mirai | 94c49e730a88a2c854e60f27d06f3a33af4e2e1ac32c41bdbfe7c22c375e4963

Analysis

max time kernel
152s
max time network
154s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221125-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221125-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
10-05-2023 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75a88da8eb68a86955194ffd839ace87201ebad837cf6d9dfddbb2f6a1ef08aa.elf
Size

26KB
MD5

2bad8f8537af64c19b6f4314c354edc0
SHA1

7e49fd3174326b51fa988911dfc517c419710438
SHA256

75a88da8eb68a86955194ffd839ace87201ebad837cf6d9dfddbb2f6a1ef08aa
SHA512

d63d494730e61965d1bdc9ac36eca64cee00bde9ed07eb7a3c272fc4775cd57d107f21c473a0d23c1cd1551f6e3b5c729e37b44f0c618675013a8fef3b18ff33
SSDEEP

384:MUv66YgiokzDM366q1tl81r31ueV9suqK0eaNpVIEWW+ZaWz4lq3+v1RK:x66Y4hy8qi9sK0PINW9WzU9K

Score

10^/10

mirai botnet botnet discovery

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

pachoisgay.3utilities.com

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (108995) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Changes its process name 1 IoCs

Processes:

75a88da8eb68a86955194ffd839ace87201ebad837cf6d9dfddbb2f6a1ef08aa.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	/var/Sofia	596	75a88da8eb68a86955194ffd839ace87201ebad837cf6d9dfddbb2f6a1ef08aa.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/80/cmdline
File opened for reading	/proc/161/cmdline
File opened for reading	/proc/35/cmdline
File opened for reading	/proc/15/cmdline
File opened for reading	/proc/158/cmdline
File opened for reading	/proc/168/cmdline
File opened for reading	/proc/357/cmdline
File opened for reading	/proc/26/cmdline
File opened for reading	/proc/32/cmdline
File opened for reading	/proc/129/cmdline
File opened for reading	/proc/351/cmdline
File opened for reading	/proc/1/cmdline
File opened for reading	/proc/19/cmdline
File opened for reading	/proc/27/cmdline
File opened for reading	/proc/85/cmdline
File opened for reading	/proc/156/cmdline
File opened for reading	/proc/289/cmdline
File opened for reading	/proc/164/cmdline
File opened for reading	/proc/8/cmdline
File opened for reading	/proc/18/cmdline
File opened for reading	/proc/23/cmdline
File opened for reading	/proc/25/cmdline
File opened for reading	/proc/78/cmdline
File opened for reading	/proc/83/cmdline
File opened for reading	/proc/89/cmdline
File opened for reading	/proc/194/cmdline
File opened for reading	/proc/592/cmdline
File opened for reading	/proc/3/cmdline
File opened for reading	/proc/21/cmdline
File opened for reading	/proc/79/cmdline
File opened for reading	/proc/163/cmdline
File opened for reading	/proc/591/cmdline
File opened for reading	/proc/285/cmdline
File opened for reading	/proc/4/cmdline
File opened for reading	/proc/7/cmdline
File opened for reading	/proc/13/cmdline
File opened for reading	/proc/155/cmdline
File opened for reading	/proc/162/cmdline
File opened for reading	/proc/165/cmdline
File opened for reading	/proc/172/cmdline
File opened for reading	/proc/429/cmdline
File opened for reading	/proc/593/cmdline
File opened for reading	/proc/10/cmdline
File opened for reading	/proc/17/cmdline
File opened for reading	/proc/30/cmdline
File opened for reading	/proc/115/cmdline
File opened for reading	/proc/166/cmdline
File opened for reading	/proc/371/cmdline
File opened for reading	/proc/567/cmdline
File opened for reading	/proc/36/cmdline
File opened for reading	/proc/160/cmdline
File opened for reading	/proc/253/cmdline
File opened for reading	/proc/334/cmdline
File opened for reading	/proc/410/cmdline
File opened for reading	/proc/5/cmdline
File opened for reading	/proc/11/cmdline
File opened for reading	/proc/159/cmdline
File opened for reading	/proc/171/cmdline
File opened for reading	/proc/601/cmdline
File opened for reading	/proc/12/cmdline
File opened for reading	/proc/29/cmdline
File opened for reading	/proc/98/cmdline
File opened for reading	/proc/167/cmdline
File opened for reading	/proc/335/cmdline

/tmp/75a88da8eb68a86955194ffd839ace87201ebad837cf6d9dfddbb2f6a1ef08aa.elf
/tmp/75a88da8eb68a86955194ffd839ace87201ebad837cf6d9dfddbb2f6a1ef08aa.elf
1⤵
- Changes its process name
PID:596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/596-1-0x0000000008048000-0x0000000008057900-memory.dmp

Download