Analysis
  max time kernel: 149s
  max time network: 162s
  platform: debian-12_armhf
  resource: debian12-armhf-20240221-en
  resource tags: arch:armhf, image:debian12-armhf-20240221-en, kernel:6.1.0-17-armmp-lpae, locale:en-us, os:debian-12-armhf, system
  submitted: 28/03/2025, 03:48
Static task: static1
Behavioral task: behavioral1
  Sample: arm6.elf
  Resource: debian12-armhf-20240221-en
General
  Target: arm6.elf
  Size: 116KB
  MD5: 6c04e05f915c597955f76bbb94cb86b7
  SHA1: 275158212364f282a2c77ded085607090a25e08e
  SHA256: 70871aedab0f9d4f5da309709738ed89fc6e0461457f2a3812c9a6d91ac73168
  SHA512: 642124378333756291599d15a9465d78d328df279f9ff71865eb192d71b7b982e0d8007646951637cbaafdc069b3231998357c9e8ea60db9897264096f69abbc
  SSDEEP: 3072:fBmKyo0CgHtFdRtoH0skJkZaWL4YuBRBG6f3ON1LknQ/:fBmKyo0CgHtFdH4qJ7W/IRBhf61L
Malware Config
Signatures
Contacts a large (30004) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Renames itself (1 IoCs)
  pid   Process
  712   arm6.elf

Unexpected DNS network traffic destination (6 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description     ioc
  Destination IP  208.67.222.222
  Destination IP  208.67.222.222
  Destination IP  208.67.222.222
  Destination IP  208.67.220.220
  Destination IP  208.67.222.222
  Destination IP  208.67.220.220
Enumerates running processes
  Discovers information about currently running processes on the system.

Reads process memory (1 TTPs, 23 IoCs)
  Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  description              ioc                 Process
  File opened for reading  /proc/347/maps      arm6.elf
  File opened for reading  /proc/722/maps      arm6.elf
  File opened for reading  /proc/728/maps      arm6.elf
  File opened for reading  /proc/735/maps      arm6.elf
  File opened for reading  /proc/741/maps      arm6.elf
  File opened for reading  /proc/1/maps        arm6.elf
  File opened for reading  /proc/350/maps      arm6.elf
  File opened for reading  /proc/725/maps      arm6.elf
  File opened for reading  /proc/731/maps      arm6.elf
  File opened for reading  /proc/733/maps      arm6.elf
  File opened for reading  /proc/660/maps      arm6.elf
  File opened for reading  /proc/663/maps      arm6.elf
  File opened for reading  /proc/726/maps      arm6.elf
  File opened for reading  /proc/727/maps      arm6.elf
  File opened for reading  /proc/730/maps      arm6.elf
  File opened for reading  /proc/734/maps      arm6.elf
  File opened for reading  /proc/744/maps      arm6.elf
  File opened for reading  /proc/729/maps      arm6.elf
  File opened for reading  /proc/732/maps      arm6.elf
  File opened for reading  /proc/736/maps      arm6.elf
  File opened for reading  /proc/742/maps      arm6.elf
  File opened for reading  /proc/743/maps      arm6.elf
  File opened for reading  /proc/745/maps      arm6.elf
Changes its process name (1 IoCs)
  description                                                   ioc         pid   Process
  Changes the process name, possibly in an attempt to hide itself  dvrEncoder  712   arm6.elf

Additional /proc reads (cmdline, fd and mounts)
  description              ioc                 Process
  File opened for reading  /proc/701/cmdline   arm6.elf
  File opened for reading  /proc/212/fd        arm6.elf
  File opened for reading  /proc/28/cmdline    arm6.elf
  File opened for reading  /proc/347/cmdline   arm6.elf
  File opened for reading  /proc/714/cmdline   arm6.elf
  File opened for reading  /proc/720/cmdline   arm6.elf
  File opened for reading  /proc/725/cmdline   arm6.elf
  File opened for reading  /proc/10/cmdline    arm6.elf
  File opened for reading  /proc/679/cmdline   arm6.elf
  File opened for reading  /proc/717/cmdline   arm6.elf
  File opened for reading  /proc/735/fd        arm6.elf
  File opened for reading  /proc/33/cmdline    arm6.elf
  File opened for reading  /proc/323/fd        arm6.elf
  File opened for reading  /proc/mounts        arm6.elf
  File opened for reading  /proc/31/cmdline    arm6.elf
  File opened for reading  /proc/12/cmdline    arm6.elf
  File opened for reading  /proc/22/cmdline    arm6.elf
  File opened for reading  /proc/42/cmdline    arm6.elf
  File opened for reading  /proc/301/cmdline   arm6.elf
  File opened for reading  /proc/188/fd        arm6.elf
  File opened for reading  /proc/727/cmdline   arm6.elf
  File opened for reading  /proc/732/fd        arm6.elf
  File opened for reading  /proc/15/cmdline    arm6.elf
  File opened for reading  /proc/45/cmdline    arm6.elf
  File opened for reading  /proc/663/cmdline   arm6.elf
  File opened for reading  /proc/745/fd        arm6.elf
  File opened for reading  /proc/350/fd        arm6.elf
  File opened for reading  /proc/743/fd        arm6.elf
  File opened for reading  /proc/212/cmdline   arm6.elf
  File opened for reading  /proc/213/cmdline   arm6.elf
  File opened for reading  /proc/660/fd        arm6.elf
  File opened for reading  /proc/732/cmdline   arm6.elf
  File opened for reading  /proc/717/fd        arm6.elf
  File opened for reading  /proc/4/cmdline     arm6.elf
  File opened for reading  /proc/323/cmdline   arm6.elf
  File opened for reading  /proc/301/fd        arm6.elf
  File opened for reading  /proc/736/fd        arm6.elf
  File opened for reading  /proc/2/cmdline     arm6.elf
  File opened for reading  /proc/17/cmdline    arm6.elf
  File opened for reading  /proc/29/cmdline    arm6.elf
  File opened for reading  /proc/56/cmdline    arm6.elf
  File opened for reading  /proc/710/cmdline   arm6.elf
  File opened for reading  /proc/365/fd        arm6.elf
  File opened for reading  /proc/733/fd        arm6.elf
  File opened for reading  /proc/1/cmdline     arm6.elf
  File opened for reading  /proc/25/cmdline    arm6.elf
  File opened for reading  /proc/57/cmdline    arm6.elf
  File opened for reading  /proc/142/cmdline   arm6.elf
  File opened for reading  /proc/715/fd        arm6.elf
  File opened for reading  /proc/741/cmdline   arm6.elf
  File opened for reading  /proc/143/cmdline   arm6.elf
  File opened for reading  /proc/321/cmdline   arm6.elf
  File opened for reading  /proc/325/cmdline   arm6.elf
  File opened for reading  /proc/713/fd        arm6.elf
  File opened for reading  /proc/20/cmdline    arm6.elf
  File opened for reading  /proc/365/cmdline   arm6.elf
  File opened for reading  /proc/663/fd        arm6.elf
  File opened for reading  /proc/679/fd        arm6.elf
  File opened for reading  /proc/720/fd        arm6.elf
  File opened for reading  /proc/735/cmdline   arm6.elf
  File opened for reading  /proc/13/cmdline    arm6.elf
  File opened for reading  /proc/660/cmdline   arm6.elf
  File opened for reading  /proc/728/cmdline   arm6.elf
  File opened for reading  /proc/729/fd        arm6.elf