Malware Analysis Report

2024-11-15 05:45

Sample ID: 240626-vebdcstcne
Target: shindeVarm7
SHA256: 5f2ac36fa105fc60d0d98a559a34ebbcde4a7198138bce3f58658d0508de24b0
Tags: mirai
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 5f2ac36fa105fc60d0d98a559a34ebbcde4a7198138bce3f58658d0508de24b0

Threat level: Known bad

The file shindeVarm7 was found to be: Known bad.

Malicious Activity Summary

mirai

Mirai family

Deletes itself

Modifies Watchdog functionality

Enumerates running processes

Writes file to system bin folder

Changes its process name

Reads runtime system information

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-26 16:53

Signatures

Mirai family

mirai

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-26 16:53
Reported: 2024-06-26 16:56
Platform: debian9-armhf-20240611-en
Max time kernel: 150s
Max time network: 151s

Command Line

[/tmp/shindeVarm7]

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/shindeVarm7 | N/A

The sandbox records no path for the deleted file, but the acting process is the sample itself. A Linux binary that unlinks its own file after exec keeps running from the already-mapped image, and its /proc/<pid>/exe link then reads "/tmp/shindeVarm7 (deleted)". Together with the process-name change below this leaves nothing on disk and a misleading name in process listings.

Modifies Watchdog functionality

Description | Indicator | Process | Target
File opened for modification | /dev/watchdog | /tmp/shindeVarm7 | N/A
File opened for modification | /dev/misc/watchdog | /tmp/shindeVarm7 | N/A

Opening the watchdog device node for writing is how Mirai-family bots disable the hardware watchdog, so that the device is not rebooted (and the memory-resident bot lost) if the bot hangs it. On a real device only the watchdog daemon should hold this node open.

Enumerates running processes

No separate indicator table is given for this signature; the evidence is the sweep of /proc/<pid>/fd entries listed under "Reads runtime system information" below, which is consistent with a bot inspecting every other process (Mirai-family bots walk /proc to find and kill competing malware and services).

Writes file to system bin folder

Description | Indicator | Process | Target
File opened for modification | /sbin/watchdog | /tmp/shindeVarm7 | N/A
File opened for modification | /bin/watchdog | /tmp/shindeVarm7 | N/A

Read this signature with care: the two paths are opened in the same way as /dev/watchdog and /dev/misc/watchdog above, and the report lists no dropped or modified files (Files: N/A). That is consistent with the sample trying alternative watchdog device paths rather than installing a binary into /bin or /sbin; the heuristic fires on the directory, not on an observed write.

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | /bin/sh | /tmp/shindeVarm7 | N/A

The sample renamed itself to /bin/sh, so ps and top show an innocuous shell while /proc/<pid>/exe still points at the (deleted) original.

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/<pid>/fd for 46 process IDs, in report order: 662, 879, 880, 704, 796, 799, 810, 822, 847, 222, 330, 663, 788, 807, 839, 870, 612, 811, 823, 825, 291, 849, 852, 858, 860, 874, 708, 789, 798, 824, 837, 868, 885, 277, 288, 845, 865, 869, 877, 318, 699, 809, 836, 838, 855, 859 | /tmp/shindeVarm7 | N/A
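The three host-side indicators above (an executable that has been unlinked, a process whose visible name no longer matches its executable, and the watchdog device held open) can all be checked on a live Linux box from /proc. The script below is an added example, not code from the sandbox or from this report. It assumes a Linux host; the list of watchdog device nodes, the list of multi-call binaries, and the process records used in its self-test are assumptions constructed for illustration, not data from the detonation.

```python
"""Live-host triage for the behaviours flagged in the report: a process whose
binary has been unlinked ("Deletes itself"), a process whose visible name does
not match its executable ("Changes its process name"), and a process holding
the hardware watchdog device open ("Modifies Watchdog functionality").

Added example, not code from the sandbox or the report. Reads /proc on Linux.
WATCHDOG_DEVICES and MULTICALL_BINARIES are assumed lists.
"""
import os
import re
from dataclasses import dataclass, field

# Device nodes a Mirai-style bot opens to disable the watchdog (assumed list).
WATCHDOG_DEVICES = {"/dev/watchdog", "/dev/watchdog0", "/dev/misc/watchdog"}
# Multi-call binaries whose argv[0] legitimately differs from the executable name.
MULTICALL_BINARIES = {"busybox", "toybox"}


@dataclass
class ProcRecord:
    pid: int
    exe: str                  # target of /proc/<pid>/exe; "" if unreadable
    comm: str                 # /proc/<pid>/comm (kernel truncates to 15 bytes)
    cmdline: list             # argv from /proc/<pid>/cmdline
    fds: list = field(default_factory=list)  # targets of /proc/<pid>/fd/*


def collect(pid: int, proc_root: str = "/proc") -> ProcRecord:
    """Read one process from /proc. Entries we may not read (kernel threads,
    other users' processes) come back empty instead of raising."""
    base = os.path.join(proc_root, str(pid))

    def link(path):
        try:
            return os.readlink(path)
        except OSError:
            return ""

    def text(path):
        try:
            with open(path, "rb") as fh:
                return fh.read()
        except OSError:
            return b""

    comm = text(os.path.join(base, "comm")).decode(errors="replace").strip()
    argv = [a.decode(errors="replace")
            for a in text(os.path.join(base, "cmdline")).split(b"\0") if a]
    fds = []
    try:
        fd_dir = os.path.join(base, "fd")
        fds = [link(os.path.join(fd_dir, n)) for n in os.listdir(fd_dir)]
    except OSError:
        pass
    return ProcRecord(pid, link(os.path.join(base, "exe")), comm, argv, fds)


def findings(rec: ProcRecord) -> list:
    """Names of the indicators this record triggers, in a fixed order."""
    hits = []
    if not rec.exe:                 # kernel thread or unreadable: nothing to compare
        return hits
    if rec.exe.endswith(" (deleted)"):
        hits.append("deleted_executable")
    exe_name = os.path.basename(rec.exe).replace(" (deleted)", "")
    argv0 = os.path.basename(rec.cmdline[0]) if rec.cmdline else ""
    # comm normally equals the executable name or argv[0]; anything else was
    # set explicitly, e.g. with prctl(PR_SET_NAME).
    if rec.comm and rec.comm not in (exe_name[:15], argv0[:15]):
        hits.append("comm_mismatch")
    # argv[0] may carry a version suffix (python3 -> python3.11) or be an applet
    # of a multi-call binary; any other difference means argv[0] was rewritten.
    same_program = (exe_name in MULTICALL_BINARIES
                    or re.fullmatch(re.escape(argv0) + r"[\d.]*", exe_name) is not None)
    if argv0 and not same_program:
        hits.append("argv0_mismatch")
    if any(fd in WATCHDOG_DEVICES for fd in rec.fds):
        hits.append("watchdog_open")
    return hits


def scan(proc_root: str = "/proc") -> dict:
    """Map pid -> findings for every process that triggers at least one."""
    result = {}
    for name in os.listdir(proc_root):
        if name.isdigit():
            hits = findings(collect(int(name), proc_root))
            if hits:
                result[int(name)] = hits
    return result


if __name__ == "__main__":
    for pid, hits in sorted(scan().items()):
        print(f"{pid:>7}  {', '.join(hits)}")
```

Expect legitimate noise: the watchdog daemon itself holds /dev/watchdog open, and a process started from a deleted or upgraded package shows "(deleted)" until restarted. Treat a single finding as a lead and the combination seen in this report (deleted executable plus rewritten argv[0] plus the watchdog node open, all in one process) as the thing to act on.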

Processes

/tmp/shindeVarm7

[/tmp/shindeVarm7]

Network

Country | Destination | Domain | Proto | Rows
US | 8.8.8.8:53 | clients.kaitenc2.de | udp | 49
NL | 45.90.13.207:59666 | clients.kaitenc2.de | tcp | 1
NL | 45.90.13.207:7777 | clients.kaitenc2.de | tcp | 46
US | 1.1.1.1:53 | debian9-armhf-20240611-en-1 | udp | 9

The report lists every flow as its own row (105 in total); they are collapsed here with a count, in order of first appearance. The pattern is a bot resolving its C2 host through the sandbox's resolver (8.8.8.8) and then connecting to it, over and over for the 150 s run: one attempt to 45.90.13.207:59666, then 46 to 45.90.13.207:7777, with a fresh lookup of clients.kaitenc2.de before nearly every connection. The 1.1.1.1 rows are lookups of the sandbox's own hostname and are environment noise, not sample behaviour. Indicators worth extracting: the domain clients.kaitenc2.de, the IP 45.90.13.207, and TCP ports 59666 and 7777.
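Sandbox exports in this row format (one line per flow, "Country Destination Domain Proto") are easier to act on once collapsed into counted endpoints with the sandbox's own noise removed. The script below is an added example, not the sandbox's tooling or anything from the report; it embeds ten rows copied from the report's table in that raw format, and its resolver list and sandbox-hostname prefix are assumptions to adjust for your own environment. It reads the Domain column as the queried name on DNS rows and, on TCP rows, as the name the destination resolved from.

```python
"""Collapse flat "Country Destination Domain Proto" sandbox rows into counted
indicators, separating the sample's own traffic from sandbox noise (public
resolver lookups and lookups of the sandbox's own hostname).

Added example, not part of the report or of the sandbox's tooling. The excerpt
is copied from the report; PUBLIC_RESOLVERS and SANDBOX_HOST_PREFIXES are
assumptions.
"""
from collections import Counter

# Ten rows copied verbatim from the report's Network table.
REPORT_EXCERPT = """\
US 8.8.8.8:53 clients.kaitenc2.de udp
NL 45.90.13.207:59666 clients.kaitenc2.de tcp
US 8.8.8.8:53 clients.kaitenc2.de udp
US 8.8.8.8:53 clients.kaitenc2.de udp
NL 45.90.13.207:7777 clients.kaitenc2.de tcp
US 8.8.8.8:53 clients.kaitenc2.de udp
NL 45.90.13.207:7777 clients.kaitenc2.de tcp
US 1.1.1.1:53 debian9-armhf-20240611-en-1 udp
US 8.8.8.8:53 clients.kaitenc2.de udp
NL 45.90.13.207:7777 clients.kaitenc2.de tcp
"""

PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}   # assumed
SANDBOX_HOST_PREFIXES = ("debian9-armhf-",)                        # assumed


def parse_rows(text: str) -> list:
    """One dict per row. Lines without four fields or without a numeric port
    (the table header, blank lines) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def classify(row: dict) -> str:
    """resolver_lookup: DNS query to a public resolver (Domain = name queried);
    sandbox_noise: the same, but for the sandbox's own hostname;
    connection: anything else, i.e. traffic to a host the sample chose."""
    if row["proto"] == "udp" and row["port"] == 53 and row["ip"] in PUBLIC_RESOLVERS:
        if row["domain"].startswith(SANDBOX_HOST_PREFIXES):
            return "sandbox_noise"
        return "resolver_lookup"
    return "connection"


def summarize(rows: list) -> dict:
    """Count flows per endpoint (first-seen order preserved), per looked-up
    domain, and noise rows; derive the indicator list from the connections."""
    endpoints = {}            # (ip, port, proto) -> count
    lookups = Counter()       # domain -> number of lookups
    noise = 0
    for row in rows:
        kind = classify(row)
        if kind == "sandbox_noise":
            noise += 1
        elif kind == "resolver_lookup":
            lookups[row["domain"]] += 1
        else:
            key = (row["ip"], row["port"], row["proto"])
            endpoints[key] = endpoints.get(key, 0) + 1
    iocs = {"domains": sorted(lookups),
            "ips": sorted({ip for ip, _, _ in endpoints}),
            "ports": sorted({port for _, port, _ in endpoints})}
    return {"endpoints": endpoints, "lookups": dict(lookups),
            "noise": noise, "iocs": iocs}


if __name__ == "__main__":
    summary = summarize(parse_rows(REPORT_EXCERPT))
    for (ip, port, proto), n in summary["endpoints"].items():
        print(f"{proto} {ip}:{port}  x{n}")
    print("lookups:", summary["lookups"], " noise rows:", summary["noise"])
    print("IOCs:", summary["iocs"])
```

Run over the complete table rather than the excerpt, the same code yields 49 lookups of clients.kaitenc2.de, one connection to 45.90.13.207:59666, 46 to 45.90.13.207:7777 and 9 noise rows. Adjust PUBLIC_RESOLVERS if your sandbox uses an internal resolver; a UDP/53 flow to an address that is not a known resolver is then reported as a connection, which is what you want, since DNS to an attacker-chosen server can itself be the C2 channel.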

Files

N/A