Malware Analysis Report

2024-11-13 18:02

Sample ID 241109-epjjqazmhm
Target fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf
SHA256 fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022
Tags upx mirai lzrd botnet defense_evasion discovery
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022

Threat Level: Known bad

The file fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf was found to be: Known bad.

Malicious Activity Summary

upx mirai lzrd botnet defense_evasion discovery

Mirai family

Mirai

Modifies Watchdog functionality

Writes file to system bin folder

UPX packed file

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-09 04:06

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-09 04:06
Reported 2024-11-09 04:09
Platform debian12-mipsel-20240221-en
Max time kernel 150s
Max time network 10s

Command Line

[/tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf]

Signatures

Mirai

botnet mirai

Mirai family

mirai

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A
File opened for modification /dev/misc/watchdog /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /sbin/watchdog /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A
File opened for modification /bin/watchdog /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/667/cmdline /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A
File opened for reading /proc/679/cmdline /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A
File opened for reading /proc/710/cmdline /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A
File opened for reading /proc/401/cmdline /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A
File opened for reading /proc/716/cmdline /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A
File opened for reading /proc/721/cmdline /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A
File opened for reading /proc/731/cmdline /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A
File opened for reading /proc/748/cmdline /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A
File opened for reading /proc/695/cmdline /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A
File opened for reading /proc/697/cmdline /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A
File opened for reading /proc/732/cmdline /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A
File opened for reading /proc/431/cmdline /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A
File opened for reading /proc/680/cmdline /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A
File opened for reading /proc/744/cmdline /tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf N/A

Processes

/tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf

[/tmp/fe5588b0f78092776e450f18344c39fe4559b5130d2b946906790b2d37545022.elf]

Network

Country Destination Domain Proto
GB 37.230.62.25:3778 tcp
US 1.1.1.1:53 debian12-mipsel-20240221-en-2 udp
US 1.1.1.1:53 debian12-mipsel-20240221-en-2 udp
US 1.1.1.1:53 debian12-mipsel-20240221-en-2 udp
US 1.1.1.1:53 debian12-mipsel-20240221-en-2 udp

Files

memory/740-1-0x00400000-0x00452a58-memory.dmp