Analysis
max time kernel: 99s
max time network: 153s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 30-12-2024 01:45
Behavioral task: behavioral1
Sample: ff9e993a9375a2b6a099fd8ddcd201e1e50c75b47020576513f2068605b4dea5.elf
Resource: ubuntu2204-amd64-20240611-en
General
Target: ff9e993a9375a2b6a099fd8ddcd201e1e50c75b47020576513f2068605b4dea5.elf
Size: 35KB
MD5: b51646a8513eeee446c6291d0783a654
SHA1: 80539eb3962e6588041e78785947b6ebe34f5ce2
SHA256: ff9e993a9375a2b6a099fd8ddcd201e1e50c75b47020576513f2068605b4dea5
SHA512: 7a767042004dd70f8e8cc520cbc24ad138d392cd25cc34af138d70d1ea25a2d394653cd66b7678b3783ed7479c6bed3e063185fb6d310f108f88da963d88f077
SSDEEP: 768:m4/GG5zY0VG0zQbHkMwWYoLehOnpLbmonVp8WsoQ3kVnbcuyD7Ufyqm:h1zY0c0zujwWYl0RbmQL8WsRgnouy8qF
Malware Config
Extracted
mirai
UNSTABLE
Signatures

Mirai family

Contacts a large (191417) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description | ioc | Process
File opened for modification | /dev/misc/watchdog | ff9e993a9375a2b6a099fd8ddcd201e1e50c75b47020576513f2068605b4dea5.elf
File opened for modification | /dev/watchdog | ff9e993a9375a2b6a099fd8ddcd201e1e50c75b47020576513f2068605b4dea5.elf
Enumerates running processes
Discovers information about currently running processes on the system
description: File opened for reading (every ioc below); Process: ff9e993a9375a2b6a099fd8ddcd201e1e50c75b47020576513f2068605b4dea5.elf (every ioc below)
ioc:
/proc/1099/cmdline
/proc/1010/cmdline
/proc/987/cmdline
/proc/1138/cmdline
/proc/1153/cmdline
/proc/645/cmdline
/proc/833/cmdline
/proc/763/cmdline
/proc/772/cmdline
/proc/779/cmdline
/proc/1122/cmdline
/proc/1402/cmdline
/proc/602/cmdline
/proc/1599/cmdline
/proc/1154/cmdline
/proc/1030/cmdline
/proc/863/cmdline
/proc/446/cmdline
/proc/1193/cmdline
/proc/1322/cmdline
/proc/1570/cmdline
/proc/522/cmdline
/proc/754/cmdline
/proc/1050/cmdline
/proc/582/cmdline
/proc/838/cmdline
/proc/959/cmdline
/proc/968/cmdline
/proc/1338/cmdline
/proc/1399/cmdline
/proc/410/cmdline
/proc/589/cmdline
/proc/606/cmdline
/proc/1129/cmdline
/proc/1299/cmdline
/proc/1321/cmdline
/proc/1329/cmdline
/proc/497/cmdline
/proc/980/cmdline
/proc/953/cmdline
/proc/590/cmdline
/proc/988/cmdline
/proc/1056/cmdline
/proc/1164/cmdline
/proc/1212/cmdline
/proc/1289/cmdline
/proc/498/cmdline
/proc/1111/cmdline
/proc/1268/cmdline
/proc/1462/cmdline
/proc/1591/cmdline
/proc/1594/cmdline
/proc/767/cmdline
/proc/660/cmdline
/proc/1157/cmdline
/proc/669/cmdline
/proc/777/cmdline
/proc/745/cmdline
/proc/1332/cmdline
/proc/629/cmdline
/proc/411/cmdline
/proc/588/cmdline
/proc/693/cmdline
/proc/1035/cmdline

Writes file to system bin folder (2 IoCs)
description | ioc | Process
File opened for modification | /sbin/watchdog | ff9e993a9375a2b6a099fd8ddcd201e1e50c75b47020576513f2068605b4dea5.elf
File opened for modification | /bin/watchdog | ff9e993a9375a2b6a099fd8ddcd201e1e50c75b47020576513f2068605b4dea5.elf

Changes its process name (1 IoCs)
description | ioc | pid | Process
Changes the process name, possibly in an attempt to hide itself | a | 1588 | ff9e993a9375a2b6a099fd8ddcd201e1e50c75b47020576513f2068605b4dea5.elf