Malware Analysis Report

2024-11-15 05:15

Sample ID 240417-qve92abc81
Target 648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf
SHA256 648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b
Tags
mirai mirai evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b

Threat Level: Known bad

The file 648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf was found to be: Known bad.

Malicious Activity Summary

mirai mirai evasion

Mirai family

Changes its process name

Deletes itself

Deletes system logs

Deletes Audit logs

Deletes journal logs

Modifies Watchdog functionality

Reads CPU attributes

Enumerates running processes

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 13:34

Signatures

Mirai family

mirai

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 13:34

Reported

2024-04-17 13:44

Platform

ubuntu1804-amd64-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

[/tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf]

Signatures

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself 5awto8gpm0ftqfwr60cwiafpkigt7u5t /tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf N/A

Deletes Audit logs

evasion
Description Indicator Process Target
File deleted /var/log/audit/audit.log N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf N/A

Deletes journal logs

evasion
Description Indicator Process Target
File deleted /var/log/journal/11c67417355f45d397f6be11f62e85a6/system.journal N/A N/A

Deletes system logs

evasion
Description Indicator Process Target
File deleted /var/log/syslog N/A N/A

Modifies Watchdog functionality

Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf N/A
File opened for modification /dev/misc/watchdog /tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf N/A

Enumerates running processes

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/83/cmdline /usr/bin/pkill N/A
File opened for reading /proc/466/status /usr/bin/pkill N/A
File opened for reading /proc/1043/status /usr/bin/pkill N/A
File opened for reading /proc/1113/cmdline /usr/bin/pkill N/A
File opened for reading /proc/6/cmdline /usr/bin/pkill N/A
File opened for reading /proc/408/status /usr/bin/pkill N/A
File opened for reading /proc/1318/cmdline /usr/bin/pkill N/A
File opened for reading /proc/13/cmdline /usr/bin/pkill N/A
File opened for reading /proc/653/status /usr/bin/pkill N/A
File opened for reading /proc/722/cmdline /usr/bin/pkill N/A
File opened for reading /proc/155/status /usr/bin/pkill N/A
File opened for reading /proc/1127/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1161/status /usr/bin/pkill N/A
File opened for reading /proc/26/cmdline N/A N/A
File opened for reading /proc/414/status /usr/bin/pkill N/A
File opened for reading /proc/13/status /usr/bin/pkill N/A
File opened for reading /proc/666/status /usr/bin/pkill N/A
File opened for reading /proc/722/status /usr/bin/pkill N/A
File opened for reading /proc/19/status /usr/bin/pkill N/A
File opened for reading /proc/472/cmdline N/A N/A
File opened for reading /proc/162/status /usr/bin/pkill N/A
File opened for reading /proc/653/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1523/status /usr/bin/pkill N/A
File opened for reading /proc/1567/cmdline N/A N/A
File opened for reading /proc/547/cmdline /usr/bin/pkill N/A
File opened for reading /proc/466/cmdline /usr/bin/pkill N/A
File opened for reading /proc/947/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1169/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1191/status /usr/bin/pkill N/A
File opened for reading /proc/156/status /usr/bin/pkill N/A
File opened for reading /proc/30/cmdline /usr/bin/pkill N/A
File opened for reading /proc/411/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1512/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1513/cmdline /usr/bin/pkill N/A
File opened for reading /proc/30/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1191/status /usr/bin/pkill N/A
File opened for reading /proc/165/status /usr/bin/pkill N/A
File opened for reading /proc/248/status /usr/bin/pkill N/A
File opened for reading /proc/1099/status /usr/bin/pkill N/A
File opened for reading /proc/1154/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1182/cmdline /usr/bin/pkill N/A
File opened for reading /proc/547/cmdline N/A N/A
File opened for reading /proc/157/status /usr/bin/pkill N/A
File opened for reading /proc/1115/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1525/cmdline /usr/bin/pkill N/A
File opened for reading /proc/78/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1295/status /usr/bin/pkill N/A
File opened for reading /proc/1288/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1512/cmdline /usr/bin/pkill N/A
File opened for reading /proc/958/cmdline /usr/bin/pkill N/A
File opened for reading /proc/165/cmdline /usr/bin/pkill N/A
File opened for reading /proc/268/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1288/cmdline /usr/bin/pkill N/A
File opened for reading /proc/161/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1244/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1431/cmdline N/A N/A
File opened for reading /proc/22/cmdline /usr/bin/pkill N/A
File opened for reading /proc/167/cmdline /usr/bin/pkill N/A
File opened for reading /proc/509/status /usr/bin/pkill N/A
File opened for reading /proc/1191/status /usr/bin/pkill N/A
File opened for reading /proc/1/status /usr/bin/pkill N/A
File opened for reading /proc/1318/status /usr/bin/pkill N/A
File opened for reading /proc/248/cmdline /usr/bin/pkill N/A
File opened for reading /proc/2/cmdline /usr/bin/pkill N/A

Processes

/tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf

[/tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf]

/usr/local/sbin/pkill

[pkill dumpcap]

/usr/local/bin/pkill

[pkill dumpcap]

/usr/sbin/pkill

[pkill dumpcap]

/usr/bin/pkill

[pkill dumpcap]

/usr/local/sbin/pkill

[pkill ettercap]

/usr/local/bin/pkill

[pkill ettercap]

/usr/sbin/pkill

[pkill ettercap]

/usr/bin/pkill

[pkill ettercap]

/usr/local/sbin/pkill

[pkill wireshark]

/usr/local/bin/pkill

[pkill wireshark]

/usr/sbin/pkill

[pkill wireshark]

/usr/bin/pkill

[pkill wireshark]

/usr/local/sbin/pkill

[pkill dsniff]

/usr/local/bin/pkill

[pkill dsniff]

/usr/sbin/pkill

[pkill dsniff]

/usr/bin/pkill

[pkill dsniff]

/usr/local/sbin/pkill

[pkill ngrep]

/usr/local/bin/pkill

[pkill ngrep]

/usr/sbin/pkill

[pkill ngrep]

/usr/bin/pkill

[pkill ngrep]

/usr/local/sbin/pkill

[pkill tshark]

/usr/local/bin/pkill

[pkill tshark]

/usr/sbin/pkill

[pkill tshark]

/usr/bin/pkill

[pkill tshark]

/usr/local/sbin/pkill

[pkill tcpflow]

/usr/local/bin/pkill

[pkill tcpflow]

/usr/sbin/pkill

[pkill tcpflow]

/usr/local/sbin/pkill

[pkill windump]

/usr/local/sbin/pkill

[pkill netsniff-ng]

/usr/bin/pkill

[pkill tcpflow]

/usr/local/bin/pkill

[pkill windump]

/usr/local/bin/pkill

[pkill netsniff-ng]

/usr/sbin/pkill

[pkill windump]

/usr/sbin/pkill

[pkill netsniff-ng]

/usr/bin/pkill

[pkill windump]

/usr/bin/pkill

[pkill netsniff-ng]

/usr/local/sbin/pkill

[pkill tcpdump]

/usr/local/bin/pkill

[pkill tcpdump]

/usr/sbin/pkill

[pkill tcpdump]

/usr/bin/pkill

[pkill tcpdump]

/usr/local/sbin/rm

[rm -rf /usr/bin/ettercap]

/usr/local/bin/rm

[rm -rf /usr/bin/ettercap]

/usr/sbin/rm

[rm -rf /usr/bin/ettercap]

/usr/bin/rm

[rm -rf /usr/bin/ettercap]

/sbin/rm

[rm -rf /usr/bin/ettercap]

/bin/rm

[rm -rf /usr/bin/ettercap]

/usr/local/sbin/rm

[rm -rf /usr/bin/dsniff]

/usr/local/bin/rm

[rm -rf /usr/bin/dsniff]

/usr/sbin/rm

[rm -rf /usr/bin/dsniff]

/usr/bin/rm

[rm -rf /usr/bin/dsniff]

/sbin/rm

[rm -rf /usr/bin/dsniff]

/bin/rm

[rm -rf /usr/bin/dsniff]

/usr/local/sbin/rm

[rm -rf /usr/bin/ngrep]

/usr/local/bin/rm

[rm -rf /usr/bin/ngrep]

/usr/sbin/rm

[rm -rf /usr/bin/ngrep]

/usr/bin/rm

[rm -rf /usr/bin/ngrep]

/sbin/rm

[rm -rf /usr/bin/ngrep]

/bin/rm

[rm -rf /usr/bin/ngrep]

/usr/local/sbin/rm

[rm -rf /usr/bin/tcpflow]

/usr/local/bin/rm

[rm -rf /usr/bin/tcpflow]

/usr/sbin/rm

[rm -rf /usr/bin/tcpflow]

/usr/bin/rm

[rm -rf /usr/bin/tcpflow]

/sbin/rm

[rm -rf /usr/bin/tcpflow]

/bin/rm

[rm -rf /usr/bin/tcpflow]

/usr/local/sbin/rm

[rm -rf /usr/bin/netsniff-ng]

/usr/local/bin/rm

[rm -rf /usr/bin/netsniff-ng]

/usr/sbin/rm

[rm -rf /usr/bin/netsniff-ng]

/usr/bin/rm

[rm -rf /usr/bin/netsniff-ng]

/sbin/rm

[rm -rf /usr/bin/netsniff-ng]

/bin/rm

[rm -rf /usr/bin/netsniff-ng]

/usr/local/sbin/rm

[rm -rf /usr/sbin/ngrep]

/usr/local/bin/rm

[rm -rf /usr/sbin/ngrep]

/usr/sbin/rm

[rm -rf /usr/sbin/ngrep]

/usr/bin/rm

[rm -rf /usr/sbin/ngrep]

/sbin/rm

[rm -rf /usr/sbin/ngrep]

/bin/rm

[rm -rf /usr/sbin/ngrep]

/usr/local/sbin/rm

[rm -rf /usr/sbin/tcpflow]

/usr/local/bin/rm

[rm -rf /usr/sbin/tcpflow]

/usr/sbin/rm

[rm -rf /usr/sbin/tcpflow]

/usr/bin/rm

[rm -rf /usr/sbin/tcpflow]

/sbin/rm

[rm -rf /usr/sbin/tcpflow]

/bin/rm

[rm -rf /usr/sbin/tcpflow]

/usr/local/sbin/rm

[rm -rf /usr/sbin/windump]

/usr/local/bin/rm

[rm -rf /usr/sbin/windump]

/usr/sbin/rm

[rm -rf /usr/sbin/windump]

/usr/bin/rm

[rm -rf /usr/sbin/windump]

/sbin/rm

[rm -rf /usr/sbin/windump]

/bin/rm

[rm -rf /usr/sbin/windump]

/usr/local/sbin/rm

[rm -rf /usr/sbin/netsniff-ng]

/usr/local/bin/rm

[rm -rf /usr/sbin/netsniff-ng]

/usr/sbin/rm

[rm -rf /usr/sbin/netsniff-ng]

/usr/bin/rm

[rm -rf /usr/sbin/netsniff-ng]

/sbin/rm

[rm -rf /usr/sbin/netsniff-ng]

/bin/rm

[rm -rf /usr/sbin/netsniff-ng]

/usr/local/sbin/rm

[rm -rf /usr/bin/tcpdump]

/usr/local/bin/rm

[rm -rf /usr/bin/tcpdump]

/usr/sbin/rm

[rm -rf /usr/bin/tcpdump]

/usr/bin/rm

[rm -rf /usr/bin/tcpdump]

/sbin/rm

[rm -rf /usr/bin/tcpdump]

/bin/rm

[rm -rf /usr/bin/tcpdump]

/usr/local/sbin/rm

[rm -rf /usr/bin/tshark]

/usr/local/bin/rm

[rm -rf /usr/bin/tshark]

/usr/sbin/rm

[rm -rf /usr/bin/tshark]

/usr/bin/rm

[rm -rf /usr/bin/tshark]

/sbin/rm

[rm -rf /usr/bin/tshark]

/bin/rm

[rm -rf /usr/bin/tshark]

/usr/local/sbin/rm

[rm -rf /usr/bin/wireshark]

/usr/local/bin/rm

[rm -rf /usr/bin/wireshark]

/usr/sbin/rm

[rm -rf /usr/bin/wireshark]

/usr/bin/rm

[rm -rf /usr/bin/wireshark]

/sbin/rm

[rm -rf /usr/bin/wireshark]

/bin/rm

[rm -rf /usr/bin/wireshark]

/usr/local/sbin/rm

[rm -rf /usr/bin/dumpcap]

/usr/local/bin/rm

[rm -rf /usr/bin/dumpcap]

/usr/sbin/rm

[rm -rf /usr/bin/dumpcap]

/usr/bin/rm

[rm -rf /usr/bin/dumpcap]

/sbin/rm

[rm -rf /usr/bin/dumpcap]

/bin/rm

[rm -rf /usr/bin/dumpcap]

/usr/local/sbin/rm

[rm -rf /usr/bin/windump]

/usr/local/bin/rm

[rm -rf /usr/bin/windump]

/usr/sbin/rm

[rm -rf /usr/bin/windump]

/usr/bin/rm

[rm -rf /usr/bin/windump]

/sbin/rm

[rm -rf /usr/bin/windump]

/bin/rm

[rm -rf /usr/bin/windump]

/usr/local/sbin/rm

[rm -rf /usr/sbin/dsniff]

/usr/local/bin/rm

[rm -rf /usr/sbin/dsniff]

/usr/sbin/rm

[rm -rf /usr/sbin/dsniff]

/usr/bin/rm

[rm -rf /usr/sbin/dsniff]

/sbin/rm

[rm -rf /usr/sbin/dsniff]

/bin/rm

[rm -rf /usr/sbin/dsniff]

/usr/local/sbin/rm

[rm -rf /usr/sbin/ettercap]

/usr/local/bin/rm

[rm -rf /usr/sbin/ettercap]

/usr/sbin/rm

[rm -rf /usr/sbin/ettercap]

/usr/bin/rm

[rm -rf /usr/sbin/ettercap]

/sbin/rm

[rm -rf /usr/sbin/ettercap]

/bin/rm

[rm -rf /usr/sbin/ettercap]

/usr/local/sbin/rm

[rm -rf /usr/sbin/dumpcap]

/usr/local/bin/rm

[rm -rf /usr/sbin/dumpcap]

/usr/sbin/rm

[rm -rf /usr/sbin/dumpcap]

/usr/bin/rm

[rm -rf /usr/sbin/dumpcap]

/sbin/rm

[rm -rf /usr/sbin/dumpcap]

/bin/rm

[rm -rf /usr/sbin/dumpcap]

/usr/local/sbin/rm

[rm -rf /usr/sbin/wireshark]

/usr/local/bin/rm

[rm -rf /usr/sbin/wireshark]

/usr/sbin/rm

[rm -rf /usr/sbin/wireshark]

/usr/bin/rm

[rm -rf /usr/sbin/wireshark]

/sbin/rm

[rm -rf /usr/sbin/wireshark]

/bin/rm

[rm -rf /usr/sbin/wireshark]

/usr/local/sbin/rm

[rm -rf /usr/sbin/tshark]

/usr/local/bin/rm

[rm -rf /usr/sbin/tshark]

/usr/sbin/rm

[rm -rf /usr/sbin/tshark]

/usr/bin/rm

[rm -rf /usr/sbin/tshark]

/sbin/rm

[rm -rf /usr/sbin/tshark]

/bin/rm

[rm -rf /usr/sbin/tshark]

/usr/local/sbin/rm

[rm -rf /usr/sbin/tcpdump]

/usr/local/bin/rm

[rm -rf /usr/sbin/tcpdump]

/usr/sbin/rm

[rm -rf /usr/sbin/tcpdump]

/usr/bin/rm

[rm -rf /usr/sbin/tcpdump]

/sbin/rm

[rm -rf /usr/sbin/tcpdump]

/bin/rm

[rm -rf /usr/sbin/tcpdump]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 tcpdown.su udp
US 1.1.1.1:53 tcpdown.su udp
US 104.168.32.17:21425 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 151.101.130.49:443 tcp
US 1.1.1.1:53 cdn.fwupd.org udp
US 1.1.1.1:53 cdn.fwupd.org udp
US 151.101.194.49:443 cdn.fwupd.org tcp
US 151.101.1.91:443 tcp
GB 89.187.167.3:443 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.62:443 tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 151.101.1.91:443 tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 195.181.164.19:443 1527653184.rsc.cdn77.org tcp
US 104.168.45.11:7722 tcpdown.su tcp

Files

N/A