Overview

overview

10

Static

static

7

00d9fe0a6b...e5.elf

debian-9-armhf

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    98520685bcb57b1e7c903aa5b64e2d97.bin

  • Size

    67KB

  • Sample

    230502-b9f3jshd34

  • MD5

    0c36ed73e97aadf97c4ddf492991ad0c

  • SHA1

    522ed750b04dbe7ac15b5991993c7e42ad01937b

  • SHA256

    bf501dd5a3e9982aaed53b36eab1c08a620a923bfa37f3e4f1a17490578d756e

  • SHA512

    cea5b5ab265ab4db12f4923bc5dd245fb45981060948fee16f43d5c16689225963ab5a1210820e3c4dddbab8c3e16e16eca6f423616bcb6b8f9fab7df3055249

  • SSDEEP

    1536:VO7jGu3KxosmRlTpLsEBhDT7Zs7Ii+HCJcEEA:VKjBEoJT9sEBJeF+HPE7

Score
10/10
miraikytonbotnetdiscoveryupx

Malware Config

Extracted

Family

mirai

Botnet

KYTON

Targets

    • Target

      00d9fe0a6bb4c16c51af172afcd42df3da3ac918af723d4c89465c80b74824e5.elf

    • Size

      68KB

    • MD5

      98520685bcb57b1e7c903aa5b64e2d97

    • SHA1

      6c7e69c20c02e498acd803863207646ef965a1fa

    • SHA256

      00d9fe0a6bb4c16c51af172afcd42df3da3ac918af723d4c89465c80b74824e5

    • SHA512

      396d9badc38762fe160985ea5e7b27e1ec4891eb20db321e28892eba46bc0491bf7b91b732566649fc435a7380b6bfb208ac6e027e0b5cb8249855c8d3cb2a63

    • SSDEEP

      1536:bmuRtG/R7HiIb+wkqER7/kpevPyJTD/Lh1mhIJXXwi1zqP:blw/sIWPt/+eva5bLh1mCJXX/hO

    Score
    10/10
    miraikytonbotnetdiscovery

    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

      botnetmirai

    • Contacts a large (81808) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Modifies the Watchdog daemon

      Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

    • Writes file to system bin folder

    • Changes its process name

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Reads system network configuration

      Uses contents of /proc filesystem to enumerate network settings.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hijack Execution Flow

1
T1574

Privilege Escalation

Hijack Execution Flow

1
T1574

Defense Evasion

Impair Defenses

1
T1562

Hijack Execution Flow

1
T1574

Credential Access

Discovery

Network Service Scanning

2
T1046

System Network Connections Discovery

1
T1049

System Network Configuration Discovery

1
T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks