mirai | 94b52bc89ed00de10ab8000993e5ef73555ea909881964a6431e0ab3df1569f3 | Triage

Submit
Reports

Overview

overview

Static

static

17ed9be38a...49e69d

linux_amd64

9

17ed9be38a...49e69d

linux_mipsel

17ed9be38a...49e69d

linux_mips

Sharing

General

Target

17ed9be38ad2b7f10e293dda3b49e69d
Size

65KB
Sample

210223-y4brtyevra
MD5

17ed9be38ad2b7f10e293dda3b49e69d
SHA1

f70d13d704408060d60425fda3d5b32a4293f2dc
SHA256

94b52bc89ed00de10ab8000993e5ef73555ea909881964a6431e0ab3df1569f3
SHA512

6dfdb02e255302ba6212461ce078b7fd6c1dcad51c09164baba4e0e9992a30c60bac8f02770b0cdfc1b4bba90053d12de51217684fea29865942e929ad6dbe40

Score

10^/10

mirai mirai_x86corona antivm linux persistence

Static task

static1

mirai_x86corona mirai

Behavioral task

behavioral1

Sample

17ed9be38ad2b7f10e293dda3b49e69d

Resource

ubuntu-amd64

antivm persistence

linux_amd64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

17ed9be38ad2b7f10e293dda3b49e69d

Resource

debian9-mipsel

linux_mipsel

0 signatures

0 seconds

Behavioral task

behavioral3

Sample

17ed9be38ad2b7f10e293dda3b49e69d

Resource

debian9-mipsbe

linux_mips

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  17ed9be38ad2b7f10e293dda3b49e69d
- Size
  
  65KB
- MD5
  
  17ed9be38ad2b7f10e293dda3b49e69d
- SHA1
  
  f70d13d704408060d60425fda3d5b32a4293f2dc
- SHA256
  
  94b52bc89ed00de10ab8000993e5ef73555ea909881964a6431e0ab3df1569f3
- SHA512
  
  6dfdb02e255302ba6212461ce078b7fd6c1dcad51c09164baba4e0e9992a30c60bac8f02770b0cdfc1b4bba90053d12de51217684fea29865942e929ad6dbe40
Score

9^/10

antivm persistence
- Attempts to identify VMWare/VirtualBox via SCSI settings
  antivm
- Attempts to identify hypervisor via CPU configuration
  Checks CPU information for indicators that the system is a virtual machine.
  antivm
- Deletes system logs
- Writes file to system bin folder
- Modifies hosts file
  Adds to hosts file used for mapping hosts to IP addresses.
- Writes DNS configuration
  Writes data to DNS resolver config file.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Write file to user bin folder
- Reads CPU attributes
- Enumerates kernel/hardware configuration
  Reads contents of /sys virtual filesystem to enumerate system information.
- Reads runtime system information
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Hijack Execution Flow

Scheduled Task

Privilege Escalation

Hijack Execution Flow

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Indicator Removal on Host

Hijack Execution Flow

Credential Access

Discovery

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Dynamic Resolution

Impact

Tasks

static1

mirai_x86coronamirai

behavioral1

antivmpersistence

behavioral2

behavioral3

© 2018-2024

Terms | Privacy