Analysis Overview
SHA256
e094fa55e07372a8937b51387f98b3a995980d4727a78480203ed31f783d1cf4
Threat Level: Known bad
The file 3cd0d2b3c9359e95d6522fb18508ec5f.elf was found to be: Known bad.
Malicious Activity Summary
Mirai
Modifies Watchdog functionality
Enumerates running processes
Writes file to system bin folder
UPX packed file
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 19:47
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 19:47
Reported
2024-10-13 19:49
Platform
debian12-armhf-20240221-en
Max time kernel
136s
Max time network
155s
Command Line
Signatures
Mirai
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /dev/watchdog | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
Enumerates running processes
Writes file to system bin folder
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /sbin/watchdog | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for modification | /bin/watchdog | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/680/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/8/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/12/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/14/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/38/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/703/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/710/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/6/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/16/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/27/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/188/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/705/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/709/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/1/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/31/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/35/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/684/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/45/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/249/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/339/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/2/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/25/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/679/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/11/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/26/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/57/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/484/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/3/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/32/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/52/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/199/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/20/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/346/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/34/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/219/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/706/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/self/exe | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/19/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/43/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/316/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/24/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/74/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/309/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/342/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/5/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/9/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/13/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/21/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/488/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/701/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/29/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/47/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/58/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/308/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/4/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/46/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/143/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/638/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/353/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/665/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/692/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/695/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/7/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
| File opened for reading | /proc/15/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A |
Processes
/tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf
[/tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 45.131.65.138:3778 | | tcp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-6 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-6 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-6 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-6 | udp |
| DE | 45.131.65.138:3778 | | tcp |
Files
memory/703-1-0x00008000-0x00020b48-memory.dmp