Malware Analysis Report

2025-03-15 01:51

Sample ID 240418-byfyeagf31
Target 7f3e57bdde7a07c2adc37982642f42c1fe23be702b2d018bcdf41c97c0ac5060.elf
SHA256 7f3e57bdde7a07c2adc37982642f42c1fe23be702b2d018bcdf41c97c0ac5060
Tags
botnet mirai
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7f3e57bdde7a07c2adc37982642f42c1fe23be702b2d018bcdf41c97c0ac5060

Threat Level: Known bad

The file 7f3e57bdde7a07c2adc37982642f42c1fe23be702b2d018bcdf41c97c0ac5060.elf was found to be: Known bad.

Malicious Activity Summary

botnet mirai

Mirai family

Deletes itself

Changes its process name

Enumerates running processes

Reads runtime system information

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-18 01:32

Signatures

Mirai family

mirai

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-18 01:32

Reported

2024-04-18 01:36

Platform

ubuntu2004-amd64-20240221-en

Max time kernel

139s

Max time network

154s

Command Line

[/tmp/7f3e57bdde7a07c2adc37982642f42c1fe23be702b2d018bcdf41c97c0ac5060.elf]

Signatures

Changes its process name

Description: Changes the process name, possibly in an attempt to hide itself
Indicator: httpd
Process: /tmp/7f3e57bdde7a07c2adc37982642f42c1fe23be702b2d018bcdf41c97c0ac5060.elf
Target: N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates running processes

Reads runtime system information


Processes

/tmp/7f3e57bdde7a07c2adc37982642f42c1fe23be702b2d018bcdf41c97c0ac5060.elf

[/tmp/7f3e57bdde7a07c2adc37982642f42c1fe23be702b2d018bcdf41c97c0ac5060.elf]

Network


Files

N/A