mirai | da56797ce94edb327d27a38350f1ac81edc00e755c423064464c07d1c58f564c

Analysis

max time kernel
152s
max time network
154s
platform
linux_armhf
resource
debian9-armhf-en-20211208
resource tags

arch:armhfimage:debian9-armhf-en-20211208kernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
30-04-2023 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Gen.Variant.Trojan.Linux.Gafgyt.8.30058.6070.elf
Size

51KB
MD5

b03e2150d6fc9c256b4fad1f644ba3fb
SHA1

65466e5cd9cc1f3dbb0f47354258d6bea8f907de
SHA256

da56797ce94edb327d27a38350f1ac81edc00e755c423064464c07d1c58f564c
SHA512

f34ed32cf261e800e61388eea43d8721139356b47763defb06b6f2956650af0553d0e4e467610d615772432789c3a827f077e36305374795dd8aef2817251a21
SSDEEP

768:Jc5/VxsZBk6vdoxs3cEWkui8FTAI27PvbhTsr9iOFfyPGKX9q3UELah/dKZ5JF6e:u/VxOBRB3c5kumDza5iOp1LoKWl/giED

Score

10^/10

mirai unst botnet discovery

Malware Config

Extracted

Family

mirai

Botnet

UNST

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (57733) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Enumerates active TCP sockets 1 TTPs 2 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

Processes:

SecuriteInfo.com.Gen.Variant.Trojan.Linux.Gafgyt.8.30058.6070.elf

description	ioc	process
File opened for reading	/proc/net/tcp	SecuriteInfo.com.Gen.Variant.Trojan.Linux.Gafgyt.8.30058.6070.elf
File opened for reading	/proc/net/tcp

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

Processes:

SecuriteInfo.com.Gen.Variant.Trojan.Linux.Gafgyt.8.30058.6070.elf

description	ioc	process
File opened for reading	/proc/net/tcp	SecuriteInfo.com.Gen.Variant.Trojan.Linux.Gafgyt.8.30058.6070.elf
File opened for reading	/proc/net/tcp

Reads runtime system information 22 IoCs

Reads data from /proc virtual filesystem.

Processes:

SecuriteInfo.com.Gen.Variant.Trojan.Linux.Gafgyt.8.30058.6070.elf

description	ioc
File opened for reading	/proc/228/fd
File opened for reading	/proc/306/fd
File opened for reading	/proc/301/fd
File opened for reading	/proc/344/fd
File opened for reading	/proc/350/fd
File opened for reading	/proc/364/exe
File opened for reading	/proc/1/fd
File opened for reading	/proc/225/fd
File opened for reading	/proc/233/fd
File opened for reading	/proc/275/fd
File opened for reading	/proc/356/fd
File opened for reading	/proc/207/fd
File opened for reading	/proc/230/fd
File opened for reading	/proc/271/fd
File opened for reading	/proc/285/fd
File opened for reading	/proc/304/fd
File opened for reading	/proc/307/fd
File opened for reading	/proc/352/fd
File opened for reading	/proc/self/exe	SecuriteInfo.com.Gen.Variant.Trojan.Linux.Gafgyt.8.30058.6070.elf
File opened for reading	/proc/131/fd
File opened for reading	/proc/164/fd
File opened for reading	/proc/276/fd

/tmp/SecuriteInfo.com.Gen.Variant.Trojan.Linux.Gafgyt.8.30058.6070.elf
/tmp/SecuriteInfo.com.Gen.Variant.Trojan.Linux.Gafgyt.8.30058.6070.elf
1⤵
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:351

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Scanning

T1046

System Network Connections Discovery

T1049

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/351-1-0x00008000-0x0002ad10-memory.dmp

Download