Analysis
max time kernel: 149s
max time network: 152s
platform: debian-12_armhf
resource: debian12-armhf-20240729-en
resource tags: arch:armhf, image:debian12-armhf-20240729-en, kernel:6.1.0-17-armmp-lpae, locale:en-us, os:debian-12-armhf, system
submitted: 28/03/2025, 03:33
Static task: static1
Behavioral task: behavioral1
Sample: arm5.elf
Resource: debian12-armhf-20240729-en
General
Target: arm5.elf
Size: 116KB
MD5: 2801ac08801e960a9e9f1d2abd7f5b4b
SHA1: 48ba8d8b3ec5d718697835279f637b0ae45b6081
SHA256: 5b228f994b7fe9ec41e8d1ff535aa7842bce3fc38b03a9009139a31e2077e7f5
SHA512: 01dee1178b76c3feef9158f8820407d65e074e2a43d0facbbfb9839eff0f5c966314419ba82a25a3394c9e20054c86f69af96c18bfe2dcbd0408301879954854
SSDEEP: 3072:RBmKyo0CgHtFdRtoH0skJkZaWL4YuBRBG6f3ON1LknQ/:RBmKyo0CgHtFdH4qJ7W/IRBhf61L
Malware Config
Signatures
- Contacts a large (33424) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Renames itself (1 IoCs)
  pid   Process
  703   arm5.elf

- Unexpected DNS network traffic destination (1 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description      ioc
  Destination IP   208.67.222.222

- Enumerates running processes
  Discovers information about currently running processes on the system

- Reads process memory (1 TTPs, 19 IoCs)
  Reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  description               ioc              Process
  File opened for reading   /proc/728/maps   arm5.elf
  File opened for reading   /proc/349/maps   arm5.elf
  File opened for reading   /proc/713/maps   arm5.elf
  File opened for reading   /proc/719/maps   arm5.elf
  File opened for reading   /proc/720/maps   arm5.elf
  File opened for reading   /proc/722/maps   arm5.elf
  File opened for reading   /proc/724/maps   arm5.elf
  File opened for reading   /proc/726/maps   arm5.elf
  File opened for reading   /proc/1/maps     arm5.elf
  File opened for reading   /proc/664/maps   arm5.elf
  File opened for reading   /proc/715/maps   arm5.elf
  File opened for reading   /proc/723/maps   arm5.elf
  File opened for reading   /proc/716/maps   arm5.elf
  File opened for reading   /proc/721/maps   arm5.elf
  File opened for reading   /proc/352/maps   arm5.elf
  File opened for reading   /proc/663/maps   arm5.elf
  File opened for reading   /proc/714/maps   arm5.elf
  File opened for reading   /proc/725/maps   arm5.elf
  File opened for reading   /proc/727/maps   arm5.elf

- Changes its process name (1 IoCs)
  description                                                       ioc           pid   Process
  Changes the process name, possibly in an attempt to hide itself   dvrRecorder   703   arm5.elf
  description               ioc                 Process
  File opened for reading   /proc/630/fd        arm5.elf
  File opened for reading   /proc/711/cmdline   arm5.elf
  File opened for reading   /proc/723/cmdline   arm5.elf
  File opened for reading   /proc/727/cmdline   arm5.elf
  File opened for reading   /proc/18/cmdline    arm5.elf
  File opened for reading   /proc/288/cmdline   arm5.elf
  File opened for reading   /proc/338/cmdline   arm5.elf
  File opened for reading   /proc/648/cmdline   arm5.elf
  File opened for reading   /proc/mounts        arm5.elf
  File opened for reading   /proc/2/cmdline     arm5.elf
  File opened for reading   /proc/12/cmdline    arm5.elf
  File opened for reading   /proc/42/cmdline    arm5.elf
  File opened for reading   /proc/51/cmdline    arm5.elf
  File opened for reading   /proc/706/cmdline   arm5.elf
  File opened for reading   /proc/724/fd        arm5.elf
  File opened for reading   /proc/9/cmdline     arm5.elf
  File opened for reading   /proc/28/cmdline    arm5.elf
  File opened for reading   /proc/705/cmdline   arm5.elf
  File opened for reading   /proc/713/cmdline   arm5.elf
  File opened for reading   /proc/721/cmdline   arm5.elf
  File opened for reading   /proc/722/cmdline   arm5.elf
  File opened for reading   /proc/724/cmdline   arm5.elf
  File opened for reading   /proc/726/fd        arm5.elf
  File opened for reading   /proc/328/fd        arm5.elf
  File opened for reading   /proc/682/fd        arm5.elf
  File opened for reading   /proc/20/cmdline    arm5.elf
  File opened for reading   /proc/22/cmdline    arm5.elf
  File opened for reading   /proc/197/cmdline   arm5.elf
  File opened for reading   /proc/327/fd        arm5.elf
  File opened for reading   /proc/716/cmdline   arm5.elf
  File opened for reading   /proc/4/cmdline     arm5.elf
  File opened for reading   /proc/679/cmdline   arm5.elf
  File opened for reading   /proc/704/fd        arm5.elf
  File opened for reading   /proc/720/fd        arm5.elf
  File opened for reading   /proc/711/fd        arm5.elf
  File opened for reading   /proc/23/cmdline    arm5.elf
  File opened for reading   /proc/31/cmdline    arm5.elf
  File opened for reading   /proc/186/cmdline   arm5.elf
  File opened for reading   /proc/269/cmdline   arm5.elf
  File opened for reading   /proc/364/fd        arm5.elf
  File opened for reading   /proc/714/cmdline   arm5.elf
  File opened for reading   /proc/25/cmdline    arm5.elf
  File opened for reading   /proc/27/cmdline    arm5.elf
  File opened for reading   /proc/678/fd        arm5.elf
  File opened for reading   /proc/679/fd        arm5.elf
  File opened for reading   /proc/15/cmdline    arm5.elf
  File opened for reading   /proc/30/cmdline    arm5.elf
  File opened for reading   /proc/44/cmdline    arm5.elf
  File opened for reading   /proc/73/cmdline    arm5.elf
  File opened for reading   /proc/347/cmdline   arm5.elf
  File opened for reading   /proc/364/cmdline   arm5.elf
  File opened for reading   /proc/726/cmdline   arm5.elf
  File opened for reading   /proc/3/cmdline     arm5.elf
  File opened for reading   /proc/328/cmdline   arm5.elf
  File opened for reading   /proc/663/cmdline   arm5.elf
  File opened for reading   /proc/344/fd        arm5.elf
  File opened for reading   /proc/709/fd        arm5.elf
  File opened for reading   /proc/17/cmdline    arm5.elf
  File opened for reading   /proc/142/cmdline   arm5.elf
  File opened for reading   /proc/278/fd        arm5.elf
  File opened for reading   /proc/45/cmdline    arm5.elf
  File opened for reading   /proc/725/cmdline   arm5.elf
  File opened for reading   /proc/16/cmdline    arm5.elf
  File opened for reading   /proc/57/cmdline    arm5.elf