Malware Analysis Report

2025-06-15 23:21

Sample ID 241013-lqp68avcjp
Target a9645840ed9e516a7929525539cb3f750e2176ee5a63a6ab5edc67b9857e85cc.elf
SHA256 a9645840ed9e516a7929525539cb3f750e2176ee5a63a6ab5edc67b9857e85cc
Tags: upx mirai lzrd botnet defense_evasion discovery
Score: 10/10

Analysis Overview

Threat Level: Known bad (score 10/10)

The file a9645840ed9e516a7929525539cb3f750e2176ee5a63a6ab5edc67b9857e85cc.elf was found to be: Known bad.

Malicious Activity Summary

Tags: upx mirai lzrd botnet defense_evasion discovery

Mirai

Modifies Watchdog functionality

Writes file to system bin folder

UPX packed file

Reads runtime system information

MITRE ATT&CK

Enterprise Matrix V15. The behavioural signatures in this report are tagged only at tactic level: defense_evasion (Defense Evasion, TA0005) and discovery (Discovery, TA0007). No technique IDs were recorded for this sample.

Analysis: static1

Detonation Overview

Reported

2024-10-13 09:44

Signatures

UPX packed file (tag: upx)

Description / Indicator / Process / Target: N/A (static detection on the file itself; no runtime indicator is attached to this signature)
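The static signature above is the only thing the static1 run produced, so it helps to know what a "UPX packed file" verdict rests on. The following script is an added example (not the sandbox's code) that reads the ELF header to confirm architecture and endianness, then applies the two checks a UPX detection usually combines: the marker strings UPX leaves in its stub and the absence of a section header table. The two ELF images it builds in memory are constructed for the demonstration and are not the report's sample.

```python
"""Static triage of an ELF sample: architecture and endianness from the
ELF header plus the markers UPX leaves in a packed file.

Added example for this report, not the sandbox's own code. The two ELF
images built at the bottom are constructed in memory (a header followed by
padding) so the script runs offline; they are not the report's sample."""
import struct

ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
# e_machine values from the ELF ABI supplements (subset common in IoT bot builds)
E_MACHINE = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 42: "SuperH",
             62: "x86-64", 183: "AArch64"}
# Strings UPX writes into a packed ELF: the "UPX!" magic of its l_info /
# PackHeader structures and the banner embedded in the decompression stub.
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX executable packer")


def parse_elf_header(data: bytes) -> dict:
    """Decode the fixed Elf32/Elf64 header; raises ValueError on non-ELF input."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    order = "<" if ei_data == ELFDATA2LSB else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    fmt = order + ("HHIIIIIHHHHHH" if ei_class == ELFCLASS32 else "HHIQQQIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    fields = struct.unpack_from(fmt, data, 16)
    return {
        "bits": 32 if ei_class == ELFCLASS32 else 64,
        "endian": "little" if ei_data == ELFDATA2LSB else "big",
        "machine": E_MACHINE.get(fields[1], f"unknown({fields[1]})"),
        "entry": fields[3],
        "phnum": fields[9],
        "shnum": fields[11],
    }


def triage_bytes(data: bytes) -> dict:
    """Header facts plus packer heuristics in one record."""
    info = parse_elf_header(data)
    info["upx_markers"] = [m.decode() for m in UPX_MARKERS if m in data]
    # UPX emits its output without a section header table, so e_shnum == 0
    # together with a marker string is a strong signal; a marker on its own
    # is weaker (it survives some manual unpacks and can be planted).
    info["likely_upx"] = bool(info["upx_markers"]) and info["shnum"] == 0
    return info


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage_bytes(fh.read())


def build_elf(bits: int, big_endian: bool, machine: int, shnum: int, tail: bytes) -> bytes:
    """Assemble a header-only ELF image for demonstration (constructed data)."""
    order = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1, 0]) + b"\x00" * 8
    if bits == 32:  # entry 0x00400000: conventional load address of a non-PIE MIPS ELF
        hdr = struct.pack(order + "HHIIIIIHHHHHH", 2, machine, 1, 0x00400000, 52, 0, 0, 52, 32, 2, 40, shnum, 0)
    else:
        hdr = struct.pack(order + "HHIQQQIHHHHHH", 2, machine, 1, 0x401000, 64, 0x2000, 0, 64, 56, 2, 64, shnum, max(shnum - 1, 0))
    return ident + hdr + tail


# Constructed images: a MIPS big-endian UPX-style file (no section table,
# markers in the stub) and an ordinary x86-64 binary with a section table.
PACKED_MIPSBE = build_elf(32, True, 8, 0, b"\x00" * 64 + b"UPX!" + b"\x00" * 12
                          + b"$Info: This file is packed with the UPX executable packer $\n")
PLAIN_X86_64 = build_elf(64, False, 62, 20, b"\x00" * 64)

if __name__ == "__main__":
    for name, image in (("packed_mipsbe", PACKED_MIPSBE), ("plain_x86_64", PLAIN_X86_64)):
        print(name, triage_bytes(image))
```

Run triage_file() on the sample to confirm it is a 32-bit big-endian MIPS ELF, which is why the behavioral run used the debian9-mipsbe platform. If the markers are intact, upx -d on a copy normally restores the original; if the packer header has been tampered with (a common Mirai-variant trick), fall back to the process memory dump listed under Files, which holds the unpacked image.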

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-13 09:44

Reported

2024-10-13 09:47

Platform

debian9-mipsbe-20240418-en

Max time kernel

149s

Max time network

7s

Command Line

[/tmp/a9645840ed9e516a7929525539cb3f750e2176ee5a63a6ab5edc67b9857e85cc.elf]

Signatures

Mirai

botnet mirai

Modifies Watchdog functionality

defense_evasion
Description: File opened for modification
Process: /tmp/a9645840ed9e516a7929525539cb3f750e2176ee5a63a6ab5edc67b9857e85cc.elf
Target: N/A
Indicators:
/dev/watchdog
/dev/misc/watchdog

"Opened for modification" means an open() with a write flag was observed; the report does not record the ioctl or data that followed. A legitimate watchdog daemon opens the same device, so the discriminating fact here is the process path under /tmp.

Writes file to system bin folder

Description: File opened for modification
Process: /tmp/a9645840ed9e516a7929525539cb3f750e2176ee5a63a6ab5edc67b9857e85cc.elf
Target: N/A
Indicators:
/sbin/watchdog
/bin/watchdog

This signature also fires on the open-for-write alone. Whether /sbin/watchdog or /bin/watchdog was actually overwritten is not shown, and the Files section lists no dropped or modified file, so verify on an affected host by hashing those paths against the distribution package.

Reads runtime system information

discovery
Description: File opened for reading
Process: /tmp/a9645840ed9e516a7929525539cb3f750e2176ee5a63a6ab5edc67b9857e85cc.elf
Target: N/A
Indicators (22 entries, sorted by PID):
/proc/422/cmdline
/proc/663/cmdline
/proc/666/cmdline
/proc/669/cmdline
/proc/670/cmdline
/proc/704/cmdline
/proc/718/cmdline
/proc/719/cmdline
/proc/723/cmdline
/proc/724/cmdline
/proc/725/cmdline
/proc/730/cmdline
/proc/732/cmdline
/proc/733/cmdline
/proc/773/cmdline
/proc/774/cmdline
/proc/786/cmdline
/proc/790/cmdline
/proc/791/cmdline
/proc/798/cmdline
/proc/810/cmdline
/proc/811/cmdline
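The three behavioural signatures above (watchdog device opened for writing, opens under /bin and /sbin, and a sweep of /proc/<pid>/cmdline across many PIDs) are simple to re-derive from raw file-access events, and doing so shows which parts are strong signals and which need context. The script below is an added example, not the sandbox's rule set; the event lines are constructed to mirror the indicators in the report, and the image path /tmp/sample.elf, the allowlist, the enumeration threshold and the port heuristic are all assumptions. The outbound connection from the Network section is folded in as a fourth check.

```python
"""Replay the behavioural signatures of this report as detection logic
over raw file-access and network events.

Added example, not the sandbox's own rule set. The event text at the
bottom is constructed to mirror the indicators in the report; the image
path /tmp/sample.elf and the allowlists/thresholds are assumptions.
Event format assumed here: one "<process image> <op> <target>" per line,
with op in {open_r, open_w, connect}."""
import re
from collections import defaultdict

WATCHDOG_DEVICES = {"/dev/watchdog", "/dev/misc/watchdog"}
# Daemons that legitimately hold /dev/watchdog open for writing (assumed allowlist).
WATCHDOG_DAEMONS = {"/sbin/watchdog", "/usr/sbin/watchdog"}
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/")
PROC_CMDLINE = re.compile(r"^/proc/(\d+)/cmdline$")
# Distinct PIDs one process must probe before it counts as enumeration (assumed threshold).
CMDLINE_ENUM_THRESHOLD = 10
# Destination ports a binary staged in /tmp might plausibly need (assumed heuristic).
EXPECTED_PORTS = {53, 80, 123, 443}


def parse_events(text: str) -> list:
    """Parse event lines; blank lines and '#' comments are skipped."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        image, op, target = line.split(None, 2)
        events.append((image, op, target))
    return events


def evaluate(events: list) -> dict:
    """Return {image: {signature: {"tags": [...], "indicators": [...]}}}."""
    by_image = defaultdict(list)
    for image, op, target in events:
        by_image[image].append((op, target))
    report = {}
    for image, evs in by_image.items():
        sigs = defaultdict(lambda: {"tags": set(), "indicators": []})
        cmdline_pids = set()
        for op, target in evs:
            if op == "open_w" and target in WATCHDOG_DEVICES and image not in WATCHDOG_DAEMONS:
                sigs["Modifies Watchdog functionality"]["tags"].add("defense_evasion")
                sigs["Modifies Watchdog functionality"]["indicators"].append(target)
            elif op == "open_w" and target.startswith(SYSTEM_BIN_DIRS):
                sigs["Writes file to system bin folder"]["indicators"].append(target)
            elif op == "open_r":
                m = PROC_CMDLINE.match(target)
                if m:
                    cmdline_pids.add(int(m.group(1)))
            elif op == "connect" and image.startswith("/tmp/"):
                port = int(target.rsplit(":", 1)[1])
                if port not in EXPECTED_PORTS:
                    sigs["Outbound connection from /tmp binary"]["indicators"].append(target)
        # A single cmdline read is normal; a sweep across many PIDs is the discovery signal.
        if len(cmdline_pids) >= CMDLINE_ENUM_THRESHOLD:
            sig = sigs["Reads runtime system information"]
            sig["tags"].add("discovery")
            sig["indicators"] = [f"/proc/{pid}/cmdline" for pid in sorted(cmdline_pids)]
        report[image] = {name: {"tags": sorted(v["tags"]), "indicators": v["indicators"]}
                         for name, v in sigs.items()}
    return report


def tags_for(image_report: dict) -> list:
    """Union of tactic tags over an image's signatures, as the report's tag line shows them."""
    return sorted({t for sig in image_report.values() for t in sig["tags"]})


# Constructed events modelled on the report's indicator tables.
SAMPLE_EVENTS = """
# image               op       target
/tmp/sample.elf       open_w   /dev/watchdog
/tmp/sample.elf       open_w   /dev/misc/watchdog
/tmp/sample.elf       open_w   /sbin/watchdog
/tmp/sample.elf       open_w   /bin/watchdog
""" + "\n".join(f"/tmp/sample.elf open_r /proc/{pid}/cmdline" for pid in
                (422, 663, 666, 669, 670, 704, 718, 719, 723, 724, 725, 730)) + """
/tmp/sample.elf       connect  93.123.109.160:3778
# the real watchdog daemon opens the same device and must not fire the rule
/usr/sbin/watchdog    open_w   /dev/watchdog
"""

if __name__ == "__main__":
    for image, sigs in evaluate(parse_events(SAMPLE_EVENTS)).items():
        print(image, tags_for(sigs), sorted(sigs))
```

The pattern matches what the publicly leaked Mirai source does at startup: it opens /dev/watchdog (falling back to /dev/misc/watchdog) and disables the hardware watchdog with an ioctl so the device does not reboot out of the infection, and its killer routine walks /proc reading each process's cmdline to terminate competing bots. Two caveats when turning this into a host rule: tools like ps and top legitimately read every /proc/<pid>/cmdline, so the enumeration count alone is noisy and should be combined with the executable's location and the watchdog access, and the watchdog rule needs the allowlist or it will fire on the system's own watchdog daemon.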

Processes

/tmp/a9645840ed9e516a7929525539cb3f750e2176ee5a63a6ab5edc67b9857e85cc.elf

[/tmp/a9645840ed9e516a7929525539cb3f750e2176ee5a63a6ab5edc67b9857e85cc.elf]

Network

Country  Destination          Domain  Proto
BG       93.123.109.160:3778  (none)  tcp

Only the destination is recorded; no domain was resolved for it.

Files

memory/726-1-0x00400000-0x00451a58-memory.dmp

Memory dump of PID 726 covering 0x00400000-0x00451a58, the process's mapped image (0x00400000 is the conventional load address of a non-PIE MIPS ELF). Since the file on disk is UPX-packed, this dump is where the unpacked code and strings are expected to be. No dropped or modified files were captured.