Malware Analysis Report

2024-10-10 10:57

Sample ID 240721-w26y8aygld
Target b0b0f87e748ba4842aa5020739b4007c.elf
SHA256 4a1934d87decdfad56645d354bd208458619c8281f3bec5a161406811c3ed032
Tags: upx, mirai, botnet
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 4a1934d87decdfad56645d354bd208458619c8281f3bec5a161406811c3ed032

Threat Level: Known bad

The file b0b0f87e748ba4842aa5020739b4007c.elf was found to be: Known bad.

Malicious Activity Summary

Tags: upx, mirai, botnet

Mirai

UPX packed file

Deletes itself

Modifies Watchdog functionality

Changes its process name

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-21 18:26

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-21 18:26

Reported: 2024-07-21 18:28

Platform: debian9-mipsbe-20240418-en

Max time kernel: 149s

Max time network: 150s

Command Line

[/tmp/b0b0f87e748ba4842aa5020739b4007c.elf]

Signatures

Mirai

botnet mirai

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/b0b0f87e748ba4842aa5020739b4007c.elf N/A

Modifies Watchdog functionality

Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/b0b0f87e748ba4842aa5020739b4007c.elf N/A
File opened for modification /dev/misc/watchdog /tmp/b0b0f87e748ba4842aa5020739b4007c.elf N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself w7vhmg67bvvi /tmp/b0b0f87e748ba4842aa5020739b4007c.elf N/A

Reads runtime system information

Description Indicator Process Target

Processes

/tmp/b0b0f87e748ba4842aa5020739b4007c.elf

[/tmp/b0b0f87e748ba4842aa5020739b4007c.elf]

Network

Country Destination Domain Proto
NL 91.92.241.118:18129 tcp

Files

memory/735-1-0x00400000-0x0042d9e0-memory.dmp