mirai | 89ded71040f0f0b728b5ce4d9c0affd87bae2e227068b515fc8099f6ea310ffc

Analysis

max time kernel
150s
max time network
154s
platform
linux_mipsel
resource
debian9-mipsel-en-20211208
resource tags

arch:mipselimage:debian9-mipsel-en-20211208kernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
04-05-2023 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4ce6a8367d840118afdb064c639cc74.elf
Size

37KB
MD5

d4ce6a8367d840118afdb064c639cc74
SHA1

85cf4120be8faf5c3736a7045d4a5921fe5ab542
SHA256

89ded71040f0f0b728b5ce4d9c0affd87bae2e227068b515fc8099f6ea310ffc
SHA512

7279bb9dc79281d0283b24ee5ffccb32bd2959d400e959ab7f8d2fa7a20173e63b350d94daeb4e27224cf2c4545a6e7a928b7c9daffb7c403ab8c49665909d0d
SSDEEP

768:8cFiyluiEduvR0MrPNjIvSGb22VjGqxQLZUiBxTQFTT9nsd6WMI:vFdY4ynbV6BLh7QRT9nUx

Score

10^/10

mirai unstable botnet discovery

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (222532) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562
Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /sbin/watchdog
File opened for modification /bin/watchdog
Changes its process name 1 IoCs

Processes:

d4ce6a8367d840118afdb064c639cc74.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself a 326 d4ce6a8367d840118afdb064c639cc74.elf
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

d4ce6a8367d840118afdb064c639cc74.elf

description ioc process

File opened for reading /proc/self/exe d4ce6a8367d840118afdb064c639cc74.elf

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	a	326	d4ce6a8367d840118afdb064c639cc74.elf

description	ioc	process
File opened for reading	/proc/self/exe	d4ce6a8367d840118afdb064c639cc74.elf

/tmp/d4ce6a8367d840118afdb064c639cc74.elf
/tmp/d4ce6a8367d840118afdb064c639cc74.elf
1⤵
- Changes its process name
- Reads runtime system information
PID:326

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Impair Defenses

T1562

Hijack Execution Flow

T1574

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/326-1-0x00400000-0x0045bba8-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads