Analysis Overview
SHA256
b89e29063ba0dbe95a2090399595668817473361c96ef622d143ec7980cddb1b
Threat Level: Known bad
The file 20d263bd6e0552cad17ec45eeff1844b.bin was found to be: Known bad.
Malicious Activity Summary
Mirai family
Changes its process name
Deletes Audit logs
Deletes itself
Modifies Watchdog functionality
Deletes journal logs
Deletes system logs
Reads CPU attributes
Enumerates running processes
Deletes log files
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-17 01:07
Signatures
Mirai family
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 01:07
Reported
2024-04-17 01:09
Platform
ubuntu2004-amd64-20240221-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Changes the process name, possibly in an attempt to hide itself | mlf4pvwv560dntpv | /tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf | N/A |
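Mirai-derived bots rename themselves at start-up with a random alphanumeric string (here mlf4pvwv560dntpv), so the name the kernel reports in /proc/PID/comm no longer matches the binary behind /proc/PID/exe; the sample also deletes its own file, so that link ends in " (deleted)". The following hunt script is an added example written for this report, not part of the sandbox output: it compares comm with the executable's basename (comm is capped at 15 bytes, so the comparison uses the same prefix), flags deleted or temp-directory executables, and can walk a live /proc. The PID numbers and the sshd entry in the sample are constructed.

```python
"""Hunt for processes whose kernel-visible name (comm) no longer matches the
binary they were launched from. Added example for this report, not part of
the sandbox output. Sample entries below are constructed from the signature."""
import os
from dataclasses import dataclass
from typing import Iterable, Optional

BOT = "/tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf"


@dataclass
class ProcView:
    pid: int
    comm: str            # /proc/<pid>/comm, what prctl(PR_SET_NAME) rewrites
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None for kernel threads
    argv0: str           # first NUL-separated field of /proc/<pid>/cmdline


def comm_matches_exe(comm: str, exe: Optional[str]) -> bool:
    """The kernel keeps only 15 bytes of comm (TASK_COMM_LEN - 1), so compare
    against the same prefix of the executable's basename."""
    if exe is None:
        return True  # kernel thread: nothing to compare against
    base = os.path.basename(exe.replace(" (deleted)", ""))
    return comm == base[:15]


def suspicious(view: ProcView) -> list[str]:
    """Reasons to look closer at one process; empty list means nothing odd."""
    reasons = []
    if not comm_matches_exe(view.comm, view.exe):
        reasons.append(f"comm {view.comm!r} != exe {view.exe!r}")
    if view.exe and view.exe.endswith(" (deleted)"):
        reasons.append("running from a deleted file")
    if view.exe and view.exe.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
        reasons.append("executable in a world-writable temp dir")
    return reasons


def read_proc(pid: int) -> Optional[ProcView]:
    """Read one live process from /proc; None if it vanished or is unreadable."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            comm = f.read().rstrip("\n")
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:          # kernel thread, or not root
            exe = None
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            argv0 = f.read().split(b"\0")[0].decode(errors="replace")
    except OSError:
        return None
    return ProcView(pid, comm, exe, argv0)


def scan(views: Iterable[ProcView]) -> dict[int, list[str]]:
    return {v.pid: r for v in views if (r := suspicious(v))}


def scan_live() -> dict[int, list[str]]:
    pids = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    return scan(v for pid in pids if (v := read_proc(pid)))


# Constructed sample: the renamed bot (the report shows the 16-byte string it
# passed to prctl; comm keeps 15) next to a benign sshd for contrast.
SAMPLE = [
    ProcView(1337, "mlf4pvwv560dntpv"[:15], BOT + " (deleted)", BOT),
    ProcView(812, "sshd", "/usr/sbin/sshd", "sshd: /usr/sbin/sshd -D [listener]"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

Run scan_live() as root, otherwise readlink on other users' /proc/PID/exe fails and those processes silently pass the comm check. A comm mismatch is a hunt signal, not a verdict: legitimate software renames worker threads (and some daemons rewrite argv[0]), so pair it with the deleted-file and temp-directory reasons before escalating.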
Deletes Audit logs
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File deleted | /var/log/audit/audit.log | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf | N/A |
Deletes journal logs
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File deleted | /var/log/journal/4816dd152e8c48ff97e9117d197c13d8/system.journal | N/A | N/A |
Deletes system logs
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File deleted | /var/log/syslog | N/A | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /dev/misc/watchdog | /tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf | N/A |
| File opened for modification | /dev/watchdog | /tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf | N/A |
Deletes log files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File deleted | /var/log/auth.log | N/A | N/A |
| File deleted | /var/log/ubuntu-advantage.log | N/A | N/A |
| File deleted | /var/log/kern.log | N/A | N/A |
| File deleted | /var/log/apport.log | N/A | N/A |
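Every deletion in the tables above, the two watchdog opens, and the pkill/rm loop against capture tools are ordinary syscalls that auditd records before the files are gone, but the first thing wiped is /var/log/audit/audit.log itself, so the records are only useful if they leave the host (audisp-remote, or syslog forwarding of the audit stream). The correlator below is an added example for this report, not sandbox output: it groups auditd records by their audit(ts:serial) id, then flags watchdog access, deletions under /var/log, removal of the sniffer binaries and pkill of sniffer names. The log lines are constructed to mirror the report's paths; the syscall numbers are x86_64 and are an assumption for other architectures.

```python
"""Correlate auditd records into the evasion behaviours from this report:
log wiping, hardware watchdog access and sniffer removal. Added example, not
sandbox output; the log lines are constructed with the report's indicators."""
import os
import re
from collections import defaultdict

# x86_64 syscall numbers (assumption: check `ausyscall --dump` on other arches)
UNLINK, UNLINKAT, OPEN, OPENAT, EXECVE = "87", "263", "2", "257", "59"

# The kill list from the report's process section
SNIFFERS = {"tcpdump", "tshark", "wireshark", "dumpcap", "ettercap", "dsniff",
            "ngrep", "tcpflow", "windump", "netsniff-ng"}
WATCHDOG_NODES = {"/dev/watchdog", "/dev/watchdog0", "/dev/misc/watchdog"}

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_ID = re.compile(r"audit\(([\d.]+):(\d+)\)")


def parse_record(line):
    """One auditd line -> dict of fields; quoted values are unquoted."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _ID.search(line)
    if m:
        fields["_ts"], fields["_id"] = m.group(1), m.group(2)
    return fields


def group_events(lines):
    """auditd emits several records per syscall (SYSCALL, EXECVE, PATH ...)
    that share one audit(ts:serial); collect them per serial."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if "_id" in rec:
            events[rec["_id"]].append(rec)
    return events


def evaluate(records):
    """Return (rule, detail) findings for one multi-record event."""
    sysc = next((r for r in records if r.get("type") == "SYSCALL"), None)
    if sysc is None:
        return []
    nr, exe = sysc.get("syscall"), sysc.get("exe", "?")
    paths = [r["name"] for r in records if r.get("type") == "PATH" and "name" in r]
    findings = []
    if nr in (OPEN, OPENAT) and WATCHDOG_NODES & set(paths):
        findings.append(("watchdog_access", exe))
    if nr in (UNLINK, UNLINKAT):
        for p in paths:
            if p.startswith("/var/log/"):
                findings.append(("log_wipe", p))
            elif os.path.basename(p) in SNIFFERS:
                findings.append(("sniffer_removed", p))
    if nr == EXECVE:
        ex = next((r for r in records if r.get("type") == "EXECVE"), {})
        if ex.get("a0") in ("pkill", "killall") and ex.get("a1") in SNIFFERS:
            findings.append(("sniffer_killed", ex["a1"]))
    return findings


def detect(lines):
    """(serial, rule, detail) for every finding, in serial order."""
    out = []
    for serial, recs in sorted(group_events(lines).items(), key=lambda kv: int(kv[0])):
        for rule, detail in evaluate(recs):
            out.append((serial, rule, detail))
    return out


BOT = "/tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf"
# Constructed records (not real auditd output) carrying the report's indicators.
SAMPLE_LOG = f"""
type=SYSCALL msg=audit(1713315000.100:101): arch=c000003e syscall=257 success=yes exit=3 comm="mlf4pvwv560dntp" exe="{BOT}"
type=PATH msg=audit(1713315000.100:101): item=0 name="/dev/watchdog" nametype=NORMAL
type=SYSCALL msg=audit(1713315000.200:102): arch=c000003e syscall=59 success=yes exit=0 comm="pkill" exe="/usr/bin/pkill"
type=EXECVE msg=audit(1713315000.200:102): argc=2 a0="pkill" a1="tcpdump"
type=SYSCALL msg=audit(1713315000.300:103): arch=c000003e syscall=87 success=yes exit=0 comm="rm" exe="/usr/bin/rm"
type=PATH msg=audit(1713315000.300:103): item=1 name="/usr/bin/tcpdump" nametype=DELETE
type=SYSCALL msg=audit(1713315000.400:104): arch=c000003e syscall=87 success=yes exit=0 comm="mlf4pvwv560dntp" exe="{BOT}"
type=PATH msg=audit(1713315000.400:104): item=1 name="/var/log/audit/audit.log" nametype=DELETE
type=SYSCALL msg=audit(1713315000.500:105): arch=c000003e syscall=257 success=yes exit=4 comm="sshd" exe="/usr/sbin/sshd"
type=PATH msg=audit(1713315000.500:105): item=0 name="/etc/ssh/sshd_config" nametype=NORMAL
""".strip().splitlines()

if __name__ == "__main__":
    for serial, rule, detail in detect(SAMPLE_LOG):
        print(serial, rule, detail)
```

The records only exist if rules ask for them: `-w /var/log -p wa -k logwipe`, `-w /dev/watchdog -p rw -k watchdog` and `-a always,exit -F arch=b64 -S execve -k exec` cover the four rules above on x86_64 (add the b32 arch line on mixed systems). Opening /dev/watchdog is itself the point to watch: on a device with a hardware watchdog, a process that opens it and then stops feeding it, or sends the disable ioctl as Mirai does, decides whether the box reboots, so any opener other than the expected daemon deserves a finding.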
Enumerates running processes
Reads CPU attributes
All ten rows below are attributed to /usr/bin/pkill, one per /usr/bin/pkill invocation in the process list, not to the sample itself: /sys/devices/system/cpu/online is typically read when a process asks for the online CPU count, so this is a side effect of the sniffer-kill loop rather than reconnaissance by the bot.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
Reads runtime system information
The /proc/<pid>/status and /proc/<pid>/cmdline reads are how pkill matches process names, so the rows attributed to /usr/bin/pkill are again a side effect of the sniffer-kill loop; the sandbox did not attribute the rows marked N/A to any process.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/394/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/494/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/81/cmdline | N/A | N/A |
| File opened for reading | /proc/84/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/201/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/70/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/615/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/837/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/913/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1103/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/23/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/22/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1030/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/21/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/394/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/168/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/11/cmdline | N/A | N/A |
| File opened for reading | /proc/622/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/837/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1406/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1317/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1085/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/20/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/806/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/612/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1294/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1074/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1030/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1473/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/470/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/514/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/158/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/642/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/978/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/75/cmdline | N/A | N/A |
| File opened for reading | /proc/937/cmdline | N/A | N/A |
| File opened for reading | /proc/1403/cmdline | N/A | N/A |
| File opened for reading | /proc/612/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/642/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/781/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1085/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1406/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/75/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/90/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/102/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1442/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1040/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/4/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/958/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/668/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/969/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1144/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/93/cmdline | N/A | N/A |
| File opened for reading | /proc/9/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/73/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/556/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/494/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1478/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1482/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/201/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/453/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1085/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/84/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/502/status | /usr/bin/pkill | N/A |
Processes
/tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf
[/tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf]
/usr/local/sbin/pkill
[pkill tshark]
/usr/local/bin/pkill
[pkill tshark]
/usr/sbin/pkill
[pkill tshark]
/usr/bin/pkill
[pkill tshark]
/usr/local/sbin/pkill
[pkill tcpdump]
/usr/local/sbin/pkill
[pkill wireshark]
/usr/local/bin/pkill
[pkill tcpdump]
/usr/local/bin/pkill
[pkill wireshark]
/usr/sbin/pkill
[pkill tcpdump]
/usr/bin/pkill
[pkill tcpdump]
/usr/sbin/pkill
[pkill wireshark]
/usr/local/sbin/pkill
[pkill dumpcap]
/usr/bin/pkill
[pkill wireshark]
/usr/local/bin/pkill
[pkill dumpcap]
/usr/local/sbin/pkill
[pkill ettercap]
/usr/sbin/pkill
[pkill dumpcap]
/usr/local/bin/pkill
[pkill ettercap]
/usr/bin/pkill
[pkill dumpcap]
/usr/local/sbin/pkill
[pkill dsniff]
/usr/sbin/pkill
[pkill ettercap]
/usr/local/bin/pkill
[pkill dsniff]
/usr/bin/pkill
[pkill ettercap]
/usr/local/sbin/pkill
[pkill ngrep]
/usr/sbin/pkill
[pkill dsniff]
/usr/bin/pkill
[pkill dsniff]
/usr/local/bin/pkill
[pkill ngrep]
/usr/local/sbin/pkill
[pkill tcpflow]
/usr/sbin/pkill
[pkill ngrep]
/usr/bin/pkill
[pkill ngrep]
/usr/local/sbin/pkill
[pkill windump]
/usr/local/bin/pkill
[pkill tcpflow]
/usr/local/bin/pkill
[pkill windump]
/usr/local/sbin/pkill
[pkill netsniff-ng]
/usr/sbin/pkill
[pkill tcpflow]
/usr/sbin/pkill
[pkill windump]
/usr/bin/pkill
[pkill tcpflow]
/usr/bin/pkill
[pkill windump]
/usr/local/bin/pkill
[pkill netsniff-ng]
/usr/sbin/pkill
[pkill netsniff-ng]
/usr/bin/pkill
[pkill netsniff-ng]
/usr/local/sbin/rm
[rm -rf /usr/bin/ettercap]
/usr/local/sbin/rm
[rm -rf /usr/bin/dsniff]
/usr/local/sbin/rm
[rm -rf /usr/bin/ngrep]
/usr/local/sbin/rm
[rm -rf /usr/bin/tcpflow]
/usr/local/sbin/rm
[rm -rf /usr/bin/netsniff-ng]
/usr/local/sbin/rm
[rm -rf /usr/sbin/ngrep]
/usr/local/sbin/rm
[rm -rf /usr/sbin/tcpflow]
/usr/local/sbin/rm
[rm -rf /usr/sbin/windump]
/usr/local/sbin/rm
[rm -rf /usr/sbin/netsniff-ng]
/usr/local/sbin/rm
[rm -rf /usr/bin/tcpdump]
/usr/local/sbin/rm
[rm -rf /usr/bin/tshark]
/usr/local/sbin/rm
[rm -rf /usr/bin/wireshark]
/usr/local/sbin/rm
[rm -rf /usr/bin/dumpcap]
/usr/local/sbin/rm
[rm -rf /usr/bin/windump]
/usr/local/bin/rm
[rm -rf /usr/bin/windump]
/usr/local/bin/rm
[rm -rf /usr/bin/tcpflow]
/usr/local/bin/rm
[rm -rf /usr/bin/wireshark]
/usr/local/bin/rm
[rm -rf /usr/bin/ngrep]
/usr/local/bin/rm
[rm -rf /usr/sbin/ngrep]
/usr/local/bin/rm
[rm -rf /usr/bin/dumpcap]
/usr/local/bin/rm
[rm -rf /usr/bin/tcpdump]
/usr/local/bin/rm
[rm -rf /usr/sbin/windump]
/usr/local/bin/rm
[rm -rf /usr/bin/tshark]
/usr/local/bin/rm
[rm -rf /usr/bin/netsniff-ng]
/usr/local/bin/rm
[rm -rf /usr/sbin/tcpflow]
/usr/local/bin/rm
[rm -rf /usr/sbin/netsniff-ng]
/usr/local/bin/rm
[rm -rf /usr/bin/dsniff]
/usr/local/sbin/rm
[rm -rf /usr/sbin/dsniff]
/usr/local/bin/rm
[rm -rf /usr/bin/ettercap]
/usr/sbin/rm
[rm -rf /usr/sbin/windump]
/usr/sbin/rm
[rm -rf /usr/bin/dumpcap]
/usr/sbin/rm
[rm -rf /usr/bin/netsniff-ng]
/usr/sbin/rm
[rm -rf /usr/bin/ngrep]
/usr/sbin/rm
[rm -rf /usr/bin/tcpflow]
/usr/sbin/rm
[rm -rf /usr/bin/tcpdump]
/usr/sbin/rm
[rm -rf /usr/sbin/netsniff-ng]
/usr/sbin/rm
[rm -rf /usr/bin/wireshark]
/usr/sbin/rm
[rm -rf /usr/bin/tshark]
/usr/sbin/rm
[rm -rf /usr/sbin/ngrep]
/usr/sbin/rm
[rm -rf /usr/sbin/tcpflow]
/usr/sbin/rm
[rm -rf /usr/bin/dsniff]
/usr/sbin/rm
[rm -rf /usr/bin/windump]
/usr/sbin/rm
[rm -rf /usr/bin/ettercap]
/usr/local/bin/rm
[rm -rf /usr/sbin/dsniff]
/usr/bin/rm
[rm -rf /usr/bin/wireshark]
/usr/bin/rm
[rm -rf /usr/sbin/ngrep]
/usr/bin/rm
[rm -rf /usr/sbin/netsniff-ng]
/usr/bin/rm
[rm -rf /usr/bin/netsniff-ng]
/usr/bin/rm
[rm -rf /usr/bin/tshark]
/usr/bin/rm
[rm -rf /usr/bin/tcpdump]
/usr/bin/rm
[rm -rf /usr/sbin/tcpflow]
/usr/bin/rm
[rm -rf /usr/bin/tcpflow]
/usr/bin/rm
[rm -rf /usr/bin/dumpcap]
/usr/bin/rm
[rm -rf /usr/sbin/windump]
/usr/bin/rm
[rm -rf /usr/bin/dsniff]
/usr/bin/rm
[rm -rf /usr/bin/windump]
/usr/bin/rm
[rm -rf /usr/bin/ettercap]
/usr/bin/rm
[rm -rf /usr/bin/ngrep]
/usr/local/sbin/rm
[rm -rf /usr/sbin/ettercap]
/usr/sbin/rm
[rm -rf /usr/sbin/dsniff]
/usr/bin/rm
[rm -rf /usr/sbin/dsniff]
/usr/local/bin/rm
[rm -rf /usr/sbin/ettercap]
/usr/local/sbin/rm
[rm -rf /usr/sbin/wireshark]
/usr/sbin/rm
[rm -rf /usr/sbin/ettercap]
/usr/local/sbin/rm
[rm -rf /usr/sbin/dumpcap]
/usr/local/bin/rm
[rm -rf /usr/sbin/wireshark]
/usr/bin/rm
[rm -rf /usr/sbin/ettercap]
/usr/local/bin/rm
[rm -rf /usr/sbin/dumpcap]
/usr/sbin/rm
[rm -rf /usr/sbin/wireshark]
/usr/bin/rm
[rm -rf /usr/sbin/wireshark]
/usr/sbin/rm
[rm -rf /usr/sbin/dumpcap]
/usr/bin/rm
[rm -rf /usr/sbin/dumpcap]
/usr/local/sbin/rm
[rm -rf /usr/sbin/tshark]
/usr/local/bin/rm
[rm -rf /usr/sbin/tshark]
/usr/sbin/rm
[rm -rf /usr/sbin/tshark]
/usr/bin/rm
[rm -rf /usr/sbin/tshark]
/usr/local/sbin/rm
[rm -rf /usr/sbin/tcpdump]
/usr/local/bin/rm
[rm -rf /usr/sbin/tcpdump]
/usr/sbin/rm
[rm -rf /usr/sbin/tcpdump]
/usr/bin/rm
[rm -rf /usr/sbin/tcpdump]
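The process list shows each pkill and rm issued once per directory of /usr/local/sbin, /usr/local/bin, /usr/sbin and /usr/bin, consistent with the bot trying every candidate path of the default root PATH itself rather than going through a shell, and the rm -rf targets cover ten capture tools in /usr/bin and /usr/sbin (windump is the Windows port of tcpdump, so that entry cannot match on Linux). For a host suspected of having run this sample, the practical question is whether those tools are still present and unmodified. The check below is an added example for this report, not part of the sandbox output: it verifies files against dpkg's per-package md5sums manifests in /var/lib/dpkg/info, which is what dpkg -V does. The manifest and file contents in the sample are constructed; the package list is an assumption (Debian package names differ from binary names, for instance dumpcap ships in wireshark-common).

```python
"""Check whether the capture tools this sample removes are still present and
unmodified, using dpkg's per-package md5sums manifests. Added example, not part
of the report. The sample manifest and file contents below are constructed."""
import hashlib
import os
from typing import Callable, Dict, List, Optional

DPKG_INFO = "/var/lib/dpkg/info"
# Assumed Debian package names for the binaries in the rm -rf list
PACKAGES = ["tcpdump", "tshark", "wireshark-common", "ettercap-common", "dsniff",
            "ngrep", "tcpflow", "netsniff-ng"]


def md5(data: bytes) -> str:
    # usedforsecurity=False keeps this working on FIPS-mode hosts (Python 3.9+)
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def parse_md5sums(text: str) -> Dict[str, str]:
    """'<md5>  usr/bin/tcpdump' lines -> {'/usr/bin/tcpdump': md5}."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, rel = line.split(None, 1)
        out["/" + rel.strip()] = digest.lower()
    return out


def verify(manifest: Dict[str, str], read: Callable[[str], Optional[bytes]]) -> Dict[str, str]:
    """{path: 'missing'|'modified'} for manifest entries that do not match.
    `read` returns file bytes or None if absent, so it can be injected in tests."""
    findings = {}
    for path, expected in manifest.items():
        data = read(path)
        if data is None:
            findings[path] = "missing"
        elif md5(data) != expected:
            findings[path] = "modified"
    return findings


def read_file(path: str) -> Optional[bytes]:
    try:
        with open(path, "rb") as f:
            return f.read()
    except FileNotFoundError:
        return None


def verify_host(packages: List[str], info_dir: str = DPKG_INFO) -> Dict[str, Dict[str, str]]:
    """Verify only the listed packages; a package with no md5sums file is
    treated as not installed and skipped."""
    report = {}
    for pkg in packages:
        p = os.path.join(info_dir, f"{pkg}.md5sums")
        if not os.path.exists(p):
            continue
        with open(p) as f:
            report[pkg] = verify(parse_md5sums(f.read()), read_file)
    return report


# Constructed manifest and fake filesystem: tcpdump was deleted, tshark intact.
FAKE_FS = {"/usr/bin/tshark": b"ELF-placeholder-tshark"}
SAMPLE_MANIFEST = parse_md5sums(
    f"{md5(b'ELF-placeholder-tcpdump')}  usr/bin/tcpdump\n"
    f"{md5(FAKE_FS['/usr/bin/tshark'])}  usr/bin/tshark\n"
)

if __name__ == "__main__":
    print(verify(SAMPLE_MANIFEST, FAKE_FS.get))   # {'/usr/bin/tcpdump': 'missing'}
```

A clean result only says the package files match the manifest that dpkg wrote at install time; it does not prove the package itself came from a trusted mirror, and a host that still has an attacker process running can serve altered contents to any reader. Run it from a live-response image, or at least before trusting any other local tool, and compare the missing list with the rm -rf targets above.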
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | tcpdown.su | udp |
| US | 1.1.1.1:53 | tcpdown.su | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 104.168.45.11:21425 | tcpdown.su | tcp |
| US | 1.1.1.1:53 | daisy.ubuntu.com | udp |
| US | 1.1.1.1:53 | daisy.ubuntu.com | udp |
| US | 1.1.1.1:53 | daisy.ubuntu.com | udp |
| US | 1.1.1.1:53 | daisy.ubuntu.com | udp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 151.101.66.49:443 | cdn.fwupd.org | tcp |
| US | 151.101.66.49:443 | cdn.fwupd.org | tcp |
| US | 1.1.1.1:53 | daisy.ubuntu.com | udp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 1.1.1.1:53 | _http._tcp.security.ubuntu.com | udp |
| US | 1.1.1.1:53 | _https._tcp.deb.nodesource.com | udp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 1.1.1.1:53 | _https._tcp.motd.ubuntu.com | udp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
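Only the tcpdown.su rows are the sample's own traffic: two lookups of the C2 name, one connection to 104.168.45.11:21425, then repeated reconnects to 104.168.45.11:7722 for the rest of the 150 s run, the reconnect-on-drop pattern Mirai bots show against their C2. The mDNS, connectivity-check, daisy.ubuntu.com, cdn.fwupd.org and SRV lookups are the Ubuntu guest's background traffic against the sandbox resolver at 1.1.1.1 and should not be lifted into indicators. The script below is an added example for this report, not part of the sandbox output: it separates the two by counting connections per destination and measuring the reconnect gap, with the guest's known names allowlisted. The flow list mirrors the table above, but the timestamps are constructed because the report gives only the order of connections.

```python
"""Pick the C2 endpoint out of a sandbox network table by the short-interval
reconnect pattern Mirai bots show, discarding the guest OS's own traffic.
Added example, not part of the report. Timestamps are constructed."""
from collections import defaultdict
from statistics import median

# Names the Ubuntu 20.04 guest contacts on its own (all present in the table);
# an allowlist like this belongs to the sandbox profile, not to threat intel.
GUEST_NOISE = {"connectivity-check.ubuntu.com", "daisy.ubuntu.com", "cdn.fwupd.org",
               "_http._tcp.security.ubuntu.com", "_https._tcp.deb.nodesource.com",
               "_https._tcp.motd.ubuntu.com"}


def beacon_candidates(flows, min_conns=5, max_median_gap=30.0):
    """flows: iterable of (ts_seconds, proto, dst_ip, dst_port, domain).
    Returns {(ip, port): summary} for TCP destinations reconnected to at least
    min_conns times with a median gap of at most max_median_gap seconds."""
    by_dst = defaultdict(list)
    names = defaultdict(set)
    for ts, proto, ip, port, domain in flows:
        if proto != "tcp" or domain in GUEST_NOISE:
            continue
        by_dst[(ip, port)].append(ts)
        if domain:
            names[(ip, port)].add(domain)
    out = {}
    for dst, stamps in by_dst.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= max_median_gap:
            out[dst] = {"connections": len(stamps), "median_gap_s": med,
                        "domains": sorted(names[dst])}
    return out


def iocs(candidates):
    """Flatten to the indicator strings a blocklist or IDS rule needs."""
    items = set()
    for (ip, port), s in candidates.items():
        items.add(f"{ip}:{port}")
        items.update(s["domains"])
    return sorted(items)


# Constructed flow list mirroring the report: two DNS lookups, one connect to
# :21425, then reconnects to :7722 every 3 s, with guest noise mixed in.
SAMPLE_FLOWS = [
    (0.0, "udp", "1.1.1.1", 53, "tcpdown.su"),
    (0.1, "udp", "1.1.1.1", 53, "tcpdown.su"),
    (0.5, "udp", "1.1.1.1", 53, "connectivity-check.ubuntu.com"),
    (1.0, "tcp", "104.168.45.11", 21425, "tcpdown.su"),
    (2.0, "tcp", "151.101.66.49", 443, "cdn.fwupd.org"),
    (2.5, "tcp", "151.101.66.49", 443, "cdn.fwupd.org"),
] + [(5.0 + 3 * i, "tcp", "104.168.45.11", 7722, "tcpdown.su") for i in range(20)]

if __name__ == "__main__":
    found = beacon_candidates(SAMPLE_FLOWS)
    for dst, summary in found.items():
        print(dst, summary)
    print(iocs(found))   # ['104.168.45.11:7722', 'tcpdown.su']
```

The frequency rule deliberately misses the single connection to :21425; once 104.168.45.11 is flagged, pivot on the IP and add every port it was contacted on. The thresholds fit a 150 s sandbox run; on production network telemetry real C2 intervals are longer and jittered, so raise max_median_gap and look at gap variance rather than the median alone.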