Analysis

  • max time kernel
    149s
  • max time network
    162s
  • platform
    debian-12_armhf
  • resource
    debian12-armhf-20240221-en
  • resource tags

    arch:armhfimage:debian12-armhf-20240221-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
  • submitted
    28/03/2025, 03:48

General

  • Target

    arm6.elf

  • Size

    116KB

  • MD5

    6c04e05f915c597955f76bbb94cb86b7

  • SHA1

    275158212364f282a2c77ded085607090a25e08e

  • SHA256

    70871aedab0f9d4f5da309709738ed89fc6e0461457f2a3812c9a6d91ac73168

  • SHA512

    642124378333756291599d15a9465d78d328df279f9ff71865eb192d71b7b982e0d8007646951637cbaafdc069b3231998357c9e8ea60db9897264096f69abbc

  • SSDEEP

    3072:fBmKyo0CgHtFdRtoH0skJkZaWL4YuBRBG6f3ON1LknQ/:fBmKyo0CgHtFdH4qJ7W/IRBhf61L

Malware Config

Signatures

  • Contacts a large (30004) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Renames itself 1 IoCs
  • Unexpected DNS network traffic destination 6 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads process memory 1 TTPs 23 IoCs

    Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

  • Changes its process name 1 IoCs
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/arm6.elf
    /tmp/arm6.elf
    1⤵
    • Renames itself
    • Reads process memory
    • Changes its process name
    • Reads runtime system information
    PID:712

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads