General

  • Target

    robinbot

  • Size

    130KB

  • Sample

    221129-ss7mlsef31

  • MD5

    500009d8f68330a8f82b59884a9afe47

  • SHA1

    575f5e6894b1a2f7a728435487666acdb9758f83

  • SHA256

    a46770913fba87921b56d789396e07cdfd68a846b2e80a77aa07e1c62f9304d6

  • SHA512

    ec62621ec2e037cb9f3890486ff4fb127ee6b34657ee7c2b1e3401de5d7fa2bb554e62d5c378dd93c43a3bb0bf4d210556cf8e67c0ff8449d0c615262e94dfba

  • SSDEEP

    3072:xffIDJOocVBUbd8A2W3M/fvLUpANet2xBTd:xgDAtVmB8sM/fvLUpANet2xBTd

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Targets

    • Target

      robinbot

    • Size

      130KB

    • MD5

      500009d8f68330a8f82b59884a9afe47

    • SHA1

      575f5e6894b1a2f7a728435487666acdb9758f83

    • SHA256

      a46770913fba87921b56d789396e07cdfd68a846b2e80a77aa07e1c62f9304d6

    • SHA512

      ec62621ec2e037cb9f3890486ff4fb127ee6b34657ee7c2b1e3401de5d7fa2bb554e62d5c378dd93c43a3bb0bf4d210556cf8e67c0ff8449d0c615262e94dfba

    • SSDEEP

      3072:xffIDJOocVBUbd8A2W3M/fvLUpANet2xBTd:xgDAtVmB8sM/fvLUpANet2xBTd

    Score
    9/10
    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Modifies the Watchdog daemon

      Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

    • Modifies hosts file

      Adds to hosts file used for mapping hosts to IP addresses.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Reads system network configuration

      Uses contents of /proc filesystem to enumerate network settings.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Impair Defenses

1
T1562

Discovery

Network Service Scanning

1
T1046

System Network Connections Discovery

1
T1049

System Network Configuration Discovery

1
T1016

Tasks