Malware Analysis Report

2025-06-15 23:21

Sample ID: 241013-yhjexszbjr
Target: 3cd0d2b3c9359e95d6522fb18508ec5f.elf
SHA256: e094fa55e07372a8937b51387f98b3a995980d4727a78480203ed31f783d1cf4
Tags: upx mirai lzrd botnet defense_evasion discovery
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: e094fa55e07372a8937b51387f98b3a995980d4727a78480203ed31f783d1cf4

Threat Level: Known bad

The file 3cd0d2b3c9359e95d6522fb18508ec5f.elf was found to be: Known bad.

Malicious Activity Summary

upx mirai lzrd botnet defense_evasion discovery

Mirai

Modifies Watchdog functionality

Enumerates running processes

Writes file to system bin folder

UPX packed file

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-13 19:47

Signatures

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
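The static pass records nothing beyond the packer, so the checks an analyst runs before detonation are not shown. The script below is an added example, not part of the report or of the sandbox, that does the usual pre-detonation triage: verify the file hash against the SHA256 listed above, read the ELF identification bytes for class, endianness and machine (the report's detonation platform is armhf), and look for the two UPX markers, the `UPX!` magic and the packer banner string. The input is a constructed buffer that mimics a packed 32-bit ARM ELF, not the real sample; pass a path on the command line to run it on a file. Caveat a practitioner will want: Mirai builds frequently overwrite the `UPX!` magic in both the leading l_info header and the trailing PackHeader, which makes `upx -d` refuse the file while the embedded unpacking stub still runs, so a marker count of zero does not prove the binary is unpacked.

```python
import hashlib
import struct

# SHA256 listed in the report for 3cd0d2b3c9359e95d6522fb18508ec5f.elf
REPORT_SHA256 = "e094fa55e07372a8937b51387f98b3a995980d4727a78480203ed31f783d1cf4"

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"
UPX_BANNER = b"$Info: This file is packed with the UPX executable packer"
# e_machine values from the ELF specification
E_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def elf_header(data: bytes):
    """Return class, endianness and machine from the ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    bits = {1: 32, 2: 64}.get(data[4])             # EI_CLASS
    endian = {1: "little", 2: "big"}.get(data[5])  # EI_DATA
    if bits is None or endian is None:
        return None
    fmt = ("<" if endian == "little" else ">") + "H"
    (e_machine,) = struct.unpack_from(fmt, data, 18)  # e_machine follows e_type at offset 16
    return {"bits": bits, "endian": endian, "machine": E_MACHINE.get(e_machine, hex(e_machine))}


def upx_indicators(data: bytes):
    """Count UPX markers. Heuristic only: Mirai builders often patch the magic out,
    so a count of 0 does not mean the file is unpacked."""
    return {
        "upx_magic_count": data.count(UPX_MAGIC),
        "upx_banner": UPX_BANNER in data,
    }


def static_triage(data: bytes, expected_sha256: str = REPORT_SHA256):
    """Hash check, header parse and packer heuristics combined into one record."""
    digest = hashlib.sha256(data).hexdigest()
    result = {
        "sha256": digest,
        "hash_matches_report": digest == expected_sha256,
        "elf": elf_header(data),
    }
    result.update(upx_indicators(data))
    result["likely_upx"] = result["upx_magic_count"] >= 1 or result["upx_banner"]
    return result


def build_fake_packed_elf() -> bytes:
    """Constructed test input (not the real sample): a minimal 32-bit little-endian
    ARM ELF header followed by the two places UPX normally writes its magic."""
    e_ident = ELF_MAGIC + bytes([1, 1, 1]) + b"\x00" * 9   # EI_CLASS=1, EI_DATA=1, EI_VERSION=1
    rest = struct.pack("<HHI", 2, 40, 0x8000)               # e_type=ET_EXEC, e_machine=ARM, e_entry
    body = e_ident + rest + b"\x00" * (52 - len(e_ident) - len(rest))  # pad to a 52-byte Elf32_Ehdr
    body += UPX_MAGIC + b"\x00" * 8            # l_info.l_magic right after the headers
    body += UPX_BANNER + b"\x00" * 16
    body += UPX_MAGIC + b"\x00" * 32           # trailing PackHeader
    return body


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_packed_elf()
    for key, value in static_triage(data).items():
        print(f"{key}: {value}")
```

On the real sample the hash check should return True and the header should report a 32-bit little-endian ARM binary; a mismatch in either means the file on disk is not the one this report describes.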

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-13 19:47

Reported

2024-10-13 19:49

Platform

debian12-armhf-20240221-en

Max time kernel

136s

Max time network

155s

Command Line

[/tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf]

Signatures

Mirai

Tags: botnet mirai

Modifies Watchdog functionality

Tags: defense_evasion
Description | Indicator | Process | Target
File opened for modification | /dev/watchdog | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for modification | /dev/misc/watchdog | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A

Enumerates running processes

Writes file to system bin folder

Description | Indicator | Process | Target
File opened for modification | /sbin/watchdog | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for modification | /bin/watchdog | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A

Reads runtime system information

Tags: discovery
Description | Indicator | Process | Target
File opened for reading | /proc/680/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/8/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/12/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/14/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/38/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/703/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/710/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/6/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/16/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/27/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/188/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/705/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/709/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/1/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/31/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/35/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/684/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/45/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/249/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/339/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/2/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/25/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/679/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/11/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/26/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/57/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/484/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/3/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/32/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/52/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/199/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/20/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/346/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/34/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/219/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/706/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/self/exe | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/19/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/43/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/316/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/24/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/74/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/309/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/342/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/5/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/9/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/13/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/21/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/488/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/701/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/29/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/47/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/58/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/308/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/4/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/46/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/143/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/638/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/353/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/665/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/692/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/695/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/7/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A
File opened for reading | /proc/15/status | /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf | N/A

Processes

/tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf

[/tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf]

Network

Country | Destination | Domain | Proto
DE | 45.131.65.138:3778 | - | tcp
US | 1.1.1.1:53 | debian12-armhf-20240221-en-6 | udp
US | 1.1.1.1:53 | debian12-armhf-20240221-en-6 | udp
US | 1.1.1.1:53 | debian12-armhf-20240221-en-6 | udp
US | 1.1.1.1:53 | debian12-armhf-20240221-en-6 | udp
DE | 45.131.65.138:3778 | - | tcp
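The three behavioral signatures above (watchdog tampering, /proc enumeration, and the direct TCP connection to 45.131.65.138:3778) are the combination that identifies a Mirai-family bot: the bot opens /dev/watchdog read-write so it can issue the ioctl that disables the hardware watchdog, which otherwise reboots a wedged device and sheds the infection, and its killer routine walks every /proc/<pid>/status looking for competing processes. Because the sandbox logs the read-write open rather than a write, the /sbin/watchdog and /bin/watchdog entries appear under "Writes file to system bin folder" even though no write is recorded in this report. The script below is an added example, not part of the report or of the sandbox, showing detection logic run over indicator lines in the report's own "Description Indicator Process Target" format: it parses the rows, scores each process on those three behaviors, and pulls direct-to-IP TCP peers out of the network table as C2 candidates. The trace and network rows are a constructed subset copied from this report; the /proc-read threshold of 10 is an assumption to tune, since benign tooling such as ps also reads those files but rarely from a freshly dropped /tmp binary. The DNS rows are treated as resolver traffic for the sandbox's own hostname, which is also an assumption, based on the domain matching the platform name.

```python
import re

# Constructed subset of the behavioral1 indicator rows above (same format as the sandbox output).
SANDBOX_TRACE = """\
File opened for modification /dev/watchdog /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf N/A
File opened for modification /dev/misc/watchdog /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf N/A
File opened for modification /sbin/watchdog /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf N/A
File opened for modification /bin/watchdog /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf N/A
File opened for reading /proc/680/status /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf N/A
File opened for reading /proc/8/status /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf N/A
File opened for reading /proc/12/status /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf N/A
File opened for reading /proc/14/status /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf N/A
File opened for reading /proc/38/status /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf N/A
File opened for reading /proc/1/status /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf N/A
File opened for reading /proc/self/exe /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf N/A
File opened for reading /proc/2/status /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf N/A
File opened for reading /proc/3/status /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf N/A
File opened for reading /proc/4/status /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf N/A
File opened for reading /proc/5/status /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf N/A
File opened for reading /proc/6/status /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf N/A
File opened for reading /proc/7/status /tmp/3cd0d2b3c9359e95d6522fb18508ec5f.elf N/A
"""

# Network rows from the report as (country, destination, domain, proto); "" = no domain.
SANDBOX_NETWORK = [
    ("DE", "45.131.65.138:3778", "", "tcp"),
    ("US", "1.1.1.1:53", "debian12-armhf-20240221-en-6", "udp"),
    ("DE", "45.131.65.138:3778", "", "tcp"),
]

EVENT_RE = re.compile(
    r"^File opened for (?P<op>reading|modification) (?P<path>\S+) (?P<proc>\S+) (?P<target>\S+)$"
)
PROC_STATUS_RE = re.compile(r"^/proc/(\d+)/status$")
WATCHDOG_DEVICES = {"/dev/watchdog", "/dev/misc/watchdog"}
WATCHDOG_BINARIES = {"/sbin/watchdog", "/bin/watchdog"}
PROC_SCAN_THRESHOLD = 10  # assumption: distinct PIDs whose status file one process reads


def parse_events(text: str):
    """Turn sandbox indicator rows into dicts with op, path, proc and target."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(events, network, threshold: int = PROC_SCAN_THRESHOLD):
    """Score each process on the three Mirai-family behaviors and attach C2 candidates."""
    per_proc = {}
    for ev in events:
        st = per_proc.setdefault(ev["proc"], {
            "watchdog_devices": set(), "watchdog_binaries": set(),
            "proc_status_pids": set(), "reads_self_exe": False,
        })
        if ev["op"] == "modification" and ev["path"] in WATCHDOG_DEVICES:
            st["watchdog_devices"].add(ev["path"])          # O_RDWR open before the disable ioctl
        elif ev["op"] == "modification" and ev["path"] in WATCHDOG_BINARIES:
            st["watchdog_binaries"].add(ev["path"])         # userland watchdog daemon paths
        elif ev["op"] == "reading":
            m = PROC_STATUS_RE.match(ev["path"])
            if m:
                st["proc_status_pids"].add(int(m.group(1)))  # killer-style process walk
            elif ev["path"] == "/proc/self/exe":
                st["reads_self_exe"] = True

    # Direct-to-IP TCP peers with no resolved name are the C2 candidates; the UDP/53
    # rows are treated as resolver traffic for the sandbox hostname (assumption).
    c2 = sorted({dst for _, dst, domain, proto in network if proto == "tcp" and not domain})

    report = {}
    for proc, st in per_proc.items():
        flags = {
            "watchdog_tamper": bool(st["watchdog_devices"]),
            "watchdog_binary_tamper": bool(st["watchdog_binaries"]),
            "proc_status_count": len(st["proc_status_pids"]),
            "proc_scan": len(st["proc_status_pids"]) >= threshold,
            "reads_self_exe": st["reads_self_exe"],
            "c2_candidates": c2,
        }
        flags["mirai_like"] = flags["watchdog_tamper"] and flags["proc_scan"] and bool(c2)
        report[proc] = flags
    return report


if __name__ == "__main__":
    for proc, flags in analyze(parse_events(SANDBOX_TRACE), SANDBOX_NETWORK).items():
        print(proc)
        for key, value in flags.items():
            print(f"  {key}: {value}")
```

Feeding the full 64-row discovery table above instead of the subset only raises proc_status_count; the verdict does not change, which is the point of keying on the combination of behaviors rather than on any single path.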

Files

memory/703-1-0x00008000-0x00020b48-memory.dmp