Analysis
- max time kernel: 152s
- max time network: 153s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20221111-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20221111-en, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 10-05-2023 01:06
General
- Target: 21ba496a638eb57aeea8b90331f9913b7d92e223a97668a5e991be3910291e9f.elf
- Size: 27KB
- MD5: 11ac9d0f74690af6d613a7fd92001642
- SHA1: b7d6b315a213655b32826bf512967bed8071a82c
- SHA256: 21ba496a638eb57aeea8b90331f9913b7d92e223a97668a5e991be3910291e9f
- SHA512: cb2629bb621fa9da1234da07fa94309292224ab2d197daac4a9383e36fe759733757e5f8e84387b0f26ece2f54f382c6b6dbe307309a9a3067f621d1a992c271
- SSDEEP: 768:726A29MSaInDSzLWikmJR5rT0iRnKG1bEtl:C6n9DczJ/0iRndbE/
Malware Config
Extracted
- mirai
  BOTNET: pachoisgay.3utilities.com
Signatures
- Contacts a large (110024) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Modifies the Watchdog daemon (1 TTP)
  Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.
- Changes its process name (1 IoC)
  Processes:
  description: Changes the process name, possibly in an attempt to hide itself
  ioc: /var/Sofia
  pid: 621
  process: 21ba496a638eb57aeea8b90331f9913b7d92e223a97668a5e991be3910291e9f.elf
- Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem.
  Processes:
  description: File opened for reading
  ioc (64 paths, in the order reported):
  /proc/27/cmdline, /proc/80/cmdline, /proc/85/cmdline, /proc/7/cmdline, /proc/11/cmdline, /proc/13/cmdline, /proc/23/cmdline, /proc/167/cmdline,
  /proc/360/cmdline, /proc/2/cmdline, /proc/25/cmdline, /proc/36/cmdline, /proc/89/cmdline, /proc/195/cmdline, /proc/353/cmdline, /proc/12/cmdline,
  /proc/24/cmdline, /proc/34/cmdline, /proc/165/cmdline, /proc/231/cmdline, /proc/10/cmdline, /proc/32/cmdline, /proc/84/cmdline, /proc/172/cmdline,
  /proc/354/cmdline, /proc/26/cmdline, /proc/28/cmdline, /proc/158/cmdline, /proc/164/cmdline, /proc/352/cmdline, /proc/363/cmdline, /proc/398/cmdline,
  /proc/592/cmdline, /proc/5/cmdline, /proc/35/cmdline, /proc/81/cmdline, /proc/169/cmdline, /proc/348/cmdline, /proc/6/cmdline, /proc/79/cmdline,
  /proc/98/cmdline, /proc/161/cmdline, /proc/472/cmdline, /proc/1/cmdline, /proc/22/cmdline, /proc/171/cmdline, /proc/362/cmdline, /proc/304/cmdline,
  /proc/374/cmdline, /proc/625/cmdline, /proc/78/cmdline, /proc/156/cmdline, /proc/159/cmdline, /proc/168/cmdline, /proc/194/cmdline, /proc/445/cmdline,
  /proc/619/cmdline, /proc/8/cmdline, /proc/82/cmdline, /proc/115/cmdline, /proc/160/cmdline, /proc/17/cmdline, /proc/29/cmdline, /proc/166/cmdline
Processes
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/621-1-0x0000000008048000-0x00000000080587a0-memory.dmp