Analysis
max time kernel: 100s
max time network: 150s
platform: debian-9_armhf
resource: debian9-armhf-20240729-en
resource tags: arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 28/03/2025, 03:18
Static task: static1
Behavioral task: behavioral1
Sample: arm7.elf
Resource: debian9-armhf-20240729-en
General
Target: arm7.elf
Size: 109KB
MD5: 2cccc432f7b7f8bb28587af1e988f743
SHA1: eedf04f9007ce8bbb156f2bdd749de6dbc7bf325
SHA256: 3182469b7e45ecf54dafe3536b38dbe82e2d4fc94537fdb98d61a48fac2c097f
SHA512: 8cb0ae2e3e0821d51acc6ecd1b392f823d11984feb4aacbd60970be683a85596240cbaacd16b33e6bcbeb026e13adb59be4dbc07e68816bcb19f859aa51d5112
SSDEEP: 3072:wMS4g67OOit36Y5lRon+cBIHCyJfKaEc6JPBj1MVs+mkWnl:wMS4g67OOit36+UngHJiaEc6JPBpMcX
Malware Config
Signatures

Contacts a large (29819) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Renames itself (1 IoCs)
pid   Process
643   arm7.elf

Unexpected DNS network traffic destination (1 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description      ioc
Destination IP   208.67.220.220

Enumerates running processes
Discovers information about currently running processes on the system
description               ioc                   Process
File opened for reading   /proc/25/cmdline      arm7.elf
File opened for reading   /proc/1/fd            arm7.elf
File opened for reading   /proc/665/cmdline     arm7.elf
File opened for reading   /proc/670/cmdline     arm7.elf
File opened for reading   /proc/309/cmdline     arm7.elf
File opened for reading   /proc/587/fd          arm7.elf
File opened for reading   /proc/683/cmdline     arm7.elf
File opened for reading   /proc/718/fd          arm7.elf
File opened for reading   /proc/723/fd          arm7.elf
File opened for reading   /proc/19/cmdline      arm7.elf
File opened for reading   /proc/164/cmdline     arm7.elf
File opened for reading   /proc/284/cmdline     arm7.elf
File opened for reading   /proc/692/fd          arm7.elf
File opened for reading   /proc/702/cmdline     arm7.elf
File opened for reading   /proc/709/fd          arm7.elf
File opened for reading   /proc/711/cmdline     arm7.elf
File opened for reading   /proc/714/cmdline     arm7.elf
File opened for reading   /proc/16/cmdline      arm7.elf
File opened for reading   /proc/642/cmdline     arm7.elf
File opened for reading   /proc/284/fd          arm7.elf
File opened for reading   /proc/661/cmdline     arm7.elf
File opened for reading   /proc/648/fd          arm7.elf
File opened for reading   /proc/681/cmdline     arm7.elf
File opened for reading   /proc/707/cmdline     arm7.elf
File opened for reading   /proc/722/cmdline     arm7.elf
File opened for reading   /proc/mounts          arm7.elf
File opened for reading   /proc/1/cmdline       arm7.elf
File opened for reading   /proc/7/cmdline       arm7.elf
File opened for reading   /proc/655/cmdline     arm7.elf
File opened for reading   /proc/657/cmdline     arm7.elf
File opened for reading   /proc/671/cmdline     arm7.elf
File opened for reading   /proc/712/fd          arm7.elf
File opened for reading   /proc/725/cmdline     arm7.elf
File opened for reading   /proc/17/cmdline      arm7.elf
File opened for reading   /proc/26/cmdline      arm7.elf
File opened for reading   /proc/139/cmdline     arm7.elf
File opened for reading   /proc/220/cmdline     arm7.elf
File opened for reading   /proc/276/cmdline     arm7.elf
File opened for reading   /proc/676/fd          arm7.elf
File opened for reading   /proc/684/cmdline     arm7.elf
File opened for reading   /proc/686/fd          arm7.elf
File opened for reading   /proc/656/cmdline     arm7.elf
File opened for reading   /proc/662/fd          arm7.elf
File opened for reading   /proc/677/cmdline     arm7.elf
File opened for reading   /proc/695/fd          arm7.elf
File opened for reading   /proc/713/fd          arm7.elf
File opened for reading   /proc/715/cmdline     arm7.elf
File opened for reading   /proc/722/fd          arm7.elf
File opened for reading   /proc/75/cmdline      arm7.elf
File opened for reading   /proc/105/cmdline     arm7.elf
File opened for reading   /proc/589/cmdline     arm7.elf
File opened for reading   /proc/682/cmdline     arm7.elf
File opened for reading   /proc/700/fd          arm7.elf
File opened for reading   /proc/716/fd          arm7.elf
File opened for reading   /proc/720/fd          arm7.elf
File opened for reading   /proc/724/cmdline     arm7.elf
File opened for reading   /proc/97/cmdline      arm7.elf
File opened for reading   /proc/142/cmdline     arm7.elf
File opened for reading   /proc/647/cmdline     arm7.elf
File opened for reading   /proc/673/cmdline     arm7.elf
File opened for reading   /proc/691/cmdline     arm7.elf
File opened for reading   /proc/713/cmdline     arm7.elf
File opened for reading   /proc/715/fd          arm7.elf
File opened for reading   /proc/716/cmdline     arm7.elf

Reads process memory (1 TTPs, 64 IoCs)
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
description               ioc                   Process
File opened for reading   /proc/661/maps        arm7.elf
File opened for reading   /proc/666/maps        arm7.elf
File opened for reading   /proc/694/maps        arm7.elf
File opened for reading   /proc/698/maps        arm7.elf
File opened for reading   /proc/710/maps        arm7.elf
File opened for reading   /proc/712/maps        arm7.elf
File opened for reading   /proc/692/maps        arm7.elf
File opened for reading   /proc/696/maps        arm7.elf
File opened for reading   /proc/720/maps        arm7.elf
File opened for reading   /proc/721/maps        arm7.elf
File opened for reading   /proc/684/maps        arm7.elf
File opened for reading   /proc/686/maps        arm7.elf
File opened for reading   /proc/702/maps        arm7.elf
File opened for reading   /proc/722/maps        arm7.elf
File opened for reading   /proc/653/maps        arm7.elf
File opened for reading   /proc/656/maps        arm7.elf
File opened for reading   /proc/663/maps        arm7.elf
File opened for reading   /proc/667/maps        arm7.elf
File opened for reading   /proc/680/maps        arm7.elf
File opened for reading   /proc/685/maps        arm7.elf
File opened for reading   /proc/707/maps        arm7.elf
File opened for reading   /proc/708/maps        arm7.elf
File opened for reading   /proc/705/maps        arm7.elf
File opened for reading   /proc/662/maps        arm7.elf
File opened for reading   /proc/677/maps        arm7.elf
File opened for reading   /proc/683/maps        arm7.elf
File opened for reading   /proc/715/maps        arm7.elf
File opened for reading   /proc/665/maps        arm7.elf
File opened for reading   /proc/676/maps        arm7.elf
File opened for reading   /proc/678/maps        arm7.elf
File opened for reading   /proc/695/maps        arm7.elf
File opened for reading   /proc/697/maps        arm7.elf
File opened for reading   /proc/664/maps        arm7.elf
File opened for reading   /proc/669/maps        arm7.elf
File opened for reading   /proc/691/maps        arm7.elf
File opened for reading   /proc/701/maps        arm7.elf
File opened for reading   /proc/711/maps        arm7.elf
File opened for reading   /proc/592/maps        arm7.elf
File opened for reading   /proc/681/maps        arm7.elf
File opened for reading   /proc/309/maps        arm7.elf
File opened for reading   /proc/652/maps        arm7.elf
File opened for reading   /proc/671/maps        arm7.elf
File opened for reading   /proc/672/maps        arm7.elf
File opened for reading   /proc/673/maps        arm7.elf
File opened for reading   /proc/713/maps        arm7.elf
File opened for reading   /proc/714/maps        arm7.elf
File opened for reading   /proc/660/maps        arm7.elf
File opened for reading   /proc/709/maps        arm7.elf
File opened for reading   /proc/307/maps        arm7.elf
File opened for reading   /proc/655/maps        arm7.elf
File opened for reading   /proc/670/maps        arm7.elf
File opened for reading   /proc/682/maps        arm7.elf
File opened for reading   /proc/689/maps        arm7.elf
File opened for reading   /proc/699/maps        arm7.elf
File opened for reading   /proc/718/maps        arm7.elf
File opened for reading   /proc/724/maps        arm7.elf
File opened for reading   /proc/675/maps        arm7.elf
File opened for reading   /proc/601/maps        arm7.elf
File opened for reading   /proc/654/maps        arm7.elf
File opened for reading   /proc/690/maps        arm7.elf
File opened for reading   /proc/700/maps        arm7.elf
File opened for reading   /proc/725/maps        arm7.elf
File opened for reading   /proc/1/maps          arm7.elf
File opened for reading   /proc/687/maps        arm7.elf

Changes its process name (1 IoCs)
description                                                       ioc          pid   Process
Changes the process name, possibly in an attempt to hide itself   dvrUpdater   643   arm7.elf