Analysis
max time kernel: 150s
max time network: 156s
platform: debian-12_armhf
resource: debian12-armhf-20240221-en
resource tags: arch:armhf, image:debian12-armhf-20240221-en, kernel:6.1.0-17-armmp-lpae, locale:en-us, os:debian-12-armhf, system
submitted: 28/03/2025, 03:53
Static task: static1
Behavioral task: behavioral1
Sample: meowarm7.elf
Resource: debian12-armhf-20240221-en
General
Target: meowarm7.elf
Size: 109KB
MD5: 38b455fdf7ff5de6f4792f928b62c9de
SHA1: befb8e64c2fa18a7e83df7cf2bf9a975e1101ee9
SHA256: 102f4f18240fe8ff5c57eb25a353446c3395f22e21a0dafe62a607fcc87f9d2f
SHA512: 2e093da85f7ca752b230d39110923465ab7c64c5b6c960be3c62405f62200d83b8184551da00b21f271f989b1ddebdaf583dfaedc4c0f4ca095c5d5920918ab6
SSDEEP: 3072:2LcmMXOkmutCxVT0vorh4WV/SyifkaBsKpPhHhsVYGckmn9:2LcmMXOkmutCxl7r/XisaBsKpPhBsi3
Malware Config
Signatures
-
Contacts a large (25066) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Renames itself 1 IoCs
pid: 704, Process: meowarm7.elf
-
Unexpected DNS network traffic destination 6 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Destination IP: 208.67.220.220
Destination IP: 208.67.220.220
Destination IP: 208.67.222.222
Destination IP: 208.67.220.220
Destination IP: 208.67.222.222
Destination IP: 208.67.222.222
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads process memory 1 TTPs 17 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
-
Changes its process name 1 IoCs
Changes the process name, possibly in an attempt to hide itself.
ioc: dvrEncoder, pid: 704, Process: meowarm7.elf
-