mirai | 8313bbaf96f4f3f7bdf70c00190ea96a5d1a1264ef48b989eb53d1ca947d497b

Analysis

max time kernel
150s
max time network
144s
platform
debian-9_armhf
resource
debian9-armhf-20221125-en
resource tags

arch:armhfimage:debian9-armhf-20221125-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
03-06-2023 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f264ac226bc5e4f230ae6c99f4f397f3.elf
Size

45KB
MD5

f264ac226bc5e4f230ae6c99f4f397f3
SHA1

adae7d09d9448cce4ed337ddc9ec1ded0ae4b27a
SHA256

8313bbaf96f4f3f7bdf70c00190ea96a5d1a1264ef48b989eb53d1ca947d497b
SHA512

efffd11d888b86827fd5209f30c6d65cc1f9f5480a1fe9efc7fc6e8b9d5d53670514ca96f0bbad5921ad164d576ecbb32e1d713b5b5ea7b441ccaf363ad36058
SSDEEP

768:g/TYCoIxdEk+AxoTZAZHFeq8b3cA9q3UELbUXfi6nVMQHI4vcGpvv:gECFd+A6YHAxcJLRQZv

Score

10^/10

mirai lzrd botnet

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

description ioc

File opened for modification /dev/watchdog
File opened for modification /dev/misc/watchdog
Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /sbin/watchdog
File opened for modification /bin/watchdog

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

Reads runtime system information 20 IoCs

Reads data from /proc virtual filesystem.

Processes:

f264ac226bc5e4f230ae6c99f4f397f3.elf

description	ioc
File opened for reading	/proc/502/cmdline
File opened for reading	/proc/404/cmdline
File opened for reading	/proc/455/cmdline
File opened for reading	/proc/471/cmdline
File opened for reading	/proc/481/cmdline
File opened for reading	/proc/self/exe	f264ac226bc5e4f230ae6c99f4f397f3.elf
File opened for reading	/proc/459/cmdline
File opened for reading	/proc/419/cmdline
File opened for reading	/proc/420/cmdline
File opened for reading	/proc/422/cmdline
File opened for reading	/proc/470/cmdline
File opened for reading	/proc/461/cmdline
File opened for reading	/proc/467/cmdline
File opened for reading	/proc/489/cmdline
File opened for reading	/proc/501/cmdline
File opened for reading	/proc/401/cmdline
File opened for reading	/proc/428/cmdline
File opened for reading	/proc/438/cmdline
File opened for reading	/proc/448/cmdline
File opened for reading	/proc/503/cmdline

/tmp/f264ac226bc5e4f230ae6c99f4f397f3.elf
/tmp/f264ac226bc5e4f230ae6c99f4f397f3.elf
1⤵
- Reads runtime system information
PID:362

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Impair Defenses

T1562

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/362-1-0x00008000-0x00026464-memory.dmp

Download