Analysis Overview
SHA256
57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d
Threat Level: Known bad
The file 57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d.elf was found to be: Known bad.
Malicious Activity Summary
Mirai family
Changes its process name
Deletes itself
Modifies Watchdog functionality
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-19 13:44
Signatures
Mirai family
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-19 13:44
Reported
2024-04-19 13:47
Platform
debian9-armhf-20240226-en
Max time kernel
132s
Max time network
148s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Changes the process name, possibly in an attempt to hide itself | c6v3kvp850tolu48kbqougvlm1n3 | /tmp/57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d.elf | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /tmp/57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d.elf | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /dev/watchdog | /tmp/57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/222/cmdline | N/A | N/A |
| File opened for reading | /proc/6666�0/cmdline | N/A | N/A |
| File opened for reading | /proc/6666�4/cmdline | N/A | N/A |
| File opened for reading | /proc/444s�"/cmdline | N/A | N/A |
| File opened for reading | /proc/1111"-/cmdline | N/A | N/A |
| File opened for reading | /proc/1111�%/cmdline | N/A | N/A |
| File opened for reading | /proc/2222+/cmdline | N/A | N/A |
| File opened for reading | /proc/2222�,/cmdline | N/A | N/A |
| File opened for reading | /proc/3333/cmdline | N/A | N/A |
| File opened for reading | /proc/666644/cmdline | N/A | N/A |
| File opened for reading | /proc/6666�4/cmdline | N/A | N/A |
| File opened for reading | /proc/6666�4/cmdline | N/A | N/A |
| File opened for reading | /proc/6666�4/cmdline | N/A | N/A |
| File opened for reading | /proc/6666�4/cmdline | N/A | N/A |
| File opened for reading | /proc/66667/cmdline | N/A | N/A |
| File opened for reading | /proc/1111!-/cmdline | N/A | N/A |
| File opened for reading | /proc/1111#-/cmdline | N/A | N/A |
| File opened for reading | /proc/6666%1/cmdline | N/A | N/A |
| File opened for reading | /proc/999�"/cmdline | N/A | N/A |
| File opened for reading | /proc/2222�*/cmdline | N/A | N/A |
| File opened for reading | /proc/2222C+/cmdline | N/A | N/A |
| File opened for reading | /proc/5555�0/cmdline | N/A | N/A |
| File opened for reading | /proc/111m�"/cmdline | N/A | N/A |
| File opened for reading | /proc/222l�"/cmdline | N/A | N/A |
| File opened for reading | /proc/222s�"/cmdline | N/A | N/A |
| File opened for reading | /proc/1111�"/cmdline | N/A | N/A |
| File opened for reading | /proc/11/cmdline | N/A | N/A |
| File opened for reading | /proc/33/cmdline | N/A | N/A |
| File opened for reading | /proc/222�"/cmdline | N/A | N/A |
| File opened for reading | /proc/6666+1/cmdline | N/A | N/A |
| File opened for reading | /proc/6666�4/cmdline | N/A | N/A |
| File opened for reading | /proc/77/cmdline | N/A | N/A |
| File opened for reading | /proc/99/cmdline | N/A | N/A |
| File opened for reading | /proc/222v�"/cmdline | N/A | N/A |
| File opened for reading | /proc/6666�4/cmdline | N/A | N/A |
| File opened for reading | /proc/111�"/cmdline | N/A | N/A |
| File opened for reading | /proc/3333�,/cmdline | N/A | N/A |
| File opened for reading | /proc/66/cmdline | N/A | N/A |
| File opened for reading | /proc/111�"/cmdline | N/A | N/A |
| File opened for reading | /proc/1111�#/cmdline | N/A | N/A |
| File opened for reading | /proc/2222@*/cmdline | N/A | N/A |
| File opened for reading | /proc/3333�4/cmdline | N/A | N/A |
| File opened for reading | /proc/6666�4/cmdline | N/A | N/A |
| File opened for reading | /proc/222i�"/cmdline | N/A | N/A |
| File opened for reading | /proc/22/cmdline | N/A | N/A |
| File opened for reading | /proc/1111 -/cmdline | N/A | N/A |
| File opened for reading | /proc/111/cmdline | N/A | N/A |
| File opened for reading | /proc/111c�"/cmdline | N/A | N/A |
| File opened for reading | /proc/444/cmdline | N/A | N/A |
| File opened for reading | /proc/2222x+/cmdline | N/A | N/A |
| File opened for reading | /proc/6666�3/cmdline | N/A | N/A |
| File opened for reading | /proc/222�"/cmdline | N/A | N/A |
| File opened for reading | /proc/44/cmdline | N/A | N/A |
| File opened for reading | /proc/88ll�"/cmdline | N/A | N/A |
| File opened for reading | /proc/1111�"/cmdline | N/A | N/A |
| File opened for reading | /proc/55/cmdline | N/A | N/A |
| File opened for reading | /proc/111c�"/cmdline | N/A | N/A |
| File opened for reading | /proc/777s�"/cmdline | N/A | N/A |
| File opened for reading | /proc/1111$-/cmdline | N/A | N/A |
| File opened for reading | /proc/3333�,/cmdline | N/A | N/A |
| File opened for reading | /proc/6666�4/cmdline | N/A | N/A |
| File opened for reading | /proc/2222)/cmdline | N/A | N/A |
Processes
/tmp/57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d.elf
[/tmp/57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d.elf]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 1.1.1.1:53 | tcpdown.su | udp |
| US | 1.1.1.1:53 | tcpdown.su(x@ | udp |
| US | 1.1.1.1:53 | tcpdown.su(x@ | udp |
| US | 1.1.1.1:53 | tcpdown.su(x@ | udp |
| US | 1.1.1.1:53 | tcpdown.su(x@ | udp |
| US | 1.1.1.1:53 | tcpdown.su(x@ | udp |
| US | 198.12.124.76:21425 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |