Malware Analysis Report

2024-10-10 11:00

Sample ID 240721-w269zsygma
Target f90653583ae7efbf695d8ee63045b743.elf
SHA256 682effde9a843d148b41ee802f86683c7b2c4310d6d2003b0dee381050e44633
Tags
mirai mirai botnet upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

682effde9a843d148b41ee802f86683c7b2c4310d6d2003b0dee381050e44633

Threat Level: Known bad

The file f90653583ae7efbf695d8ee63045b743.elf was found to be: Known bad.

Malicious Activity Summary

mirai mirai botnet upx

Mirai

Deletes itself

Modifies Watchdog functionality

UPX packed file

Changes its process name

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-21 18:26

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
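The static signature above fires on file-format evidence alone. As an added example (not part of this report or of the sandbox's own code), the Python script below shows the checks behind such a verdict: it hashes the file the way the report keys its result on SHA256, decodes the ELF header, counts the "UPX!" magic that stock UPX leaves in its l_info and PackHeader structures, looks for the UPX info banner, and checks whether the section header table is absent (stock UPX rewrites the ELF with program headers only). The bytes it runs on are a constructed stand-in built inside the script; the real sample is not embedded, and the constants in the fake header (entry point, version fields) are arbitrary.

```python
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"
UPX_BANNER = b"$Info: This file is packed with the UPX executable packer"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the raw bytes, the hash the report keys its verdict on."""
    return hashlib.sha256(data).hexdigest()


def parse_elf_header(data: bytes) -> dict:
    """Decode the ELF header fields that matter for packer triage (offsets per the ELF spec)."""
    if data[:4] != ELF_MAGIC or len(data) < 52:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]   # class: 1 = ELF32, 2 = ELF64; data: 1 = LE, 2 = BE
    end = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(end + "HH", data, 16)
    if ei_class == 1:
        e_phnum, = struct.unpack_from(end + "H", data, 44)
        e_shnum, = struct.unpack_from(end + "H", data, 48)
    elif ei_class == 2 and len(data) >= 64:
        e_phnum, = struct.unpack_from(end + "H", data, 56)
        e_shnum, = struct.unpack_from(end + "H", data, 60)
    else:
        raise ValueError("unsupported ELF class")
    return {"bits": 32 if ei_class == 1 else 64, "big_endian": ei_data == 2,
            "e_type": e_type, "e_machine": e_machine, "e_phnum": e_phnum, "e_shnum": e_shnum}


def upx_indicators(data: bytes) -> dict:
    """Stock-UPX markers: 'UPX!' magic, the info banner, and a stripped section header table."""
    hdr = parse_elf_header(data)
    magic_count = data.count(UPX_MAGIC)
    banner = UPX_BANNER in data
    no_sections = hdr["e_shnum"] == 0
    verdict = "upx-packed" if magic_count and (banner or no_sections) else "no-upx-markers"
    return {**hdr, "sha256": sha256_hex(data), "upx_magic_count": magic_count,
            "upx_banner": banner, "no_section_headers": no_sections, "verdict": verdict}


def build_constructed_elf32(packed: bool) -> bytes:
    """Constructed stand-in for a 32-bit x86 ELF (NOT the real sample). With packed=True it
    carries the markers stock UPX leaves behind; with packed=False it keeps section headers."""
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)   # ELF32, little-endian, v1, SYSV ABI, pad
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2, 3, 1,                           # ET_EXEC, EM_386, EV_CURRENT
        0x0804E000,                        # e_entry (arbitrary)
        52, 0 if packed else 0x200, 0,     # e_phoff, e_shoff, e_flags
        52, 32, 2,                         # e_ehsize, e_phentsize, e_phnum
        40, 0 if packed else 5, 0)         # e_shentsize, e_shnum, e_shstrndx
    phdrs = bytes(32 * 2)                  # two zeroed program headers
    if not packed:
        return ehdr + phdrs + bytes(0x200 - 52 - 64) + bytes(40 * 5)
    # UPX l_info: l_checksum, l_magic, l_lsize, l_version, l_format (values arbitrary here)
    l_info = struct.pack("<I4sHBB", 0, UPX_MAGIC, 12, 13, 12)
    return (ehdr + phdrs + l_info + bytes(64) + UPX_BANNER + b" https://upx.sf.net $\n"
            + bytes(32) + UPX_MAGIC)       # trailing magic stands in for the PackHeader


if __name__ == "__main__":
    for packed in (True, False):
        print(upx_indicators(build_constructed_elf32(packed)))
```

Absence of these markers does not clear a file: Mirai variants are frequently packed with a modified UPX whose magic and banner are altered, which also makes `upx -d` refuse the file, so the next static check is the entropy of the loadable segments and a manual unpack.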

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 18:26

Reported

2024-07-21 18:28

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

[/tmp/f90653583ae7efbf695d8ee63045b743.elf]

Signatures

Mirai

botnet mirai

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A

Modifies Watchdog functionality

Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for modification /dev/misc/watchdog /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself N/A /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/7/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/15/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/28/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/465/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/542/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/557/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1082/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1164/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1499/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1501/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/452/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/955/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1150/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/173/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/439/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/464/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/632/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/665/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/25/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/169/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1122/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1222/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1509/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/82/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/429/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/944/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1290/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1299/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/467/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/598/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/689/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/965/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1270/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/697/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1148/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1326/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/442/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1232/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/89/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/98/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/518/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/661/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1256/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1257/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/4/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/6/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/17/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/29/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/31/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/115/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1126/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/646/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1025/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/18/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/84/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/160/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/164/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/171/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/449/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/463/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/1178/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/3/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/163/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
File opened for reading /proc/170/cmdline /tmp/f90653583ae7efbf695d8ee63045b743.elf N/A
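
The four behavioural signatures in this section (self-deletion, watchdog modification, process renaming and the sweep of /proc/<pid>/cmdline) are exactly the pattern a syscall trace of a Mirai-style bot shows: the public Mirai source unlinks its own executable, sets a random process name with prctl(PR_SET_NAME), opens /dev/watchdog or /dev/misc/watchdog and issues ioctl WDIOC_SETOPTIONS with WDIOS_DISABLECARD so the hardware watchdog cannot reboot a device the bot has destabilised, and then walks /proc to find and kill competing processes. As an added example (not part of this report or of the sandbox's detection logic), the Python script below reconstructs those four findings from strace-style output. The trace it runs on is constructed inline and labelled as such; the assumed input format is strace's default one-syscall-per-line output, the ioctl number 0x80045704 is WDIOC_SETOPTIONS from linux/watchdog.h, and the threshold of five distinct PIDs before a /proc walk is reported as a scan is an arbitrary tuning choice.

```python
import re

WATCHDOG_DEVICES = {"/dev/watchdog", "/dev/misc/watchdog"}
# linux/watchdog.h: WDIOC_SETOPTIONS = _IOR('W', 4, int) = 0x80045704. strace prints the
# symbolic name when it knows it, so accept both spellings.
WDIOC_SETOPTIONS = {"WDIOC_SETOPTIONS", "0x80045704"}
PROC_SCAN_THRESHOLD = 5   # distinct /proc/<pid>/cmdline opens before we call it a scan (assumed)

SYSCALL_RE = re.compile(r"^(\w+)\((.*)\)\s*=\s*(-?\d+|\?)")
PATH_ARG_RE = re.compile(r'^(?:AT_FDCWD, )?"([^"]+)"(?:, ([A-Z_|0-9]+))?')
IOCTL_ARGS_RE = re.compile(r"^(\d+), (\w+|0x[0-9a-fA-F]+)")
PRCTL_ARGS_RE = re.compile(r'^PR_SET_NAME, "([^"]*)"')
PROC_CMDLINE_RE = re.compile(r"^/proc/(\d+)/cmdline$")


def analyze_trace(trace: str, exe_path=None) -> list:
    """Walk an strace log and return the Mirai-style findings it contains.
    exe_path defaults to the first execve() target so self-deletion can be matched."""
    findings = []
    fd_paths = {}          # fd -> path for files that were opened successfully
    scanned_pids = set()
    for raw in trace.splitlines():
        m = SYSCALL_RE.match(raw.strip())
        if not m:
            continue
        name, args, ret = m.group(1), m.group(2), m.group(3)
        ret = int(ret) if ret != "?" else None
        if name == "execve" and exe_path is None:
            pm = PATH_ARG_RE.match(args)
            if pm:
                exe_path = pm.group(1)
        elif name in ("open", "openat"):
            pm = PATH_ARG_RE.match(args)
            if not pm:
                continue
            path, flags = pm.group(1), pm.group(2) or ""
            if path in WATCHDOG_DEVICES:
                findings.append({"kind": "watchdog_open", "path": path, "flags": flags,
                                 "ok": ret is not None and ret >= 0})
            pid = PROC_CMDLINE_RE.match(path)
            if pid:
                scanned_pids.add(int(pid.group(1)))
            if ret is not None and ret >= 0:
                fd_paths[ret] = path
        elif name == "ioctl":
            im = IOCTL_ARGS_RE.match(args)
            if im and im.group(2) in WDIOC_SETOPTIONS and fd_paths.get(int(im.group(1))) in WATCHDOG_DEVICES:
                findings.append({"kind": "watchdog_disable", "path": fd_paths[int(im.group(1))]})
        elif name == "close":
            if args.isdigit():
                fd_paths.pop(int(args), None)
        elif name == "prctl":
            pm = PRCTL_ARGS_RE.match(args)
            if pm:
                findings.append({"kind": "process_rename", "name": pm.group(1)})
        elif name in ("unlink", "unlinkat"):
            pm = PATH_ARG_RE.match(args)
            if pm and exe_path and pm.group(1) == exe_path:
                findings.append({"kind": "self_delete", "path": exe_path})
    if len(scanned_pids) >= PROC_SCAN_THRESHOLD:
        findings.append({"kind": "proc_cmdline_scan", "pids": len(scanned_pids)})
    return findings


# Constructed strace-style trace for demonstration; not captured from the sample.
CONSTRUCTED_TRACE = """\
execve("/tmp/sample.elf", ["/tmp/sample.elf"], 0xbffff6a0) = 0
prctl(PR_SET_NAME, "tgDoJbq") = 0
unlink("/tmp/sample.elf") = 0
openat(AT_FDCWD, "/dev/watchdog", O_RDWR) = 3
ioctl(3, WDIOC_SETOPTIONS, 0xbffff5c0) = 0
close(3) = 0
openat(AT_FDCWD, "/dev/misc/watchdog", O_RDWR) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/proc/7/cmdline", O_RDONLY) = 4
read(4, "", 256) = 0
close(4) = 0
openat(AT_FDCWD, "/proc/15/cmdline", O_RDONLY) = 4
close(4) = 0
openat(AT_FDCWD, "/proc/28/cmdline", O_RDONLY) = 4
close(4) = 0
openat(AT_FDCWD, "/proc/465/cmdline", O_RDONLY) = 4
close(4) = 0
openat(AT_FDCWD, "/proc/542/cmdline", O_RDONLY) = 4
close(4) = 0
openat(AT_FDCWD, "/proc/557/cmdline", O_RDONLY) = 4
close(4) = 0
"""

if __name__ == "__main__":
    for finding in analyze_trace(CONSTRUCTED_TRACE):
        print(finding)
```

The watchdog check deliberately requires the ioctl on a descriptor that was opened on one of the watchdog devices rather than matching the ioctl number alone, because legitimate watchdog daemons also open these nodes (to pet the timer) while only a WDIOC_SETOPTIONS that disables the card is the tamper signal; a failed open of /dev/misc/watchdog is still recorded, since the attempt itself is the indicator the report lists.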

Processes

/tmp/f90653583ae7efbf695d8ee63045b743.elf

[/tmp/f90653583ae7efbf695d8ee63045b743.elf]

Network

Country Destination Domain Proto
NL 91.92.241.118:18129 - tcp
N/A 224.0.0.251:5353 - udp
US 151.101.193.91:443 - tcp
GB 89.187.167.7:443 - tcp
GB 185.125.188.61:443 - tcp
GB 185.125.188.61:443 - tcp
US 151.101.193.91:443 - tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 84.17.50.9:443 1527653184.rsc.cdn77.org tcp

Note: this table is the guest's whole traffic and does not separate sample activity from background noise. The mDNS multicast to 224.0.0.251:5353, the resolver queries to 1.1.1.1 for the cdn77 name and the HTTPS connections to CDN ranges are consistent with an Ubuntu 18.04 guest talking to its own update and CDN infrastructure. Only 91.92.241.118:18129, a bare TCP connection to a non-standard port with no associated domain, has no such explanation and is the candidate C2 endpoint; confirm it from the pcap before using it as an indicator.

Files

memory/1504-1-0x0000000008048000-0x000000000805b988-memory.dmp