Analysis Overview
SHA256
7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1
Threat Level: Known bad
The file f3f909238b26928d0587e272fc702866.elf was found to be: Known bad.
Malicious Activity Summary
Mirai family
Changes its process name
Deletes Audit logs
Deletes itself
Deletes system logs
Modifies Watchdog functionality
Deletes log files
Enumerates running processes
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-19 15:50
Signatures
Mirai family
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-19 15:50
Reported
2024-04-19 15:52
Platform
debian9-mipsel-20240226-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Changes the process name, possibly in an attempt to hide itself | js5obqsv58711n1wq514ssk5anbu2ueh | /tmp/f3f909238b26928d0587e272fc702866.elf | N/A |
Deletes Audit logs
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File deleted | /var/log/audit/audit.log | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /tmp/f3f909238b26928d0587e272fc702866.elf | N/A |
Deletes system logs
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File deleted | /var/log/syslog | N/A | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /dev/watchdog | /tmp/f3f909238b26928d0587e272fc702866.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/f3f909238b26928d0587e272fc702866.elf | N/A |
Deletes log files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File deleted | /var/log/daemon.log | N/A | N/A |
Enumerates running processes
Reads runtime system information
Processes
/tmp/f3f909238b26928d0587e272fc702866.elf
[/tmp/f3f909238b26928d0587e272fc702866.elf]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 1.1.1.1:53 | tcpdown.su | udp |
| BG | 185.216.70.168:21425 | tcpdown.su | tcp |
| US | 104.168.45.11:7722 | tcpdown.su | tcp |