Analysis
max time kernel: 149s
max time network: 152s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 28-12-2024 19:21
Behavioral task: behavioral1
Sample: db0fa4b8db0333367e9bda3ab68b8042.x86.elf
Resource: ubuntu2204-amd64-20240611-en
General
Target: db0fa4b8db0333367e9bda3ab68b8042.x86.elf
Size: 33KB
MD5: aab63e2b34877cb76f62b1aaaa786760
SHA1: 247fbe9563a8d89c38f09acd1fef97b52bfc8f86
SHA256: 57aef1df1475e4e6805afbdf05c7992482384fdae7258988c116e70eb571f9b0
SHA512: b4d298aca02eed357a0e353c135fe67c30c6f6c12ba29f56358ad3c0944a196296525121f99271624ef3d374b2b53aa9c1dceb677e3e04a006da6c40e4a699af
SSDEEP: 768:Am5QiX/H16FyxFM9VEmj1qxZGhmPhABw3BKlVlfxMnbcuyD7UiyqI:d5QoVkyxFUVEmjuZGhcRKlVl2nouy8ZT
Malware Config
Extracted: mirai, UNSTABLE
Signatures

Mirai family

Contacts a large (190935) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Modifies Watchdog functionality (1 TTP, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description                    ioc                  Process
File opened for modification   /dev/watchdog        db0fa4b8db0333367e9bda3ab68b8042.x86.elf
File opened for modification   /dev/misc/watchdog   db0fa4b8db0333367e9bda3ab68b8042.x86.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder (2 IoCs)
description                    ioc              Process
File opened for modification   /sbin/watchdog   db0fa4b8db0333367e9bda3ab68b8042.x86.elf
File opened for modification   /bin/watchdog    db0fa4b8db0333367e9bda3ab68b8042.x86.elf

Changes its process name (1 IoC)
description                                                       ioc   pid    Process
Changes the process name, possibly in an attempt to hide itself   a     1596   db0fa4b8db0333367e9bda3ab68b8042.x86.elf