Analysis
- max time kernel: 42s
- max time network: 149s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20240611-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 27-12-2024 08:29
Behavioral task
- behavioral1
- Sample: db0fa4b8db0333367e9bda3ab68b8042.i686.elf
- Resource: ubuntu1804-amd64-20240611-en
General
- Target: db0fa4b8db0333367e9bda3ab68b8042.i686.elf
- Size: 35KB
- MD5: f90ab1fd5ab0f76081d0d6997a07a02a
- SHA1: c2b6f7d75db7ae6f86d139720b3ce161199ddcc4
- SHA256: 3eeef157ce71f7573fb593d73bcd340ef4b1c5b8ac24ed8655233cdd55016d11
- SHA512: 9536416cc4031197031b8ab461eddbd91e71182088ca8e5dcf56424ce5bf3458afc1c8c5cd02c7c52178c69408d339909571a1423628466ac160ee838536bfbc
- SSDEEP: 768:34/GG5zY0VG0zQbHkMwWYoLehOnpLbmonVp8WsoQxOuGnbcuyD7Ufyq7:I1zY0c0zujwWYl0RbmQL8WsfTGnouy8H
Malware Config
Extracted
mirai
UNSTABLE
Signatures
- Mirai family
- Contacts a large (200702) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Modifies Watchdog functionality (1 TTP, 2 IoCs)
  Malware like Mirai disables the hardware watchdog so that it cannot reboot an infected device; a reboot would clear the bot from memory.
  description | ioc | Process
  File opened for modification | /dev/watchdog | db0fa4b8db0333367e9bda3ab68b8042.i686.elf
  File opened for modification | /dev/misc/watchdog | db0fa4b8db0333367e9bda3ab68b8042.i686.elf
- Enumerates running processes
  Discovers information about currently running processes on the system by reading /proc/<pid>/cmdline (full IoC list below).
- Writes file to system bin folder (2 IoCs)
  description | ioc | Process
  File opened for modification | /bin/watchdog | db0fa4b8db0333367e9bda3ab68b8042.i686.elf
  File opened for modification | /sbin/watchdog | db0fa4b8db0333367e9bda3ab68b8042.i686.elf
- Changes its process name (1 IoC)
  description | ioc | pid | Process
  Changes the process name, possibly in an attempt to hide itself | a | 1502 | db0fa4b8db0333367e9bda3ab68b8042.i686.elf
Enumerates running processes - IoCs (every entry is "File opened for reading" by db0fa4b8db0333367e9bda3ab68b8042.i686.elf, in the order the sandbox recorded them)
- /proc/<pid>/cmdline for pids: 996, 1073, 1270, 1384, 1496, 1103, 1111, 491, 497, 769, 1004, 1053, 1080, 1154, 1175, 1176, 1194, 1066, 1115, 444, 468, 543, 566, 610, 960, 1193, 1508, 1198, 1303, 677, 688, 911, 1090, 1129, 1169, 1505, 1529, 1235, 1498, 1500, 1234, 463, 479, 579, 1037, 1143, 1158, 1361, 1481, 417, 699, 1148, 1172, 1190, 1300, 1497, 1260, 1310
- /proc/self/exe
- /proc/<pid>/cmdline for pids: 424, 494, 658, 1018, 1258
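The signatures above are the sandbox's verdicts; a practitioner usually wants the same logic as something that can be run over their own telemetry. The following is an added example, not the sandbox's signature code and not part of the original report: it re-implements each signature as a small check over file-access and network-flow events shaped like the IoCs listed here. The event classes, the thresholds (20 distinct /proc/<pid>/cmdline reads, 200 distinct remote hosts) and the sample data are assumptions made for the example; the pids in the sample data are taken from the report, the 250 destination hosts are constructed.

```python
# Added example: the report's sandbox signatures as standalone checks over
# constructed events. Not the sandbox's own code; thresholds are assumptions.
import os
import re
from dataclasses import dataclass

SAMPLE = "db0fa4b8db0333367e9bda3ab68b8042.i686.elf"   # process name from the report

WATCHDOG_DEVICES = {"/dev/watchdog", "/dev/misc/watchdog"}
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/")
PROC_SWEEP_THRESHOLD = 20    # assumption: distinct /proc/<pid>/cmdline reads by one process
HOST_SCAN_THRESHOLD = 200    # assumption: distinct remote hosts contacted by one process

_CMDLINE_RE = re.compile(r"^/proc/(\d+)/cmdline$")


@dataclass(frozen=True)
class FileEvent:
    path: str
    mode: str        # "read" or "write" (the report's "opened for reading/modification")
    process: str


@dataclass(frozen=True)
class FlowEvent:
    dst_ip: str
    dst_port: int
    process: str


def watchdog_device_writes(events):
    """Mirai opens the watchdog device for writing to disable it, so a hung
    infected device is no longer rebooted (a reboot would clear the bot)."""
    return sorted({e.path for e in events
                   if e.mode == "write" and e.path in WATCHDOG_DEVICES})


def system_bin_writes(events):
    """Writes under /bin or /sbin; the report shows the userland watchdog
    binaries /bin/watchdog and /sbin/watchdog being opened for modification."""
    return sorted({e.path for e in events
                   if e.mode == "write" and e.path.startswith(SYSTEM_BIN_DIRS)})


def proc_cmdline_sweeps(events, threshold=PROC_SWEEP_THRESHOLD):
    """Mirai's killer walks /proc/<pid>/cmdline looking for rival bots.
    Returns {process: distinct pids read} for processes at or above the threshold."""
    pids_by_proc = {}
    for e in events:
        m = _CMDLINE_RE.match(e.path)
        if m and e.mode == "read":
            pids_by_proc.setdefault(e.process, set()).add(int(m.group(1)))
    return {p: len(s) for p, s in pids_by_proc.items() if len(s) >= threshold}


def remote_host_fanout(flows, threshold=HOST_SCAN_THRESHOLD):
    """Distinct destination hosts per process; a scanner fans out far wider
    than any legitimate client on an embedded device."""
    hosts_by_proc = {}
    for f in flows:
        hosts_by_proc.setdefault(f.process, set()).add(f.dst_ip)
    return {p: len(s) for p, s in hosts_by_proc.items() if len(s) >= threshold}


def process_name_mismatch(comm, exe):
    """Heuristic for 'changes its process name': /proc/<pid>/comm (15 chars max)
    normally equals the executable's basename; Mirai replaces it via prctl(PR_SET_NAME).
    Triage signal only: interpreters and setproctitle daemons also mismatch."""
    return comm != os.path.basename(exe)[:15]


def run_signatures(events, flows):
    """Map the checks onto the report's signature names, in report order."""
    fired = []
    if watchdog_device_writes(events):
        fired.append("Modifies Watchdog functionality")
    if system_bin_writes(events):
        fired.append("Writes file to system bin folder")
    if proc_cmdline_sweeps(events):
        fired.append("Enumerates running processes")
    if remote_host_fanout(flows):
        fired.append("Contacts a large amount of remote hosts")
    return fired


# Constructed sample data shaped like the report's IoCs (pids taken from it).
_PIDS = [996, 1073, 1270, 1384, 1496, 1103, 1111, 491, 497, 769, 1004, 1053,
         1080, 1154, 1175, 1176, 1194, 1066, 1115, 444, 468, 543, 566, 610]
SAMPLE_EVENTS = (
    [FileEvent(p, "write", SAMPLE) for p in
     ("/dev/watchdog", "/dev/misc/watchdog", "/bin/watchdog", "/sbin/watchdog")]
    + [FileEvent(f"/proc/{pid}/cmdline", "read", SAMPLE) for pid in _PIDS]
    + [FileEvent("/proc/self/exe", "read", SAMPLE),
       FileEvent("/proc/1/cmdline", "read", "ps")]          # benign single read
)
# 250 distinct hosts on tcp/23, constructed; the real run contacted 200702.
SAMPLE_FLOWS = [FlowEvent(f"10.0.{i}.1", 23, SAMPLE) for i in range(250)]

if __name__ == "__main__":
    print(run_signatures(SAMPLE_EVENTS, SAMPLE_FLOWS))
    print(proc_cmdline_sweeps(SAMPLE_EVENTS), remote_host_fanout(SAMPLE_FLOWS))
```

The thresholds are the part to tune: on a router or camera almost nothing legitimately reads more than a handful of /proc/<pid>/cmdline entries or talks to hundreds of distinct hosts, so they can be set low there, whereas on a general-purpose host `ps`, monitoring agents and crawlers will cross them. The process-name check is deliberately kept separate from `run_signatures` because it needs per-process comm and exe values rather than events, and because of its false-positive rate it is better used to rank suspects than to alert on its own.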