mirai | 138a57ba868d36405d93bbb19061cdef1b2600f7e97eb46ac03441202ee5e211

Analysis

max time kernel
151s
max time network
152s
platform
debian-9_armhf
resource
debian9-armhf-20221111-en
resource tags

arch:armhfimage:debian9-armhf-20221111-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
13-05-2023 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e0b0c2014e2bf86e328bb7011579aaa.elf
Size

57KB
MD5

3e0b0c2014e2bf86e328bb7011579aaa
SHA1

5476315a86b12d0f6bd359212c8b631945fe6334
SHA256

138a57ba868d36405d93bbb19061cdef1b2600f7e97eb46ac03441202ee5e211
SHA512

284f3c6ee140d3fe976cc3fb7aa2a27a87b4d1b03349b9c2b26a9432d53913f9304019246aff6631d10201e67e14ae219991efad40c5edd35df7eb0d46ff805e
SSDEEP

768:B5vZRCdVnbBTnBNXj6u/+e2cQKHsrjBpYyTVb7b79q3UELcnPFHbeNNjfNBTBO7K:B5v/sbBTBojXLRjf5VnWLc97eNZzIm

Score

10^/10

mirai botnet discovery

Malware Config

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (68826) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Changes its process name 1 IoCs

Processes:

3e0b0c2014e2bf86e328bb7011579aaa.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself /bin/watchdog 423 3e0b0c2014e2bf86e328bb7011579aaa.elf
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

description ioc

File opened for reading /proc/net/tcp
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

description ioc

File opened for reading /proc/net/tcp

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	/bin/watchdog	423	3e0b0c2014e2bf86e328bb7011579aaa.elf

description	ioc
File opened for reading	/proc/net/tcp

description	ioc
File opened for reading	/proc/net/tcp

Reads runtime system information 3 IoCs

Reads data from /proc virtual filesystem.

Processes:

3e0b0c2014e2bf86e328bb7011579aaa.elfmkdir

description	ioc	process
File opened for reading	/proc/self/exe	3e0b0c2014e2bf86e328bb7011579aaa.elf
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/433/exe

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

sh

description ioc process

File opened for modification /tmp/bin/watchdog sh

description	ioc	process
File opened for modification	/tmp/bin/watchdog	sh

/tmp/3e0b0c2014e2bf86e328bb7011579aaa.elf
/tmp/3e0b0c2014e2bf86e328bb7011579aaa.elf
1⤵
- Changes its process name
- Reads runtime system information
PID:423

/bin/sh
/bin/sh -c "rm -rf bin/watchdog && mkdir bin; >bin/watchdog && mv /tmp/3e0b0c2014e2bf86e328bb7011579aaa.elf bin/watchdog��a; chmod 777 ��bin/watchdog"
2⤵
- Writes file to tmp directory
PID:424

rm
rm -rf bin/watchdog
3⤵
PID:425

mkdir
mkdir "bin"
3⤵
- Reads runtime system information
PID:426

chmod
chmod 777 "��bin/watchdog"
3⤵
PID:431

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

System Network Connections Discovery

T1049

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/423-1-0x00008000-0x000293fc-memory.dmp

Download