Malware Analysis Report

2024-11-15 05:12

Sample ID 240419-q13mhseg9x
Target 57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d.elf
SHA256 57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d
Tags
mirai mirai
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d

Threat Level: Known bad

The file 57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d.elf was found to be: Known bad.

Malicious Activity Summary

mirai mirai

Mirai family

Changes its process name

Deletes itself

Modifies Watchdog functionality

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 13:44

Signatures

Mirai family

mirai

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 13:44

Reported

2024-04-19 13:47

Platform

debian9-armhf-20240226-en

Max time kernel

132s

Max time network

148s

Command Line

[/tmp/57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d.elf]

Signatures

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself c6v3kvp850tolu48kbqougvlm1n3 /tmp/57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d.elf N/A

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d.elf N/A

Modifies Watchdog functionality

Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d.elf N/A
File opened for modification /dev/misc/watchdog /tmp/57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d.elf N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/222/cmdline N/A N/A
File opened for reading /proc/6666�0/cmdline N/A N/A
File opened for reading /proc/6666�4/cmdline N/A N/A
File opened for reading /proc/444s�"/cmdline N/A N/A
File opened for reading /proc/1111"-/cmdline N/A N/A
File opened for reading /proc/1111�%/cmdline N/A N/A
File opened for reading /proc/2222 +/cmdline N/A N/A
File opened for reading /proc/2222�,/cmdline N/A N/A
File opened for reading /proc/3333/cmdline N/A N/A
File opened for reading /proc/666644/cmdline N/A N/A
File opened for reading /proc/6666�4/cmdline N/A N/A
File opened for reading /proc/6666�4/cmdline N/A N/A
File opened for reading /proc/6666�4/cmdline N/A N/A
File opened for reading /proc/6666�4/cmdline N/A N/A
File opened for reading /proc/66667/cmdline N/A N/A
File opened for reading /proc/1111!-/cmdline N/A N/A
File opened for reading /proc/1111#-/cmdline N/A N/A
File opened for reading /proc/6666%1/cmdline N/A N/A
File opened for reading /proc/999�"/cmdline N/A N/A
File opened for reading /proc/2222�*/cmdline N/A N/A
File opened for reading /proc/2222C+/cmdline N/A N/A
File opened for reading /proc/5555�0/cmdline N/A N/A
File opened for reading /proc/111m�"/cmdline N/A N/A
File opened for reading /proc/222l�"/cmdline N/A N/A
File opened for reading /proc/222s�"/cmdline N/A N/A
File opened for reading /proc/1111�"/cmdline N/A N/A
File opened for reading /proc/11/cmdline N/A N/A
File opened for reading /proc/33/cmdline N/A N/A
File opened for reading /proc/222�"/cmdline N/A N/A
File opened for reading /proc/6666+1/cmdline N/A N/A
File opened for reading /proc/6666�4/cmdline N/A N/A
File opened for reading /proc/77/cmdline N/A N/A
File opened for reading /proc/99/cmdline N/A N/A
File opened for reading /proc/222v�"/cmdline N/A N/A
File opened for reading /proc/6666�4/cmdline N/A N/A
File opened for reading /proc/111�"/cmdline N/A N/A
File opened for reading /proc/3333�,/cmdline N/A N/A
File opened for reading /proc/66/cmdline N/A N/A
File opened for reading /proc/111�"/cmdline N/A N/A
File opened for reading /proc/1111�#/cmdline N/A N/A
File opened for reading /proc/2222@*/cmdline N/A N/A
File opened for reading /proc/3333�4/cmdline N/A N/A
File opened for reading /proc/6666�4/cmdline N/A N/A
File opened for reading /proc/222i�"/cmdline N/A N/A
File opened for reading /proc/22/cmdline N/A N/A
File opened for reading /proc/1111 -/cmdline N/A N/A
File opened for reading /proc/111/cmdline N/A N/A
File opened for reading /proc/111c�"/cmdline N/A N/A
File opened for reading /proc/444/cmdline N/A N/A
File opened for reading /proc/2222x+/cmdline N/A N/A
File opened for reading /proc/6666�3/cmdline N/A N/A
File opened for reading /proc/222�"/cmdline N/A N/A
File opened for reading /proc/44/cmdline N/A N/A
File opened for reading /proc/88ll�"/cmdline N/A N/A
File opened for reading /proc/1111�"/cmdline N/A N/A
File opened for reading /proc/55/cmdline N/A N/A
File opened for reading /proc/111c�"/cmdline N/A N/A
File opened for reading /proc/777s�"/cmdline N/A N/A
File opened for reading /proc/1111$-/cmdline N/A N/A
File opened for reading /proc/3333�,/cmdline N/A N/A
File opened for reading /proc/6666�4/cmdline N/A N/A
File opened for reading /proc/2222)/cmdline N/A N/A

Processes

/tmp/57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d.elf

[/tmp/57387202c335220f7e19bbb08758a735d3307ae45e3fbe6ee1e1bffe9e3da53d.elf]

Network

Country Destination Domain Proto
US 1.1.1.1:53 tcpdown.su udp
US 1.1.1.1:53 tcpdown.su(x@ udp
US 1.1.1.1:53 tcpdown.su(x@ udp
US 1.1.1.1:53 tcpdown.su(x@ udp
US 1.1.1.1:53 tcpdown.su(x@ udp
US 1.1.1.1:53 tcpdown.su(x@ udp
US 198.12.124.76:21425 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp

Files

N/A