mirai | b8e7275225b044f5f6a2b96341e61731fd1791daa599e6aa819c759f3d6ceb71

Analysis

max time kernel
150s
max time network
153s
platform
linux_mipsel
resource
debian9-mipsel-en-20211208
resource tags

arch:mipselimage:debian9-mipsel-en-20211208kernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
03-05-2023 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3e3ce2457cb9250c1859c8111cf2e14.elf
Size

27KB
MD5

a3e3ce2457cb9250c1859c8111cf2e14
SHA1

875e7131f699802f06c0c05748f69dd7fb56d7f8
SHA256

b8e7275225b044f5f6a2b96341e61731fd1791daa599e6aa819c759f3d6ceb71
SHA512

0f27ba21b227c5904a68f1c09e5f2ad5220aa2a54482f1659b5ae6f2ea909d5ada977cc915c19542edcb580dff9d8037083a5122765d7dd3adabeee946fd5400
SSDEEP

768:O1Jnr9HMs0aNafCBtoGKYF3cTXmfhulIKWy:c9lpSli3ce9K

Score

10^/10

mirai botnet botnet discovery

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

cnc.kintaro.cc

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (97491) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562
Changes its process name 1 IoCs

Processes:

a3e3ce2457cb9250c1859c8111cf2e14.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself /var/Sofia 329 a3e3ce2457cb9250c1859c8111cf2e14.elf
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

a3e3ce2457cb9250c1859c8111cf2e14.elf

description ioc process

File opened for reading /proc/net/tcp a3e3ce2457cb9250c1859c8111cf2e14.elf
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

a3e3ce2457cb9250c1859c8111cf2e14.elf

description ioc process

File opened for reading /proc/net/tcp a3e3ce2457cb9250c1859c8111cf2e14.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	/var/Sofia	329	a3e3ce2457cb9250c1859c8111cf2e14.elf

description	ioc	process
File opened for reading	/proc/net/tcp	a3e3ce2457cb9250c1859c8111cf2e14.elf

description	ioc	process
File opened for reading	/proc/net/tcp	a3e3ce2457cb9250c1859c8111cf2e14.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/7/cmdline
File opened for reading	/proc/12/cmdline
File opened for reading	/proc/18/cmdline
File opened for reading	/proc/116/cmdline
File opened for reading	/proc/300/cmdline
File opened for reading	/proc/306/cmdline
File opened for reading	/proc/17/cmdline
File opened for reading	/proc/21/cmdline
File opened for reading	/proc/2/cmdline
File opened for reading	/proc/13/cmdline
File opened for reading	/proc/80/cmdline
File opened for reading	/proc/142/cmdline
File opened for reading	/proc/260/cmdline
File opened for reading	/proc/409/cmdline
File opened for reading	/proc/1/cmdline
File opened for reading	/proc/4/cmdline
File opened for reading	/proc/5/cmdline
File opened for reading	/proc/82/cmdline
File opened for reading	/proc/307/cmdline
File opened for reading	/proc/401/cmdline
File opened for reading	/proc/252/cmdline
File opened for reading	/proc/324/cmdline
File opened for reading	/proc/256/cmdline
File opened for reading	/proc/269/cmdline
File opened for reading	/proc/346/cmdline
File opened for reading	/proc/23/cmdline
File opened for reading	/proc/105/cmdline
File opened for reading	/proc/328/cmdline
File opened for reading	/proc/3/cmdline
File opened for reading	/proc/36/cmdline
File opened for reading	/proc/69/cmdline
File opened for reading	/proc/235/cmdline
File opened for reading	/proc/325/cmdline
File opened for reading	/proc/337/cmdline
File opened for reading	/proc/20/cmdline
File opened for reading	/proc/74/cmdline
File opened for reading	/proc/78/cmdline
File opened for reading	/proc/364/cmdline
File opened for reading	/proc/24/cmdline
File opened for reading	/proc/72/cmdline
File opened for reading	/proc/157/cmdline
File opened for reading	/proc/219/cmdline
File opened for reading	/proc/342/cmdline
File opened for reading	/proc/427/cmdline
File opened for reading	/proc/8/cmdline
File opened for reading	/proc/10/cmdline
File opened for reading	/proc/11/cmdline
File opened for reading	/proc/76/cmdline
File opened for reading	/proc/293/cmdline
File opened for reading	/proc/397/cmdline
File opened for reading	/proc/71/cmdline
File opened for reading	/proc/77/cmdline
File opened for reading	/proc/9/cmdline
File opened for reading	/proc/14/cmdline
File opened for reading	/proc/15/cmdline
File opened for reading	/proc/16/cmdline
File opened for reading	/proc/22/cmdline
File opened for reading	/proc/70/cmdline
File opened for reading	/proc/146/cmdline
File opened for reading	/proc/208/cmdline
File opened for reading	/proc/330/cmdline
File opened for reading	/proc/73/cmdline
File opened for reading	/proc/222/cmdline
File opened for reading	/proc/6/cmdline

/tmp/a3e3ce2457cb9250c1859c8111cf2e14.elf
/tmp/a3e3ce2457cb9250c1859c8111cf2e14.elf
1⤵
- Changes its process name
- Enumerates active TCP sockets
- Reads system network configuration
PID:329

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Scanning

T1046

System Network Connections Discovery

T1049

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/329-1-0x00400000-0x00450da0-memory.dmp

Download