Analysis Overview
SHA256
c3ae1058890bf151d5d464a608b68e2c377d4d31043e3883efb0d8a20685ab15
Threat Level: Known bad
The file 62e0ec59f989335be5fbf630a49da4ea.elf was found to be: Known bad.
Malicious Activity Summary
Mirai
Mirai family
Modifies Watchdog functionality
Enumerates running processes
Writes file to system bin folder
UPX packed file
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 09:13
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 09:13
Reported
2024-11-09 09:15
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
137s
Max time network
138s
Command Line
Signatures
Mirai
Mirai family
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /dev/watchdog | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
Enumerates running processes
Writes file to system bin folder
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /sbin/watchdog | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for modification | /bin/watchdog | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/636/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1162/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1166/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/414/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/613/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/4/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/20/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/23/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/76/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/203/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/837/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1075/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1155/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1221/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1183/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1373/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/3/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/110/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/586/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/590/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1084/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1563/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/197/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1482/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/228/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/676/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/991/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1053/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1176/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/17/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/776/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/782/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1062/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1224/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1245/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/16/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/213/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/217/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/714/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/747/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1082/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1251/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1533/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/93/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/98/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/415/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/635/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1140/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1359/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/7/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/19/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/209/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/315/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/763/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/972/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/79/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/771/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/992/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1157/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/1303/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/80/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/86/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
| File opened for reading | /proc/207/status | /tmp/62e0ec59f989335be5fbf630a49da4ea.elf | N/A |
Processes
/tmp/62e0ec59f989335be5fbf630a49da4ea.elf
[/tmp/62e0ec59f989335be5fbf630a49da4ea.elf]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 198.12.107.126:3778 | N/A | tcp |
| US | 198.12.107.126:3778 | N/A | tcp |
Files
memory/1560-1-0x0000000000400000-0x00000000005156e8-memory.dmp