Malware Analysis Report

2024-12-07 19:17

Sample ID 241114-dbkdestdmb
Target 991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf
SHA256 991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc
Tags
mirai credential_access defense_evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc

Threat Level: Known bad

The file 991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf was found to be: Known bad.

Malicious Activity Summary

mirai credential_access defense_evasion

Mirai family

Modifies Watchdog functionality

Enumerates running processes

Reads process memory

Changes its process name

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 02:50

Signatures

Mirai family

mirai

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 02:50

Reported

2024-11-14 02:52

Platform

debian9-armhf-20240611-en

Max time kernel

149s

Max time network

147s

Command Line

[/tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf]

Signatures

Modifies Watchdog functionality

defense_evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /dev/watchdog | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |

Enumerates running processes

Reads process memory

credential_access
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/660/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/776/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/783/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/599/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/658/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/729/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/764/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/785/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/595/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/608/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/648/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/669/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/793/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/607/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/775/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/777/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/779/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/787/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/717/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/771/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/601/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/655/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/721/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/791/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/766/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/789/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/647/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/653/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/654/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/773/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |
| File opened for reading | /proc/781/maps | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |

Changes its process name

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Changes the process name, possibly in an attempt to hide itself | a | /tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf | N/A |

Processes

/tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf

[/tmp/991eb0bf723fb0bb950547e2ba9478b05b5542a161296e259caa0c9b76c43ebc.elf]

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 193.84.71.119 | udp |
| US | 8.8.8.8:53 | 193.84.71.119 | udp |
| US | 8.8.8.8:53 | 193.84.71.119 | udp |
| US | 8.8.8.8:53 | 193.84.71.119 | udp |
| US | 8.8.8.8:53 | 193.84.71.119 | udp |
| US | 193.84.71.119:38241 | | tcp |

Files

N/A