mirai | 4beb12afef07d5bbe0049879a09a72309e63f75cf8f3d11bb9f092f7c56b0982

Analysis

max time kernel
152s
max time network
154s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
30-04-2023 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x86.elf
Size

34KB
MD5

a0035af8d827c209a89cea5ae60d5110
SHA1

a25665b7268adcca0619acff19055053da6c64f0
SHA256

4beb12afef07d5bbe0049879a09a72309e63f75cf8f3d11bb9f092f7c56b0982
SHA512

5f773ac1679ece6d45848891f4a0d306a65ea1957f3bee0475a84e0eadf32f480c7975ce3a6ee953aaedc8e9430975517a1f007006316a4a8254eb179a72b9d6
SSDEEP

768:dDHUts8wX6+D1UCjLVyghoa0m5Budg8OGbn5/QenbcuyD7UGQRjF:d4uCW1J3ogaCuOoz9Qenouy8Gy5

Score

10^/10

mirai kyton botnet discovery

Malware Config

Extracted

Family

mirai

Botnet

KYTON

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (103353) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562
Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /bin/watchdog
Changes its process name 1 IoCs

Processes:

x86.elf

description pid process

Changes the process name, possibly in an attempt to hide itself 581 x86.elf
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

description ioc

File opened for reading /proc/net/tcp
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

description ioc

File opened for reading /proc/net/tcp
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

description ioc

File opened for reading /proc/585/exe

description	ioc
File opened for modification	/bin/watchdog

description	pid	process
Changes the process name, possibly in an attempt to hide itself	581	x86.elf

description	ioc
File opened for reading	/proc/net/tcp

description	ioc
File opened for reading	/proc/net/tcp

description	ioc
File opened for reading	/proc/585/exe

/tmp/x86.elf
/tmp/x86.elf
1⤵
- Changes its process name
PID:581

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Impair Defenses

T1562

Hijack Execution Flow

T1574

Credential Access

Discovery

Network Service Scanning

T1046

System Network Connections Discovery

T1049

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/581-1-0x0000000008048000-0x0000000008060bc4-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads