Malware Analysis Report

2024-12-01 00:01

Sample ID 220718-r2jrgaegh2
Target 518668d64e5e5ec824bb002f8860c4142f0cacdb8e72a9f76b73ae30f1474007
SHA256 518668d64e5e5ec824bb002f8860c4142f0cacdb8e72a9f76b73ae30f1474007
Tags
gafgyt mirai mirai_x86corona
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

518668d64e5e5ec824bb002f8860c4142f0cacdb8e72a9f76b73ae30f1474007

Threat Level: Known bad

The file 518668d64e5e5ec824bb002f8860c4142f0cacdb8e72a9f76b73ae30f1474007 was found to be: Known bad.

Malicious Activity Summary

gafgyt mirai mirai_x86corona

Detected Gafgyt variant

Detected x86corona Mirai variant

Gafgyt family

Mirai family

Mirai_x86corona family

Detect Mirai payload

Modifies the Watchdog daemon

Reads system routing table

Reads system network configuration

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-18 14:41

Signatures

Detect Mirai payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Gafgyt variant

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected x86corona Mirai variant

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Gafgyt family

gafgyt

Mirai family

mirai

Mirai_x86corona family

mirai_x86corona

Analysis: behavioral9

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:41

Platform

debian9-mipsel-en-20211208

Command Line

[/tmp/89.42.133.67/m68k]

Signatures

N/A

Processes

/tmp/89.42.133.67/m68k

[/tmp/89.42.133.67/m68k]

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:41

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

0s

Command Line

[/tmp/89.42.133.67/powerpc]

Signatures

N/A

Processes

/tmp/89.42.133.67/powerpc

[/tmp/89.42.133.67/powerpc]

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:41

Platform

debian9-mipsbe-en-20211208

Max time kernel

0s

Command Line

[/tmp/89.42.133.67/powerpc]

Signatures

N/A

Processes

/tmp/89.42.133.67/powerpc

[/tmp/89.42.133.67/powerpc]

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:41

Platform

debian9-mipsel-en-20211208

Command Line

[/tmp/89.42.133.67/powerpc]

Signatures

N/A

Processes

/tmp/89.42.133.67/powerpc

[/tmp/89.42.133.67/powerpc]

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:42

Platform

debian9-armhf-en-20211208

Max time kernel

0s

Command Line

[/tmp/89.42.133.67/sparc]

Signatures

N/A

Processes

/tmp/89.42.133.67/sparc

[/tmp/89.42.133.67/sparc]

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:41

Platform

debian9-mipsbe-en-20211208

Max time kernel

0s

Command Line

[/tmp/89.42.133.67/sparc]

Signatures

N/A

Processes

/tmp/89.42.133.67/sparc

[/tmp/89.42.133.67/sparc]

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:41

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

0s

Command Line

[/tmp/89.42.133.67/sparc]

Signatures

N/A

Processes

/tmp/89.42.133.67/sparc

[/tmp/89.42.133.67/sparc]

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:44

Platform

debian9-armhf-en-20211208

Max time kernel

0s

Max time network

156s

Command Line

[/tmp/89.42.133.67/armv4l]

Signatures

N/A

Processes

/tmp/89.42.133.67/armv4l

[/tmp/89.42.133.67/armv4l]

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:44

Platform

debian9-armhf-en-20211208

Max time kernel

0s

Max time network

158s

Command Line

[/tmp/89.42.133.67/armv5l]

Signatures

N/A

Processes

/tmp/89.42.133.67/armv5l

[/tmp/89.42.133.67/armv5l]

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:44

Platform

debian9-armhf-en-20211208

Max time kernel

19172s

Max time network

157s

Command Line

[/tmp/89.42.133.67/armv6l]

Signatures

Modifies the Watchdog daemon

Reads system routing table

Description Indicator Process Target
/proc/net/route /proc/net/route /tmp/89.42.133.67/armv6l N/A

Reads system network configuration

Description Indicator Process Target
/proc/net/route /proc/net/route /tmp/89.42.133.67/armv6l N/A

Processes

/tmp/89.42.133.67/armv6l

[/tmp/89.42.133.67/armv6l]

Network

Country Destination Domain Proto
RO 89.42.133.67:123 tcp
CN 42.133.67.123:123 tcp
RO 89.42.133.67:123 tcp
CN 42.133.67.123:123 tcp
RO 89.42.133.67:123 tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:41

Platform

debian9-armhf-en-20211208

Max time kernel

0s

Command Line

[/tmp/89.42.133.67/m68k]

Signatures

N/A

Processes

/tmp/89.42.133.67/m68k

[/tmp/89.42.133.67/m68k]

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:41

Platform

debian9-mipsbe-en-20211208

Max time kernel

0s

Command Line

[/tmp/89.42.133.67/m68k]

Signatures

N/A

Processes

/tmp/89.42.133.67/m68k

[/tmp/89.42.133.67/m68k]

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:42

Platform

debian9-armhf-en-20211208

Max time kernel

0s

Command Line

[/tmp/89.42.133.67/sh4]

Signatures

N/A

Processes

/tmp/89.42.133.67/sh4

[/tmp/89.42.133.67/sh4]

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:41

Platform

debian9-mipsel-en-20211208

Max time kernel

0s

Command Line

[/tmp/89.42.133.67/sh4]

Signatures

N/A

Processes

/tmp/89.42.133.67/sh4

[/tmp/89.42.133.67/sh4]

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:43

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

0s

Max time network

153s

Command Line

[/tmp/89.42.133.67/i586]

Signatures

N/A

Processes

/tmp/89.42.133.67/i586

[/tmp/89.42.133.67/i586]

Network

Country Destination Domain Proto
RO 89.42.133.67:123 tcp
CN 42.133.67.123:123 tcp
JP 133.67.123.0:123 tcp
US 67.123.0.0:123 tcp
RO 89.42.133.67:123 tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:41

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

0s

Command Line

[/tmp/89.42.133.67/m68k]

Signatures

N/A

Processes

/tmp/89.42.133.67/m68k

[/tmp/89.42.133.67/m68k]

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:41

Platform

debian9-armhf-en-20211208

Max time kernel

0s

Command Line

[/tmp/89.42.133.67/powerpc]

Signatures

N/A

Processes

/tmp/89.42.133.67/powerpc

[/tmp/89.42.133.67/powerpc]

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:41

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

0s

Command Line

[/tmp/89.42.133.67/sh4]

Signatures

N/A

Processes

/tmp/89.42.133.67/sh4

[/tmp/89.42.133.67/sh4]

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:41

Platform

debian9-mipsel-en-20211208

Max time kernel

0s

Command Line

[/tmp/89.42.133.67/sparc]

Signatures

N/A

Processes

/tmp/89.42.133.67/sparc

[/tmp/89.42.133.67/sparc]

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:44

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

0s

Max time network

152s

Command Line

[/tmp/89.42.133.67/x86]

Signatures

Modifies the Watchdog daemon

Reads system routing table

Description Indicator Process Target
/proc/net/route /proc/net/route /tmp/89.42.133.67/x86 N/A

Reads system network configuration

Description Indicator Process Target
/proc/net/route /proc/net/route /tmp/89.42.133.67/x86 N/A

Processes

/tmp/89.42.133.67/x86

[/tmp/89.42.133.67/x86]

Network

Country Destination Domain Proto
RO 89.42.133.67:123 tcp
CN 42.133.67.123:123 tcp
JP 133.67.123.0:123 tcp
US 67.123.0.0:123 tcp
RO 89.42.133.67:123 tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:43

Platform

ubuntu1804-amd64-en-20211208

Max time network

153s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
RO 89.42.133.67:123 tcp
CN 42.133.67.123:123 tcp
JP 133.67.123.0:123 tcp
US 67.123.0.0:123 tcp
RO 89.42.133.67:123 tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:43

Platform

debian9-mipsbe-en-20211208

Max time kernel

19172s

Max time network

154s

Command Line

[/tmp/89.42.133.67/mips]

Signatures

Modifies the Watchdog daemon

Reads system routing table

Description Indicator Process Target
/proc/net/route /proc/net/route /tmp/89.42.133.67/mips N/A

Reads system network configuration

Description Indicator Process Target
/proc/net/route /proc/net/route /tmp/89.42.133.67/mips N/A

Processes

/tmp/89.42.133.67/mips

[/tmp/89.42.133.67/mips]

Network

Country Destination Domain Proto
RO 89.42.133.67:123 tcp
CN 42.133.67.123:123 tcp
JP 133.67.123.2:123 tcp
US 67.123.3.0:123 tcp
RO 89.42.133.67:123 tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:43

Platform

debian9-mipsel-en-20211208

Max time kernel

19172s

Max time network

153s

Command Line

[/tmp/89.42.133.67/mipsel]

Signatures

Modifies the Watchdog daemon

Reads system routing table

Description Indicator Process Target
/proc/net/route /proc/net/route /tmp/89.42.133.67/mipsel N/A

Reads system network configuration

Description Indicator Process Target
/proc/net/route /proc/net/route /tmp/89.42.133.67/mipsel N/A

Processes

/tmp/89.42.133.67/mipsel

[/tmp/89.42.133.67/mipsel]

Network

Country Destination Domain Proto
RO 89.42.133.67:123 tcp
CN 42.133.67.123:123 tcp
JP 133.67.123.2:123 tcp
US 67.123.3.0:123 tcp
RO 89.42.133.67:123 tcp
CN 42.133.67.123:123 tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2022-07-18 14:41

Reported

2022-07-18 14:41

Platform

debian9-mipsbe-en-20211208

Command Line

[/tmp/89.42.133.67/sh4]

Signatures

N/A

Processes

/tmp/89.42.133.67/sh4

[/tmp/89.42.133.67/sh4]

Network

N/A

Files

N/A