Malware Analysis Report

2024-11-15 05:12

Sample ID 240419-s9wxfagc58
Target f3f909238b26928d0587e272fc702866.elf
SHA256 7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1
Tags
mirai mirai evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1

Threat Level: Known bad

The file f3f909238b26928d0587e272fc702866.elf was found to be: Known bad.

Malicious Activity Summary

mirai mirai evasion

Mirai family

Changes its process name

Deletes Audit logs

Deletes itself

Deletes system logs

Modifies Watchdog functionality

Deletes log files

Enumerates running processes

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 15:50

Signatures

Mirai family

mirai

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 15:50

Reported

2024-04-19 15:52

Platform

debian9-mipsel-20240226-en

Max time kernel

150s

Max time network

148s

Command Line

[/tmp/f3f909238b26928d0587e272fc702866.elf]

Signatures

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself js5obqsv58711n1wq514ssk5anbu2ueh /tmp/f3f909238b26928d0587e272fc702866.elf N/A

Deletes Audit logs

evasion
Description Indicator Process Target
File deleted /var/log/audit/audit.log N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/f3f909238b26928d0587e272fc702866.elf N/A

Deletes system logs

evasion
Description Indicator Process Target
File deleted /var/log/syslog N/A N/A

Modifies Watchdog functionality

Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/f3f909238b26928d0587e272fc702866.elf N/A
File opened for modification /dev/misc/watchdog /tmp/f3f909238b26928d0587e272fc702866.elf N/A

Deletes log files

Description Indicator Process Target
File deleted /var/log/daemon.log N/A N/A

Enumerates running processes

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/874/cmdline N/A N/A
File opened for reading /proc/342/cmdline N/A N/A
File opened for reading /proc/714/cmdline N/A N/A
File opened for reading /proc/723/cmdline N/A N/A
File opened for reading /proc/831/cmdline N/A N/A
File opened for reading /proc/378/cmdline N/A N/A
File opened for reading /proc/856/cmdline N/A N/A
File opened for reading /proc/907/cmdline N/A N/A
File opened for reading /proc/810/cmdline N/A N/A
File opened for reading /proc/791/cmdline N/A N/A
File opened for reading /proc/818/cmdline N/A N/A
File opened for reading /proc/75/cmdline N/A N/A
File opened for reading /proc/66/cmdline N/A N/A
File opened for reading /proc/78/cmdline N/A N/A
File opened for reading /proc/176/cmdline N/A N/A
File opened for reading /proc/735/cmdline N/A N/A
File opened for reading /proc/792/cmdline N/A N/A
File opened for reading /proc/13/cmdline N/A N/A
File opened for reading /proc/690/cmdline N/A N/A
File opened for reading /proc/773/cmdline N/A N/A
File opened for reading /proc/901/cmdline N/A N/A
File opened for reading /proc/906/cmdline N/A N/A
File opened for reading /proc/943/cmdline N/A N/A
File opened for reading /proc/126/cmdline N/A N/A
File opened for reading /proc/365/cmdline N/A N/A
File opened for reading /proc/388/cmdline N/A N/A
File opened for reading /proc/775/cmdline N/A N/A
File opened for reading /proc/801/cmdline N/A N/A
File opened for reading /proc/838/cmdline N/A N/A
File opened for reading /proc/77/cmdline N/A N/A
File opened for reading /proc/814/cmdline N/A N/A
File opened for reading /proc/964/cmdline N/A N/A
File opened for reading /proc/36/cmdline N/A N/A
File opened for reading /proc/15/cmdline N/A N/A
File opened for reading /proc/887/cmdline N/A N/A
File opened for reading /proc/11/cmdline N/A N/A
File opened for reading /proc/830/cmdline N/A N/A
File opened for reading /proc/835/cmdline N/A N/A
File opened for reading /proc/960/cmdline N/A N/A
File opened for reading /proc/719/cmdline N/A N/A
File opened for reading /proc/813/cmdline N/A N/A
File opened for reading /proc/945/cmdline N/A N/A
File opened for reading /proc/742/cmdline N/A N/A
File opened for reading /proc/785/cmdline N/A N/A
File opened for reading /proc/857/cmdline N/A N/A
File opened for reading /proc/673/cmdline N/A N/A
File opened for reading /proc/14/cmdline N/A N/A
File opened for reading /proc/732/cmdline N/A N/A
File opened for reading /proc/736/cmdline N/A N/A
File opened for reading /proc/799/cmdline N/A N/A
File opened for reading /proc/12/cmdline N/A N/A
File opened for reading /proc/743/cmdline N/A N/A
File opened for reading /proc/794/cmdline N/A N/A
File opened for reading /proc/718/cmdline N/A N/A
File opened for reading /proc/881/cmdline N/A N/A
File opened for reading /proc/672/cmdline N/A N/A
File opened for reading /proc/869/cmdline N/A N/A
File opened for reading /proc/944/cmdline N/A N/A
File opened for reading /proc/3/cmdline N/A N/A
File opened for reading /proc/787/cmdline N/A N/A
File opened for reading /proc/798/cmdline N/A N/A
File opened for reading /proc/868/cmdline N/A N/A
File opened for reading /proc/927/cmdline N/A N/A
File opened for reading /proc/694/cmdline N/A N/A

Processes

/tmp/f3f909238b26928d0587e272fc702866.elf

[/tmp/f3f909238b26928d0587e272fc702866.elf]

Network

Country Destination Domain Proto
US 1.1.1.1:53 tcpdown.su udp
US 1.1.1.1:53 tcpdown.suE udp
US 1.1.1.1:53 tcpdown.suE udp
US 1.1.1.1:53 tcpdown.suE udp
US 1.1.1.1:53 tcpdown.suE udp
US 1.1.1.1:53 tcpdown.suE udp
BG 185.216.70.168:21425 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp
US 104.168.45.11:7722 tcpdown.su tcp

Files

N/A