    splmpsl.elf
  File opened for reading   /proc/773/maps    splmpsl.elf
  File opened for reading   /proc/774/maps    splmpsl.elf
  File opened for reading   /proc/785/maps    splmpsl.elf
  File opened for reading   /proc/762/maps    splmpsl.elf
  File opened for reading   /proc/770/maps    splmpsl.elf
  File opened for reading   /proc/782/maps    splmpsl.elf
  File opened for reading   /proc/784/maps    splmpsl.elf
  File opened for reading   /proc/787/maps    splmpsl.elf
- Changes its process name  [1 IoCs]
  description                                                        pid   Process
  Changes the process name, possibly in an attempt to hide itself    741   splmpsl.elf
- Reads system network configuration  [1 TTPs, 1 IoCs]
  Uses contents of the /proc filesystem to enumerate network settings.
  description               ioc             Process
  File opened for reading   /proc/net/tcp   splmpsl.elf
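The /proc reads recorded under "Enumerates active TCP sockets", "Enumerates running processes" and "Reads system network configuration" are the raw material of a Mirai-style process killer, and decoding them by hand is error-prone (the addresses in /proc/net/tcp are hex in host byte order, so on a little-endian target such as mipsel the octets read back to front). The block below is an added example, not the sample's code and not tria.ge's: it parses the real kernel formats of /proc/net/tcp, /proc/<pid>/status and /proc/<pid>/cmdline, and joins a listening port to its owning pid the way the public Mirai killer does. FAKE_PROC is a constructed in-memory /proc tree so the code runs offline; every pid, process name and socket inode in it is made up.

```python
"""What this sample reads from /proc, reproduced offline (added example; not the
sample's code and not tria.ge's). Parsers are for the real kernel formats;
FAKE_PROC is a constructed in-memory tree with made-up pids, names and inodes.
pid_bound_to_port() is the inode join the public Mirai killer uses on port 23."""
import ipaddress

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Constructed /proc: telnetd listening on :23, something on 127.0.0.1:22 with no
# visible owner, and the bot with an established connection to 202.61.197.122:6666.
FAKE_PROC = {
    "/proc/net/tcp": (
        "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
        "   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0\n"
        "   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1301 1 00000000 100 0 0 10 0\n"
        "   2: 02007F0A:B3C2 7AC53DCA:1A0A 01 00000000:00000000 00:00000000 00000000     0        0 2048 1 00000000 20 4 30 10 -1\n"
    ),
    "/proc/353/status": "Name:\ttelnetd\nState:\tS (sleeping)\nPid:\t353\nPPid:\t1\n",
    "/proc/353/cmdline": b"/usr/sbin/telnetd\x00-l\x00/bin/login\x00",
    "/proc/353/fd": {"0": "/dev/null", "3": "socket:[1234]"},
    "/proc/741/status": "Name:\tsplmpsl.elf\nState:\tR (running)\nPid:\t741\nPPid:\t1\n",
    "/proc/741/cmdline": b"./splmpsl.elf\x00",
    "/proc/741/fd": {"3": "socket:[2048]"},
}


def decode_addr(field):
    """'0100007F:0016' -> ('127.0.0.1', 22). The IP is printed in host byte
    order, so on little-endian targets the octets are reversed; the port is
    plain big-endian hex."""
    ip_hex, port_hex = field.split(":")
    ip = ipaddress.IPv4Address(int.from_bytes(bytes.fromhex(ip_hex), "little"))
    return str(ip), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket: local/remote endpoints, state name and inode."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": TCP_STATES.get(f[3], f[3]), "inode": int(f[9])})
    return rows


def parse_status(text):
    """'Name:\\ttelnetd\\n...' -> {'Name': 'telnetd', ...}."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def parse_cmdline(data):
    """cmdline is NUL-separated argv with a trailing NUL."""
    return [arg.decode() for arg in data.split(b"\x00") if arg]


def pids(proc):
    return sorted(int(p.split("/")[2]) for p in proc if p.endswith("/status"))


def enumerate_processes(proc):
    """The per-pid status + cmdline reads listed on the report, as one table."""
    return {pid: {"name": parse_status(proc[f"/proc/{pid}/status"])["Name"],
                  "argv": parse_cmdline(proc[f"/proc/{pid}/cmdline"])}
            for pid in pids(proc)}


def pid_bound_to_port(proc, port):
    """Mirai killer_kill_by_port: take the inode of the LISTEN socket on `port`
    from /proc/net/tcp, then find the pid whose fd table holds socket:[inode]."""
    inodes = {r["inode"] for r in parse_proc_net_tcp(proc["/proc/net/tcp"])
              if r["local"][1] == port and r["state"] == "LISTEN"}
    for pid in pids(proc):
        for target in proc.get(f"/proc/{pid}/fd", {}).values():
            if target.startswith("socket:[") and int(target[8:-1]) in inodes:
                return pid
    return None


if __name__ == "__main__":
    for pid, info in enumerate_processes(FAKE_PROC).items():
        print(pid, info["name"], info["argv"])
    print("pid owning :23 ->", pid_bound_to_port(FAKE_PROC, 23))
```

On a live box the same functions work over a dict built with open().read() for the status, cmdline and net/tcp entries and os.readlink() over each /proc/<pid>/fd/* link; the fd table is the part that needs the reader to be root or the same uid as the target, which is why a bot running as root on a consumer router can kill telnetd but an unprivileged process cannot map the inode back to a pid.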