mirai | 3f87eb0835bbb7fd5913d551b476cbd72837c4176bcbc0038ba898589a0f7888

Analysis

max time kernel
153s
max time network
153s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
29-04-2023 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nag.x86.elf
Size

24KB
MD5

385c82b44c2faea9bc27922489453bbc
SHA1

007431c8f2918833639bb37be1c668cba46b3a9a
SHA256

3f87eb0835bbb7fd5913d551b476cbd72837c4176bcbc0038ba898589a0f7888
SHA512

1c322c8b88af7e4dd480869cf50452bc73fb5572088f0b68f9a1bff22263deee8b326e63c31107d85956964a286193323e55dd22c3c1b800876a85a276b522cf
SSDEEP

768:I8/etIPotzrv6xFiHhCRpMiaqDanbcuyD7UyQRjI:StIUryxFiBKOFuanouy8yys

Score

10^/10

mirai botnet discovery

Malware Config

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (46394) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562
Changes its process name 1 IoCs

Processes:

nag.x86.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself /var/Sofia 596 nag.x86.elf
Deletes itself 1 IoCs

Processes:

nag.x86.elf

pid process

596 nag.x86.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	/var/Sofia	596	nag.x86.elf

pid	process
596	nag.x86.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/81/cmdline
File opened for reading	/proc/706/cmdline
File opened for reading	/proc/29/cmdline
File opened for reading	/proc/612/cmdline
File opened for reading	/proc/637/cmdline
File opened for reading	/proc/596/cmdline
File opened for reading	/proc/618/cmdline
File opened for reading	/proc/12/cmdline
File opened for reading	/proc/14/cmdline
File opened for reading	/proc/203/cmdline
File opened for reading	/proc/166/cmdline
File opened for reading	/proc/19/cmdline
File opened for reading	/proc/23/cmdline
File opened for reading	/proc/115/cmdline
File opened for reading	/proc/2/cmdline
File opened for reading	/proc/34/cmdline
File opened for reading	/proc/331/cmdline
File opened for reading	/proc/366/cmdline
File opened for reading	/proc/698/cmdline
File opened for reading	/proc/24/cmdline
File opened for reading	/proc/25/cmdline
File opened for reading	/proc/177/cmdline
File opened for reading	/proc/357/cmdline
File opened for reading	/proc/178/cmdline
File opened for reading	/proc/333/cmdline
File opened for reading	/proc/565/cmdline
File opened for reading	/proc/202/cmdline
File opened for reading	/proc/607/cmdline
File opened for reading	/proc/4/cmdline
File opened for reading	/proc/17/cmdline
File opened for reading	/proc/174/cmdline
File opened for reading	/proc/16/cmdline
File opened for reading	/proc/78/cmdline
File opened for reading	/proc/716/cmdline
File opened for reading	/proc/424/cmdline
File opened for reading	/proc/18/cmdline
File opened for reading	/proc/180/cmdline
File opened for reading	/proc/250/cmdline
File opened for reading	/proc/619/cmdline
File opened for reading	/proc/7/cmdline
File opened for reading	/proc/10/cmdline
File opened for reading	/proc/597/cmdline
File opened for reading	/proc/82/cmdline
File opened for reading	/proc/83/cmdline
File opened for reading	/proc/585/cmdline
File opened for reading	/proc/614/cmdline
File opened for reading	/proc/666/cmdline
File opened for reading	/proc/11/cmdline
File opened for reading	/proc/15/cmdline
File opened for reading	/proc/36/cmdline
File opened for reading	/proc/686/cmdline
File opened for reading	/proc/594/cmdline
File opened for reading	/proc/646/cmdline
File opened for reading	/proc/21/cmdline
File opened for reading	/proc/383/cmdline
File opened for reading	/proc/591/cmdline
File opened for reading	/proc/98/cmdline
File opened for reading	/proc/8/cmdline
File opened for reading	/proc/31/cmdline
File opened for reading	/proc/85/cmdline
File opened for reading	/proc/167/cmdline
File opened for reading	/proc/367/cmdline
File opened for reading	/proc/22/cmdline
File opened for reading	/proc/28/cmdline

/tmp/nag.x86.elf
/tmp/nag.x86.elf
1⤵
- Changes its process name
- Deletes itself
PID:596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/596-1-0x0000000008048000-0x00000000080567e0-memory.dmp

Download