Malware Analysis Report

2024-11-15 05:16

Sample ID 240417-bgm1dshd28
Target 20d263bd6e0552cad17ec45eeff1844b.bin
SHA256 b89e29063ba0dbe95a2090399595668817473361c96ef622d143ec7980cddb1b
Tags
mirai mirai evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b89e29063ba0dbe95a2090399595668817473361c96ef622d143ec7980cddb1b

Threat Level: Known bad

The file 20d263bd6e0552cad17ec45eeff1844b.bin was found to be: Known bad.

Malicious Activity Summary

mirai mirai evasion

Mirai family

Changes its process name

Deletes Audit logs

Deletes itself

Modifies Watchdog functionality

Deletes journal logs

Deletes system logs

Reads CPU attributes

Enumerates running processes

Deletes log files

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 01:07

Signatures

Mirai family

mirai

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 01:07

Reported

2024-04-17 01:09

Platform

ubuntu2004-amd64-20240221-en

Max time kernel

150s

Max time network

154s

Command Line

[/tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf]

Signatures

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself mlf4pvwv560dntpv /tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf N/A

Deletes Audit logs

evasion
Description Indicator Process Target
File deleted /var/log/audit/audit.log N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf N/A

Deletes journal logs

evasion
Description Indicator Process Target
File deleted /var/log/journal/4816dd152e8c48ff97e9117d197c13d8/system.journal N/A N/A

Deletes system logs

evasion
Description Indicator Process Target
File deleted /var/log/syslog N/A N/A

Modifies Watchdog functionality

Description Indicator Process Target
File opened for modification /dev/misc/watchdog /tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf N/A
File opened for modification /dev/watchdog /tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf N/A

Deletes log files

Description Indicator Process Target
File deleted /var/log/auth.log N/A N/A
File deleted /var/log/ubuntu-advantage.log N/A N/A
File deleted /var/log/kern.log N/A N/A
File deleted /var/log/apport.log N/A N/A

Enumerates running processes

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/394/status /usr/bin/pkill N/A
File opened for reading /proc/494/cmdline /usr/bin/pkill N/A
File opened for reading /proc/81/cmdline N/A N/A
File opened for reading /proc/84/status /usr/bin/pkill N/A
File opened for reading /proc/201/cmdline /usr/bin/pkill N/A
File opened for reading /proc/70/status /usr/bin/pkill N/A
File opened for reading /proc/615/cmdline /usr/bin/pkill N/A
File opened for reading /proc/837/status /usr/bin/pkill N/A
File opened for reading /proc/913/status /usr/bin/pkill N/A
File opened for reading /proc/1103/status /usr/bin/pkill N/A
File opened for reading /proc/23/cmdline /usr/bin/pkill N/A
File opened for reading /proc/22/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1030/status /usr/bin/pkill N/A
File opened for reading /proc/21/status /usr/bin/pkill N/A
File opened for reading /proc/394/status /usr/bin/pkill N/A
File opened for reading /proc/168/status /usr/bin/pkill N/A
File opened for reading /proc/11/cmdline N/A N/A
File opened for reading /proc/622/status /usr/bin/pkill N/A
File opened for reading /proc/837/status /usr/bin/pkill N/A
File opened for reading /proc/1406/status /usr/bin/pkill N/A
File opened for reading /proc/1317/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1085/status /usr/bin/pkill N/A
File opened for reading /proc/20/status /usr/bin/pkill N/A
File opened for reading /proc/806/status /usr/bin/pkill N/A
File opened for reading /proc/612/status /usr/bin/pkill N/A
File opened for reading /proc/1294/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1074/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1030/status /usr/bin/pkill N/A
File opened for reading /proc/1473/status /usr/bin/pkill N/A
File opened for reading /proc/470/cmdline /usr/bin/pkill N/A
File opened for reading /proc/514/status /usr/bin/pkill N/A
File opened for reading /proc/158/status /usr/bin/pkill N/A
File opened for reading /proc/642/status /usr/bin/pkill N/A
File opened for reading /proc/978/cmdline /usr/bin/pkill N/A
File opened for reading /proc/75/cmdline N/A N/A
File opened for reading /proc/937/cmdline N/A N/A
File opened for reading /proc/1403/cmdline N/A N/A
File opened for reading /proc/612/status /usr/bin/pkill N/A
File opened for reading /proc/642/status /usr/bin/pkill N/A
File opened for reading /proc/781/status /usr/bin/pkill N/A
File opened for reading /proc/1085/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1406/cmdline /usr/bin/pkill N/A
File opened for reading /proc/75/status /usr/bin/pkill N/A
File opened for reading /proc/90/cmdline /usr/bin/pkill N/A
File opened for reading /proc/102/status /usr/bin/pkill N/A
File opened for reading /proc/1442/status /usr/bin/pkill N/A
File opened for reading /proc/1040/status /usr/bin/pkill N/A
File opened for reading /proc/4/status /usr/bin/pkill N/A
File opened for reading /proc/958/status /usr/bin/pkill N/A
File opened for reading /proc/668/cmdline /usr/bin/pkill N/A
File opened for reading /proc/969/status /usr/bin/pkill N/A
File opened for reading /proc/1144/cmdline /usr/bin/pkill N/A
File opened for reading /proc/93/cmdline N/A N/A
File opened for reading /proc/9/status /usr/bin/pkill N/A
File opened for reading /proc/73/cmdline /usr/bin/pkill N/A
File opened for reading /proc/556/cmdline /usr/bin/pkill N/A
File opened for reading /proc/494/status /usr/bin/pkill N/A
File opened for reading /proc/1478/status /usr/bin/pkill N/A
File opened for reading /proc/1482/cmdline /usr/bin/pkill N/A
File opened for reading /proc/201/status /usr/bin/pkill N/A
File opened for reading /proc/453/status /usr/bin/pkill N/A
File opened for reading /proc/1085/status /usr/bin/pkill N/A
File opened for reading /proc/84/status /usr/bin/pkill N/A
File opened for reading /proc/502/status /usr/bin/pkill N/A

Processes

/tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf

[/tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf]

/usr/local/sbin/pkill

[pkill tshark]

/usr/local/bin/pkill

[pkill tshark]

/usr/sbin/pkill

[pkill tshark]

/usr/bin/pkill

[pkill tshark]

/usr/local/sbin/pkill

[pkill tcpdump]

/usr/local/sbin/pkill

[pkill wireshark]

/usr/local/bin/pkill

[pkill tcpdump]

/usr/local/bin/pkill

[pkill wireshark]

/usr/sbin/pkill

[pkill tcpdump]

/usr/bin/pkill

[pkill tcpdump]

/usr/sbin/pkill

[pkill wireshark]

/usr/local/sbin/pkill

[pkill dumpcap]

/usr/bin/pkill

[pkill wireshark]

/usr/local/bin/pkill

[pkill dumpcap]

/usr/local/sbin/pkill

[pkill ettercap]

/usr/sbin/pkill

[pkill dumpcap]

/usr/local/bin/pkill

[pkill ettercap]

/usr/bin/pkill

[pkill dumpcap]

/usr/local/sbin/pkill

[pkill dsniff]

/usr/sbin/pkill

[pkill ettercap]

/usr/local/bin/pkill

[pkill dsniff]

/usr/bin/pkill

[pkill ettercap]

/usr/local/sbin/pkill

[pkill ngrep]

/usr/sbin/pkill

[pkill dsniff]

/usr/bin/pkill

[pkill dsniff]

/usr/local/bin/pkill

[pkill ngrep]

/usr/local/sbin/pkill

[pkill tcpflow]

/usr/sbin/pkill

[pkill ngrep]

/usr/bin/pkill

[pkill ngrep]

/usr/local/sbin/pkill

[pkill windump]

/usr/local/bin/pkill

[pkill tcpflow]

/usr/local/bin/pkill

[pkill windump]

/usr/local/sbin/pkill

[pkill netsniff-ng]

/usr/sbin/pkill

[pkill tcpflow]

/usr/sbin/pkill

[pkill windump]

/usr/bin/pkill

[pkill tcpflow]

/usr/bin/pkill

[pkill windump]

/usr/local/bin/pkill

[pkill netsniff-ng]

/usr/sbin/pkill

[pkill netsniff-ng]

/usr/bin/pkill

[pkill netsniff-ng]

/usr/local/sbin/rm

[rm -rf /usr/bin/ettercap]

/usr/local/sbin/rm

[rm -rf /usr/bin/dsniff]

/usr/local/sbin/rm

[rm -rf /usr/bin/ngrep]

/usr/local/sbin/rm

[rm -rf /usr/bin/tcpflow]

/usr/local/sbin/rm

[rm -rf /usr/bin/netsniff-ng]

/usr/local/sbin/rm

[rm -rf /usr/sbin/ngrep]

/usr/local/sbin/rm

[rm -rf /usr/sbin/tcpflow]

/usr/local/sbin/rm

[rm -rf /usr/sbin/windump]

/usr/local/sbin/rm

[rm -rf /usr/sbin/netsniff-ng]

/usr/local/sbin/rm

[rm -rf /usr/bin/tcpdump]

/usr/local/sbin/rm

[rm -rf /usr/bin/tshark]

/usr/local/sbin/rm

[rm -rf /usr/bin/wireshark]

/usr/local/sbin/rm

[rm -rf /usr/bin/dumpcap]

/usr/local/sbin/rm

[rm -rf /usr/bin/windump]

/usr/local/bin/rm

[rm -rf /usr/bin/windump]

/usr/local/bin/rm

[rm -rf /usr/bin/tcpflow]

/usr/local/bin/rm

[rm -rf /usr/bin/wireshark]

/usr/local/bin/rm

[rm -rf /usr/bin/ngrep]

/usr/local/bin/rm

[rm -rf /usr/sbin/ngrep]

/usr/local/bin/rm

[rm -rf /usr/bin/dumpcap]

/usr/local/bin/rm

[rm -rf /usr/bin/tcpdump]

/usr/local/bin/rm

[rm -rf /usr/sbin/windump]

/usr/local/bin/rm

[rm -rf /usr/bin/tshark]

/usr/local/bin/rm

[rm -rf /usr/bin/netsniff-ng]

/usr/local/bin/rm

[rm -rf /usr/sbin/tcpflow]

/usr/local/bin/rm

[rm -rf /usr/sbin/netsniff-ng]

/usr/local/bin/rm

[rm -rf /usr/bin/dsniff]

/usr/local/sbin/rm

[rm -rf /usr/sbin/dsniff]

/usr/local/bin/rm

[rm -rf /usr/bin/ettercap]

/usr/sbin/rm

[rm -rf /usr/sbin/windump]

/usr/sbin/rm

[rm -rf /usr/bin/dumpcap]

/usr/sbin/rm

[rm -rf /usr/bin/netsniff-ng]

/usr/sbin/rm

[rm -rf /usr/bin/ngrep]

/usr/sbin/rm

[rm -rf /usr/bin/tcpflow]

/usr/sbin/rm

[rm -rf /usr/bin/tcpdump]

/usr/sbin/rm

[rm -rf /usr/sbin/netsniff-ng]

/usr/sbin/rm

[rm -rf /usr/bin/wireshark]

/usr/sbin/rm

[rm -rf /usr/bin/tshark]

/usr/sbin/rm

[rm -rf /usr/sbin/ngrep]

/usr/sbin/rm

[rm -rf /usr/sbin/tcpflow]

/usr/sbin/rm

[rm -rf /usr/bin/dsniff]

/usr/sbin/rm

[rm -rf /usr/bin/windump]

/usr/sbin/rm

[rm -rf /usr/bin/ettercap]

/usr/local/bin/rm

[rm -rf /usr/sbin/dsniff]

/usr/bin/rm

[rm -rf /usr/bin/wireshark]

/usr/bin/rm

[rm -rf /usr/sbin/ngrep]

/usr/bin/rm

[rm -rf /usr/sbin/netsniff-ng]

/usr/bin/rm

[rm -rf /usr/bin/netsniff-ng]

/usr/bin/rm

[rm -rf /usr/bin/tshark]

/usr/bin/rm

[rm -rf /usr/bin/tcpdump]

/usr/bin/rm

[rm -rf /usr/sbin/tcpflow]

/usr/bin/rm

[rm -rf /usr/bin/tcpflow]

/usr/bin/rm

[rm -rf /usr/bin/dumpcap]

/usr/bin/rm

[rm -rf /usr/sbin/windump]

/usr/bin/rm

[rm -rf /usr/bin/dsniff]

/usr/bin/rm

[rm -rf /usr/bin/windump]

/usr/bin/rm

[rm -rf /usr/bin/ettercap]

/usr/bin/rm

[rm -rf /usr/bin/ngrep]

/usr/local/sbin/rm

[rm -rf /usr/sbin/ettercap]

/usr/sbin/rm

[rm -rf /usr/sbin/dsniff]

/usr/bin/rm

[rm -rf /usr/sbin/dsniff]

/usr/local/bin/rm

[rm -rf /usr/sbin/ettercap]

/usr/local/sbin/rm

[rm -rf /usr/sbin/wireshark]

/usr/sbin/rm

[rm -rf /usr/sbin/ettercap]

/usr/local/sbin/rm

[rm -rf /usr/sbin/dumpcap]

/usr/local/bin/rm

[rm -rf /usr/sbin/wireshark]

/usr/bin/rm

[rm -rf /usr/sbin/ettercap]

/usr/local/bin/rm

[rm -rf /usr/sbin/dumpcap]

/usr/sbin/rm

[rm -rf /usr/sbin/wireshark]

/usr/bin/rm

[rm -rf /usr/sbin/wireshark]

/usr/sbin/rm

[rm -rf /usr/sbin/dumpcap]

/usr/bin/rm

[rm -rf /usr/sbin/dumpcap]

/usr/local/sbin/rm

[rm -rf /usr/sbin/tshark]

/usr/local/bin/rm

[rm -rf /usr/sbin/tshark]

/usr/sbin/rm

[rm -rf /usr/sbin/tshark]

/usr/bin/rm

[rm -rf /usr/sbin/tshark]

/usr/local/sbin/rm

[rm -rf /usr/sbin/tcpdump]

/usr/local/bin/rm

[rm -rf /usr/sbin/tcpdump]

/usr/sbin/rm

[rm -rf /usr/sbin/tcpdump]

/usr/bin/rm

[rm -rf /usr/sbin/tcpdump]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 tcpdown.su udp
US 1.1.1.1:53 tcpdown.su udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 104.168.45.11:21425 tcpdown.su tcp
US 1.1.1.1:53 daisy.ubuntu.com udp
US 1.1.1.1:53 daisy.ubuntu.com udp
US 1.1.1.1:53 daisy.ubuntu.com udp
US 1.1.1.1:53 daisy.ubuntu.com udp
US 1.1.1.1:53 cdn.fwupd.org udp
US 1.1.1.1:53 cdn.fwupd.org udp
US 151.101.66.49:443 cdn.fwupd.org tcp
US 151.101.66.49:443 cdn.fwupd.org tcp
US 1.1.1.1:53 daisy.ubuntu.com udp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 1.1.1.1:53 _http._tcp.security.ubuntu.com udp
US 1.1.1.1:53 _https._tcp.deb.nodesource.com udp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 1.1.1.1:53 _https._tcp.motd.ubuntu.com udp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp

Files

N/A