Analysis Overview
SHA256
648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b
Threat Level: Known bad
The file 648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf was found to be: Known bad.
Malicious Activity Summary
Mirai family
Changes its process name
Deletes itself
Deletes system logs
Deletes Audit logs
Deletes journal logs
Modifies Watchdog functionality
Reads CPU attributes
Enumerates running processes
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-17 13:34
Signatures
Mirai family
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 13:34
Reported
2024-04-17 13:44
Platform
ubuntu1804-amd64-20240226-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
|---|---|---|---|
| Changes the process name, possibly in an attempt to hide itself | 5awto8gpm0ftqfwr60cwiafpkigt7u5t | /tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf | N/A |
Deletes Audit logs
| Description | Indicator | Process | Target |
|---|---|---|---|
| File deleted | /var/log/audit/audit.log | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf | N/A |
Deletes journal logs
| Description | Indicator | Process | Target |
|---|---|---|---|
| File deleted | /var/log/journal/11c67417355f45d397f6be11f62e85a6/system.journal | N/A | N/A |
Deletes system logs
| Description | Indicator | Process | Target |
|---|---|---|---|
| File deleted | /var/log/syslog | N/A | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /dev/watchdog | /tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf | N/A |
Enumerates running processes
Reads CPU attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/83/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/466/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1043/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1113/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/6/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/408/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1318/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/13/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/653/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/722/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/155/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1127/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1161/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/26/cmdline | N/A | N/A |
| File opened for reading | /proc/414/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/13/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/666/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/722/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/19/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/472/cmdline | N/A | N/A |
| File opened for reading | /proc/162/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/653/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1523/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1567/cmdline | N/A | N/A |
| File opened for reading | /proc/547/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/466/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/947/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1169/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1191/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/156/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/30/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/411/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1512/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1513/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/30/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1191/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/165/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/248/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1099/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1154/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1182/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/547/cmdline | N/A | N/A |
| File opened for reading | /proc/157/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1115/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1525/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/78/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1295/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1288/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1512/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/958/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/165/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/268/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1288/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/161/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1244/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1431/cmdline | N/A | N/A |
| File opened for reading | /proc/22/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/167/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/509/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1191/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1318/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/248/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/2/cmdline | /usr/bin/pkill | N/A |
Processes
/tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf
[/tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf]
/usr/local/sbin/pkill
[pkill dumpcap]
/usr/local/bin/pkill
[pkill dumpcap]
/usr/sbin/pkill
[pkill dumpcap]
/usr/bin/pkill
[pkill dumpcap]
/usr/local/sbin/pkill
[pkill ettercap]
/usr/local/bin/pkill
[pkill ettercap]
/usr/sbin/pkill
[pkill ettercap]
/usr/bin/pkill
[pkill ettercap]
/usr/local/sbin/pkill
[pkill wireshark]
/usr/local/bin/pkill
[pkill wireshark]
/usr/sbin/pkill
[pkill wireshark]
/usr/bin/pkill
[pkill wireshark]
/usr/local/sbin/pkill
[pkill dsniff]
/usr/local/bin/pkill
[pkill dsniff]
/usr/sbin/pkill
[pkill dsniff]
/usr/bin/pkill
[pkill dsniff]
/usr/local/sbin/pkill
[pkill ngrep]
/usr/local/bin/pkill
[pkill ngrep]
/usr/sbin/pkill
[pkill ngrep]
/usr/bin/pkill
[pkill ngrep]
/usr/local/sbin/pkill
[pkill tshark]
/usr/local/bin/pkill
[pkill tshark]
/usr/sbin/pkill
[pkill tshark]
/usr/bin/pkill
[pkill tshark]
/usr/local/sbin/pkill
[pkill tcpflow]
/usr/local/bin/pkill
[pkill tcpflow]
/usr/sbin/pkill
[pkill tcpflow]
/usr/local/sbin/pkill
[pkill windump]
/usr/local/sbin/pkill
[pkill netsniff-ng]
/usr/bin/pkill
[pkill tcpflow]
/usr/local/bin/pkill
[pkill windump]
/usr/local/bin/pkill
[pkill netsniff-ng]
/usr/sbin/pkill
[pkill windump]
/usr/sbin/pkill
[pkill netsniff-ng]
/usr/bin/pkill
[pkill windump]
/usr/bin/pkill
[pkill netsniff-ng]
/usr/local/sbin/pkill
[pkill tcpdump]
/usr/local/bin/pkill
[pkill tcpdump]
/usr/sbin/pkill
[pkill tcpdump]
/usr/bin/pkill
[pkill tcpdump]
/usr/local/sbin/rm
[rm -rf /usr/bin/ettercap]
/usr/local/bin/rm
[rm -rf /usr/bin/ettercap]
/usr/sbin/rm
[rm -rf /usr/bin/ettercap]
/usr/bin/rm
[rm -rf /usr/bin/ettercap]
/sbin/rm
[rm -rf /usr/bin/ettercap]
/bin/rm
[rm -rf /usr/bin/ettercap]
/usr/local/sbin/rm
[rm -rf /usr/bin/dsniff]
/usr/local/bin/rm
[rm -rf /usr/bin/dsniff]
/usr/sbin/rm
[rm -rf /usr/bin/dsniff]
/usr/bin/rm
[rm -rf /usr/bin/dsniff]
/sbin/rm
[rm -rf /usr/bin/dsniff]
/bin/rm
[rm -rf /usr/bin/dsniff]
/usr/local/sbin/rm
[rm -rf /usr/bin/ngrep]
/usr/local/bin/rm
[rm -rf /usr/bin/ngrep]
/usr/sbin/rm
[rm -rf /usr/bin/ngrep]
/usr/bin/rm
[rm -rf /usr/bin/ngrep]
/sbin/rm
[rm -rf /usr/bin/ngrep]
/bin/rm
[rm -rf /usr/bin/ngrep]
/usr/local/sbin/rm
[rm -rf /usr/bin/tcpflow]
/usr/local/bin/rm
[rm -rf /usr/bin/tcpflow]
/usr/sbin/rm
[rm -rf /usr/bin/tcpflow]
/usr/bin/rm
[rm -rf /usr/bin/tcpflow]
/sbin/rm
[rm -rf /usr/bin/tcpflow]
/bin/rm
[rm -rf /usr/bin/tcpflow]
/usr/local/sbin/rm
[rm -rf /usr/bin/netsniff-ng]
/usr/local/bin/rm
[rm -rf /usr/bin/netsniff-ng]
/usr/sbin/rm
[rm -rf /usr/bin/netsniff-ng]
/usr/bin/rm
[rm -rf /usr/bin/netsniff-ng]
/sbin/rm
[rm -rf /usr/bin/netsniff-ng]
/bin/rm
[rm -rf /usr/bin/netsniff-ng]
/usr/local/sbin/rm
[rm -rf /usr/sbin/ngrep]
/usr/local/bin/rm
[rm -rf /usr/sbin/ngrep]
/usr/sbin/rm
[rm -rf /usr/sbin/ngrep]
/usr/bin/rm
[rm -rf /usr/sbin/ngrep]
/sbin/rm
[rm -rf /usr/sbin/ngrep]
/bin/rm
[rm -rf /usr/sbin/ngrep]
/usr/local/sbin/rm
[rm -rf /usr/sbin/tcpflow]
/usr/local/bin/rm
[rm -rf /usr/sbin/tcpflow]
/usr/sbin/rm
[rm -rf /usr/sbin/tcpflow]
/usr/bin/rm
[rm -rf /usr/sbin/tcpflow]
/sbin/rm
[rm -rf /usr/sbin/tcpflow]
/bin/rm
[rm -rf /usr/sbin/tcpflow]
/usr/local/sbin/rm
[rm -rf /usr/sbin/windump]
/usr/local/bin/rm
[rm -rf /usr/sbin/windump]
/usr/sbin/rm
[rm -rf /usr/sbin/windump]
/usr/bin/rm
[rm -rf /usr/sbin/windump]
/sbin/rm
[rm -rf /usr/sbin/windump]
/bin/rm
[rm -rf /usr/sbin/windump]
/usr/local/sbin/rm
[rm -rf /usr/sbin/netsniff-ng]
/usr/local/bin/rm
[rm -rf /usr/sbin/netsniff-ng]
/usr/sbin/rm
[rm -rf /usr/sbin/netsniff-ng]
/usr/bin/rm
[rm -rf /usr/sbin/netsniff-ng]
/sbin/rm
[rm -rf /usr/sbin/netsniff-ng]
/bin/rm
[rm -rf /usr/sbin/netsniff-ng]
/usr/local/sbin/rm
[rm -rf /usr/bin/tcpdump]
/usr/local/bin/rm
[rm -rf /usr/bin/tcpdump]
/usr/sbin/rm
[rm -rf /usr/bin/tcpdump]
/usr/bin/rm
[rm -rf /usr/bin/tcpdump]
/sbin/rm
[rm -rf /usr/bin/tcpdump]
/bin/rm
[rm -rf /usr/bin/tcpdump]
/usr/local/sbin/rm
[rm -rf /usr/bin/tshark]
/usr/local/bin/rm
[rm -rf /usr/bin/tshark]
/usr/sbin/rm
[rm -rf /usr/bin/tshark]
/usr/bin/rm
[rm -rf /usr/bin/tshark]
/sbin/rm
[rm -rf /usr/bin/tshark]
/bin/rm
[rm -rf /usr/bin/tshark]
/usr/local/sbin/rm
[rm -rf /usr/bin/wireshark]
/usr/local/bin/rm
[rm -rf /usr/bin/wireshark]
/usr/sbin/rm
[rm -rf /usr/bin/wireshark]
/usr/bin/rm
[rm -rf /usr/bin/wireshark]
/sbin/rm
[rm -rf /usr/bin/wireshark]
/bin/rm
[rm -rf /usr/bin/wireshark]
/usr/local/sbin/rm
[rm -rf /usr/bin/dumpcap]
/usr/local/bin/rm
[rm -rf /usr/bin/dumpcap]
/usr/sbin/rm
[rm -rf /usr/bin/dumpcap]
/usr/bin/rm
[rm -rf /usr/bin/dumpcap]
/sbin/rm
[rm -rf /usr/bin/dumpcap]
/bin/rm
[rm -rf /usr/bin/dumpcap]
/usr/local/sbin/rm
[rm -rf /usr/bin/windump]
/usr/local/bin/rm
[rm -rf /usr/bin/windump]
/usr/sbin/rm
[rm -rf /usr/bin/windump]
/usr/bin/rm
[rm -rf /usr/bin/windump]
/sbin/rm
[rm -rf /usr/bin/windump]
/bin/rm
[rm -rf /usr/bin/windump]
/usr/local/sbin/rm
[rm -rf /usr/sbin/dsniff]
/usr/local/bin/rm
[rm -rf /usr/sbin/dsniff]
/usr/sbin/rm
[rm -rf /usr/sbin/dsniff]
/usr/bin/rm
[rm -rf /usr/sbin/dsniff]
/sbin/rm
[rm -rf /usr/sbin/dsniff]
/bin/rm
[rm -rf /usr/sbin/dsniff]
/usr/local/sbin/rm
[rm -rf /usr/sbin/ettercap]
/usr/local/bin/rm
[rm -rf /usr/sbin/ettercap]
/usr/sbin/rm
[rm -rf /usr/sbin/ettercap]
/usr/bin/rm
[rm -rf /usr/sbin/ettercap]
/sbin/rm
[rm -rf /usr/sbin/ettercap]
/bin/rm
[rm -rf /usr/sbin/ettercap]
/usr/local/sbin/rm
[rm -rf /usr/sbin/dumpcap]
/usr/local/bin/rm
[rm -rf /usr/sbin/dumpcap]
/usr/sbin/rm
[rm -rf /usr/sbin/dumpcap]
/usr/bin/rm
[rm -rf /usr/sbin/dumpcap]
/sbin/rm
[rm -rf /usr/sbin/dumpcap]
/bin/rm
[rm -rf /usr/sbin/dumpcap]
/usr/local/sbin/rm
[rm -rf /usr/sbin/wireshark]
/usr/local/bin/rm
[rm -rf /usr/sbin/wireshark]
/usr/sbin/rm
[rm -rf /usr/sbin/wireshark]
/usr/bin/rm
[rm -rf /usr/sbin/wireshark]
/sbin/rm
[rm -rf /usr/sbin/wireshark]
/bin/rm
[rm -rf /usr/sbin/wireshark]
/usr/local/sbin/rm
[rm -rf /usr/sbin/tshark]
/usr/local/bin/rm
[rm -rf /usr/sbin/tshark]
/usr/sbin/rm
[rm -rf /usr/sbin/tshark]
/usr/bin/rm
[rm -rf /usr/sbin/tshark]
/sbin/rm
[rm -rf /usr/sbin/tshark]
/bin/rm
[rm -rf /usr/sbin/tshark]
/usr/local/sbin/rm
[rm -rf /usr/sbin/tcpdump]
/usr/local/bin/rm
[rm -rf /usr/sbin/tcpdump]
/usr/sbin/rm
[rm -rf /usr/sbin/tcpdump]
/usr/bin/rm
[rm -rf /usr/sbin/tcpdump]
/sbin/rm
[rm -rf /usr/sbin/tcpdump]
/bin/rm
[rm -rf /usr/sbin/tcpdump]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | tcpdown.su | udp |
| US | 1.1.1.1:53 | tcpdown.su | udp |
| US | 104.168.32.17:21425 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 151.101.130.49:443 | | tcp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 151.101.194.49:443 | cdn.fwupd.org | tcp |
| US | 151.101.1.91:443 | | tcp |
| GB | 89.187.167.3:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 151.101.1.91:443 | | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 195.181.164.19:443 | 1527653184.rsc.cdn77.org | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |