mirai | d930e03b78f054fcff98330d08d5105dd2b82e4077d3e2320f2407c877ed0777

Analysis

max time kernel
150s
max time network
149s
platform
debian-9_armhf
resource
debian9-armhf-20221125-en
resource tags

arch:armhfimage:debian9-armhf-20221125-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
30-05-2023 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Heur.20230530012700444246915.elf
Size

44KB
MD5

3ee707af6422cd9a2a310f6fda458f6b
SHA1

a255ea6b39906b4c7bf15b1a52fdb43b50615f85
SHA256

d930e03b78f054fcff98330d08d5105dd2b82e4077d3e2320f2407c877ed0777
SHA512

e03d85628ec23454321f817ba3b453ad67da6f68603b7a1b1a9f86783096bcc1d58c68d6add988be145d6cb5b52b3dce1c2cc005c871faa07477630cf32a4ce7
SSDEEP

768:zs14hsFXVIgUksoW+lOqzqoU1PRreX4nblq3UIsVSasAyF/duUM2cZKq2acv:buFFxUhoWUOffPRiIbCsV9sAouUI7+

Score

10^/10

mirai botnet

Malware Config

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Changes its process name 1 IoCs

Processes:

SecuriteInfo.com.Heur.20230530012700444246915.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself /bin/sh 362 SecuriteInfo.com.Heur.20230530012700444246915.elf
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

description ioc

File opened for modification /dev/watchdog
File opened for modification /dev/misc/watchdog
Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /sbin/watchdog
File opened for modification /bin/watchdog
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

SecuriteInfo.com.Heur.20230530012700444246915.elf

description ioc process

File opened for reading /proc/self/exe SecuriteInfo.com.Heur.20230530012700444246915.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	/bin/sh	362	SecuriteInfo.com.Heur.20230530012700444246915.elf

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

description	ioc	process
File opened for reading	/proc/self/exe	SecuriteInfo.com.Heur.20230530012700444246915.elf

/tmp/SecuriteInfo.com.Heur.20230530012700444246915.elf
/tmp/SecuriteInfo.com.Heur.20230530012700444246915.elf
1⤵
- Changes its process name
- Reads runtime system information
PID:362

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/362-1-0x00008000-0x00024764-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads