Malware Analysis Report

2025-08-11 07:23

Sample ID 240802-ppvxvs1eqb
Target 132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf
SHA256 132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4
Tags
upx mirai lzrd botnet
score
10/10

Analysis Overview

Threat Level: Known bad

The file 132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf was found to be: Known bad.

Malicious Activity Summary

Mirai

UPX packed file

Modifies Watchdog functionality

Writes file to system bin folder

Reads runtime system information

Analysis: static1

Detonation Overview

Reported

2024-08-02 12:30

Signatures

UPX packed file

upx

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-02 12:30

Reported

2024-08-02 12:33

Platform

debian9-mipsbe-20240418-en

Max time kernel

149s

Max time network

5s

Command Line

[/tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf]

Signatures

Mirai

botnet mirai

Modifies Watchdog functionality

Description                   Indicator           Process                                                                    Target
File opened for modification  /dev/watchdog       /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for modification  /dev/misc/watchdog  /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A

Writes file to system bin folder

Description                   Indicator           Process                                                                    Target
File opened for modification  /sbin/watchdog      /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for modification  /bin/watchdog       /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A

Reads runtime system information

Description                   Indicator           Process                                                                    Target
File opened for reading       /proc/743/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/755/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/837/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/701/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/698/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/732/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/738/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/792/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/420/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/705/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/731/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/745/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/799/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/803/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/810/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/811/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/667/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/720/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/736/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/737/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A
File opened for reading       /proc/671/cmdline   /tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf  N/A

Processes

/tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf

[/tmp/132af342c14c21e6c3935ceadd7381d5ed84438523023eab55f7824839c45be4.elf]

Network

Country  Destination         Domain  Proto
RU       213.171.4.129:3778  N/A     tcp

Files

memory/740-1-0x00400000-0x00451a58-memory.dmp