Overview

overview

10

Static

static

7

e049a4f5e8...bf.elf

debian-9-mipsel

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    42eca5af3ea9b13d88404974c1720197.bin

  • Size

    43KB

  • Sample

    230502-bsrsqahc69

  • MD5

    6d85a104ccda45cb5b98005653af7106

  • SHA1

    c4eff2b8f3883399e8f589ee823a4ee5dd62deb4

  • SHA256

    aa1c150c5db559da04672b4774e228a28f7e27cf5db770f5c5f41d764ee4417f

  • SHA512

    aa714957b92429e6ad0d219b989fb4b49ef7e77719ca17ffbe6bec4811dcbc5dab68cb34acc6743c77f27d35dc21ebea9c8fea988a2eee3358e3fb04ca2ae61e

  • SSDEEP

    768:kdzBbpHI4p8zYl3wTfyF5tveLHK8fpACmHwnH/wpvdf6a8d2eiGjIKAMI8Ye20:eRpHI4z1VF5tzKACmHC0wp2eiGjIKLIw

Score
10/10
miraikytonbotnetdiscoveryupx

Malware Config

Extracted

Family

mirai

Botnet

KYTON

Targets

    • Target

      e049a4f5e8bccb9767124feb8a4eb55ab4715194630efabfa66ff929a3217cbf.elf

    • Size

      44KB

    • MD5

      42eca5af3ea9b13d88404974c1720197

    • SHA1

      4caa835eefa6ad74817384123292814cad31149e

    • SHA256

      e049a4f5e8bccb9767124feb8a4eb55ab4715194630efabfa66ff929a3217cbf

    • SHA512

      763e72ac779f305d64b135f5a4bcf6feba4dbc5274b51236a2447f8f7aeb2613be0fdd3593fd1f596b30736c04011b7ffea9077244900e3c7a4205ead8ce96ec

    • SSDEEP

      768:fJS4GmW3BHKBa0BJXEALN5oSWgjYS62j5Zg3lyReMGXTUAiflWz:bGmqga0BJXEALNWghjaly0PTUAis

    Score
    10/10
    miraikytonbotnetdiscovery

    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

      botnetmirai

    • Contacts a large (112444) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Modifies the Watchdog daemon

      Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

    • Writes file to system bin folder

    • Changes its process name

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Reads system network configuration

      Uses contents of /proc filesystem to enumerate network settings.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hijack Execution Flow

1
T1574

Privilege Escalation

Hijack Execution Flow

1
T1574

Defense Evasion

Impair Defenses

1
T1562

Hijack Execution Flow

1
T1574

Credential Access

Discovery

Network Service Scanning

2
T1046

System Network Connections Discovery

1
T1049

System Network Configuration Discovery

1
T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks