Malware Analysis Report

Report date: 2024-11-13 18:02

Sample ID: 241109-et1nsswqgt
Target: boatnet.x86.elf
SHA256: e2a04bd1fb1e7ed211e3ee19b08337b6361d695278417d5a21ba602ca7eb99b4
Tags: upx mirai lzrd botnet defense_evasion discovery
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: e2a04bd1fb1e7ed211e3ee19b08337b6361d695278417d5a21ba602ca7eb99b4

Threat Level: Known bad (the file boatnet.x86.elf was classified as Known bad).

Malicious Activity Summary

Tags: upx mirai lzrd botnet defense_evasion discovery

Signatures triggered across the static and behavioral analyses (details under each analysis below):

    Mirai family
    Mirai
    Modifies Watchdog functionality
    Enumerates running processes
    Writes file to system bin folder
    UPX packed file
    Reads runtime system information

MITRE ATT&CK (Enterprise Matrix V15)

Tactics, taken from the signature tags: Defense Evasion (Modifies Watchdog functionality) and Discovery (Enumerates running processes, Reads runtime system information). The /proc/<pid>/cmdline sweep under Discovery corresponds to the Enterprise technique T1057, Process Discovery.

Analysis: static1

Detonation Overview

Reported: 2024-11-09 04:14

Signatures

UPX packed file (tag: upx)

No per-indicator rows: the detection is on the file itself. Packing alone is not a verdict, since UPX is also used by legitimate software, but it does mean the on-disk strings and code are not the ones the sample runs. Mirai builds commonly patch the "UPX!" markers so that `upx -d` reports the file as not packed; if unpacking fails, check for the stripped markers and restore them before retrying, or take the code from the process memory dump listed under Files.
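The following script is an added example for this report, not sandbox, UPX or Mirai code. It shows how the "UPX packed file" verdict can be reproduced from the bytes of an ELF: it looks for the literal "UPX!" magic that UPX writes into its l_info header and trailing PackHeader, for the "$Info: ... UPX executable packer" banner, and for the stripped section header table that UPX's Linux stubs carry. The test images are constructed in `build_sample` and stand in for the real sample; the 'patched' variant imitates a build whose magic bytes have been overwritten.

```python
"""Heuristic UPX-packing check for an ELF file.

Added example for this report; not sandbox, UPX or Mirai project code.
Two independent indicators are reported:
  1. the literal "UPX!" magic, which UPX writes into its l_info header
     (just after the program headers) and into the trailing PackHeader;
  2. a stripped section header table (e_shoff == 0 and e_shnum == 0),
     which the UPX Linux stubs always have.
Indicator 2 also matches binaries stripped by other tools, so on its own
it is only a hint. Mirai builds frequently patch "UPX!" out to make
`upx -d` refuse the file; restoring those bytes usually lets it unpack.
"""
import struct
import sys

UPX_MAGIC = b"UPX!"
UPX_INFO = b"$Info: This file is packed with the UPX executable packer"

ELF_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
              "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
              "e_shnum", "e_shstrndx")


def elf_header(data: bytes) -> dict:
    """Parse the ELF32/ELF64 header fields needed here, honouring endianness."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big
    fmt = endian + ("HHIIIIIHHHHHH" if data[4] == 1 else "HHIQQQIHHHHHH")  # EI_CLASS
    return dict(zip(ELF_FIELDS, struct.unpack_from(fmt, data, 16)))


def upx_indicators(data: bytes) -> dict:
    hdr = elf_header(data)
    offsets, pos = [], data.find(UPX_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(UPX_MAGIC, pos + 1)
    return {
        "upx_magic_offsets": offsets,
        "upx_info_string": UPX_INFO in data,
        "section_headers_stripped": hdr["e_shoff"] == 0 and hdr["e_shnum"] == 0,
        "phnum": hdr["e_phnum"],
    }


def classify(data: bytes) -> str:
    """'upx' on hard evidence, 'probably-upx' on weak hints, else 'not-upx'."""
    ind = upx_indicators(data)
    if ind["upx_magic_offsets"]:
        return "upx"
    # UPX stubs carry only a couple of PT_LOAD entries; a stripped header
    # plus a tiny program-header table is the usual shape of a magic-patched build.
    if ind["upx_info_string"] or (ind["section_headers_stripped"] and ind["phnum"] <= 3):
        return "probably-upx"
    return "not-upx"


def build_sample(kind: str) -> bytes:
    """Constructed minimal ELF32 images for testing; not the real sample."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8    # ELFCLASS32, LSB
    if kind == "plain":
        shoff, shnum = 0x400, 5           # section headers present
    else:
        shoff, shnum = 0, 0               # stripped, as UPX leaves them
    hdr = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048000, 52, shoff, 0,
                      52, 32, 2, 40, shnum, 0)
    img = bytearray(e_ident + hdr + b"\x00" * 64)  # two placeholder program headers
    if kind in ("upx", "patched"):
        # l_info: l_checksum(4) l_magic(4) l_lsize(2) l_version(1) l_format(1)
        magic = UPX_MAGIC if kind == "upx" else b"\x00\x00\x00\x00"   # patched build
        img += b"\x00" * 4 + magic + b"\x00" * 4
        img += UPX_INFO + b" http://upx.sf.net $"
    return bytes(img)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    print(classify(blob), upx_indicators(blob))
```

Run it as `python3 upxcheck.py boatnet.x86.elf`. A result of 'probably-upx' with an empty magic list is the case where `upx -d` will refuse the file; the reported offsets of any surviving "UPX!" markers tell you where the header and trailer live if you need to repair them.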

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 04:14
Reported: 2024-11-09 04:17
Platform: ubuntu2204-amd64-20240522.1-en
Max time kernel: 149s
Max time network: 129s

Command Line

[/tmp/boatnet.x86.elf]

The sample was executed from /tmp with no arguments, so its configuration, including any C2 endpoint, comes from the binary itself rather than the command line.

Signatures

Mirai (tags: botnet mirai)

Mirai family (tag: mirai)

Modifies Watchdog functionality (tag: defense_evasion)

Description Indicator Process Target
File opened for modification /dev/misc/watchdog /tmp/boatnet.x86.elf N/A
File opened for modification /dev/watchdog /tmp/boatnet.x86.elf N/A

"Opened for modification" records a writable open (O_RDWR or O_WRONLY), not a confirmed write. Mirai's bot opens the watchdog device exactly this way and then issues the WDIOC_SETOPTIONS ioctl with WDIOS_DISABLECARD so that the hardware watchdog does not reboot an infected device when the bot hangs or crashes; the ioctl itself is not shown in this table.

Enumerates running processes

No indicator rows here; the evidence is the sweep of /proc/<pid>/cmdline reads listed under Reads runtime system information below.

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /sbin/watchdog /tmp/boatnet.x86.elf N/A
File opened for modification /bin/watchdog /tmp/boatnet.x86.elf N/A

The Files section lists no dropped or modified file, so this signature reflects writable opens of the two watchdog binaries rather than an observed write. Several Mirai variants add /sbin/watchdog and /bin/watchdog to the same list of watchdog paths that the bot opens and sends the disable ioctl to, which would explain a writable open with nothing written.

Reads runtime system information (tag: discovery)

The sample reads /proc/<pid>/cmdline for 64 distinct PIDs; its own PID (1552, from the memory dump name in the Files section) is not among them. Walking /proc and reading each process's command line is how Mirai's killer module finds competing bots and other processes to terminate.

Description Indicator Process Target
File opened for reading /proc/589/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1068/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1190/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/771/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1034/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/739/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/748/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/796/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1279/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1426/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/427/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/740/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1275/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1394/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/992/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1057/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/415/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/634/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/789/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1123/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1184/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/416/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1232/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1241/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1318/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1556/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/794/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/638/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/664/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/772/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1175/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/518/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/613/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/452/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1096/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/633/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/984/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1117/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1147/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1555/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/731/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1135/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1363/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1493/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/735/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/761/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1166/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1183/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1389/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1085/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1159/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/593/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/609/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/612/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1106/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/587/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/689/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1054/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1160/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1205/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/413/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/845/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/588/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1045/cmdline /tmp/boatnet.x86.elf N/A
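The script below is an added example, not the sandbox's own signature engine. It re-derives the three behavioral signatures above (Modifies Watchdog functionality, Writes file to system bin folder, and the /proc/<pid>/cmdline sweep behind Enumerates running processes) from event rows in the exact "File opened for ... <path> <process> <target>" form printed in this report, and adds the one check a triage analyst usually wants: whether the sweep skips the sample's own PID, which is how Mirai's killer avoids terminating itself. The sample rows are a subset copied from the tables above; the own-PID value 1552 is taken from the memory dump name in the Files section.

```python
"""Map sandbox file-open events to the signatures used in this report.

Added example; it is not the sandbox's own signature engine. It parses
rows of the form "File opened for <reading|modification> <path> <process>
<target>" exactly as they are printed in the report, and re-derives the
signatures Modifies Watchdog functionality, Writes file to system bin
folder, and the /proc/<pid>/cmdline sweep behind Enumerates running
processes. SAMPLE_EVENTS is a subset copied from the report; PID 1552
comes from the memory dump name in the Files section.
"""
import re

EVENT_RE = re.compile(r"^File opened for (reading|modification) (\S+) (\S+) (\S+)$")
PROC_CMDLINE_RE = re.compile(r"^/proc/(\d+)/cmdline$")

WATCHDOG_DEVICES = {"/dev/watchdog", "/dev/misc/watchdog"}
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

SAMPLE_EVENTS = """
File opened for modification /dev/misc/watchdog /tmp/boatnet.x86.elf N/A
File opened for modification /dev/watchdog /tmp/boatnet.x86.elf N/A
File opened for modification /sbin/watchdog /tmp/boatnet.x86.elf N/A
File opened for modification /bin/watchdog /tmp/boatnet.x86.elf N/A
File opened for reading /proc/589/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1068/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1190/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/771/cmdline /tmp/boatnet.x86.elf N/A
File opened for reading /proc/1556/cmdline /tmp/boatnet.x86.elf N/A
"""


def parse_events(text: str) -> list:
    """Return one dict per well-formed event row; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            mode, path, proc, target = m.groups()
            events.append({"mode": mode, "path": path, "process": proc, "target": target})
    return events


def match_signatures(events: list) -> dict:
    """Bucket events by signature. 'modification' only means the file was
    opened writable; the sandbox did not record an actual write."""
    hits = {"modifies_watchdog": [], "system_bin_opened_writable": [],
            "proc_cmdline_pids": set()}
    for ev in events:
        path = ev["path"]
        if ev["mode"] == "modification":
            if path in WATCHDOG_DEVICES:
                hits["modifies_watchdog"].append(path)
            elif path.startswith(SYSTEM_BIN_DIRS):
                hits["system_bin_opened_writable"].append(path)
        else:
            m = PROC_CMDLINE_RE.match(path)
            if m:
                hits["proc_cmdline_pids"].add(int(m.group(1)))
    return hits


def tags(hits: dict, own_pid: int = None, min_scan: int = 5) -> list:
    """Tactic tags in the report's vocabulary, plus a killer-style hint when
    the /proc sweep skips the sample's own PID (Mirai's killer does this)."""
    out = []
    if hits["modifies_watchdog"]:
        out.append("defense_evasion")
    if hits["system_bin_opened_writable"]:
        out.append("system_bin_write_attempt")
    pids = hits["proc_cmdline_pids"]
    if len(pids) >= min_scan:
        out.append("discovery")
        if own_pid is not None and own_pid not in pids:
            out.append("skips_own_pid")
    return out


if __name__ == "__main__":
    h = match_signatures(parse_events(SAMPLE_EVENTS))
    print(sorted(h["modifies_watchdog"]), sorted(h["system_bin_opened_writable"]),
          len(h["proc_cmdline_pids"]), tags(h, own_pid=1552))
```

Feeding it the full 64-row table from this report instead of the subset gives the same tags; the `min_scan` threshold exists so that a program reading one or two /proc entries for legitimate reasons does not get the discovery tag.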

Processes

/tmp/boatnet.x86.elf (PID 1552, from the memory dump name under Files)
Command line: [/tmp/boatnet.x86.elf]

No child processes were recorded; every event above was performed by the single sample process.

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
GB 77.221.151.63:3778 - tcp
GB 77.221.151.63:3778 - tcp
GB 77.221.151.63:3778 - tcp
GB 77.221.151.63:3778 - tcp

224.0.0.251:5353 is the mDNS multicast group and is almost certainly background traffic from the Ubuntu guest rather than sample activity. The four TCP rows are repeated connection attempts to the same host and port within the 129 s network window, with no DNS resolution involved, which is the pattern of a hard-coded C2 endpoint; the report does not show whether any of the connections completed.
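As an added example (not part of the sandbox output), the script below performs the triage an analyst does on this table by hand: it separates guest background traffic (multicast, link-local and private destinations) from external endpoints, counts repeated attempts per endpoint, and emits a Suricata rule for each external one. The rows are copied from the table above; the rule's SID 1000001 is a placeholder in the local-rules range and the `msg` text is the author's choice.

```python
"""Triage the Network table of this report and emit a Suricata rule.

Added example; not the sandbox's own logic. It separates sandbox
background traffic (multicast such as mDNS, link-local, private ranges)
from external destinations, counts repeated connection attempts per
endpoint, and builds a Suricata rule for each external endpoint. The
rows in SAMPLE_ROWS are copied from the report; the Domain column is
empty for all of them. SID 1000001 is a placeholder in the local range.
"""
import ipaddress
import re
from collections import Counter

ROW_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")

SAMPLE_ROWS = """
N/A 224.0.0.251:5353 udp
GB 77.221.151.63:3778 tcp
GB 77.221.151.63:3778 tcp
GB 77.221.151.63:3778 tcp
GB 77.221.151.63:3778 tcp
"""


def parse_rows(text: str) -> list:
    """Parse 'Country Destination [Domain] Proto' rows; domain may be absent."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain, "proto": proto})
    return rows


def classify_ip(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast:
        return "multicast"      # 224.0.0.251:5353 is mDNS from the guest OS
    if addr.is_loopback or addr.is_link_local or addr.is_private:
        return "local"
    return "external"


def triage(rows: list) -> dict:
    """Count attempts per (ip, port, proto) and split noise from candidates."""
    external, noise = Counter(), Counter()
    for r in rows:
        key = (r["ip"], r["port"], r["proto"])
        (external if classify_ip(r["ip"]) == "external" else noise)[key] += 1
    return {"external": dict(external), "noise": dict(noise)}


def suricata_rule(ip: str, port: int, proto: str, sha256: str, sid: int = 1000001) -> str:
    """Plain destination-based rule; tighten with content matches once the
    C2 protocol has been captured."""
    return (f'alert {proto} $HOME_NET any -> {ip} {port} '
            f'(msg:"Mirai sample {sha256[:12]} outbound connection"; '
            f'flow:to_server; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE_ROWS))
    sha = "e2a04bd1fb1e7ed211e3ee19b08337b6361d695278417d5a21ba602ca7eb99b4"
    for n, ((ip, port, proto), count) in enumerate(result["external"].items()):
        print(f"# {count} attempts")
        print(suricata_rule(ip, port, proto, sha, sid=1000001 + n))
```

The IP-only rule is a stopgap: botnet operators move C2 hosts often, so a rule keyed on the destination address should be retired once the host goes dark and replaced by one that matches the C2 protocol itself.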

Files

memory/1552-1-0x0000000008048000-0x00000000080547a0-memory.dmp

This is a dump of the sample process (PID 1552) image starting at 0x08048000, the standard load base for 32-bit x86 ELF executables, spanning 0xc7a0 (51104) bytes. Because the on-disk file is UPX packed, this in-memory image is where the unpacked code and strings, including any C2 configuration, should be recovered from.