Analysis Overview
SHA256
978e62b2ce1ae0248f7ffd4da6692d4de2b2cb20d084ed27007196b0b744eb0b
Threat Level: Known bad
The file 6f1b1ef99ca4f554de499ccc6f9ba19a.elf was found to be: Known bad.
Malicious Activity Summary
Mirai family
Modifies Watchdog functionality
Deletes Audit logs
Deletes itself
Deletes journal logs
Deletes system logs
Deletes log files
Enumerates running processes
Changes its process name
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-21 00:08
Signatures
Mirai family
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-21 00:08
Reported
2024-04-21 00:10
Platform
ubuntu2004-amd64-20240221-en
Max time kernel
148s
Max time network
142s
Command Line
Signatures
Deletes Audit logs
| Description | Indicator | Process | Target |
| File deleted | /var/log/audit/audit.log | /tmp/6f1b1ef99ca4f554de499ccc6f9ba19a.elf | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/6f1b1ef99ca4f554de499ccc6f9ba19a.elf | N/A |
Deletes journal logs
| Description | Indicator | Process | Target |
| File deleted | /var/log/journal/4816dd152e8c48ff97e9117d197c13d8/system.journal | /tmp/6f1b1ef99ca4f554de499ccc6f9ba19a.elf | N/A |
Deletes system logs
| Description | Indicator | Process | Target |
| File deleted | /var/log/syslog | /tmp/6f1b1ef99ca4f554de499ccc6f9ba19a.elf | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/6f1b1ef99ca4f554de499ccc6f9ba19a.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/6f1b1ef99ca4f554de499ccc6f9ba19a.elf | N/A |
Deletes log files
| Description | Indicator | Process | Target |
| File deleted | /var/log/auth.log | /tmp/6f1b1ef99ca4f554de499ccc6f9ba19a.elf | N/A |
| File deleted | /var/log/ubuntu-advantage.log | /tmp/6f1b1ef99ca4f554de499ccc6f9ba19a.elf | N/A |
Enumerates running processes
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/6f1b1ef99ca4f554de499ccc6f9ba19a.elf | N/A |
Reads runtime system information
Processes
/tmp/6f1b1ef99ca4f554de499ccc6f9ba19a.elf
[/tmp/6f1b1ef99ca4f554de499ccc6f9ba19a.elf]
Network