Analysis
  max time kernel: 47s
  max time network: 151s
  platform: debian-9_armhf
  resource: debian9-armhf-20240611-en
  resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  submitted: 01/02/2025, 13:42
Behavioral task
  behavioral1
    Sample: jklarm7.elf
    Resource: debian9-armhf-20240611-en
General
  Target: jklarm7.elf
  Size: 77KB
  MD5: 45a33a3f566fe9a6ee1e492d1905634d
  SHA1: 2839588f169759f13e9377f05128d862e7c00f6f
  SHA256: 84450bcfa08e7c33b1ea94302457a478b394ef0996f626ee5f1c60ab83024756
  SHA512: 501a80cf158c3d87cfa1e86c0730dc09f31e206f84ea9d7d1468b2fc08e9366c7e6d1609d6035d64c08842fb480403dd445d68de6e36061625d6780e17d83505
  SSDEEP: 1536:Zxn7gLqXIQHj0jLwdeEyQqF1G4/BSc9Zg9ZUzMVy9r2UQZdljuit+AG2:kLgIZjLqeECl/BSyIWzMVy9r2Nd+AB
Malware Config
Signatures
Contacts a large (109614) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

Deletes itself (1 IoC)
  pid 649, process jklarm7.elf

Modifies Watchdog functionality (1 TTP, 2 IoCs)
  Malware like Mirai disables the watchdog so that it cannot restart an infected system: the bot opens the watchdog device read-write and issues WDIOC_SETOPTIONS with WDIOS_DISABLECARD, so the hardware watchdog no longer reboots a device the bot has made unresponsive (a reboot would clear the memory-resident bot).
  File opened for modification: /dev/watchdog (process jklarm7.elf)
  File opened for modification: /dev/misc/watchdog (process jklarm7.elf)
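What "modifies the Watchdog" means at the syscall level, as an added example (not code from tria.ge or from the sample): Mirai's published source opens /dev/watchdog, falling back to /dev/misc/watchdog, with O_RDWR and calls ioctl(fd, 0x80045704, &one), which is WDIOC_SETOPTIONS carrying WDIOS_DISABLECARD. The Python below rebuilds that request number from the kernel's _IOC bit layout, names the watchdog ioctls, and scans strace-style output for an ioctl issued on a watchdog node. The trace lines are constructed to mirror this report's two file opens (first node absent, second present) and use raw hex request numbers, as strace prints with -e raw=ioctl; a real trace with timestamps would need those stripped first.

```python
"""Decode the watchdog ioctl that Mirai-family bots issue, and flag it in strace-style
output. Added example for this report; not code from tria.ge or from the sample."""
import re

# Linux _IOC() bit layout (include/uapi/asm-generic/ioctl.h): nr:8 | type:8 | size:14 | dir:2
_IOC_NRSHIFT, _IOC_TYPESHIFT, _IOC_SIZESHIFT, _IOC_DIRSHIFT = 0, 8, 16, 30
_IOC_NONE, _IOC_WRITE, _IOC_READ = 0, 1, 2


def ioc(direction, typ, nr, size):
    """Equivalent of the kernel's _IOC(dir, type, nr, size) macro."""
    return ((direction << _IOC_DIRSHIFT) | (size << _IOC_SIZESHIFT)
            | (ord(typ) << _IOC_TYPESHIFT) | (nr << _IOC_NRSHIFT))


def decode_ioc(req):
    """Inverse of ioc(): request number -> (dir, type, nr, size)."""
    return ((req >> _IOC_DIRSHIFT) & 0x3, chr((req >> _IOC_TYPESHIFT) & 0xFF),
            (req >> _IOC_NRSHIFT) & 0xFF, (req >> _IOC_SIZESHIFT) & 0x3FFF)


# include/uapi/linux/watchdog.h; sizeof(int) == 4 on every Linux ABI, armhf included.
WDIOC = {
    ioc(_IOC_READ, "W", 1, 4): "WDIOC_GETSTATUS",
    ioc(_IOC_READ, "W", 2, 4): "WDIOC_GETBOOTSTATUS",
    ioc(_IOC_READ, "W", 3, 4): "WDIOC_GETTEMP",
    ioc(_IOC_READ, "W", 4, 4): "WDIOC_SETOPTIONS",      # 0x80045704, the one Mirai uses
    ioc(_IOC_READ, "W", 5, 4): "WDIOC_KEEPALIVE",
    ioc(_IOC_READ | _IOC_WRITE, "W", 6, 4): "WDIOC_SETTIMEOUT",
    ioc(_IOC_READ, "W", 7, 4): "WDIOC_GETTIMEOUT",
}
WDIOS = {0x1: "WDIOS_DISABLECARD", 0x2: "WDIOS_ENABLECARD", 0x4: "WDIOS_TEMPPANIC"}
# The two nodes seen in this report, plus the numbered node newer kernels also expose.
WATCHDOG_NODES = ("/dev/watchdog", "/dev/misc/watchdog", "/dev/watchdog0")


def explain_ioctl(req, arg=None):
    """Name a watchdog request, expanding the WDIOC_SETOPTIONS flag word when given."""
    name = WDIOC.get(req)
    if name is None:
        d, t, nr, size = decode_ioc(req)
        return f"ioctl(type={t!r}, nr={nr}, size={size}, dir={d})"
    if name == "WDIOC_SETOPTIONS" and arg is not None:
        flags = [v for bit, v in WDIOS.items() if arg & bit] or [hex(arg)]
        return f"{name}({'|'.join(flags)})"
    return name


# Minimal strace line shapes (optional "[pid N]" prefix, raw hex ioctl request numbers).
_PID = r"^(?:\[pid\s+(?P<pid>\d+)\]\s+)?"
OPEN_RE = re.compile(_PID + r'open(?:at)?\((?:AT_FDCWD,\s*)?"(?P<path>[^"]+)",\s*'
                     r"(?P<flags>[A-Z_|]+)[^)]*\)\s*=\s*(?P<ret>-?\d+)")
IOCTL_RE = re.compile(_PID + r"ioctl\((?P<fd>\d+),\s*(?P<req>0x[0-9a-fA-F]+),\s*"
                      r"\[?(?P<arg>0x[0-9a-fA-F]+|\d+)?")
CLOSE_RE = re.compile(_PID + r"close\((?P<fd>\d+)\)")


def find_watchdog_tamper(trace):
    """Return (path, open_flags, request) for every ioctl on an open watchdog node."""
    fds, hits = {}, []          # (pid, fd) -> (path, flags) while the fd is open
    for line in trace.splitlines():
        if (m := OPEN_RE.match(line)):
            if int(m["ret"]) >= 0:
                fds[(m["pid"], int(m["ret"]))] = (m["path"], m["flags"])
        elif (m := IOCTL_RE.match(line)):
            path, flags = fds.get((m["pid"], int(m["fd"])), (None, None))
            if path in WATCHDOG_NODES:
                arg = int(m["arg"], 0) if m["arg"] else None
                hits.append((path, flags, explain_ioctl(int(m["req"], 16), arg)))
        elif (m := CLOSE_RE.match(line)):
            fds.pop((m["pid"], int(m["fd"])), None)
    return hits


# Constructed trace mirroring this report's IoCs (first node absent, second present).
SAMPLE_TRACE = """\
openat(AT_FDCWD, "/dev/watchdog", O_RDWR) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/dev/misc/watchdog", O_RDWR) = 3
ioctl(3, 0x80045704, [1]) = 0
close(3) = 0
openat(AT_FDCWD, "/proc/net/tcp", O_RDONLY) = 3
"""

if __name__ == "__main__":
    for hit in find_watchdog_tamper(SAMPLE_TRACE):
        print(*hit)
```

The O_RDWR open is what the sandbox reports as "opened for modification". On the defender side, a device whose watchdog driver is built with CONFIG_WATCHDOG_NOWAYOUT, or loaded with nowayout=1 (visible as /sys/class/watchdog/watchdog0/nowayout on kernels that expose the sysfs class), has its stop request refused by the watchdog core with EBUSY, so this ioctl fails and the reboot guarantee survives the infection.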
Renames itself (1 IoC)
  pid 649, process jklarm7.elf

Unexpected DNS network traffic destination (1 IoC)
  Traffic on the DNS port to a server other than the configured DNS servers was detected. Since the sample also reaches 109614 remote hosts, a single non-resolver destination on port 53 may be part of that scan rather than a resolver or C2 contact; confirm against the network capture before treating it as infrastructure.
  Destination IP: 185.181.61.24

Enumerates active TCP sockets (1 TTP, 1 IoC)
  Gets active TCP sockets from the /proc virtual filesystem.
  File opened for reading: /proc/net/tcp (process jklarm7.elf)
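The socket and process walk behind the "Enumerates active TCP sockets", "Reads system network configuration" and "Enumerates running processes" signatures, as an added example (not tria.ge's or the sample's code): a Mirai-style killer parses /proc/net/tcp for LISTEN sockets on the ports it wants for itself (22, 23, 80 in the published source), resolves each socket inode to a pid through /proc/<pid>/fd so it can kill the owner, and labels processes from /proc/<pid>/status and /proc/<pid>/cmdline, the two files this report shows the sample reading for dozens of pids. The /proc/net/tcp text below is constructed (its third row uses the report's 185.181.61.24 on port 53 as the remote end); the other functions read the live /proc of whichever host runs them, which also makes this a quick way for a defender to see what a bot would have found.

```python
"""Decode /proc/net/tcp and map listening sockets back to their owning processes.
Added example for this report; not code from tria.ge or from the sample."""
import os
import socket
import struct

TCP_LISTEN = 0x0A          # include/net/tcp_states.h

# Constructed /proc/net/tcp content: two listeners and one established flow whose
# remote end is the report's IoC address on the DNS port.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 00000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 00000000 100 0 0 10 0
   2: 1401A8C0:A3B2 183DB5B9:0035 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 00000000 20 4 30 10 -1
"""


def decode_addr(field, little_endian=True):
    """'0100007F:0017' -> ('127.0.0.1', 23).
    The kernel prints the __be32 address as a host-order hex word, so on little-endian
    hosts (x86, and armhf as in this report) the bytes appear reversed. Pass
    little_endian=False for a file captured on a big-endian box."""
    ip_hex, port_hex = field.split(":")
    fmt = "<I" if little_endian else ">I"
    return socket.inet_ntoa(struct.pack(fmt, int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text, little_endian=True):
    """One dict per socket row; the first line of the file is the column header."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "local": decode_addr(f[1], little_endian),
            "remote": decode_addr(f[2], little_endian),
            "state": int(f[3], 16),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def listening_ports(rows):
    """port -> socket inode for every LISTEN entry (what a killer selects on)."""
    return {r["local"][1]: r["inode"] for r in rows if r["state"] == TCP_LISTEN}


def pids_for_inodes(inodes, proc="/proc"):
    """inode -> [pid] by resolving every /proc/<pid>/fd/* 'socket:[N]' link.
    Processes that vanish or are unreadable (EACCES) are skipped, as they would be
    for an unprivileged bot as well."""
    owners = {}
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return owners
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fd_names = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fd_names:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:[") and target.endswith("]"):
                ino = int(target[8:-1])
                if ino in inodes:
                    owners.setdefault(ino, []).append(int(pid))
    return owners


def describe_pid(pid, proc="/proc"):
    """(Name from /proc/<pid>/status, argv from /proc/<pid>/cmdline); (None, []) if gone."""
    base = os.path.join(proc, str(pid))
    name, argv = None, []
    try:
        with open(os.path.join(base, "status")) as fh:
            for line in fh:
                if line.startswith("Name:"):
                    name = line.split(":", 1)[1].strip()
                    break
        with open(os.path.join(base, "cmdline"), "rb") as fh:
            argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    except OSError:
        pass
    return name, argv


if __name__ == "__main__":
    rows = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    listen = listening_ports(rows)
    print("listening:", listen)
    for ino, pids in pids_for_inodes(set(listen.values())).items():
        for pid in pids:
            print(ino, pid, describe_pid(pid))
```

Run as root the fd walk sees every process; as an ordinary user it only resolves sockets of processes with the same uid, which is why a bot that lands without privileges can still find and kill a same-uid telnetd but not one running as root.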
Enumerates running processes
  Discovers information about currently running processes on the system.
  IoCs (file opened for reading, process jklarm7.elf):
    /proc/<pid>/status for pids 139, 169, 216, 269, 270, 273, 284, 315, 316, 329, 583, 599, 603, 604, 635, 642, 644
    /proc/<pid>/cmdline for pids 679, 681, 682, 685, 686, 687, 689, 690, 692, 693, 697, 698, 699, 702, 703, 706, 707, 711, 713, 714, 715, 718, 720, 721, 723, 728, 734, 735, 736, 738, 740, 742, 744, 748, 750, 752, 754, 755, 756, 758, 759, 761, 762, 767, 768, 769
    /proc/self/maps

Reads process memory (1 TTP, 62 IoCs)
  Reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  Only /proc/<pid>/maps reads are listed; /proc/<pid>/mem does not appear in this report. The maps file gives each process's address layout and the paths of its mapped binaries and libraries, which a bot's killer routine can use to identify competing processes; the memory contents themselves would require a read of /proc/<pid>/mem.
  IoCs (file opened for reading, process jklarm7.elf):
    /proc/<pid>/maps for pids 678, 679, 681, 682, 685, 686, 687, 689, 690, 691, 692, 693, 695, 697, 698, 699, 701, 702, 703, 705, 706, 707, 709, 711, 713, 714, 715, 718, 720, 721, 722, 723, 726, 728, 730, 732, 733, 734, 735, 736, 738, 740, 742, 744, 745, 746, 748, 750, 752, 753, 754, 755, 756, 758, 759, 760, 761, 762, 766, 767, 768, 769

Changes its process name (1 IoC)
  Changes the process name, possibly in an attempt to hide itself.
  pid 649, process jklarm7.elf

Reads system network configuration (1 TTP, 1 IoC)
  Uses the contents of the /proc filesystem to enumerate network settings.
  File opened for reading: /proc/net/tcp (process jklarm7.elf)