Malware Analysis Report

2024-10-10 11:00

Sample ID: 240722-adrzhatgql
Target: d308611c459eb18bd3d7391f76beba1d.elf
SHA256: 9a01f605497a1a40e7afbd45817f0766cbe4f933003336c5da3b44d9e36a8025
Tags: upx mirai mirai botnet
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 9a01f605497a1a40e7afbd45817f0766cbe4f933003336c5da3b44d9e36a8025

Threat Level: Known bad

The file d308611c459eb18bd3d7391f76beba1d.elf was found to be: Known bad.

Malicious Activity Summary

upx mirai mirai botnet

Mirai

Modifies Watchdog functionality

UPX packed file

Deletes itself

Changes its process name

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-22 00:06

Signatures

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 00:06

Reported

2024-07-22 00:08

Platform

debian12-mipsel-20240221-en

Max time kernel

154s

Max time network

166s

Command Line

[/tmp/d308611c459eb18bd3d7391f76beba1d.elf]

Signatures

Mirai

botnet mirai

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A

Modifies Watchdog functionality

Description | Indicator | Process | Target
File opened for modification | /dev/watchdog | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for modification | /dev/misc/watchdog | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | r56gnkohsgnsrgwpwodh | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/787/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/15/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/731/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/58/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/751/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/768/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/1/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/9/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/33/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/114/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/17/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/24/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/42/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/119/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/12/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/37/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/411/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/758/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/3/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/138/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/770/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/786/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/19/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/35/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/656/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/404/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/705/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/757/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/29/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/387/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/20/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/111/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/710/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/783/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/4/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/5/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/334/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/734/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/14/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/27/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/775/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/8/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/742/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/769/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/23/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/110/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/746/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/755/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/763/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/772/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/774/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/7/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/181/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/388/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/748/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/765/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/32/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/48/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/780/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/28/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/325/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/116/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/11/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A
File opened for reading | /proc/59/cmdline | /tmp/d308611c459eb18bd3d7391f76beba1d.elf | N/A

Processes

/tmp/d308611c459eb18bd3d7391f76beba1d.elf

[/tmp/d308611c459eb18bd3d7391f76beba1d.elf]

Network

Country | Destination | Domain | Proto
US | 162.33.179.3:18129 | | tcp
US | 1.1.1.1:53 | debian12-mipsel-20240221-en-5 | udp
US | 1.1.1.1:53 | debian12-mipsel-20240221-en-5 | udp
US | 1.1.1.1:53 | debian12-mipsel-20240221-en-5 | udp
US | 1.1.1.1:53 | debian12-mipsel-20240221-en-5 | udp

Files

memory/740-1-0x00400000-0x00458ce0-memory.dmp