Analysis
- max time kernel: 129s
- max time network: 160s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 10/03/2025, 22:47
Behavioral task: behavioral1
- Sample: jklarm7.elf
- Resource: debian9-armhf-20240611-en
General
- Target: jklarm7.elf
- Size: 82KB
- MD5: a9675614a267473cb83e195d9074a067
- SHA1: a4d148cf841fc2b84c8bb3dd322e40f601532875
- SHA256: fe4e8d464b7849a5483782d0c47e53deaf199e284badad12ed98ca79e47a79d9
- SHA512: 8adcc5df013328218823d3310bcc4f27f6e1e9e51de2e7ecd5521873f5ac6cc2315f9136e1599f1da4114e65eaed23449e78f9ce04062243aa8ec793086b1c28
- SSDEEP: 1536:BRn0RQX3XBK48wT+4D3H2qFzu6gRGrkesfzx3n7etZNlncUGqDllWYi/XRAsmzXT:XXnBA4D3HLFzut/euzN7etZNlncUSpXk
Malware Config
Signatures
- Contacts a large (107932) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description: File opened for modification; ioc: /dev/watchdog; Process: jklarm7.elf
  description: File opened for modification; ioc: /dev/misc/watchdog; Process: jklarm7.elf
- Renames itself (1 IoCs)
  pid: 652; Process: jklarm7.elf
- Unexpected DNS network traffic destination (1 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description: Destination IP; ioc: 152.53.15.127
- Enumerates active TCP sockets (1 TTPs, 1 IoCs)
  Gets active TCP sockets from the /proc virtual filesystem.
  description: File opened for reading; ioc: /proc/net/tcp; Process: jklarm7.elf
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Reads process memory (1 TTPs, 64 IoCs)
  Reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
- Changes its process name (1 IoCs)
  description: Changes the process name, possibly in an attempt to hide itself; ioc: atd; pid: 652; Process: jklarm7.elf
- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of the /proc filesystem to enumerate network settings.
  description: File opened for reading; ioc: /proc/net/tcp; Process: jklarm7.elf