Malware Analysis Report

2024-12-07 16:36

Sample ID 241114-cv736asmgw
Target 501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf
SHA256 501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef
Tags
defense_evasion discovery lzrd mirai
score
10/10

Analysis Overview

score
10/10

SHA256

501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef

Threat Level: Known bad

The file 501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery lzrd mirai

Mirai family

Modifies Watchdog functionality

Enumerates running processes

Writes file to system bin folder

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 02:24

Signatures

Mirai family

mirai

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 02:24

Reported

2024-11-14 02:27

Platform

debian9-armhf-20240611-en

Max time kernel

148s

Max time network

150s

Command Line

[/tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf]

Signatures

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for modification /dev/misc/watchdog /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A

Enumerates running processes

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /sbin/watchdog /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for modification /bin/watchdog /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/286/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/599/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/16/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/29/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/108/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/98/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/27/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/145/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/267/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/636/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/1/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/5/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/20/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/138/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/149/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/642/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/647/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/13/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/76/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/137/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/266/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/18/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/105/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/212/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/637/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/644/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/4/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/41/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/147/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/107/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/271/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/312/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/596/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/643/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/24/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/26/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/43/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/166/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/2/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/22/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/25/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/21/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/300/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/19/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/630/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/9/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/10/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/15/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/3/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/287/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/303/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/28/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/42/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/639/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/6/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/11/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/17/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/578/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/593/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/598/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/641/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/7/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/8/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A
File opened for reading /proc/14/status /tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf N/A

Processes

/tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf

[/tmp/501f1c58d1f02c1509ce69b664eee87f9a810ea9da36dd2dae8dfde57b2830ef.elf]

Network

Country Destination Domain Proto
DE 45.137.70.156:3778 tcp
(this identical record, destination 45.137.70.156:3778 over tcp with no domain, appears 28 times in the capture)

Files

N/A