mirai | e99b8f5f1732bc27ba3e043cb55a561a286135f3d544e69042c4e89658977d6e

Analysis

max time kernel
153s
max time network
154s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
03-05-2023 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f78a83d756084712a6b6df1aeca10ade.elf
Size

23KB
MD5

f78a83d756084712a6b6df1aeca10ade
SHA1

9e6842be6daf2fe2a765ba0ce026b5f95a54ee90
SHA256

e99b8f5f1732bc27ba3e043cb55a561a286135f3d544e69042c4e89658977d6e
SHA512

75c7611e450520e6111d8a476512aea554408cc412cea353305d097253096bd5bfa5f938da25ba350d2fe9059132b384cc31a2c3b0282634d7a4a3d9ce6a14b8
SSDEEP

384:M0XjEy4VsCu/nFZ84Yg84t8/ejhp27rKLc6lUCbgxKMWl0iouN07JoWHt3UhLv1H:R+VsCIFZeZ4t8/ejf42lULxKMxiuoz5

Score

10^/10

mirai botnet botnet discovery

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

cnc.kintaro.cc

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (105452) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562
Changes its process name 1 IoCs

Processes:

f78a83d756084712a6b6df1aeca10ade.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself /var/Sofia 597 f78a83d756084712a6b6df1aeca10ade.elf
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

f78a83d756084712a6b6df1aeca10ade.elf

description ioc process

File opened for reading /proc/net/tcp f78a83d756084712a6b6df1aeca10ade.elf
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

f78a83d756084712a6b6df1aeca10ade.elf

description ioc process

File opened for reading /proc/net/tcp f78a83d756084712a6b6df1aeca10ade.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	/var/Sofia	597	f78a83d756084712a6b6df1aeca10ade.elf

description	ioc	process
File opened for reading	/proc/net/tcp	f78a83d756084712a6b6df1aeca10ade.elf

description	ioc	process
File opened for reading	/proc/net/tcp	f78a83d756084712a6b6df1aeca10ade.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/30/cmdline
File opened for reading	/proc/98/cmdline
File opened for reading	/proc/593/cmdline
File opened for reading	/proc/29/cmdline
File opened for reading	/proc/84/cmdline
File opened for reading	/proc/89/cmdline
File opened for reading	/proc/355/cmdline
File opened for reading	/proc/357/cmdline
File opened for reading	/proc/1/cmdline
File opened for reading	/proc/18/cmdline
File opened for reading	/proc/28/cmdline
File opened for reading	/proc/203/cmdline
File opened for reading	/proc/592/cmdline
File opened for reading	/proc/595/cmdline
File opened for reading	/proc/6/cmdline
File opened for reading	/proc/9/cmdline
File opened for reading	/proc/35/cmdline
File opened for reading	/proc/180/cmdline
File opened for reading	/proc/262/cmdline
File opened for reading	/proc/389/cmdline
File opened for reading	/proc/565/cmdline
File opened for reading	/proc/32/cmdline
File opened for reading	/proc/173/cmdline
File opened for reading	/proc/177/cmdline
File opened for reading	/proc/79/cmdline
File opened for reading	/proc/80/cmdline
File opened for reading	/proc/7/cmdline
File opened for reading	/proc/22/cmdline
File opened for reading	/proc/23/cmdline
File opened for reading	/proc/169/cmdline
File opened for reading	/proc/250/cmdline
File opened for reading	/proc/460/cmdline
File opened for reading	/proc/10/cmdline
File opened for reading	/proc/15/cmdline
File opened for reading	/proc/27/cmdline
File opened for reading	/proc/82/cmdline
File opened for reading	/proc/126/cmdline
File opened for reading	/proc/170/cmdline
File opened for reading	/proc/4/cmdline
File opened for reading	/proc/34/cmdline
File opened for reading	/proc/36/cmdline
File opened for reading	/proc/422/cmdline
File opened for reading	/proc/606/cmdline
File opened for reading	/proc/85/cmdline
File opened for reading	/proc/168/cmdline
File opened for reading	/proc/382/cmdline
File opened for reading	/proc/17/cmdline
File opened for reading	/proc/21/cmdline
File opened for reading	/proc/83/cmdline
File opened for reading	/proc/163/cmdline
File opened for reading	/proc/167/cmdline
File opened for reading	/proc/2/cmdline
File opened for reading	/proc/14/cmdline
File opened for reading	/proc/16/cmdline
File opened for reading	/proc/179/cmdline
File opened for reading	/proc/202/cmdline
File opened for reading	/proc/352/cmdline
File opened for reading	/proc/78/cmdline
File opened for reading	/proc/164/cmdline
File opened for reading	/proc/174/cmdline
File opened for reading	/proc/175/cmdline
File opened for reading	/proc/11/cmdline
File opened for reading	/proc/12/cmdline
File opened for reading	/proc/20/cmdline

/tmp/f78a83d756084712a6b6df1aeca10ade.elf
/tmp/f78a83d756084712a6b6df1aeca10ade.elf
1⤵
- Changes its process name
- Enumerates active TCP sockets
- Reads system network configuration
PID:597

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Scanning

T1046

System Network Connections Discovery

T1049

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/597-1-0x0000000008048000-0x0000000008054a80-memory.dmp

Download