Analysis

- max time kernel: 132s
- max time network: 147s
- platform: debian-9_armhf
- resource: debian9-armhf-20240418-en
- resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 14/04/2025, 15:03
Behavioral task: behavioral1

- Sample: arm5.elf
- Resource: debian9-armhf-20240418-en
- 4 signatures
- 150 seconds
General

- Target: arm5.elf
- Size: 148KB
- MD5: 6e923d73f32e576fd967d78ce89c900b
- SHA1: 11f8fb82effae80c4a2976ad7cffe37796a2f7f6
- SHA256: b3025deef3be69c42eab00fd6b4e184d4fda19293de1f979905f55eb6dd74ad0
- SHA512: abe41abd8bba184756e3096f31df4a1e6b0f37b24ec498eae6aa444c0e754d578bb76722c195a6dc855564b91bd2e91af4cfb45ccae3b34fa59d4e293185179a
- SSDEEP: 1536:Doz/4sWkAHyE2nDth8WN5/2iVb4Vsy7TnRfC4c87EOiD/RLl5Rku+AlgewywdPCn:DozbxfDp5/p4X79fC4fURB5vBR5HB
- Score: 7/10
Malware Config
Signatures

- Deletes itself (1 IoC)

  pid  Process
  646  arm5.elf

- Enumerates running processes
  Discovers information about currently running processes on the system.

- Reads process memory (1 TTP, 42 IoCs)
  Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
- Changes its process name (3 IoCs)

  description                                                      ioc           pid  Process
  Changes the process name, possibly in an attempt to hide itself  -             645  arm5.elf
  Changes the process name, possibly in an attempt to hide itself  kworker/u8:0  645  arm5.elf
  Changes the process name, possibly in an attempt to hide itself  httpd         645  arm5.elf