Malware Analysis Report

2024-11-13 18:02

Sample ID: 241109-eqstsaxdlf
Target: boatnet.mpsl.elf
SHA256: 6fcec39c841467b8ef53dab6f9acada11898ba46b5eeefde95132dcd88f23782
Tags: upx mirai lzrd botnet defense_evasion discovery
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 6fcec39c841467b8ef53dab6f9acada11898ba46b5eeefde95132dcd88f23782

Threat Level: Known bad

The file boatnet.mpsl.elf was found to be: Known bad.

Malicious Activity Summary

upx mirai lzrd botnet defense_evasion discovery

Mirai

Mirai family

Modifies Watchdog functionality

Writes file to system bin folder

UPX packed file

Reads runtime system information

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-11-09 04:09

Signatures

UPX packed file

upx

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 04:09
Reported: 2024-11-09 04:11
Platform: debian12-mipsel-20240221-en
Max time kernel: 150s
Max time network: 10s

Command Line

[/tmp/boatnet.mpsl.elf]

Signatures

Mirai

botnet mirai

Mirai family

mirai

Modifies Watchdog functionality

defense_evasion

Description                    Indicator             Process                 Target
File opened for modification   /dev/misc/watchdog    /tmp/boatnet.mpsl.elf   N/A
File opened for modification   /dev/watchdog         /tmp/boatnet.mpsl.elf   N/A

Writes file to system bin folder

Description                    Indicator         Process                 Target
File opened for modification   /sbin/watchdog    /tmp/boatnet.mpsl.elf   N/A
File opened for modification   /bin/watchdog     /tmp/boatnet.mpsl.elf   N/A

Reads runtime system information

discovery

Description               Indicator           Process                 Target
File opened for reading   /proc/716/cmdline   /tmp/boatnet.mpsl.elf   N/A
File opened for reading   /proc/717/cmdline   /tmp/boatnet.mpsl.elf   N/A
File opened for reading   /proc/720/cmdline   /tmp/boatnet.mpsl.elf   N/A
File opened for reading   /proc/732/cmdline   /tmp/boatnet.mpsl.elf   N/A
File opened for reading   /proc/745/cmdline   /tmp/boatnet.mpsl.elf   N/A
File opened for reading   /proc/414/cmdline   /tmp/boatnet.mpsl.elf   N/A
File opened for reading   /proc/710/cmdline   /tmp/boatnet.mpsl.elf   N/A
File opened for reading   /proc/666/cmdline   /tmp/boatnet.mpsl.elf   N/A
File opened for reading   /proc/697/cmdline   /tmp/boatnet.mpsl.elf   N/A
File opened for reading   /proc/750/cmdline   /tmp/boatnet.mpsl.elf   N/A
File opened for reading   /proc/679/cmdline   /tmp/boatnet.mpsl.elf   N/A
File opened for reading   /proc/680/cmdline   /tmp/boatnet.mpsl.elf   N/A
File opened for reading   /proc/733/cmdline   /tmp/boatnet.mpsl.elf   N/A
File opened for reading   /proc/668/cmdline   /tmp/boatnet.mpsl.elf   N/A
File opened for reading   /proc/695/cmdline   /tmp/boatnet.mpsl.elf   N/A

Processes

/tmp/boatnet.mpsl.elf

[/tmp/boatnet.mpsl.elf]

Network

Country   Destination          Domain                           Proto
GB        77.221.151.63:3778                                    tcp
US        1.1.1.1:53           debian12-mipsel-20240221-en-13   udp
US        1.1.1.1:53           debian12-mipsel-20240221-en-13   udp
US        1.1.1.1:53           debian12-mipsel-20240221-en-13   udp
US        1.1.1.1:53           debian12-mipsel-20240221-en-13   udp

Files

memory/740-1-0x00400000-0x00452a58-memory.dmp