Analysis Overview
Score: 10/10
SHA256: 82cac44937ab2d7c20d46e53b87a73594824457443a1946083df6cca33e324cf
Threat Level: Known bad
The file 91449c2830e32f60d5b4a1c4aaece84d.elf was found to be: Known bad.
Malicious Activity Summary
Mirai
UPX packed file
Deletes itself
Modifies Watchdog functionality
Changes its process name
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-07-21 18:26
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-07-21 18:26
Reported: 2024-07-21 18:29
Platform: debian12-armhf-20240221-en
Max time kernel: 150s
Max time network: 153s
Command Line: [/tmp/91449c2830e32f60d5b4a1c4aaece84d.elf]
Signatures
Mirai
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /dev/watchdog | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Changes the process name, possibly in an attempt to hide itself | sb4bdmq0rsbdo68mq8vw | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/222c�/cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/33/stat | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/7777�;cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/55cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/222cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/6666v7cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/99ssd/cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/111/stat | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/111p/cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/222�/cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/333�/cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/6666�:cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/7777v;cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/6666/stat | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/1111�/cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/1111;cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/77/stat | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/7777cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/3333u4cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/3333�4cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/3333/stat | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/444cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/444d�/cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/222m�/cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/7777<cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/333s�/cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/11/stat | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/2222�2cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/2222�3cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/6666�7cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/88/stat | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/self/exe | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/6666'8cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/2222/stat | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/44cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/66cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/6666�;cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/111cv/cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/777k�/cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
| File opened for reading | /proc/666688cmdline | /tmp/91449c2830e32f60d5b4a1c4aaece84d.elf | N/A |
Processes
/tmp/91449c2830e32f60d5b4a1c4aaece84d.elf
[/tmp/91449c2830e32f60d5b4a1c4aaece84d.elf]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 91.92.241.118:18129 | | tcp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-12 | udp |
Files
memory/709-1-0x00008000-0x000297a4-memory.dmp