Analysis
- max time kernel: 149s
- max time network: 154s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 06/03/2025, 14:42
Behavioral task
behavioral1
Sample
nabarm7.elf
Resource
debian9-armhf-20240611-en
General
- Target: nabarm7.elf
- Size: 60KB
- MD5: 0c58e9115cbf70013b03892f6d214034
- SHA1: b50ba301b902ef18102298d65cf2cf486b364caa
- SHA256: fb531b9c8d62d2e4fefe7e86921942555154d85d70648af680cb71118885ecc3
- SHA512: 6bccbdaf65560ed1d8af2fd9ec9aa19101f1966054642da3306881de425f919d9669b0e8f44064137647509f469f125c9777fce4c51fd25436275d2b8685dd2f
- SSDEEP: 1536:VxnH8q55qmevnpejyx2s+uJPQ7hkulqDJllt6iJSjiyg:oq55qmCQjyx23uJPQ7hkuQ71Sj5g
Malware Config
Signatures
-
Contacts a large (14892) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description                    ioc                  Process
File opened for modification   /dev/watchdog        nabarm7.elf
File opened for modification   /dev/misc/watchdog   nabarm7.elf
-
Renames itself 1 IoCs
pid   Process
647   nabarm7.elf
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description      ioc
Destination IP   152.53.15.127
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description               ioc             Process
File opened for reading   /proc/net/tcp   nabarm7.elf
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads process memory 1 TTPs 64 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
description               ioc              Process
File opened for reading   /proc/667/maps   nabarm7.elf
File opened for reading   /proc/677/maps   nabarm7.elf
File opened for reading   /proc/696/maps   nabarm7.elf
File opened for reading   /proc/727/maps   nabarm7.elf
File opened for reading   /proc/745/maps   nabarm7.elf
File opened for reading   /proc/747/maps   nabarm7.elf
File opened for reading   /proc/762/maps   nabarm7.elf
File opened for reading   /proc/766/maps   nabarm7.elf
File opened for reading   /proc/680/maps   nabarm7.elf
File opened for reading   /proc/705/maps   nabarm7.elf
File opened for reading   /proc/753/maps   nabarm7.elf
File opened for reading   /proc/758/maps   nabarm7.elf
File opened for reading   /proc/763/maps   nabarm7.elf
File opened for reading   /proc/768/maps   nabarm7.elf
File opened for reading   /proc/771/maps   nabarm7.elf
File opened for reading   /proc/774/maps   nabarm7.elf
File opened for reading   /proc/682/maps   nabarm7.elf
File opened for reading   /proc/691/maps   nabarm7.elf
File opened for reading   /proc/713/maps   nabarm7.elf
File opened for reading   /proc/726/maps   nabarm7.elf
File opened for reading   /proc/746/maps   nabarm7.elf
File opened for reading   /proc/750/maps   nabarm7.elf
File opened for reading   /proc/778/maps   nabarm7.elf
File opened for reading   /proc/782/maps   nabarm7.elf
File opened for reading   /proc/681/maps   nabarm7.elf
File opened for reading   /proc/685/maps   nabarm7.elf
File opened for reading   /proc/703/maps   nabarm7.elf
File opened for reading   /proc/715/maps   nabarm7.elf
File opened for reading   /proc/775/maps   nabarm7.elf
File opened for reading   /proc/776/maps   nabarm7.elf
File opened for reading   /proc/780/maps   nabarm7.elf
File opened for reading   /proc/669/maps   nabarm7.elf
File opened for reading   /proc/704/maps   nabarm7.elf
File opened for reading   /proc/721/maps   nabarm7.elf
File opened for reading   /proc/722/maps   nabarm7.elf
File opened for reading   /proc/757/maps   nabarm7.elf
File opened for reading   /proc/767/maps   nabarm7.elf
File opened for reading   /proc/777/maps   nabarm7.elf
File opened for reading   /proc/779/maps   nabarm7.elf
File opened for reading   /proc/719/maps   nabarm7.elf
File opened for reading   /proc/720/maps   nabarm7.elf
File opened for reading   /proc/723/maps   nabarm7.elf
File opened for reading   /proc/672/maps   nabarm7.elf
File opened for reading   /proc/674/maps   nabarm7.elf
File opened for reading   /proc/686/maps   nabarm7.elf
File opened for reading   /proc/693/maps   nabarm7.elf
File opened for reading   /proc/694/maps   nabarm7.elf
File opened for reading   /proc/709/maps   nabarm7.elf
File opened for reading   /proc/670/maps   nabarm7.elf
File opened for reading   /proc/675/maps   nabarm7.elf
File opened for reading   /proc/678/maps   nabarm7.elf
File opened for reading   /proc/683/maps   nabarm7.elf
File opened for reading   /proc/684/maps   nabarm7.elf
File opened for reading   /proc/710/maps   nabarm7.elf
File opened for reading   /proc/712/maps   nabarm7.elf
File opened for reading   /proc/695/maps   nabarm7.elf
File opened for reading   /proc/700/maps   nabarm7.elf
File opened for reading   /proc/729/maps   nabarm7.elf
File opened for reading   /proc/733/maps   nabarm7.elf
File opened for reading   /proc/737/maps   nabarm7.elf
File opened for reading   /proc/743/maps   nabarm7.elf
File opened for reading   /proc/749/maps   nabarm7.elf
File opened for reading   /proc/756/maps   nabarm7.elf
File opened for reading   /proc/706/maps   nabarm7.elf
-
Changes its process name 1 IoCs
description                                                    ioc              pid   Process
Changes the process name, possibly in an attempt to hide itself   apt.systemd.dai   647   nabarm7.elf
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description               ioc             Process
File opened for reading   /proc/net/tcp   nabarm7.elf
-
description               ioc                 Process
File opened for reading   /proc/461/status    nabarm7.elf
File opened for reading   /proc/689/cmdline   nabarm7.elf
File opened for reading   /proc/706/cmdline   nabarm7.elf
File opened for reading   /proc/740/cmdline   nabarm7.elf
File opened for reading   /proc/749/cmdline   nabarm7.elf
File opened for reading   /proc/763/cmdline   nabarm7.elf
File opened for reading   /proc/738/cmdline   nabarm7.elf
File opened for reading   /proc/741/cmdline   nabarm7.elf
File opened for reading   /proc/752/cmdline   nabarm7.elf
File opened for reading   /proc/761/cmdline   nabarm7.elf
File opened for reading   /proc/23/comm       nabarm7.elf
File opened for reading   /proc/28/comm       nabarm7.elf
File opened for reading   /proc/602/comm      nabarm7.elf
File opened for reading   /proc/682/cmdline   nabarm7.elf
File opened for reading   /proc/713/cmdline   nabarm7.elf
File opened for reading   /proc/722/cmdline   nabarm7.elf
File opened for reading   /proc/731/cmdline   nabarm7.elf
File opened for reading   /proc/769/cmdline   nabarm7.elf
File opened for reading   /proc/685/cmdline   nabarm7.elf
File opened for reading   /proc/703/cmdline   nabarm7.elf
File opened for reading   /proc/728/cmdline   nabarm7.elf
File opened for reading   /proc/747/cmdline   nabarm7.elf
File opened for reading   /proc/773/cmdline   nabarm7.elf
File opened for reading   /proc/13/comm       nabarm7.elf
File opened for reading   /proc/27/comm       nabarm7.elf
File opened for reading   /proc/275/comm      nabarm7.elf
File opened for reading   /proc/639/comm      nabarm7.elf
File opened for reading   /proc/646/comm      nabarm7.elf
File opened for reading   /proc/275/status    nabarm7.elf
File opened for reading   /proc/277/status    nabarm7.elf
File opened for reading   /proc/692/cmdline   nabarm7.elf
File opened for reading   /proc/696/cmdline   nabarm7.elf
File opened for reading   /proc/753/cmdline   nabarm7.elf
File opened for reading   /proc/41/comm       nabarm7.elf
File opened for reading   /proc/147/comm      nabarm7.elf
File opened for reading   /proc/267/status    nabarm7.elf
File opened for reading   /proc/309/status    nabarm7.elf
File opened for reading   /proc/710/cmdline   nabarm7.elf
File opened for reading   /proc/737/cmdline   nabarm7.elf
File opened for reading   /proc/744/cmdline   nabarm7.elf
File opened for reading   /proc/756/cmdline   nabarm7.elf
File opened for reading   /proc/75/comm       nabarm7.elf
File opened for reading   /proc/691/cmdline   nabarm7.elf
File opened for reading   /proc/7/comm        nabarm7.elf
File opened for reading   /proc/14/comm       nabarm7.elf
File opened for reading   /proc/642/comm      nabarm7.elf
File opened for reading   /proc/self/maps     nabarm7.elf
File opened for reading   /proc/686/cmdline   nabarm7.elf
File opened for reading   /proc/702/cmdline   nabarm7.elf
File opened for reading   /proc/705/cmdline   nabarm7.elf
File opened for reading   /proc/724/cmdline   nabarm7.elf
File opened for reading   /proc/43/comm       nabarm7.elf
File opened for reading   /proc/640/status    nabarm7.elf
File opened for reading   /proc/681/cmdline   nabarm7.elf
File opened for reading   /proc/732/cmdline   nabarm7.elf
File opened for reading   /proc/775/cmdline   nabarm7.elf
File opened for reading   /proc/648/comm      nabarm7.elf
File opened for reading   /proc/673/cmdline   nabarm7.elf
File opened for reading   /proc/676/cmdline   nabarm7.elf
File opened for reading   /proc/774/cmdline   nabarm7.elf
File opened for reading   /proc/5/comm        nabarm7.elf
File opened for reading   /proc/6/comm        nabarm7.elf
File opened for reading   /proc/165/comm      nabarm7.elf
File opened for reading   /proc/280/comm      nabarm7.elf