Malware Analysis Report

2024-11-13 18:02

Sample ID: 241109-erecsawqbx
Target: boatnet.mips.elf
SHA256: cdf3f41e3ad38f3081c882ac25d15d03b9e85b7b7021cbd32a6c504acd353aab
Tags: upx mirai lzrd botnet defense_evasion discovery
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: cdf3f41e3ad38f3081c882ac25d15d03b9e85b7b7021cbd32a6c504acd353aab
Threat Level: Known bad

The file boatnet.mips.elf was found to be: Known bad.

Malicious Activity Summary

Tags: upx mirai lzrd botnet defense_evasion discovery

Mirai
Mirai family
Modifies Watchdog functionality
Enumerates running processes
Writes file to system bin folder
UPX packed file
Reads runtime system information
System Network Configuration Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 04:10

Signatures

UPX packed file
Tags: upx
  Description  Indicator  Process  Target
  N/A          N/A        N/A      N/A
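The static pass reports only that the file is UPX-packed. Before trying `upx -d`, an analyst wants three things the report does not spell out: the ELF class, byte order and machine (the detonation platform was debian9-mipsbe, so a 32-bit big-endian MIPS executable is expected), confirmation that the bytes in hand match the reported SHA256, and whether the UPX markers are intact, because Mirai builds routinely overwrite the "UPX!" magic so that stock UPX refuses to unpack them. The following Python is an added example and is not part of the report or of the sandbox's tooling. The bytes it builds in make_sample are a constructed MIPS big-endian ELF header, not the reported file, and the suspect_defaced_upx flag is a heuristic assumed for this example (UPX writes packed ELF files without section headers, so e_shnum == 0 with no "UPX!" string is consistent with a defaced packer header).

```python
"""ELF header and UPX-marker triage (added example, not from the report)."""
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"  # l_magic in UPX's l_info header; also present in the trailing PackHeader
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
ET_NAMES = {2: "EXEC", 3: "DYN"}


def find_all(data: bytes, needle: bytes) -> list:
    """Offsets of every occurrence of needle in data."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def triage_elf(data: bytes) -> dict:
    """Parse the ELF header (32- or 64-bit, either byte order) and summarise it
    together with the UPX markers found anywhere in the file."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    fmt = endian + ("HHIIIIIHHHHHH" if ei_class == 1 else "HHIQQQIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, _phoff, e_shoff, _flags,
     _ehsize, _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(fmt, data, 16)
    upx_offsets = find_all(data, UPX_MAGIC)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # compare against the hash in the report
        "class": 32 if ei_class == 1 else 64,
        "endian": "big" if ei_data == 2 else "little",
        "machine": EM_NAMES.get(e_machine, f"EM_{e_machine}"),
        "type": ET_NAMES.get(e_type, f"ET_{e_type}"),
        "entry": e_entry,
        "phnum": e_phnum,
        "shoff": e_shoff,
        "shnum": e_shnum,
        "upx_magic_offsets": upx_offsets,
        # Heuristic assumed for this example: UPX emits packed ELF files with no
        # section headers, so e_shnum == 0 and no "UPX!" magic is consistent with
        # a packed file whose magic was overwritten so `upx -d` reports
        # "not packed by UPX". Confirm by looking at the program headers and entry.
        "suspect_defaced_upx": e_shnum == 0 and not upx_offsets,
    }


def make_sample(with_upx_magic: bool) -> bytes:
    """Constructed 32-bit big-endian MIPS ELF header plus filler. This is NOT the
    reported sample, only a stand-in so the triage runs offline."""
    ident = ELF_MAGIC + bytes([1, 2, 1, 0, 0]) + b"\0" * 7  # ELF32, MSB, version 1
    header = struct.pack(">HHIIIIIHHHHHH",
                         2, 8, 1,            # ET_EXEC, EM_MIPS, EV_CURRENT
                         0x00400000,         # e_entry
                         52, 0, 0x1007,      # e_phoff, e_shoff (none), e_flags (arbitrary)
                         52, 32, 2,          # e_ehsize, e_phentsize, e_phnum
                         0, 0, 0)            # e_shentsize, e_shnum, e_shstrndx
    marker = UPX_MAGIC if with_upx_magic else b"\0" * 4
    return ident + header + b"\0" * 64 + marker + b"\0" * 16


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample(True)
    for key, value in triage_elf(blob).items():
        print(f"{key}: {value}")
```

Run it as `python3 triage.py boatnet.mips.elf` against the real file; with no argument it triages the constructed header. A defaced magic does not stop analysis: the packed binary still self-unpacks at runtime, which is why the behavioral detonation below observes the payload's own activity.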

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 04:10
Reported: 2024-11-09 04:12
Platform: debian9-mipsbe-20240611-en
Max time kernel: 150s
Max time network: 11s

Command Line

[/tmp/boatnet.mips.elf]

Signatures

Mirai
Tags: botnet mirai

Mirai family
Tags: mirai

Modifies Watchdog functionality
Tags: defense_evasion
  Description                   Indicator           Process                Target
  File opened for modification  /dev/watchdog       /tmp/boatnet.mips.elf  N/A
  File opened for modification  /dev/misc/watchdog  /tmp/boatnet.mips.elf  N/A
Opening the watchdog device for writing is the step that precedes disabling the hardware watchdog; the Mirai family does this so that the watchdog does not reboot the device while the bot is running.

Enumerates running processes
(see the /proc/<pid>/cmdline reads listed under Reads runtime system information)

Writes file to system bin folder
  Description                   Indicator       Process                Target
  File opened for modification  /sbin/watchdog  /tmp/boatnet.mips.elf  N/A
  File opened for modification  /bin/watchdog   /tmp/boatnet.mips.elf  N/A
Both indicators are watchdog binaries opened for modification, the same pattern as the /dev/watchdog entries above, and no dropped file appears under Files. Read this together with the watchdog tampering rather than as evidence of a payload written to /bin or /sbin.

Reads runtime system information
Tags: discovery
  Description              Indicator          Process                Target
  File opened for reading  /proc/774/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/463/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/691/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/769/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/771/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/790/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/493/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/748/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/701/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/703/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/708/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/456/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/690/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/763/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/778/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/804/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/494/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/736/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/759/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/768/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/807/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/696/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/726/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/784/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/697/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/760/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/742/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/676/cmdline  /tmp/boatnet.mips.elf  N/A
  File opened for reading  /proc/695/cmdline  /tmp/boatnet.mips.elf  N/A
Each row is one step of a walk over the process table. The PIDs are whatever was running in the sandbox at detonation time and are not indicators to hunt for; the behaviour to detect is one process reading the cmdline of every other process, which is how the Mirai family and its variants inventory processes, typically to kill competing bots.

System Network Configuration Discovery
Tags: discovery
  Description  Indicator  Process                Target
  N/A          N/A        /tmp/boatnet.mips.elf  N/A

Processes

/tmp/boatnet.mips.elf
[/tmp/boatnet.mips.elf]

Network

  Country  Destination         Domain  Proto
  GB       77.221.151.63:3778  N/A     tcp

Files

memory/698-1-0x00400000-0x00451a58-memory.dmp
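To act on the behavioral section, the signature rows and the network row have to become structured findings and a detection. The following Python is an added example, not part of the report or of the sandbox's tooling. It parses rows in the report's own flattened layout (description, indicator, process, target, whitespace-separated), groups them into the tactics the report tags (defense_evasion for the watchdog paths, discovery for the /proc walk), records the overlap between the watchdog rows and the "system bin" heuristic, and emits a Suricata-style rule for the observed TCP destination. The row subset is copied from this report; the rule's msg text and sid are placeholders chosen here, and the T1057 mapping is added by the editor, not taken from the report.

```python
"""Behavioral rows -> findings and a network detection (added example, not from the report)."""
import re
from collections import Counter

# Input copied from the behavioral1 section above, in the report's own layout.
SIGNATURE_ROWS = """\
File opened for modification /dev/watchdog /tmp/boatnet.mips.elf N/A
File opened for modification /dev/misc/watchdog /tmp/boatnet.mips.elf N/A
File opened for modification /sbin/watchdog /tmp/boatnet.mips.elf N/A
File opened for modification /bin/watchdog /tmp/boatnet.mips.elf N/A
File opened for reading /proc/774/cmdline /tmp/boatnet.mips.elf N/A
File opened for reading /proc/463/cmdline /tmp/boatnet.mips.elf N/A
File opened for reading /proc/691/cmdline /tmp/boatnet.mips.elf N/A
File opened for reading /proc/769/cmdline /tmp/boatnet.mips.elf N/A
"""
NETWORK_ROW = "GB 77.221.151.63:3778 tcp"  # Country Destination [Domain] Proto

WATCHDOG_PATHS = {"/dev/watchdog", "/dev/misc/watchdog", "/sbin/watchdog", "/bin/watchdog"}
SYSTEM_BIN_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
PROC_CMDLINE = re.compile(r"^/proc/(\d+)/cmdline$")


def parse_rows(text):
    """Yield (description, indicator, process, target). The description has a
    variable number of words but the last three columns never contain spaces,
    so split from the right."""
    for line in text.splitlines():
        if line.strip():
            desc, indicator, process, target = line.rsplit(maxsplit=3)
            yield desc, indicator, process, target


def classify(text):
    """Group indicators by what they mean to the analyst."""
    f = {"watchdog_tamper": [], "system_bin_writes": [], "proc_enum_pids": [],
         "processes": Counter(), "tactics": set(), "attack_techniques": set()}
    for desc, indicator, process, _target in parse_rows(text):
        f["processes"][process] += 1
        m = PROC_CMDLINE.match(indicator)
        if m and "reading" in desc:
            # One read per PID is a process-table walk. The PIDs are sandbox
            # artefacts, not IOCs; the behaviour is the finding.
            f["proc_enum_pids"].append(int(m.group(1)))
            f["tactics"].add("discovery")
            f["attack_techniques"].add("T1057 Process Discovery")  # editor's mapping
        if indicator in WATCHDOG_PATHS and "modification" in desc:
            # Watchdog device or binary opened for writing: the step before the
            # hardware watchdog is disabled so it cannot reboot the device.
            f["watchdog_tamper"].append(indicator)
            f["tactics"].add("defense_evasion")
        if indicator.startswith(SYSTEM_BIN_PREFIXES) and "modification" in desc:
            # The same /sbin and /bin watchdog rows also trip a "writes to system
            # bin" heuristic; keep the overlap visible instead of double counting.
            f["system_bin_writes"].append(indicator)
    return f


def parse_network_row(row):
    """'GB 77.221.151.63:3778 tcp' -> dict; the Domain column may be absent."""
    parts = row.split()
    country, dest, proto = parts[0], parts[1], parts[-1]
    domain = parts[2] if len(parts) == 4 else None
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def outbound_rule(ioc, sid=1000001):
    """Suricata/Snort-style alert on outbound contact with the observed endpoint.
    msg and sid are placeholders for this example; use a sid from your own range."""
    return (f'alert {ioc["proto"]} $HOME_NET any -> {ioc["ip"]} {ioc["port"]} '
            f'(msg:"boatnet.mips.elf outbound connection to sandbox-observed endpoint"; '
            f'flow:to_server; classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    findings = classify(SIGNATURE_ROWS)
    print("watchdog paths opened for writing:", findings["watchdog_tamper"])
    print("overlap with system-bin heuristic:", findings["system_bin_writes"])
    print("PIDs enumerated via /proc:", sorted(findings["proc_enum_pids"]))
    print("tactics:", sorted(findings["tactics"]), "techniques:", sorted(findings["attack_techniques"]))
    print(outbound_rule(parse_network_row(NETWORK_ROW)))
```

Paste the full 29 /proc rows from the report into SIGNATURE_ROWS to reproduce the complete walk; the PID list changes with every detonation, which is exactly why the rule is written on the network endpoint and the host finding on the behaviour, not on the PIDs.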