Malware Analysis Report

2024-11-15 05:12

Sample ID 240422-b2z6fsdg57
Target 80be879b8377c8c269c366c456d2fcc0336825b0424bee4c20e129e2e1ed8969.elf
SHA256 80be879b8377c8c269c366c456d2fcc0336825b0424bee4c20e129e2e1ed8969
Tags: mirai, evasion
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

80be879b8377c8c269c366c456d2fcc0336825b0424bee4c20e129e2e1ed8969

Threat Level: Known bad

The file 80be879b8377c8c269c366c456d2fcc0336825b0424bee4c20e129e2e1ed8969.elf was found to be: Known bad.

Malicious Activity Summary

Tags: mirai, evasion

Mirai family

Deletes Audit logs

Deletes itself

Deletes system logs

Modifies Watchdog functionality

Deletes log files

Changes its process name

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-22 01:39

Signatures

Mirai family

mirai

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-22 01:39

Reported

2024-04-22 01:41

Platform

debian9-armhf-20240226-en

Max time kernel

132s

Max time network

151s

Command Line

[/tmp/80be879b8377c8c269c366c456d2fcc0336825b0424bee4c20e129e2e1ed8969.elf]

Signatures

Deletes Audit logs

Tag: evasion

Description | Indicator | Process | Target
File deleted | /var/log/audit/audit.log | /tmp/80be879b8377c8c269c366c456d2fcc0336825b0424bee4c20e129e2e1ed8969.elf | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/80be879b8377c8c269c366c456d2fcc0336825b0424bee4c20e129e2e1ed8969.elf | N/A

Deletes system logs

Tag: evasion

Description | Indicator | Process | Target
File deleted | /var/log/syslog | /tmp/80be879b8377c8c269c366c456d2fcc0336825b0424bee4c20e129e2e1ed8969.elf | N/A

Modifies Watchdog functionality

Description | Indicator | Process | Target
File opened for modification | /dev/watchdog | /tmp/80be879b8377c8c269c366c456d2fcc0336825b0424bee4c20e129e2e1ed8969.elf | N/A
File opened for modification | /dev/misc/watchdog | /tmp/80be879b8377c8c269c366c456d2fcc0336825b0424bee4c20e129e2e1ed8969.elf | N/A

Deletes log files

Description | Indicator | Process | Target
File deleted | /var/log/daemon.log | /tmp/80be879b8377c8c269c366c456d2fcc0336825b0424bee4c20e129e2e1ed8969.elf | N/A

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | uiobwsm3rq4b2s5f1rbv | /tmp/80be879b8377c8c269c366c456d2fcc0336825b0424bee4c20e129e2e1ed8969.elf | N/A

Processes

/tmp/80be879b8377c8c269c366c456d2fcc0336825b0424bee4c20e129e2e1ed8969.elf

[/tmp/80be879b8377c8c269c366c456d2fcc0336825b0424bee4c20e129e2e1ed8969.elf]

Network

Country | Destination | Domain | Proto | Entries
US | 1.1.1.1:53 | tcpdown.su | udp | 6
US | 104.168.32.17:21425 | tcpdown.su | tcp | 1
US | 104.168.45.11:7722 | tcpdown.su | tcp | 28

Files

N/A