Malware Analysis Report

2024-11-13 18:02

Sample ID 241109-erecsaxdmc
Target boatnet.x86.elf
SHA256 e2a04bd1fb1e7ed211e3ee19b08337b6361d695278417d5a21ba602ca7eb99b4
Tags
upx mirai lzrd botnet defense_evasion discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2a04bd1fb1e7ed211e3ee19b08337b6361d695278417d5a21ba602ca7eb99b4

Threat Level: Known bad

The file boatnet.x86.elf was found to be: Known bad.

Malicious Activity Summary

upx mirai lzrd botnet defense_evasion discovery

Mirai

Mirai family

Modifies Watchdog functionality

Enumerates running processes

Writes file to system bin folder

UPX packed file

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 04:10

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 04:10

Reported

2024-11-09 04:12

Platform

ubuntu2204-amd64-20240729-en

Max time kernel

149s

Max time network

130s

Command Line

[/tmp/boatnet.x86.elf]

Signatures

Mirai

botnet mirai

Mirai family

mirai

Modifies Watchdog functionality

defense_evasion
Description | Indicator | Process | Target
File opened for modification | /dev/watchdog | /tmp/boatnet.x86.elf | N/A
File opened for modification | /dev/misc/watchdog | /tmp/boatnet.x86.elf | N/A

Enumerates running processes

Writes file to system bin folder

Description | Indicator | Process | Target
File opened for modification | /bin/watchdog | /tmp/boatnet.x86.elf | N/A
File opened for modification | /sbin/watchdog | /tmp/boatnet.x86.elf | N/A

Reads runtime system information

discovery
Description | Indicator | Process | Target
File opened for reading | /proc/416/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/642/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/771/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/831/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/965/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1039/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1044/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1201/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1323/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1059/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1290/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/639/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/997/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/414/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1129/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1187/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/671/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/744/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/959/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1164/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1495/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/773/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/874/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1170/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/532/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/726/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/862/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1245/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1367/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1457/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/619/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/636/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1426/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/410/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/504/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/667/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1060/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1107/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1230/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1305/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1375/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/637/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/643/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1019/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1166/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1216/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1086/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1320/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/778/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1174/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1192/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1444/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1515/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/611/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/740/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/992/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1168/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/427/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/608/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1092/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1167/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/1269/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/693/cmdline | /tmp/boatnet.x86.elf | N/A
File opened for reading | /proc/870/cmdline | /tmp/boatnet.x86.elf | N/A

Processes

/tmp/boatnet.x86.elf

[/tmp/boatnet.x86.elf]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 77.221.151.63:3778 | | tcp

Files

memory/1574-1-0x0000000008048000-0x00000000080547a0-memory.dmp