mirai | 6ad8096f2aedc5b1b02499859522b7c60daf7b15c2aea020592267e0c0829c4f

Analysis

max time kernel
152s
max time network
153s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221125-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221125-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
13-05-2023 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb464f795c9e28e1f27e3b12c08371df.elf
Size

33KB
MD5

bb464f795c9e28e1f27e3b12c08371df
SHA1

80c852056d611d2cadea04ad546c7e278ce95fd9
SHA256

6ad8096f2aedc5b1b02499859522b7c60daf7b15c2aea020592267e0c0829c4f
SHA512

3193df32af151c13f874cfb745043cab50088850ce00aae923bbbe932cd51cceee0dec281d2df83bfa1c2d8b5283fc4d400baa52fe7a86c60130efb37cd8edd7
SSDEEP

768:rVTYpklmmGA37Bk2gHNEUAgnSPx6N3to4ook+a13Tv:JE1m3Bk24qUzSEDojb+e3b

Score

10^/10

mirai botnet discovery

Malware Config

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (37114) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Changes its process name 1 IoCs

Processes:

bb464f795c9e28e1f27e3b12c08371df.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself /bin/watchdog 594 bb464f795c9e28e1f27e3b12c08371df.elf
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

description ioc

File opened for reading /proc/net/tcp
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

description ioc

File opened for reading /proc/net/tcp

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	/bin/watchdog	594	bb464f795c9e28e1f27e3b12c08371df.elf

description	ioc
File opened for reading	/proc/net/tcp

description	ioc
File opened for reading	/proc/net/tcp

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/1225/exe
File opened for reading	/proc/1493/exe
File opened for reading	/proc/1025/exe
File opened for reading	/proc/1963/exe
File opened for reading	/proc/589/exe
File opened for reading	/proc/620/exe
File opened for reading	/proc/807/exe
File opened for reading	/proc/1058/exe
File opened for reading	/proc/785/exe
File opened for reading	/proc/1024/exe
File opened for reading	/proc/1112/exe
File opened for reading	/proc/1849/exe
File opened for reading	/proc/1929/exe
File opened for reading	/proc/1078/exe
File opened for reading	/proc/1949/exe
File opened for reading	/proc/684/exe
File opened for reading	/proc/958/exe
File opened for reading	/proc/2050/exe
File opened for reading	/proc/1159/exe
File opened for reading	/proc/1179/exe
File opened for reading	/proc/1259/exe
File opened for reading	/proc/2063/exe
File opened for reading	/proc/443/exe
File opened for reading	/proc/782/exe
File opened for reading	/proc/1815/exe
File opened for reading	/proc/633/exe
File opened for reading	/proc/780/exe
File opened for reading	/proc/789/exe
File opened for reading	/proc/991/exe
File opened for reading	/proc/1011/exe
File opened for reading	/proc/1594/exe
File opened for reading	/proc/2016/exe
File opened for reading	/proc/403/exe
File opened for reading	/proc/1561/exe
File opened for reading	/proc/1748/exe
File opened for reading	/proc/411/exe
File opened for reading	/proc/1158/exe
File opened for reading	/proc/1695/exe
File opened for reading	/proc/1762/exe
File opened for reading	/proc/1795/exe
File opened for reading	/proc/2096/exe
File opened for reading	/proc/1581/exe
File opened for reading	/proc/590/exe
File opened for reading	/proc/597/exe
File opened for reading	/proc/601/exe
File opened for reading	/proc/770/exe
File opened for reading	/proc/1292/exe
File opened for reading	/proc/1360/exe
File opened for reading	/proc/1527/exe
File opened for reading	/proc/591/exe
File opened for reading	/proc/1782/exe
File opened for reading	/proc/1896/exe
File opened for reading	/proc/410/exe
File opened for reading	/proc/778/exe
File opened for reading	/proc/666/exe
File opened for reading	/proc/768/exe
File opened for reading	/proc/771/exe
File opened for reading	/proc/1212/exe
File opened for reading	/proc/1447/exe
File opened for reading	/proc/1983/exe
File opened for reading	/proc/2083/exe
File opened for reading	/proc/776/exe
File opened for reading	/proc/781/exe
File opened for reading	/proc/1293/exe

/tmp/bb464f795c9e28e1f27e3b12c08371df.elf
/tmp/bb464f795c9e28e1f27e3b12c08371df.elf
1⤵
- Changes its process name
PID:594

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

System Network Connections Discovery

T1049

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/594-1-0x0000000008048000-0x000000000805b840-memory.dmp

Download