Analysis
  max time kernel:  139s
  max time network: 151s
  platform:         debian-9_armhf
  resource:         debian9-armhf-20250410-en
  resource tags:    arch:armhf, image:debian9-armhf-20250410-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  submitted:        16/04/2025, 00:06
Behavioral task
  behavioral1: Sample drea4.elf, Resource debian9-armhf-20250410-en, 4 signatures, 150 seconds
General
  Target:  drea4.elf
  Size:    153KB
  MD5:     ffa590338ac87a1bd489be8d6df4d94f
  SHA1:    49c73d34f4a3f249300096aa330bb80145b8975c
  SHA256:  43abd8d0fec081d764c53b57b7223047bd8ad4e989a6281d4d54e50ad188a385
  SHA512:  f57df1d80a7fd3c9a4b1489d92e28ee722740203f92d7c5a908e9e6bdf01f9e5f7c59ab40b8b229686565d18e17ef7509c34aac7220a27a194ad4b8945a74847
  SSDEEP:  1536:Nr1aH42hB66LgARDhapvN1ipF629Az4VRO1rT+CAr+aaxR6O9+bRXViE1l2Ywywx:Nr1aFhM8DWbOF6P4mNfI+a8U1QG5Y
Score: 7/10
Malware Config
Signatures
Deletes itself (1 IoC)
  pid  Process
  641  drea4.elf

Enumerates running processes
  Discovers information about currently running processes on the system.
Reads process memory (1 TTP, 43 IoCs)
  Reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  All 43 IoCs are the same event, "File opened for reading" by drea4.elf, on /proc/<pid>/maps for these PIDs (in the order the sandbox reported them):
  3, 8, 18, 27, 74, 107, 138, 218, 10, 25, 136, 2, 5, 11, 16, 19, 41, 166, 17, 134, 145, 14, 21, 22, 43, 4, 7, 12, 20, 26, 42, 96, 104, 6, 9, 13, 15, 24, 28, 29, 106, 23, 195
  The set covers every PID from 2 through 29 without gaps; on a freshly booted image those are typically kernel threads, whose maps files are empty. Together with the one-file-per-PID pattern this looks like an iteration over every numeric entry in /proc rather than a read aimed at a particular process.
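A sweep like the one above is a pattern a host-based detection can key on: one process opening the maps, smaps or mem file of many other processes within a short window. The Python below is an added example, not part of the sandbox report and not tooling the sandbox uses; the record format, the thresholds and the sample records are constructed assumptions standing in for auditd or eBPF open() events.

```python
"""Detect a process sweeping /proc/<pid>/maps across many other processes.

Added example, not part of the sandbox report. The input line format and the
thresholds are assumptions; in practice the events would come from auditd
(-w /proc is not watchable, so use a syscall rule on open/openat) or an eBPF
tracer.
"""
import re
from collections import defaultdict

# Constructed sample records modelled on the report's behaviour (not real
# sandbox output). One open() per line:
# "<epoch seconds> pid=<reader pid> comm=<reader name> path=<file opened>"
SAMPLE_EVENTS = """\
1744761960 pid=640 comm=drea4.elf path=/proc/2/maps
1744761960 pid=640 comm=drea4.elf path=/proc/3/maps
1744761960 pid=640 comm=drea4.elf path=/proc/self/maps
1744761960 pid=640 comm=drea4.elf path=/proc/640/maps
1744761961 pid=640 comm=drea4.elf path=/proc/8/maps
1744761961 pid=640 comm=drea4.elf path=/proc/18/maps
1744761961 pid=900 comm=gdb path=/proc/512/maps
1744761961 pid=900 comm=gdb path=/proc/512/mem
1744761962 pid=640 comm=drea4.elf path=/proc/27/maps
1744761962 pid=640 comm=drea4.elf path=/proc/74/maps
1744761962 pid=1200 comm=bash path=/etc/passwd
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d+) pid=(?P<pid>\d+) comm=(?P<comm>\S+) path=(?P<path>\S+)$"
)
# Files under /proc/<pid>/ that expose another process's address space.
PROC_MEM_RE = re.compile(r"^/proc/(?P<target>\d+|self)/(?:maps|smaps|mem)$")


def parse_events(text):
    """Parse the line format above into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": int(m["ts"]),
            "pid": int(m["pid"]),
            "comm": m["comm"],
            "path": m["path"],
        })
    return events


def find_proc_sweeps(events, min_targets=5, window_s=10):
    """Return {reader_pid: sorted target pids} for every reader that opened the
    maps/smaps/mem of at least `min_targets` *other* processes inside some
    `window_s`-second window. A process reading its own maps, by number or via
    /proc/self, is ignored because that is common and benign."""
    by_reader = defaultdict(list)  # reader pid -> [(ts, target pid), ...]
    for ev in events:
        m = PROC_MEM_RE.match(ev["path"])
        if not m:
            continue
        target = ev["pid"] if m["target"] == "self" else int(m["target"])
        if target == ev["pid"]:
            continue
        by_reader[ev["pid"]].append((ev["ts"], target))

    sweeps = {}
    for reader, reads in by_reader.items():
        reads.sort()
        for i, (t0, _) in enumerate(reads):
            # Window anchored at each read; the first window that crosses the
            # threshold is enough to flag the reader.
            targets = {t for ts, t in reads[i:] if ts - t0 <= window_s}
            if len(targets) >= min_targets:
                sweeps[reader] = sorted(targets)
                break
    return sweeps


if __name__ == "__main__":
    for reader, targets in find_proc_sweeps(parse_events(SAMPLE_EVENTS)).items():
        print(f"pid {reader} opened the maps/mem of {len(targets)} other "
              f"processes: {targets}")
```

Two caveats when using this for real. An open() attempt is logged whether or not it succeeded, and on current kernels reading another user's /proc/<pid>/maps is subject to the same ptrace access check as /proc/<pid>/mem, so an unprivileged sample gets EACCES for most targets; the attempt is still the signal. Debuggers, profilers and security agents (gdb, pmap, perf) legitimately open these files, so tune `min_targets` and allow-list those rather than alerting on a single read.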
Changes its process name (3 IoCs)
  Changes the process name, possibly in an attempt to hide itself.
  pid  Process    new name
  640  drea4.elf  -
  640  drea4.elf  kworker/u8:0
  640  drea4.elf  httpd
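The two names above illustrate what a Linux process can and cannot hide. Its comm (what ps and top show, set with prctl(PR_SET_NAME) and limited to 15 bytes) and its argv (/proc/<pid>/cmdline, which it can overwrite in place) are under its control; the /proc/<pid>/exe symlink is maintained by the kernel and keeps pointing at the original file even after it is unlinked, when readlink returns the path with " (deleted)" appended. The Python below is an added example, not from the report or the sandbox; it compares those three names and flags kernel-thread-style names on processes that have an executable. The sample snapshot, the paths and the kernel-thread name list are constructed assumptions.

```python
"""Process-name masquerade check for Linux /proc.

Added example, not part of the sandbox report. Compares comm, argv[0] and the
exe link of each process; the kernel-thread prefix list and the sample
snapshot are assumptions made for the example.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

TASK_COMM_LEN = 15  # the kernel's TASK_COMM_LEN is 16 including the NUL

# Prefixes the kernel uses for its own threads. A process that has an
# executable but carries one of these names is impersonating a kernel thread.
# Assumed for the example; not exhaustive.
KTHREAD_NAME_RE = re.compile(
    r"^(kthreadd$|kworker/|ksoftirqd/|migration/|rcu_|cpuhp/|kswapd|watchdog/)"
)


@dataclass
class ProcInfo:
    pid: int
    comm: str              # /proc/<pid>/comm without the trailing newline
    exe: Optional[str]     # readlink(/proc/<pid>/exe); None if it cannot be read
    cmdline: List[str]     # /proc/<pid>/cmdline split on NUL
    ppid: int              # PPid from /proc/<pid>/status


def expected_comm(path: str) -> str:
    """The comm the kernel would assign when executing `path`: its basename,
    truncated to 15 bytes, ignoring the ' (deleted)' suffix that readlink on
    /proc/<pid>/exe adds once the file has been unlinked."""
    name = os.path.basename(path)
    if name.endswith(" (deleted)"):
        name = name[: -len(" (deleted)")]
    return name[:TASK_COMM_LEN]


def classify(p: ProcInfo) -> str:
    """Return one of: kernel_thread, unreadable_or_zombie, kthread_masquerade,
    renamed, ok."""
    if p.exe is None and not p.cmdline:
        # Real kernel threads have neither an exe nor argv, but so do zombies
        # and processes we lack permission to inspect; the parent tells them
        # apart (kernel threads are pid 2 or children of pid 2).
        if p.pid == 2 or p.ppid == 2:
            return "kernel_thread"
        return "unreadable_or_zombie"
    if KTHREAD_NAME_RE.match(p.comm):
        return "kthread_masquerade"
    candidates = set()
    if p.exe:
        candidates.add(expected_comm(p.exe))
    if p.cmdline:
        # execve sets comm from the path it was given, which the shell also
        # places in argv[0]; the exe link resolves symlinks, so an interpreter
        # started as /usr/bin/python3 shows python3.5 there but python3 in comm.
        candidates.add(expected_comm(p.cmdline[0]))
    return "ok" if p.comm in candidates else "renamed"


def scan(procs: List[ProcInfo]) -> dict:
    return {p.pid: classify(p) for p in procs}


def read_live(pid: int) -> ProcInfo:
    """Gather the same fields from a running Linux host (needs /proc; not
    exercised by the constructed sample)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read().rstrip("\n")
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    with open(f"{base}/status") as f:
        ppid = int(next(l for l in f if l.startswith("PPid:")).split()[1])
    return ProcInfo(pid, comm, exe, cmdline, ppid)


# Constructed snapshot loosely modelled on the report (a drea4.elf process
# calling itself kworker/u8:0, another calling itself httpd after the binary
# was unlinked); every path and the other processes are invented.
SAMPLE = [
    ProcInfo(2, "kthreadd", None, [], 0),
    ProcInfo(18, "kworker/u8:0", None, [], 2),
    ProcInfo(640, "kworker/u8:0", "/tmp/drea4.elf", ["./drea4.elf"], 1),
    ProcInfo(641, "httpd", "/tmp/drea4.elf (deleted)", ["./drea4.elf"], 640),
    ProcInfo(700, "apache2", "/usr/sbin/apache2", ["/usr/sbin/apache2", "-k", "start"], 1),
    ProcInfo(701, "python3", "/usr/bin/python3.5", ["python3", "app.py"], 1),
    ProcInfo(800, "sleep", None, [], 1),
]

if __name__ == "__main__":
    for pid, verdict in scan(SAMPLE).items():
        print(f"{pid:>5}  {verdict}")
```

Run it against thread-group leaders only (the /proc/<pid> entries, not /proc/<pid>/task/<tid>): threads each have their own comm and multi-threaded programs name worker threads freely, so a per-thread comparison produces noise. A "renamed" verdict on a main thread is a lead rather than a conviction; some daemons do set their own comm, but a renamed process whose exe link ends in " (deleted)" is exactly the combination the "Deletes itself" and "Changes its process name" signatures describe.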