Malware Analysis Report

2024-12-07 17:31

Sample ID 241112-mrebsa1bqn
Target 66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf
SHA256 66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68
Tags
mirai credential_access defense_evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68

Threat Level: Known bad

The file 66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf was found to be: Known bad.

Malicious Activity Summary

mirai credential_access defense_evasion

Mirai family

Modifies Watchdog functionality

Enumerates running processes

Reads process memory

Changes its process name

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 10:41

Signatures

Mirai family

mirai

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 10:41

Reported

2024-11-12 10:44

Platform

debian9-armhf-20240611-en

Max time kernel

149s

Max time network

183s

Command Line

[/tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf]

Signatures

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for modification /dev/misc/watchdog /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A

Enumerates running processes

Reads process memory

credential_access
Description Indicator Process Target
File opened for reading /proc/669/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/641/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/654/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/599/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/602/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/766/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/768/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/595/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/717/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/659/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/785/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/783/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/787/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/789/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/793/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/765/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/779/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/652/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/653/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/729/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/773/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/781/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/601/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/647/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/721/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/775/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/791/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/581/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/657/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A
File opened for reading /proc/777/maps /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself a /tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf N/A

Processes

/tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf

[/tmp/66c8a4f5d7545e468edfe848609a9a2fd8e7aeb7a85f3fdda70674034b13eb68.elf]

Network

Country  Destination          Domain         Proto
US       8.8.8.8:53           193.84.71.119  udp
US       8.8.8.8:53           193.84.71.119  udp
US       8.8.8.8:53           193.84.71.119  udp
US       8.8.8.8:53           193.84.71.119  udp
US       8.8.8.8:53           193.84.71.119  udp
US       193.84.71.119:38241                 tcp

Files

N/A