Analysis Overview
SHA256
c299fcbb537bcaafbff331bf5369858ffa3a6a7d988884bffe8d6d0facb86921
Threat Level: Known bad
The file 1588011ef23105ad68b4168534175d84.elf was found to be: Known bad.
Malicious Activity Summary
Mirai
UPX packed file
Modifies Watchdog functionality
Enumerates running processes
Writes file to system bin folder
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-20 19:17
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 19:17
Reported
2024-05-20 19:19
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
149s
Max time network
131s
Command Line
Signatures
Mirai
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /dev/watchdog | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
Enumerates running processes
Writes file to system bin folder
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /sbin/watchdog | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for modification | /bin/watchdog | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/485/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1050/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1276/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1305/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1526/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/647/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1166/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1246/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/475/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/523/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1573/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1506/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1507/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1115/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1128/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1263/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1124/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1579/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/650/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/673/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1030/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1044/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1597/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/422/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1288/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1609/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1314/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1532/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/414/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/661/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1187/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1356/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/703/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1150/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1192/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1136/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1100/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1155/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1173/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1200/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1549/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/605/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/684/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/959/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1159/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/553/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/723/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1063/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/966/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1509/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1561/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1172/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1515/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/456/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/486/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1119/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1585/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1071/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1087/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1232/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/462/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/976/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1025/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
| File opened for reading | /proc/1591/cmdline | /tmp/1588011ef23105ad68b4168534175d84.elf | N/A |
Processes
/tmp/1588011ef23105ad68b4168534175d84.elf
[/tmp/1588011ef23105ad68b4168534175d84.elf]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 185.150.26.232:3778 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| US | 1.1.1.1:53 | ocp-ingress.fastly.gnome.org | udp |
| US | 151.101.193.91:443 | | tcp |
| GB | 195.181.164.20:443 | | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 195.181.164.16:443 | 1527653184.rsc.cdn77.org | tcp |
Files
memory/1511-1-0x0000000008048000-0x0000000008059830-memory.dmp