Malware Analysis Report

2024-10-10 10:57

Sample ID 240721-w26nfsyglc
Target 0ffd6d09e8af81175747c1830ae43f68.elf
SHA256 0e522a4e196ddaf33ce74f7ff55a14711f00a249f413de0e4d0a8cd17e8058cb
Tags
mirai mirai botnet upx
score
10/10

Analysis Overview

score
10/10

SHA256

0e522a4e196ddaf33ce74f7ff55a14711f00a249f413de0e4d0a8cd17e8058cb

Threat Level: Known bad

The file 0ffd6d09e8af81175747c1830ae43f68.elf was found to be: Known bad.

Malicious Activity Summary

mirai mirai botnet upx

Mirai

Deletes itself

Modifies Watchdog functionality

UPX packed file

Changes its process name

Reads runtime system information

Analysis: static1

Detonation Overview

Reported

2024-07-21 18:26

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 18:26

Reported

2024-07-21 18:28

Platform

debian9-mipsel-20240611-en

Max time kernel

133s

Max time network

150s

Command Line

[/tmp/0ffd6d09e8af81175747c1830ae43f68.elf]

Signatures

Mirai

botnet mirai

Deletes itself

Description: N/A
Indicator: N/A
Process: /tmp/0ffd6d09e8af81175747c1830ae43f68.elf
Target: N/A

Modifies Watchdog functionality

Description: File opened for modification
Indicator: /dev/watchdog
Process: /tmp/0ffd6d09e8af81175747c1830ae43f68.elf
Target: N/A

Description: File opened for modification
Indicator: /dev/misc/watchdog
Process: /tmp/0ffd6d09e8af81175747c1830ae43f68.elf
Target: N/A

Changes its process name

Description: Changes the process name, possibly in an attempt to hide itself
Indicator: 6shue7wcf78aumnm6gsb23av8gvj
Process: /tmp/0ffd6d09e8af81175747c1830ae43f68.elf
Target: N/A

Reads runtime system information


Processes

/tmp/0ffd6d09e8af81175747c1830ae43f68.elf

[/tmp/0ffd6d09e8af81175747c1830ae43f68.elf]

Network

Country: NL
Destination: 91.92.241.118:18129
Domain: (empty)
Proto: tcp

Files

memory/700-1-0x00400000-0x0042dbe0-memory.dmp