Analysis
max time kernel: 139s
max time network: 155s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf image:debian9-armhf-20240611-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system
submitted: 06/03/2025, 11:17
Behavioral task: behavioral1
Sample: splarm7.elf
Resource: debian9-armhf-20240611-en
General
Target: splarm7.elf
Size: 78KB
MD5: a8c01822dd78feded3b335735aed537b
SHA1: 41c85552054f07fc42c2f2a6b381de525f4e7bda
SHA256: 1f429e2c3be03639b683b89caab099f6a1c5047a089c017d9d8e86d0ce12e48b
SHA512: 9ba831769961ae82f4dd76cbd647fa6fa29a5807721443eba7318193b545a78181dcff9ea5b596c16a79828e8e8de255c37dc66b3d98f3f7e181c7fd27b02b02
SSDEEP: 1536:FBnwFBrlZoytA8Sv6HP4oI7p9R4Kxfp421gVBl9qy8QudlLMibWRSU+:EBhZ68Sv6HP4j7KKxfp4KgVBl9qy81W2
Malware Config
Signatures
Contacts a large (66558) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description: File opened for modification | ioc: /dev/watchdog | Process: splarm7.elf
description: File opened for modification | ioc: /dev/misc/watchdog | Process: splarm7.elf

Renames itself (1 IoCs)
pid: 654 | Process: splarm7.elf

Unexpected DNS network traffic destination (1 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description: Destination IP | ioc: 202.61.197.122

Enumerates active TCP sockets (1 TTPs, 1 IoCs)
Gets active TCP sockets from /proc virtual filesystem.
description: File opened for reading | ioc: /proc/net/tcp | Process: splarm7.elf

Enumerates running processes
Discovers information about currently running processes on the system.

Reads process memory (1 TTPs, 64 IoCs)
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
Changes its process name (1 IoCs)
description: Changes the process name, possibly in an attempt to hide itself | ioc: systemd | pid: 654 | Process: splarm7.elf

Reads system network configuration (1 TTPs, 1 IoCs)
Uses contents of /proc filesystem to enumerate network settings.
description: File opened for reading | ioc: /proc/net/tcp | Process: splarm7.elf