Malware Analysis Report

2024-11-13 18:02

Sample ID 241109-erecsaxdmd
Target boatnet.arm7.elf
SHA256 aa1d49b1efb5790631b22235aab16ba9faaadbd5d4dddacf3fa9a647d153bc9a
Tags mirai lzrd botnet defense_evasion discovery upx
Score 10/10

Analysis Overview

Score 10/10

SHA256

aa1d49b1efb5790631b22235aab16ba9faaadbd5d4dddacf3fa9a647d153bc9a

Threat Level: Known bad

The file boatnet.arm7.elf was found to be: Known bad.

Malicious Activity Summary

mirai lzrd botnet defense_evasion discovery upx

Mirai

Mirai family

Modifies Watchdog functionality

Enumerates running processes

Writes file to system bin folder

UPX packed file

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 04:10

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 04:10

Reported

2024-11-09 04:12

Platform

debian9-armhf-20240611-en

Max time kernel

149s

Max time network

7s

Command Line

[/tmp/boatnet.arm7.elf]

Signatures

Mirai

botnet mirai

Mirai family

mirai

Modifies Watchdog functionality

defense_evasion
Description | Indicator | Process | Target
File opened for modification | /dev/watchdog | /tmp/boatnet.arm7.elf | N/A
File opened for modification | /dev/misc/watchdog | /tmp/boatnet.arm7.elf | N/A

Enumerates running processes

Writes file to system bin folder

Description | Indicator | Process | Target
File opened for modification | /sbin/watchdog | /tmp/boatnet.arm7.elf | N/A
File opened for modification | /bin/watchdog | /tmp/boatnet.arm7.elf | N/A

Reads runtime system information

discovery
Description | Indicator | Process | Target
File opened for reading | /proc/641/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/712/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/747/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/772/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/780/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/786/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/730/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/746/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/758/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/652/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/760/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/774/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/785/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/784/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/598/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/603/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/604/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/655/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/724/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/766/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/self/exe | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/595/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/716/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/765/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/778/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/588/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/647/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/648/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/776/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/646/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/656/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/768/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/770/cmdline | /tmp/boatnet.arm7.elf | N/A
File opened for reading | /proc/782/cmdline | /tmp/boatnet.arm7.elf | N/A

Processes

/tmp/boatnet.arm7.elf

[/tmp/boatnet.arm7.elf]

Network

Country | Destination | Domain | Proto
GB | 77.221.151.63:3778 | N/A | tcp

Files

memory/649-1-0x00008000-0x00026464-memory.dmp