Analysis Overview
SHA256
7f3e57bdde7a07c2adc37982642f42c1fe23be702b2d018bcdf41c97c0ac5060
Threat Level: Known bad
The file 7f3e57bdde7a07c2adc37982642f42c1fe23be702b2d018bcdf41c97c0ac5060.elf was found to be: Known bad.
Malicious Activity Summary
Mirai family
Deletes itself
Changes its process name
Enumerates running processes
Reads runtime system information
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-18 01:32
Signatures
Mirai family
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-18 01:32
Reported
2024-04-18 01:36
Platform
ubuntu2004-amd64-20240221-en
Max time kernel
139s
Max time network
154s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | httpd | /tmp/7f3e57bdde7a07c2adc37982642f42c1fe23be702b2d018bcdf41c97c0ac5060.elf | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates running processes
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/1005/cmdline | N/A | N/A |
| File opened for reading | /proc/1101/cmdline | N/A | N/A |
| File opened for reading | /proc/170/cmdline | N/A | N/A |
| File opened for reading | /proc/639/cmdline | N/A | N/A |
| File opened for reading | /proc/768/cmdline | N/A | N/A |
| File opened for reading | /proc/444/cmdline | N/A | N/A |
| File opened for reading | /proc/980/cmdline | N/A | N/A |
| File opened for reading | /proc/1048/cmdline | N/A | N/A |
| File opened for reading | /proc/1104/cmdline | N/A | N/A |
| File opened for reading | /proc/159/cmdline | N/A | N/A |
| File opened for reading | /proc/505/cmdline | N/A | N/A |
| File opened for reading | /proc/1086/cmdline | N/A | N/A |
| File opened for reading | /proc/1075/cmdline | N/A | N/A |
| File opened for reading | /proc/91/cmdline | N/A | N/A |
| File opened for reading | /proc/810/cmdline | N/A | N/A |
| File opened for reading | /proc/1061/cmdline | N/A | N/A |
| File opened for reading | /proc/807/cmdline | N/A | N/A |
| File opened for reading | /proc/21/cmdline | N/A | N/A |
| File opened for reading | /proc/116/cmdline | N/A | N/A |
| File opened for reading | /proc/404/cmdline | N/A | N/A |
| File opened for reading | /proc/899/cmdline | N/A | N/A |
| File opened for reading | /proc/1035/cmdline | N/A | N/A |
| File opened for reading | /proc/1089/cmdline | N/A | N/A |
| File opened for reading | /proc/22/cmdline | N/A | N/A |
| File opened for reading | /proc/177/cmdline | N/A | N/A |
| File opened for reading | /proc/401/cmdline | N/A | N/A |
| File opened for reading | /proc/168/cmdline | N/A | N/A |
| File opened for reading | /proc/171/cmdline | N/A | N/A |
| File opened for reading | /proc/201/cmdline | N/A | N/A |
| File opened for reading | /proc/1004/cmdline | N/A | N/A |
| File opened for reading | /proc/1040/cmdline | N/A | N/A |
| File opened for reading | /proc/15/cmdline | N/A | N/A |
| File opened for reading | /proc/16/cmdline | N/A | N/A |
| File opened for reading | /proc/93/cmdline | N/A | N/A |
| File opened for reading | /proc/446/cmdline | N/A | N/A |
| File opened for reading | /proc/460/cmdline | N/A | N/A |
| File opened for reading | /proc/815/cmdline | N/A | N/A |
| File opened for reading | /proc/903/cmdline | N/A | N/A |
| File opened for reading | /proc/923/cmdline | N/A | N/A |
| File opened for reading | /proc/74/cmdline | N/A | N/A |
| File opened for reading | /proc/79/cmdline | N/A | N/A |
| File opened for reading | /proc/90/cmdline | N/A | N/A |
| File opened for reading | /proc/400/cmdline | N/A | N/A |
| File opened for reading | /proc/572/cmdline | N/A | N/A |
| File opened for reading | /proc/242/cmdline | N/A | N/A |
| File opened for reading | /proc/499/cmdline | N/A | N/A |
| File opened for reading | /proc/834/cmdline | N/A | N/A |
| File opened for reading | /proc/3/cmdline | N/A | N/A |
| File opened for reading | /proc/70/cmdline | N/A | N/A |
| File opened for reading | /proc/87/cmdline | N/A | N/A |
| File opened for reading | /proc/790/cmdline | N/A | N/A |
| File opened for reading | /proc/969/cmdline | N/A | N/A |
| File opened for reading | /proc/1030/cmdline | N/A | N/A |
| File opened for reading | /proc/164/cmdline | N/A | N/A |
| File opened for reading | /proc/489/cmdline | N/A | N/A |
| File opened for reading | /proc/700/cmdline | N/A | N/A |
| File opened for reading | /proc/12/cmdline | N/A | N/A |
| File opened for reading | /proc/13/cmdline | N/A | N/A |
| File opened for reading | /proc/76/cmdline | N/A | N/A |
| File opened for reading | /proc/160/cmdline | N/A | N/A |
| File opened for reading | /proc/906/cmdline | N/A | N/A |
| File opened for reading | /proc/23/cmdline | N/A | N/A |
| File opened for reading | /proc/78/cmdline | N/A | N/A |
| File opened for reading | /proc/119/cmdline | N/A | N/A |
Processes
/tmp/7f3e57bdde7a07c2adc37982642f42c1fe23be702b2d018bcdf41c97c0ac5060.elf
[/tmp/7f3e57bdde7a07c2adc37982642f42c1fe23be702b2d018bcdf41c97c0ac5060.elf]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | kovey.mezo-api.xyz | udp |
| US | 8.8.8.8:53 | kovey.mezo-api.xyz | udp |
| DE | 45.131.111.219:33966 | kovey.mezo-api.xyz | tcp |
| NL | 89.190.156.145:7733 | | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | _http._tcp.security.ubuntu.com | udp |
| US | 1.1.1.1:53 | _http._tcp.nl.archive.ubuntu.com | udp |
| US | 1.1.1.1:53 | _https._tcp.deb.nodesource.com | udp |
| US | 1.1.1.1:53 | security.ubuntu.com | udp |
| US | 1.1.1.1:53 | security.ubuntu.com | udp |
| US | 1.1.1.1:53 | deb.nodesource.com | udp |
| US | 1.1.1.1:53 | deb.nodesource.com | udp |
| US | 1.1.1.1:53 | nl.archive.ubuntu.com | udp |
| US | 1.1.1.1:53 | nl.archive.ubuntu.com | udp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| GB | 185.125.190.39:80 | security.ubuntu.com | tcp |
| US | 104.22.4.26:443 | deb.nodesource.com | tcp |
| US | 151.101.194.49:443 | cdn.fwupd.org | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| US | 1.1.1.1:53 | _https._tcp.motd.ubuntu.com | udp |
| US | 151.101.194.49:443 | cdn.fwupd.org | tcp |
| US | 1.1.1.1:53 | motd.ubuntu.com | udp |
| US | 1.1.1.1:53 | motd.ubuntu.com | udp |
| US | 1.1.1.1:53 | _https._tcp.esm.ubuntu.com | udp |
| IE | 54.171.230.55:443 | motd.ubuntu.com | tcp |
| US | 1.1.1.1:53 | esm.ubuntu.com | udp |
| US | 1.1.1.1:53 | esm.ubuntu.com | udp |
| US | 91.189.91.47:443 | esm.ubuntu.com | tcp |
| IE | 54.217.10.153:443 | motd.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| IE | 34.254.182.186:443 | motd.ubuntu.com | tcp |
| GB | 185.125.190.39:80 | security.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| US | 8.8.8.8:53 | kovey.mezo-api.xyz | udp |
| US | 8.8.8.8:53 | kovey.mezo-api.xyz | udp |
| DE | 45.131.111.219:33966 | kovey.mezo-api.xyz | tcp |
| US | 8.8.8.8:53 | kovey.mezo-api.xyz | udp |
| US | 8.8.8.8:53 | kovey.mezo-api.xyz | udp |
| DE | 45.131.111.219:33966 | kovey.mezo-api.xyz | tcp |
| US | 8.8.8.8:53 | kovey.mezo-api.xyz | udp |
| US | 8.8.8.8:53 | kovey.mezo-api.xyz | udp |
| DE | 45.131.111.219:33966 | kovey.mezo-api.xyz | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |