Malware Analysis Report

2025-03-15 03:10

Sample ID 240414-ssftwshe89
Target 04f257782ae8acc2109d56a432dd6ff9.elf
SHA256 fbde07f0582c954a0300e48cf4e70b54c155b05bc8780c04a34ad80c3e738ef8
Tags
botnet mirai
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fbde07f0582c954a0300e48cf4e70b54c155b05bc8780c04a34ad80c3e738ef8

Threat Level: Known bad

The file 04f257782ae8acc2109d56a432dd6ff9.elf was found to be: Known bad.

Malicious Activity Summary

botnet mirai

Mirai family

Changes its process name

Deletes itself

Enumerates running processes

Reads runtime system information

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-14 15:23

Signatures

Mirai family

mirai

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-14 15:23

Reported

2024-04-14 15:25

Platform

ubuntu2004-amd64-20240221-en

Max time kernel

131s

Max time network

140s

Command Line

[/tmp/04f257782ae8acc2109d56a432dd6ff9.elf]

Signatures

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself httpd /tmp/04f257782ae8acc2109d56a432dd6ff9.elf N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates running processes

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/783/cmdline N/A N/A
File opened for reading /proc/803/cmdline N/A N/A
File opened for reading /proc/7/cmdline N/A N/A
File opened for reading /proc/21/cmdline N/A N/A
File opened for reading /proc/84/cmdline N/A N/A
File opened for reading /proc/86/cmdline N/A N/A
File opened for reading /proc/812/cmdline N/A N/A
File opened for reading /proc/952/cmdline N/A N/A
File opened for reading /proc/991/cmdline N/A N/A
File opened for reading /proc/6/cmdline N/A N/A
File opened for reading /proc/20/cmdline N/A N/A
File opened for reading /proc/79/cmdline N/A N/A
File opened for reading /proc/552/cmdline N/A N/A
File opened for reading /proc/272/cmdline N/A N/A
File opened for reading /proc/623/cmdline N/A N/A
File opened for reading /proc/1103/cmdline N/A N/A
File opened for reading /proc/24/cmdline N/A N/A
File opened for reading /proc/85/cmdline N/A N/A
File opened for reading /proc/93/cmdline N/A N/A
File opened for reading /proc/177/cmdline N/A N/A
File opened for reading /proc/160/cmdline N/A N/A
File opened for reading /proc/172/cmdline N/A N/A
File opened for reading /proc/456/cmdline N/A N/A
File opened for reading /proc/1045/cmdline N/A N/A
File opened for reading /proc/12/cmdline N/A N/A
File opened for reading /proc/71/cmdline N/A N/A
File opened for reading /proc/242/cmdline N/A N/A
File opened for reading /proc/1084/cmdline N/A N/A
File opened for reading /proc/1005/cmdline N/A N/A
File opened for reading /proc/1097/cmdline N/A N/A
File opened for reading /proc/88/cmdline N/A N/A
File opened for reading /proc/446/cmdline N/A N/A
File opened for reading /proc/643/cmdline N/A N/A
File opened for reading /proc/899/cmdline N/A N/A
File opened for reading /proc/159/cmdline N/A N/A
File opened for reading /proc/168/cmdline N/A N/A
File opened for reading /proc/275/cmdline N/A N/A
File opened for reading /proc/631/cmdline N/A N/A
File opened for reading /proc/1004/cmdline N/A N/A
File opened for reading /proc/1102/cmdline N/A N/A
File opened for reading /proc/673/cmdline N/A N/A
File opened for reading /proc/766/cmdline N/A N/A
File opened for reading /proc/969/cmdline N/A N/A
File opened for reading /proc/975/cmdline N/A N/A
File opened for reading /proc/91/cmdline N/A N/A
File opened for reading /proc/680/cmdline N/A N/A
File opened for reading /proc/938/cmdline N/A N/A
File opened for reading /proc/1031/cmdline N/A N/A
File opened for reading /proc/458/cmdline N/A N/A
File opened for reading /proc/481/cmdline N/A N/A
File opened for reading /proc/539/cmdline N/A N/A
File opened for reading /proc/1063/cmdline N/A N/A
File opened for reading /proc/9/cmdline N/A N/A
File opened for reading /proc/77/cmdline N/A N/A
File opened for reading /proc/78/cmdline N/A N/A
File opened for reading /proc/92/cmdline N/A N/A
File opened for reading /proc/949/cmdline N/A N/A
File opened for reading /proc/1053/cmdline N/A N/A
File opened for reading /proc/10/cmdline N/A N/A
File opened for reading /proc/111/cmdline N/A N/A
File opened for reading /proc/119/cmdline N/A N/A
File opened for reading /proc/164/cmdline N/A N/A
File opened for reading /proc/11/cmdline N/A N/A
File opened for reading /proc/626/cmdline N/A N/A

Processes

/tmp/04f257782ae8acc2109d56a432dd6ff9.elf

[/tmp/04f257782ae8acc2109d56a432dd6ff9.elf]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 raw.mezo-api.xyz udp
US 8.8.8.8:53 raw.mezo-api.xyz udp
NL 89.190.156.145:7733 tcp
DE 35.198.149.52:33966 raw.mezo-api.xyz tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 1.1.1.1:53 _https._tcp.deb.nodesource.com udp
US 1.1.1.1:53 _http._tcp.security.ubuntu.com udp
US 1.1.1.1:53 _http._tcp.nl.archive.ubuntu.com udp
US 1.1.1.1:53 deb.nodesource.com udp
US 1.1.1.1:53 deb.nodesource.com udp
US 1.1.1.1:53 security.ubuntu.com udp
US 1.1.1.1:53 security.ubuntu.com udp
US 1.1.1.1:53 nl.archive.ubuntu.com udp
US 1.1.1.1:53 nl.archive.ubuntu.com udp
US 172.67.10.205:443 deb.nodesource.com tcp
US 91.189.91.83:80 security.ubuntu.com tcp
NL 213.136.12.213:80 nl.archive.ubuntu.com tcp
NL 213.136.12.213:80 nl.archive.ubuntu.com tcp
US 1.1.1.1:53 cdn.fwupd.org udp
US 1.1.1.1:53 cdn.fwupd.org udp
US 151.101.66.49:443 cdn.fwupd.org tcp
NL 213.136.12.213:80 nl.archive.ubuntu.com tcp
US 1.1.1.1:53 _https._tcp.motd.ubuntu.com udp
US 1.1.1.1:53 motd.ubuntu.com udp
US 1.1.1.1:53 motd.ubuntu.com udp
IE 54.217.10.153:443 motd.ubuntu.com tcp
US 1.1.1.1:53 _https._tcp.esm.ubuntu.com udp
US 1.1.1.1:53 esm.ubuntu.com udp
US 1.1.1.1:53 esm.ubuntu.com udp
US 151.101.66.49:443 cdn.fwupd.org tcp
GB 185.125.190.24:443 esm.ubuntu.com tcp
IE 54.171.230.55:443 motd.ubuntu.com tcp
NL 213.136.12.213:80 nl.archive.ubuntu.com tcp
IE 34.243.160.129:443 motd.ubuntu.com tcp
NL 213.136.12.213:80 nl.archive.ubuntu.com tcp
NL 213.136.12.213:80 nl.archive.ubuntu.com tcp
NL 213.136.12.213:80 nl.archive.ubuntu.com tcp
NL 213.136.12.213:80 nl.archive.ubuntu.com tcp
NL 213.136.12.213:80 nl.archive.ubuntu.com tcp
NL 213.136.12.213:80 nl.archive.ubuntu.com tcp
NL 213.136.12.213:80 nl.archive.ubuntu.com tcp
NL 213.136.12.213:80 nl.archive.ubuntu.com tcp
NL 213.136.12.213:80 nl.archive.ubuntu.com tcp
NL 213.136.12.213:80 nl.archive.ubuntu.com tcp
NL 213.136.12.213:80 nl.archive.ubuntu.com tcp
US 8.8.8.8:53 raw.mezo-api.xyz udp
US 8.8.8.8:53 raw.mezo-api.xyz udp
DE 35.198.149.52:33966 raw.mezo-api.xyz tcp
US 8.8.8.8:53 raw.mezo-api.xyz udp
US 8.8.8.8:53 raw.mezo-api.xyz udp
DE 35.198.149.52:33966 raw.mezo-api.xyz tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp

Files

N/A