mirai | 2afe3f14f806f1b435e2c7c0e82e7e709c8abc4db41b92dddac0fd5df7accb7f

Analysis

max time kernel
152s
max time network
155s
platform
linux_armhf
resource
debian9-armhf-en-20211208
resource tags

arch:armhfimage:debian9-armhf-en-20211208kernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
29-05-2023 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1781b6440c32c3cd3b5af772eae3b6f.elf
Size

56KB
MD5

c1781b6440c32c3cd3b5af772eae3b6f
SHA1

f32bb16ada1982fd1b2957687b325c0e654f8749
SHA256

2afe3f14f806f1b435e2c7c0e82e7e709c8abc4db41b92dddac0fd5df7accb7f
SHA512

788ef2c2168cbd772db483855cf3a8aac796af14715f359dc8738bd14179a3bf9e09e15b8d8e625f2dd88a6d85b18209b274567db5c4054e4d9bd3704aad4c5e
SSDEEP

1536:mmRRqYI3gyfg/cTfAfVIYftVufrX51x7kDEc3Slge3:mmTLyI/cTfAfmdhc3Pe

Score

10^/10

mirai unstable botnet discovery

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (157694) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Changes its process name 1 IoCs

Processes:

c1781b6440c32c3cd3b5af772eae3b6f.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself a 351 c1781b6440c32c3cd3b5af772eae3b6f.elf
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

description ioc

File opened for modification /dev/watchdog
File opened for modification /dev/misc/watchdog
Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /sbin/watchdog
File opened for modification /bin/watchdog
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

c1781b6440c32c3cd3b5af772eae3b6f.elf

description ioc process

File opened for reading /proc/self/exe c1781b6440c32c3cd3b5af772eae3b6f.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	a	351	c1781b6440c32c3cd3b5af772eae3b6f.elf

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

description	ioc	process
File opened for reading	/proc/self/exe	c1781b6440c32c3cd3b5af772eae3b6f.elf

/tmp/c1781b6440c32c3cd3b5af772eae3b6f.elf
/tmp/c1781b6440c32c3cd3b5af772eae3b6f.elf
1⤵
- Changes its process name
- Reads runtime system information
PID:351

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/351-1-0x00008000-0x0002c57c-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads