Malware Analysis Report

2024-12-07 17:31

Sample ID: 241112-dh81cstdjc
Target: d683ac0fa9513e0a7f14ef083e3c49a7816f1cfd5ad61919dc37f7e45d57c866.elf
SHA256: d683ac0fa9513e0a7f14ef083e3c49a7816f1cfd5ad61919dc37f7e45d57c866
Tags: mirai, credential_access, defense_evasion
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: d683ac0fa9513e0a7f14ef083e3c49a7816f1cfd5ad61919dc37f7e45d57c866

Threat Level: Known bad

The file d683ac0fa9513e0a7f14ef083e3c49a7816f1cfd5ad61919dc37f7e45d57c866.elf was found to be: Known bad.

Malicious Activity Summary

mirai credential_access defense_evasion

Mirai family

Modifies Watchdog functionality

Enumerates running processes

Reads process memory

Changes its process name

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-12 03:01

Signatures

Mirai family

mirai

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-12 03:01

Reported: 2024-11-12 03:04

Platform: debian9-armhf-20240729-en

Max time kernel: 149s

Max time network: 147s

Command Line

[/tmp/d683ac0fa9513e0a7f14ef083e3c49a7816f1cfd5ad61919dc37f7e45d57c866.elf]

Signatures

Modifies Watchdog functionality

defense_evasion
Process: /tmp/d683ac0fa9513e0a7f14ef083e3c49a7816f1cfd5ad61919dc37f7e45d57c866.elf (all rows); Target: N/A (all rows)
Description                     Indicator
File opened for modification    /dev/watchdog
File opened for modification    /dev/misc/watchdog

Opening the hardware watchdog device read-write, trying /dev/watchdog first and then /dev/misc/watchdog, is the sequence Mirai-family bots use to switch the kernel watchdog off so that it does not reboot the device while the bot runs; the bot lives only in memory, so a reboot would remove it.
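What that indicator corresponds to in code, as an added example that is not taken from the report or from the sample: the publicly leaked Mirai source follows the open() of /dev/watchdog or /dev/misc/watchdog with ioctl(fd, 0x80045704, &one), and 0x80045704 is _IOR('W', 4, int), that is WDIOC_SETOPTIONS, with the argument WDIOS_DISABLECARD. The Python below rebuilds that request number from the asm-generic ioctl encoding so an analyst can decode it when it appears in an strace line, and walks /proc to list which local processes currently hold a watchdog node open. The function names and the /proc walk are my own; the code never touches the watchdog itself and runs on any Linux host (it returns an empty result where /proc is absent).

```python
"""Decode the watchdog ioctl a Mirai-style bot issues and list watchdog holders."""
import os
import struct

# asm-generic ioctl number layout (used by arm and x86): dir:2 | size:14 | type:8 | nr:8
_IOC_NRBITS, _IOC_TYPEBITS, _IOC_SIZEBITS = 8, 8, 14
_IOC_TYPESHIFT = _IOC_NRBITS                      # 8
_IOC_SIZESHIFT = _IOC_TYPESHIFT + _IOC_TYPEBITS   # 16
_IOC_DIRSHIFT = _IOC_SIZESHIFT + _IOC_SIZEBITS    # 30
_IOC_WRITE, _IOC_READ = 1, 2
_DIR_NAMES = {0: "NONE", 1: "W", 2: "R", 3: "RW"}


def ioc(direction, type_char, nr, size):
    """Build an ioctl request number exactly as the kernel's _IOC() macro does."""
    return ((direction << _IOC_DIRSHIFT) | (size << _IOC_SIZESHIFT)
            | (ord(type_char) << _IOC_TYPESHIFT) | nr)


def decode_ioctl(request):
    """Split a request number (e.g. from strace) into (direction, type, nr, size)."""
    direction = (request >> _IOC_DIRSHIFT) & 0x3
    size = (request >> _IOC_SIZESHIFT) & ((1 << _IOC_SIZEBITS) - 1)
    type_char = chr((request >> _IOC_TYPESHIFT) & 0xFF)
    nr = request & 0xFF
    return _DIR_NAMES[direction], type_char, nr, size


# Constants from linux/watchdog.h
WATCHDOG_IOCTL_BASE = "W"
WDIOC_SETOPTIONS = ioc(_IOC_READ, WATCHDOG_IOCTL_BASE, 4, struct.calcsize("i"))  # _IOR('W', 4, int)
WDIOS_DISABLECARD = 0x0001
WDIOS_ENABLECARD = 0x0002

# The two nodes the sample opened, in the order the leaked source tries them
WATCHDOG_NODES = ("/dev/watchdog", "/dev/misc/watchdog")


def disable_request():
    """The (request number, argument buffer) pair the bot hands to ioctl() to turn the watchdog off."""
    return WDIOC_SETOPTIONS, struct.pack("i", WDIOS_DISABLECARD)


def watchdog_holders(proc="/proc", nodes=WATCHDOG_NODES):
    """Return {pid: comm} for every process with a watchdog node open.

    systemd or watchdogd holding it is expected; an unknown binary under /tmp is not.
    """
    holders = {}
    if not os.path.isdir(proc):          # not Linux, or /proc not mounted
        return holders
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                  # process exited, or no permission
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in nodes:
                try:
                    with open(os.path.join(proc, entry, "comm")) as f:
                        comm = f.read().strip()
                except OSError:
                    comm = "?"
                holders[int(entry)] = comm
                break
    return holders


if __name__ == "__main__":
    req, arg = disable_request()
    print(f"WDIOC_SETOPTIONS = {req:#x} -> {decode_ioctl(req)}, arg = {arg.hex()}")
    print("watchdog holders:", watchdog_holders())
```

Run it on a device that has just been cleaned and the holder list is the quickest way to confirm that nothing unexpected still has the watchdog open; on an infected device the bot closes the node right after the ioctl, so the decoded strace line, not the holder list, is what you will usually see.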

Enumerates running processes

Reads process memory

credential_access
Process: /tmp/d683ac0fa9513e0a7f14ef083e3c49a7816f1cfd5ad61919dc37f7e45d57c866.elf (all rows); Target: N/A (all rows)
Description                 Indicator
File opened for reading     /proc/644/maps
File opened for reading     /proc/648/maps
File opened for reading     /proc/598/maps
File opened for reading     /proc/601/maps
File opened for reading     /proc/765/maps
File opened for reading     /proc/773/maps
File opened for reading     /proc/580/maps
File opened for reading     /proc/600/maps
File opened for reading     /proc/657/maps
File opened for reading     /proc/767/maps
File opened for reading     /proc/595/maps
File opened for reading     /proc/755/maps
File opened for reading     /proc/763/maps
File opened for reading     /proc/645/maps
File opened for reading     /proc/779/maps
File opened for reading     /proc/709/maps
File opened for reading     /proc/749/maps
File opened for reading     /proc/762/maps
File opened for reading     /proc/764/maps
File opened for reading     /proc/769/maps
File opened for reading     /proc/771/maps
File opened for reading     /proc/783/maps
File opened for reading     /proc/643/maps
File opened for reading     /proc/650/maps
File opened for reading     /proc/678/maps
File opened for reading     /proc/757/maps
File opened for reading     /proc/775/maps
File opened for reading     /proc/777/maps
File opened for reading     /proc/781/maps
File opened for reading     /proc/638/maps
File opened for reading     /proc/713/maps

The sample read the memory map of 31 distinct processes during the 149 s run. In Mirai-family bots a sweep over other processes' /proc/<pid> entries is characteristic of the "killer" routine that looks for competing bots and services and terminates them. The credential_access tag is the sandbox's generic classification for reading another process's memory map; nothing else in this run shows credentials being harvested.

Changes its process name

Process: /tmp/d683ac0fa9513e0a7f14ef083e3c49a7816f1cfd5ad61919dc37f7e45d57c866.elf; Target: N/A
Description                                                          Indicator
Changes the process name, possibly in an attempt to hide itself      a

The Indicator column carries the name the process took on, here a single character. Mirai-family bots typically overwrite argv[0] and call prctl(PR_SET_NAME) with a randomly chosen string so that the bot no longer appears under its original filename in ps output.
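To turn tables like the three above into a repeatable check, the following Python (an added example, not part of the report or of the sandbox's own tooling) parses rows in the report's Description / Indicator / Process layout and groups them per process into the behaviours the signatures name: watchdog nodes opened for modification, a sweep over many /proc/<pid>/maps files, and a process rename. The sample rows are constructed for the example (the PIDs are borrowed from the table above, the sample path is shortened, and one duplicate and one unrelated read are included to show they are handled); the SWEEP_THRESHOLD cut-off of five distinct PIDs is my assumption, not a value the sandbox uses.

```python
"""Group sandbox file-access indicators into the behaviours named in the report."""
import re
from collections import defaultdict

WATCHDOG_NODES = {"/dev/watchdog", "/dev/misc/watchdog"}
# /proc entries that expose another process's memory layout or image
PROC_MEM_RE = re.compile(r"^/proc/(\d+)/(maps|mem|exe|status|cmdline)$")
SWEEP_THRESHOLD = 5  # assumed cut-off: reading this many distinct PIDs counts as a sweep

# Constructed sample rows in the report's "Description<TAB>Indicator<TAB>Process" layout.
SAMPLE = """\
File opened for modification\t/dev/watchdog\t/tmp/sample.elf
File opened for modification\t/dev/misc/watchdog\t/tmp/sample.elf
File opened for reading\t/proc/644/maps\t/tmp/sample.elf
File opened for reading\t/proc/648/maps\t/tmp/sample.elf
File opened for reading\t/proc/598/maps\t/tmp/sample.elf
File opened for reading\t/proc/601/maps\t/tmp/sample.elf
File opened for reading\t/proc/765/maps\t/tmp/sample.elf
File opened for reading\t/proc/773/maps\t/tmp/sample.elf
File opened for reading\t/proc/644/maps\t/tmp/sample.elf
File opened for reading\t/etc/resolv.conf\t/tmp/sample.elf
Changes the process name, possibly in an attempt to hide itself\ta\t/tmp/sample.elf
"""


def parse(text):
    """Return (description, indicator, process) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        desc, indicator, proc = line.split("\t")
        rows.append((desc, indicator, proc))
    return rows


def triage(rows, sweep_threshold=SWEEP_THRESHOLD):
    """Per process: watchdog nodes touched, distinct PIDs inspected via /proc,
    any new process name, and summary tags derived from those three."""
    state = defaultdict(lambda: {"watchdog": set(), "pids": set(), "renamed_to": None})
    for desc, ind, proc in rows:
        s = state[proc]
        if desc.startswith("File opened for modification") and ind in WATCHDOG_NODES:
            s["watchdog"].add(ind)
        elif desc.startswith("File opened for reading"):
            m = PROC_MEM_RE.match(ind)
            if m:
                s["pids"].add(int(m.group(1)))   # duplicates collapse in the set
        elif desc.startswith("Changes the process name"):
            s["renamed_to"] = ind
    report = {}
    for proc, s in state.items():
        tags = []
        if s["watchdog"]:
            tags.append("watchdog_disable")       # the sandbox files this under defense_evasion
        if len(s["pids"]) >= sweep_threshold:
            tags.append("process_sweep")          # the sandbox files this under credential_access
        if s["renamed_to"] is not None:
            tags.append("process_rename")
        report[proc] = {
            "watchdog": sorted(s["watchdog"]),
            "pids_swept": len(s["pids"]),
            "renamed_to": s["renamed_to"],
            "tags": tags,
        }
    return report


if __name__ == "__main__":
    for proc, result in triage(parse(SAMPLE)).items():
        print(proc, result)
```

Counting distinct PIDs rather than rows is what separates a killer-style sweep from a program that legitimately reads its own /proc/self/maps a few times; the threshold is the knob to tune against your own baseline.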

Processes

/tmp/d683ac0fa9513e0a7f14ef083e3c49a7816f1cfd5ad61919dc37f7e45d57c866.elf

[/tmp/d683ac0fa9513e0a7f14ef083e3c49a7816f1cfd5ad61919dc37f7e45d57c866.elf]

Network

Country   Destination            Domain           Proto
US        8.8.8.8:53             193.84.71.119    udp
US        8.8.8.8:53             193.84.71.119    udp
US        8.8.8.8:53             193.84.71.119    udp
US        8.8.8.8:53             193.84.71.119    udp
US        8.8.8.8:53             193.84.71.119    udp
US        193.84.71.119:38241    -                tcp

The five UDP rows are DNS queries to 8.8.8.8 in which the queried name is the dotted-quad string 193.84.71.119 rather than a hostname. They are followed by a single outbound TCP connection to 193.84.71.119 on port 38241, the only non-DNS traffic in the run and the address and port to pivot on for blocking and hunting.

Files

N/A