mirai | cd7ec25de399aaeaa8bb28d2be78168325c5fcd8a21c630b42b8e9b3bad158b8

Analysis

max time kernel
151s
max time network
150s
platform
linux_armhf
resource
debian9-armhf-en-20211208
resource tags

arch:armhfimage:debian9-armhf-en-20211208kernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
29-05-2023 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2d08734fa697c7e03a05e8307a0435f.elf
Size

47KB
MD5

d2d08734fa697c7e03a05e8307a0435f
SHA1

5d21ef1fbaac25b46504e691cf07fe6912479a93
SHA256

cd7ec25de399aaeaa8bb28d2be78168325c5fcd8a21c630b42b8e9b3bad158b8
SHA512

88a2ffeb403ae1dadd6204bc7eb7ae533dcc2f9a2e32ba214e5f1f39d3b47f72fc6f92004487f4687fa88635f9ad48cd03a5714f40471e92793b50693dbeac0a
SSDEEP

768:8m5gQkZb6ifu/Ggh9OHApqBt1m1UlFzXn+PtwhHya80lfeA2Fdphg7C:R5mb6itgUAcXR73+6hH+AS7

Score

10^/10

mirai botnet

Malware Config

Extracted

Family

mirai

client.orxy.space

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Changes its process name 1 IoCs

Processes:

d2d08734fa697c7e03a05e8307a0435f.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself a 359 d2d08734fa697c7e03a05e8307a0435f.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	a	359	d2d08734fa697c7e03a05e8307a0435f.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

d2d08734fa697c7e03a05e8307a0435f.elf

description	ioc	process
File opened for modification	/dev/misc/watchdog	d2d08734fa697c7e03a05e8307a0435f.elf
File opened for modification	/dev/watchdog	d2d08734fa697c7e03a05e8307a0435f.elf

Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

d2d08734fa697c7e03a05e8307a0435f.elf

description ioc process

File opened for modification /usr/bin/watchdog d2d08734fa697c7e03a05e8307a0435f.elf

description	ioc	process
File opened for modification	/usr/bin/watchdog	d2d08734fa697c7e03a05e8307a0435f.elf

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

Processes:

d2d08734fa697c7e03a05e8307a0435f.elf

description	ioc	process
File opened for modification	/sbin/watchdog	d2d08734fa697c7e03a05e8307a0435f.elf
File opened for modification	/bin/watchdog	d2d08734fa697c7e03a05e8307a0435f.elf

Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

d2d08734fa697c7e03a05e8307a0435f.elf

description ioc process

File opened for reading /proc/self/exe d2d08734fa697c7e03a05e8307a0435f.elf

description	ioc	process
File opened for reading	/proc/self/exe	d2d08734fa697c7e03a05e8307a0435f.elf

/tmp/d2d08734fa697c7e03a05e8307a0435f.elf
/tmp/d2d08734fa697c7e03a05e8307a0435f.elf
1⤵
- Changes its process name
- Modifies Watchdog functionality
- Write file to user bin folder
- Writes file to system bin folder
- Reads runtime system information
PID:359

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Impair Defenses

T1562

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/359-1-0x00008000-0x000283d0-memory.dmp

Download