Malware Analysis Report

2025-03-15 01:50

Sample ID 240417-zw6ytaeb35
Target 9aa40bc92960f7ac9e5c82ea281c8a4f.elf
SHA256 f098d12665d98ff11f90248d91a601163e410a423bb9b2d1c4be297b8b3a00bc
Tags
botnet mirai
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f098d12665d98ff11f90248d91a601163e410a423bb9b2d1c4be297b8b3a00bc

Threat Level: Known bad

The file 9aa40bc92960f7ac9e5c82ea281c8a4f.elf was found to be: Known bad.

Malicious Activity Summary

botnet mirai

Mirai family

Changes its process name

Deletes itself

Enumerates running processes

Reads runtime system information

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-17 21:05

Signatures

Mirai family

mirai

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 21:05

Reported

2024-04-17 21:07

Platform

ubuntu1804-amd64-20240226-en

Max time kernel

133s

Max time network

145s

Command Line

[/tmp/9aa40bc92960f7ac9e5c82ea281c8a4f.elf]

Signatures

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself httpd /tmp/9aa40bc92960f7ac9e5c82ea281c8a4f.elf N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates running processes

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/740/cmdline N/A N/A
File opened for reading /proc/1080/cmdline N/A N/A
File opened for reading /proc/1162/cmdline N/A N/A
File opened for reading /proc/172/cmdline N/A N/A
File opened for reading /proc/542/cmdline N/A N/A
File opened for reading /proc/1042/cmdline N/A N/A
File opened for reading /proc/665/cmdline N/A N/A
File opened for reading /proc/905/cmdline N/A N/A
File opened for reading /proc/80/cmdline N/A N/A
File opened for reading /proc/423/cmdline N/A N/A
File opened for reading /proc/509/cmdline N/A N/A
File opened for reading /proc/475/cmdline N/A N/A
File opened for reading /proc/685/cmdline N/A N/A
File opened for reading /proc/25/cmdline N/A N/A
File opened for reading /proc/170/cmdline N/A N/A
File opened for reading /proc/211/cmdline N/A N/A
File opened for reading /proc/484/cmdline N/A N/A
File opened for reading /proc/1095/cmdline N/A N/A
File opened for reading /proc/4/cmdline N/A N/A
File opened for reading /proc/19/cmdline N/A N/A
File opened for reading /proc/171/cmdline N/A N/A
File opened for reading /proc/175/cmdline N/A N/A
File opened for reading /proc/336/cmdline N/A N/A
File opened for reading /proc/1071/cmdline N/A N/A
File opened for reading /proc/12/cmdline N/A N/A
File opened for reading /proc/82/cmdline N/A N/A
File opened for reading /proc/169/cmdline N/A N/A
File opened for reading /proc/570/cmdline N/A N/A
File opened for reading /proc/1157/cmdline N/A N/A
File opened for reading /proc/16/cmdline N/A N/A
File opened for reading /proc/182/cmdline N/A N/A
File opened for reading /proc/183/cmdline N/A N/A
File opened for reading /proc/35/cmdline N/A N/A
File opened for reading /proc/543/cmdline N/A N/A
File opened for reading /proc/552/cmdline N/A N/A
File opened for reading /proc/81/cmdline N/A N/A
File opened for reading /proc/84/cmdline N/A N/A
File opened for reading /proc/212/cmdline N/A N/A
File opened for reading /proc/168/cmdline N/A N/A
File opened for reading /proc/619/cmdline N/A N/A
File opened for reading /proc/1127/cmdline N/A N/A
File opened for reading /proc/1132/cmdline N/A N/A
File opened for reading /proc/30/cmdline N/A N/A
File opened for reading /proc/34/cmdline N/A N/A
File opened for reading /proc/83/cmdline N/A N/A
File opened for reading /proc/436/cmdline N/A N/A
File opened for reading /proc/448/cmdline N/A N/A
File opened for reading /proc/8/cmdline N/A N/A
File opened for reading /proc/20/cmdline N/A N/A
File opened for reading /proc/173/cmdline N/A N/A
File opened for reading /proc/11/cmdline N/A N/A
File opened for reading /proc/18/cmdline N/A N/A
File opened for reading /proc/558/cmdline N/A N/A
File opened for reading /proc/5/cmdline N/A N/A
File opened for reading /proc/1099/cmdline N/A N/A
File opened for reading /proc/1136/cmdline N/A N/A
File opened for reading /proc/10/cmdline N/A N/A
File opened for reading /proc/186/cmdline N/A N/A
File opened for reading /proc/332/cmdline N/A N/A
File opened for reading /proc/253/cmdline N/A N/A
File opened for reading /proc/444/cmdline N/A N/A
File opened for reading /proc/691/cmdline N/A N/A
File opened for reading /proc/36/cmdline N/A N/A
File opened for reading /proc/98/cmdline N/A N/A

Processes

/tmp/9aa40bc92960f7ac9e5c82ea281c8a4f.elf

[/tmp/9aa40bc92960f7ac9e5c82ea281c8a4f.elf]

Network

Country Destination Domain Proto
US 8.8.8.8:53 kovey.mezo-api.xyz udp
NL 89.190.156.145:7733 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 151.101.194.49:443 tcp
DE 45.131.111.219:33966 kovey.mezo-api.xyz tcp
US 1.1.1.1:53 cdn.fwupd.org udp
US 1.1.1.1:53 cdn.fwupd.org udp
US 151.101.194.49:443 cdn.fwupd.org tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.129.91:443 tcp
US 151.101.129.91:443 tcp
GB 89.187.167.3:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
DE 45.131.111.219:33966 kovey.mezo-api.xyz tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
DE 45.131.111.219:33966 kovey.mezo-api.xyz tcp

Files

N/A