Analysis Overview
SHA256
241c94a3458c65a9bf658fa6ab5b21bb74547a1e01bff35bfe8311c85c5f3ce8
Threat Level: Known bad
The file 9ff2daaf1375355d4829ad206ac92e2c.elf was found to be: Known bad.
Malicious Activity Summary
Mirai
Modifies Watchdog functionality
Enumerates running processes
Writes file to system bin folder
UPX packed file
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 19:49
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 19:49
Reported
2024-10-13 19:52
Platform
debian12-mipsel-20240221-en
Max time kernel
139s
Max time network
162s
Command Line
Signatures
Mirai
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
Enumerates running processes
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/watchdog | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for modification | /bin/watchdog | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/748/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/21/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/23/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/48/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/137/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/718/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/34/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/118/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/180/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/631/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/10/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/15/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/20/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/26/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/3/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/13/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/58/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/711/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/5/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/27/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/29/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/421/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/694/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/2/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/33/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/136/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/202/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/42/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/113/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/397/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/630/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/11/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/16/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/19/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/32/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/30/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/635/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/714/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/720/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/733/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/4/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/8/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/114/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/396/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/747/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/407/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/712/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/732/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/6/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/7/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/9/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/53/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/411/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/690/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/692/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/17/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/28/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/31/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/404/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/736/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/24/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/25/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/59/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
| File opened for reading | /proc/112/status | /tmp/9ff2daaf1375355d4829ad206ac92e2c.elf | N/A |
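The two signatures above share one piece of evidence worth reading carefully. Mirai-family bots open the watchdog device with write access so they can issue the disable ioctl (WDIOC_SETOPTIONS with WDIOS_DISABLECARD) and stop the board from rebooting while the bot loads the CPU; the same routine falls back to /sbin/watchdog and /bin/watchdog, so the "Writes file to system bin folder" hit on exactly those two paths is part of the watchdog tampering, not a dropped payload. The /proc/<pid>/status reads are the bot walking every process, the scan its killer routine uses to find competing malware. The following triage helper is an added example, not part of the sandbox report or of any vendor's tooling: it takes (description, indicator, process) rows in the shape of the tables above, separates watchdog tampering from genuine writes into system bin directories, and counts distinct PIDs enumerated. The sample rows are constructed from this page's indicators, and the enumeration threshold is an assumption.

```python
from __future__ import annotations

import re
from typing import Iterable

# Watchdog device nodes and fallback names that Mirai-family bots open O_RDWR
# before sending WDIOC_SETOPTIONS / WDIOS_DISABLECARD. /sbin/watchdog and
# /bin/watchdog are tried by the same routine, so a "write to bin folder" hit
# on exactly these paths is watchdog tampering, not a dropped payload.
WATCHDOG_PATHS = frozenset({
    "/dev/watchdog", "/dev/misc/watchdog", "/sbin/watchdog", "/bin/watchdog",
})
PROC_STATUS_RE = re.compile(r"^/proc/(\d+)/status$")
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
# Assumption: reading the status of this many distinct PIDs counts as a scan.
ENUM_THRESHOLD = 5

SAMPLE_PROCESS = "/tmp/9ff2daaf1375355d4829ad206ac92e2c.elf"

# Constructed from the behavioral1 rows above (a subset of the /proc reads).
SAMPLE_EVENTS = [
    ("File opened for modification", "/dev/watchdog", SAMPLE_PROCESS),
    ("File opened for modification", "/dev/misc/watchdog", SAMPLE_PROCESS),
    ("File opened for modification", "/sbin/watchdog", SAMPLE_PROCESS),
    ("File opened for modification", "/bin/watchdog", SAMPLE_PROCESS),
] + [
    ("File opened for reading", f"/proc/{pid}/status", SAMPLE_PROCESS)
    for pid in (748, 21, 23, 48, 137, 718, 34, 118)
]


def classify(events: Iterable[tuple[str, str, str]]) -> dict:
    """Group sandbox file events by the behaviour they actually evidence."""
    watchdog: set[str] = set()
    enumerated_pids: set[int] = set()
    bin_writes: set[str] = set()

    for description, path, _process in events:
        if description == "File opened for modification":
            if path in WATCHDOG_PATHS:
                watchdog.add(path)
            elif path.startswith(BIN_DIRS):
                bin_writes.add(path)  # a real write into a system bin dir
        elif description == "File opened for reading":
            match = PROC_STATUS_RE.match(path)
            if match:
                enumerated_pids.add(int(match.group(1)))

    findings = []
    if watchdog:
        findings.append("watchdog_tamper")
    if len(enumerated_pids) >= ENUM_THRESHOLD:
        findings.append("process_enumeration")
    if bin_writes:
        findings.append("system_bin_write")

    return {
        "watchdog_paths": sorted(watchdog),
        "enumerated_pids": sorted(enumerated_pids),
        "bin_writes": sorted(bin_writes),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in classify(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Run against the rows on this page the helper reports watchdog tampering on all four paths and a process scan, and an empty bin_writes list; only a modification of a path under /bin or /sbin that is not one of the watchdog names (for example a replaced busybox) is reported as a genuine system-bin write.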
Processes
/tmp/9ff2daaf1375355d4829ad206ac92e2c.elf
[/tmp/9ff2daaf1375355d4829ad206ac92e2c.elf]
Network
| Country | Destination | Domain | Proto |
| DE | 45.131.65.138:3778 | | tcp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-4 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-4 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-4 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-4 | udp |
| DE | 45.131.65.138:3778 | | tcp |
Files
memory/743-1-0x00400000-0x0043affc-memory.dmp