Malware Analysis Report

2024-11-13 18:02

Sample ID  241109-j1kclstmfm
Target     boatnet.mips.elf
SHA256     e1766773026ed9e92778b034e9428c1861d01021f40a351ac5a44aff59c930ce
Tags       upx mirai lzrd botnet defense_evasion discovery
Score      10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Threat Level: Known bad. The file boatnet.mips.elf was classified as known bad with a score of 10/10.

Malicious Activity Summary

Mirai

Mirai family

Modifies Watchdog functionality

Enumerates running processes

Writes file to system bin folder

UPX packed file

Reads runtime system information

System Network Configuration Discovery

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported  2024-11-09 08:08

Signatures

UPX packed file

upx

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A
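The static signature says only that the file is UPX packed. Before trusting `upx -d` on a Mirai-family sample, the check worth running is whether the UPX markers are intact, because these builders routinely overwrite the `UPX!` magic so that stock UPX refuses the file while the decompression stub still works. The following is an added example (my code, not the sandbox's or the report's): it decodes the ELF header to confirm class, endianness and machine, then scans for the `UPX!` magic and the stub's `$Info:` string and reports a verdict. The bytes in `build_sample` are a constructed stand-in for a packed big-endian MIPS ELF, not the page's file; the `EM_NAMES` table and the `upx-tampered` verdict rule are my own assumptions.

```python
import struct

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"
# Leading part of the info string the stock UPX stub embeds in packed files.
UPX_STUB_STRING = b"$Info: This file is packed with the UPX executable packer"
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}  # subset, assumed


def parse_elf_header(data: bytes) -> dict:
    """Decode the ELF32/ELF64 header fields that matter for triage."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    end = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(end + "HH", data[16:20])
    if ei_class == 1:
        fields = struct.unpack(end + "IIIIIHHHHHH", data[20:52])
    else:
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        fields = struct.unpack(end + "IQQQIHHHHHH", data[20:64])
    # fields: e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize,
    #         e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return {
        "class": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": e_type,
        "machine": EM_NAMES.get(e_machine, hex(e_machine)),
        "entry": fields[1],
        "phnum": fields[7],
        "shnum": fields[9],
    }


def find_upx_magic(data: bytes) -> list:
    """Offsets of every 'UPX!' marker (stock files carry one in l_info and one in the trailer)."""
    offsets, pos = [], data.find(UPX_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(UPX_MAGIC, pos + 1)
    return offsets


def upx_verdict(data: bytes) -> str:
    """'upx' = magic intact; 'upx-tampered' = stub string present but magic gone; else 'none'."""
    if find_upx_magic(data):
        return "upx"
    if UPX_STUB_STRING in data:
        return "upx-tampered"  # upx -d will refuse; restore the magic or dump from memory
    return "none"


def triage(data: bytes) -> dict:
    """Combined report for one file image."""
    try:
        elf = parse_elf_header(data)
    except ValueError:
        elf = None
    return {
        "elf": elf,
        "upx_magic_offsets": find_upx_magic(data),
        "upx_stub_string": UPX_STUB_STRING in data,
        "verdict": upx_verdict(data),
        # A stripped section table is typical of, but not proof of, a packed binary.
        "no_section_headers": bool(elf) and elf["shnum"] == 0,
    }


def build_sample(magic: bytes = UPX_MAGIC) -> bytes:
    """Constructed stand-in for a UPX-packed MIPS big-endian ELF; not bytes from the real sample."""
    hdr = bytearray(52)
    hdr[0:4] = ELF_MAGIC
    hdr[4], hdr[5], hdr[6] = 1, 2, 1                 # ELF32, big-endian, EV_CURRENT
    struct.pack_into(">HH", hdr, 16, 2, 8)            # ET_EXEC, EM_MIPS
    struct.pack_into(">IIIIIHHHHHH", hdr, 20,
                     1, 0x00400000, 52, 0, 0, 52, 32, 2, 0, 0, 0)  # phnum=2, shnum=0
    phdrs = bytes(2 * 32)                             # two zeroed program headers
    l_info = bytes(4) + magic + bytes(4)              # l_checksum, l_magic, l_lsize/l_version/l_format
    body = bytes(64) + UPX_STUB_STRING + b" http://upx.sf.net $" + bytes(64)
    pack_header = magic + bytes(28)                   # 32-byte PackHeader trailer
    return bytes(hdr) + phdrs + l_info + body + pack_header


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(triage(data))
```

Run it with a file path to triage a real sample, or with no arguments to see it on the constructed image. A verdict of `upx` means `upx -d -o unpacked.elf <file>` should succeed; `upx-tampered` means the stub is present but the magic has been overwritten, in which case either restore the four magic bytes at the reported offsets or work from the sandbox's memory dump of the running process.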

Analysis: behavioral1

Detonation Overview

Submitted         2024-11-09 08:08
Reported          2024-11-09 08:10
Platform          debian9-mipsbe-20240611-en
Max time kernel   150s
Max time network  12s

Command Line

[/tmp/boatnet.mips.elf]

Signatures

Mirai

botnet mirai

Mirai family

mirai

Modifies Watchdog functionality

defense_evasion

Description                   Indicator            Process                 Target
File opened for modification  /dev/watchdog        /tmp/boatnet.mips.elf   N/A
File opened for modification  /dev/misc/watchdog   /tmp/boatnet.mips.elf   N/A

Opening the kernel watchdog device for writing is how Mirai-family bots disarm the hardware watchdog (an ioctl WDIOC_SETOPTIONS with WDIOS_DISABLECARD on that descriptor), so that a watchdog timeout cannot reboot the device and clear the infection from memory. The report records only the opens, not the ioctl; the disable itself is inferred from the family, not shown here.

Enumerates running processes

The evidence for this signature is the series of /proc/<pid>/cmdline reads listed under "Reads runtime system information" below.

Writes file to system bin folder

Description                   Indicator        Process                 Target
File opened for modification  /sbin/watchdog   /tmp/boatnet.mips.elf   N/A
File opened for modification  /bin/watchdog    /tmp/boatnet.mips.elf   N/A

Both indicators are open-for-write attempts on watchdog paths, the same pattern as the /dev/watchdog opens above. The report lists no data written to either file, so treat this as part of the watchdog tampering rather than as a dropped binary unless a full trace shows an actual write.

Reads runtime system information

discovery

Description              Indicator           Process                 Target
File opened for reading  /proc/698/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/709/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/731/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/753/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/767/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/478/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/702/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/764/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/805/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/691/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/754/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/759/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/760/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/794/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/450/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/455/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/696/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/772/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/793/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/479/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/690/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/748/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/727/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/735/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/736/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/781/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/787/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/697/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/747/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/676/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/705/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/768/cmdline   /tmp/boatnet.mips.elf   N/A
File opened for reading  /proc/806/cmdline   /tmp/boatnet.mips.elf   N/A

Walking /proc/<pid>/cmdline for every live PID is the process enumeration Mirai's killer routine performs to find, and then terminate, competing bots and services on the device.

System Network Configuration Discovery

discovery

Description   Indicator   Process                 Target
N/A           N/A         /tmp/boatnet.mips.elf   N/A

The signature fired without a recorded indicator; the report gives no file or socket evidence for it.
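To reproduce the behavioral findings above outside the sandbox, the following added example (my code, not the sandbox's rules or the report's) applies the same three checks to `strace -f` style output: a watchdog device opened for writing, plus the WDIOC_SETOPTIONS ioctl on that descriptor; a path under a system bin directory opened for writing, tracked separately from an actual write() on it; and /proc/<pid>/cmdline read for at least ten distinct PIDs. The trace in `SAMPLE_TRACE` is constructed (PIDs, descriptors and order are made up), the ten-PID threshold and the directory list are assumptions, and the tag names are the two the report itself uses.

```python
import re
from collections import defaultdict

# Linux watchdog ioctl Mirai-family bots use to disarm the hardware watchdog:
# WDIOC_SETOPTIONS (0x80045704) with *arg == WDIOS_DISABLECARD (1).
WDIOC_SETOPTIONS = 0x80045704
WATCHDOG_DEVICES = ("/dev/watchdog", "/dev/misc/watchdog")
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")   # assumed list
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}
PROC_ENUM_THRESHOLD = 10  # assumed: distinct PIDs whose /proc/<pid>/cmdline is read

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)")
OPEN_RE = re.compile(r'^(?:AT_FDCWD,\s*)?"(?P<path>[^"]+)",\s*(?P<flags>[A-Z_|]+)')
PROC_CMDLINE_RE = re.compile(r"^/proc/(\d+)/cmdline$")

# Constructed `strace -f` style lines; not output from the page's sandbox run.
SAMPLE_TRACE = """\
699 open("/dev/watchdog", O_RDWR) = 3
699 ioctl(3, WDIOC_SETOPTIONS, 0x7fff6a2c) = 0
699 close(3) = 0
699 open("/dev/misc/watchdog", O_RDWR) = -1 ENOENT (No such file or directory)
699 open("/sbin/watchdog", O_RDWR) = -1 ENOENT (No such file or directory)
699 open("/bin/watchdog", O_RDWR) = -1 ENOENT (No such file or directory)
699 open("/proc/450/cmdline", O_RDONLY) = 3
699 open("/proc/455/cmdline", O_RDONLY) = 3
699 open("/proc/478/cmdline", O_RDONLY) = 3
699 open("/proc/479/cmdline", O_RDONLY) = 3
699 open("/proc/676/cmdline", O_RDONLY) = 3
699 open("/proc/690/cmdline", O_RDONLY) = 3
699 open("/proc/691/cmdline", O_RDONLY) = 3
699 open("/proc/696/cmdline", O_RDONLY) = 3
699 open("/proc/697/cmdline", O_RDONLY) = 3
699 open("/proc/698/cmdline", O_RDONLY) = 3
699 open("/proc/702/cmdline", O_RDONLY) = 3
699 open("/proc/705/cmdline", O_RDONLY) = 3
699 open("/etc/resolv.conf", O_RDONLY) = 4
"""


def classify(trace: str) -> dict:
    """Apply the three behavioral rules to strace-style lines; return findings and tags."""
    fds = {}                        # (pid, fd) -> path, for successful opens only
    findings = defaultdict(list)
    proc_pids = set()
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, call, args, ret = m["pid"], m["call"], m["args"], int(m["ret"])
        if call in ("open", "openat"):
            om = OPEN_RE.match(args)
            if not om:
                continue
            path, flags = om["path"], set(om["flags"].split("|"))
            writing = bool(flags & WRITE_FLAGS)
            # Failed opens still count: the attempt is the signal the sandbox reports.
            if path in WATCHDOG_DEVICES and writing:
                findings["watchdog_open_for_write"].append(path)
            if path.startswith(SYSTEM_BIN_DIRS) and writing:
                findings["system_bin_open_for_write"].append(path)
            pm = PROC_CMDLINE_RE.match(path)
            if pm:
                proc_pids.add(int(pm[1]))
            if ret >= 0:
                fds[(pid, ret)] = path
        elif call == "close":
            fds.pop((pid, int(args.strip())), None)
        elif call == "ioctl":
            fd, request = [p.strip() for p in args.split(",")][:2]
            target = fds.get((pid, int(fd)))
            if target in WATCHDOG_DEVICES and request in ("WDIOC_SETOPTIONS", hex(WDIOC_SETOPTIONS)):
                findings["watchdog_setoptions_ioctl"].append(target)
        elif call == "write":
            # Only a write() on a descriptor under a bin directory is a real file drop.
            target = fds.get((pid, int(args.split(",")[0])))
            if target and target.startswith(SYSTEM_BIN_DIRS):
                findings["system_bin_written"].append(target)
    if len(proc_pids) >= PROC_ENUM_THRESHOLD:
        findings["process_enumeration"] = sorted(proc_pids)
    tags = set()
    if "watchdog_open_for_write" in findings or "watchdog_setoptions_ioctl" in findings:
        tags.add("defense_evasion")
    if "process_enumeration" in findings:
        tags.add("discovery")
    return {"findings": dict(findings), "tags": sorted(tags)}


if __name__ == "__main__":
    import json
    print(json.dumps(classify(SAMPLE_TRACE), indent=2))
```

Feed it a trace captured with `strace -f -o trace.txt ./sample` inside an isolated emulated MIPS environment. Note what strace can and cannot show: the ioctl request name is visible, but the pointed-to WDIOS_DISABLECARD value is not, so the rule reports the ioctl rather than claiming the watchdog was disabled; and `system_bin_open_for_write` fires on the O_RDWR opens of /sbin/watchdog and /bin/watchdog while `system_bin_written` stays empty, which is exactly the distinction the report's "Writes file to system bin folder" signature blurs.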

Processes

/tmp/boatnet.mips.elf

[/tmp/boatnet.mips.elf]

Network

Country  Destination         Domain  Proto
GB       37.230.62.25:3778   -       tcp

Files

memory/699-1-0x00400000-0x00451a58-memory.dmp

A dump of PID 699's mapping at 0x00400000-0x00451a58, the default load address of a MIPS executable. For a UPX-packed sample this in-memory image is the place to start when upx -d refuses the file on disk.