Analysis Overview
SHA256
241c94a3458c65a9bf658fa6ab5b21bb74547a1e01bff35bfe8311c85c5f3ce8
Threat Level: Known bad
The file 9ff2daaf1375355d4829ad206ac92e2c.elf was found to be: Known bad.
Malicious Activity Summary
Mirai
Modifies Watchdog functionality
Enumerates running processes
Writes file to system bin folder
UPX packed file
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 19:47
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| (no indicator rows recorded for this static signature) | | | |
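The static signature above only names the packer. As an added example that is not part of the sandbox report, the following Python checks what a practitioner would verify by hand on such a sample: the ELF header (class, endianness, machine, section-header count) and whether the "UPX!" marker string is present. The real sample is not included; `build_sample` constructs a minimal 32-bit little-endian MIPS header purely for illustration, and the function and type names are this example's own.

```python
import struct
from dataclasses import dataclass

# ELF e_machine values commonly seen in IoT bot samples (subset of the ELF spec).
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


@dataclass
class ElfInfo:
    bits: int         # 32 or 64, from EI_CLASS
    endian: str       # "little" or "big", from EI_DATA
    machine: str      # decoded e_machine
    shnum: int        # e_shnum; UPX-packed ELFs are typically written without a section table
    upx_marker: bool  # b"UPX!" (the UPX l_info magic) found anywhere in the file


def inspect_elf(data: bytes) -> ElfInfo:
    """Parse the ELF identification bytes and header fields needed for a packing check."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    bits = 32 if ei_class == 1 else 64
    fmt = "<" if ei_data == 1 else ">"
    (e_machine,) = struct.unpack_from(fmt + "H", data, 18)
    shnum_off = 48 if bits == 32 else 60  # e_shnum offset in Elf32_Ehdr / Elf64_Ehdr
    if len(data) < shnum_off + 2:
        raise ValueError("truncated ELF header")
    (e_shnum,) = struct.unpack_from(fmt + "H", data, shnum_off)
    return ElfInfo(
        bits=bits,
        endian="little" if ei_data == 1 else "big",
        machine=EM_NAMES.get(e_machine, f"unknown({e_machine})"),
        shnum=e_shnum,
        upx_marker=b"UPX!" in data,
    )


def packing_verdict(info: ElfInfo) -> str:
    """The marker is strong evidence; a missing section table alone is only a hint."""
    if info.upx_marker:
        return "UPX marker present"
    if info.shnum == 0:
        return "no section headers (possibly packed, marker scrubbed)"
    return "no packing indicators"


def build_sample(packed: bool) -> bytes:
    """Constructed test input, not the real sample: a minimal ELF32 LE MIPS header followed by
    a UPX-style marker when packed=True, or by dummy bytes otherwise."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # EI_CLASS=32-bit, EI_DATA=LE, EI_VERSION=1
    ehdr = ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2, 8,                   # e_type=ET_EXEC, e_machine=EM_MIPS
        1, 0x00400000,          # e_version, e_entry
        52,                     # e_phoff
        0 if packed else 1000,  # e_shoff: packed files typically carry none
        0, 52, 32, 2, 40,       # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize
        0 if packed else 12,    # e_shnum
        0 if packed else 11,    # e_shstrndx
    )
    tail = (b"UPX!" + b"\x00" * 28) if packed else b"\x00" * 32
    return ehdr + tail


if __name__ == "__main__":
    for packed in (True, False):
        info = inspect_elf(build_sample(packed))
        print(info, "->", packing_verdict(info))
```

Treat the marker check as a triage aid, not proof: Mirai-family samples are frequently repacked with the "UPX!" magic overwritten, in which case only the missing section table and the small, high-entropy LOAD segment remain as hints, and the file has to be unpacked or dumped from memory (as the sandbox did here) before any meaningful string or code analysis.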
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 19:47
Reported
2024-10-13 19:49
Platform
debian9-mipsel-20240418-en
Max time kernel
135s
Max time network
149s
Command Line
Signatures
Mirai
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
Enumerates running processes
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/watchdog | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for modification | /bin/watchdog | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/154/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/713/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/2/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/3/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/9/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/18/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/82/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/323/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/672/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/4/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/19/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/73/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/75/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/208/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/355/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/10/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/21/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/7/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/16/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/20/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/71/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/74/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/111/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/710/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/37/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/70/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/79/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/322/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/378/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/671/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/6/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/150/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/716/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/8/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/13/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/77/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/376/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/718/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/14/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/24/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/36/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/72/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/121/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/668/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/721/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/15/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/17/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/23/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/325/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/383/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/711/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/5/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/22/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/122/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/320/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/714/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/12/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/76/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/318/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/717/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/1/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/78/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/665/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/11/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
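The three behavioral signatures above (watchdog modification, writes into the system bin folders, and the sweep of /proc/<pid>/status files) are each a single file-open pattern attributed to one process. As an added example that is not part of the sandbox report, the following Python parses rows in the report's table format and reapplies those patterns as detection logic, so the same check can be run over a different report or over file-open events from a host. The sample rows below are a constructed excerpt (the first rows are taken from this report, the last is an invented benign event for contrast), `/dev/watchdog0` is included as an assumption about other Linux hosts, and the threshold of three distinct PIDs is this example's own choice.

```python
import re
from collections import defaultdict

# Constructed excerpt in the report's own row format. Rows 1-8 copy entries from this report;
# the final row is an invented benign event so the classifier has something to ignore.
SAMPLE_ROWS = """\
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for modification | /sbin/watchdog | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for modification | /bin/watchdog | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/1/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/2/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/154/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/713/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /etc/hostname | /usr/bin/sshd | N/A |
"""

ROW_RE = re.compile(r"^\|\s*(?P<desc>[^|]+?)\s*\|\s*(?P<path>[^|]+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|")
PROC_STATUS_RE = re.compile(r"^/proc/(\d+)/status$")
# /dev/watchdog and /dev/misc/watchdog appear in the report; /dev/watchdog0 is an assumption.
WATCHDOG_DEVS = {"/dev/watchdog", "/dev/misc/watchdog", "/dev/watchdog0"}
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")


def parse_rows(text: str) -> list[tuple[str, str, str]]:
    """Turn '| description | path | process | target |' rows into (process, description, path)."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m["desc"] == "Description":  # skip non-rows and the header row
            continue
        events.append((m["proc"], m["desc"], m["path"]))
    return events


def classify(events, enum_threshold: int = 3) -> dict[str, set[str]]:
    """Map each process to the set of report signatures its file-open events trigger."""
    hits: dict[str, set[str]] = defaultdict(set)
    status_pids: dict[str, set[str]] = defaultdict(set)
    for proc, desc, path in events:
        modifying = desc == "File opened for modification"
        if modifying and path in WATCHDOG_DEVS:
            hits[proc].add("Modifies Watchdog functionality")
        if modifying and path.startswith(BIN_DIRS):
            hits[proc].add("Writes file to system bin folder")
        m = PROC_STATUS_RE.match(path)
        if m and desc == "File opened for reading":
            status_pids[proc].add(m.group(1))
    # Reading one or two status files is normal; a sweep across many PIDs is enumeration.
    for proc, pids in status_pids.items():
        if len(pids) >= enum_threshold:
            hits[proc].add("Enumerates running processes")
    return dict(hits)


if __name__ == "__main__":
    for proc, sigs in classify(parse_rows(SAMPLE_ROWS)).items():
        print(proc, "->", ", ".join(sorted(sigs)))
```

On a real host the same three conditions can be fed from audit events rather than a report: watch `/dev/watchdog` and the bin directories for writes, and count distinct `/proc/<pid>/status` opens per process over a short window. Any one condition on its own is noisy (the legitimate `watchdog` daemon opens the device for writing; package managers write into `/sbin`), so alert on the combination attributed to one process, as this report shows for the sample.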
Processes
/tmp/9ff2daaf1375355d4829ad206ac92e2c.elf
[/tmp/9ff2daaf1375355d4829ad206ac92e2c.elf]
Network
| Country | Destination | Domain | Proto |
| DE | 45.131.65.138:3778 | | tcp |
| DE | 45.131.65.138:3778 | | tcp |
Files
memory/718-1-0x00400000-0x0043affc-memory.dmp