Malware Analysis Report

2024-11-13 18:03

Sample ID 241109-eqwwfaxdma
Target fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
SHA256 fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c
Tags
upx mirai lzrd botnet defense_evasion discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c

Threat Level: Known bad

The file fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf was found to be: Known bad.

Malicious Activity Summary

upx mirai lzrd botnet defense_evasion discovery

Mirai family

Mirai

Modifies Watchdog functionality

Enumerates running processes

Writes file to system bin folder

UPX packed file

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 04:09

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 04:09

Reported

2024-11-09 04:11

Platform

debian9-armhf-20240418-en

Max time kernel

149s

Max time network

5s

Command Line

[/tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf]

Signatures

Mirai

botnet mirai

Mirai family

mirai

Modifies Watchdog functionality

defense_evasion
Description | Indicator | Process | Target
File opened for modification | /dev/watchdog | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for modification | /dev/misc/watchdog | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A

Enumerates running processes

Writes file to system bin folder

Description | Indicator | Process | Target
File opened for modification | /sbin/watchdog | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for modification | /bin/watchdog | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A

Reads runtime system information

discovery
Description | Indicator | Process | Target
File opened for reading | /proc/600/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/764/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/774/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/777/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/775/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/783/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/self/exe | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/582/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/723/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/757/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/768/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/772/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/645/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/654/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/766/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/596/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/640/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/770/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/778/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/602/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/647/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/714/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/603/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/711/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/747/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/646/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/779/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/785/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/653/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/659/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/715/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/759/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A
File opened for reading | /proc/781/cmdline | /tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf | N/A

Processes

/tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf

[/tmp/fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf]

Network

Country | Destination | Domain | Proto
DE | 147.45.42.138:3778 | (none) | tcp

Files

memory/648-1-0x00008000-0x00026464-memory.dmp