mirai | e61207e0bc6e69fd28d17073fb08256bc288be9ce949760dc0758d81447ed2d7

Analysis

max time kernel
124s
max time network
160s
platform
debian-9_mips
resource
debian9-mipsbe-20221111-en
resource tags

arch:mipsimage:debian9-mipsbe-20221111-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
11-05-2023 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Linux.Generic.298766.32725.20286.elf.bin
Size

26KB
MD5

5e049ed7c60e7e05104d1d654161d868
SHA1

b92ecbbdd86b5197aef0752bed2bf959803298f1
SHA256

e61207e0bc6e69fd28d17073fb08256bc288be9ce949760dc0758d81447ed2d7
SHA512

6a8b0d4077ffba105d765ec326e8e8ff62492b4753559b80ff3f79c9533a06d8075e863f161638d62cf8ce0802c8820c2c32b53aff70ae52f888d79e31b292be
SSDEEP

768:WUnnuN5h5MO30lW1YhtXhWMbOiJgGlzDpbuR1JP:WUnurjMOLYLhWanVJuZ

Score

10^/10

mirai botnet discovery

Malware Config

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (80678) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Changes its process name 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Linux.Generic.298766.32725.20286.elf.bin

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	/var/Sofia	337	SecuriteInfo.com.Trojan.Linux.Generic.298766.32725.20286.elf.bin

Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

SecuriteInfo.com.Trojan.Linux.Generic.298766.32725.20286.elf.bin

description ioc process

File opened for reading /proc/net/tcp SecuriteInfo.com.Trojan.Linux.Generic.298766.32725.20286.elf.bin
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

SecuriteInfo.com.Trojan.Linux.Generic.298766.32725.20286.elf.bin

description ioc process

File opened for reading /proc/net/tcp SecuriteInfo.com.Trojan.Linux.Generic.298766.32725.20286.elf.bin

description	ioc	process
File opened for reading	/proc/net/tcp	SecuriteInfo.com.Trojan.Linux.Generic.298766.32725.20286.elf.bin

description	ioc	process
File opened for reading	/proc/net/tcp	SecuriteInfo.com.Trojan.Linux.Generic.298766.32725.20286.elf.bin

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/338/cmdline
File opened for reading	/proc/356/cmdline
File opened for reading	/proc/3/cmdline
File opened for reading	/proc/227/cmdline
File opened for reading	/proc/82/cmdline
File opened for reading	/proc/292/cmdline
File opened for reading	/proc/2/cmdline
File opened for reading	/proc/4/cmdline
File opened for reading	/proc/18/cmdline
File opened for reading	/proc/104/cmdline
File opened for reading	/proc/145/cmdline
File opened for reading	/proc/228/cmdline
File opened for reading	/proc/345/cmdline
File opened for reading	/proc/14/cmdline
File opened for reading	/proc/75/cmdline
File opened for reading	/proc/76/cmdline
File opened for reading	/proc/22/cmdline
File opened for reading	/proc/24/cmdline
File opened for reading	/proc/23/cmdline
File opened for reading	/proc/37/cmdline
File opened for reading	/proc/139/cmdline
File opened for reading	/proc/223/cmdline
File opened for reading	/proc/332/cmdline
File opened for reading	/proc/335/cmdline
File opened for reading	/proc/10/cmdline
File opened for reading	/proc/19/cmdline
File opened for reading	/proc/344/cmdline
File opened for reading	/proc/352/cmdline
File opened for reading	/proc/16/cmdline
File opened for reading	/proc/17/cmdline
File opened for reading	/proc/36/cmdline
File opened for reading	/proc/71/cmdline
File opened for reading	/proc/8/cmdline
File opened for reading	/proc/13/cmdline
File opened for reading	/proc/303/cmdline
File opened for reading	/proc/336/cmdline
File opened for reading	/proc/74/cmdline
File opened for reading	/proc/77/cmdline
File opened for reading	/proc/371/cmdline
File opened for reading	/proc/6/cmdline
File opened for reading	/proc/7/cmdline
File opened for reading	/proc/21/cmdline
File opened for reading	/proc/115/cmdline
File opened for reading	/proc/224/cmdline
File opened for reading	/proc/5/cmdline
File opened for reading	/proc/12/cmdline
File opened for reading	/proc/254/cmdline
File opened for reading	/proc/69/cmdline
File opened for reading	/proc/215/cmdline
File opened for reading	/proc/11/cmdline
File opened for reading	/proc/15/cmdline
File opened for reading	/proc/81/cmdline
File opened for reading	/proc/114/cmdline
File opened for reading	/proc/155/cmdline
File opened for reading	/proc/1/cmdline
File opened for reading	/proc/9/cmdline
File opened for reading	/proc/258/cmdline
File opened for reading	/proc/261/cmdline
File opened for reading	/proc/290/cmdline
File opened for reading	/proc/333/cmdline
File opened for reading	/proc/79/cmdline
File opened for reading	/proc/252/cmdline
File opened for reading	/proc/73/cmdline
File opened for reading	/proc/284/cmdline

/tmp/SecuriteInfo.com.Trojan.Linux.Generic.298766.32725.20286.elf.bin
/tmp/SecuriteInfo.com.Trojan.Linux.Generic.298766.32725.20286.elf.bin
1⤵
- Changes its process name
- Enumerates active TCP sockets
- Reads system network configuration
PID:337

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Scanning

T1046

System Network Connections Discovery

T1049

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/337-1-0x00400000-0x004508f0-memory.dmp

Download