mirai | 56f386b78cadd6f9ea658ef5ddbef06c2ade3f43559ef64f2ac7857fff749693

Analysis

max time kernel
153s
max time network
102s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
03-06-2023 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a79468f0a428271359625b9360d319ad.elf
Size

22KB
MD5

a79468f0a428271359625b9360d319ad
SHA1

638b337e7b1985fc7aa65ce8fe48ebe7d0290601
SHA256

56f386b78cadd6f9ea658ef5ddbef06c2ade3f43559ef64f2ac7857fff749693
SHA512

848d94adee7a49743d1a273e094446c820cfcabe198e5d18c7ea6b80de9f422c9cbcb5d9918a3d793c4bb3d6fd20ae7de324dd79a67b97e2cbadb7b40e86e23c
SSDEEP

384:jDYC95A2rM7RjFrvX2V6H2XJ8LaHYsbX1chQO1Hfmmcb4/N7KbxTKqB+cuiFqcJU:jDZ5Dw7RjFjcU+O24sDO1uE/Nmbx+qBq

Score

10^/10

mirai lzrd botnet

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

description ioc

File opened for modification /dev/watchdog
File opened for modification /dev/misc/watchdog
Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /sbin/watchdog
File opened for modification /bin/watchdog

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

Reads runtime system information 13 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/615/cmdline
File opened for reading	/proc/422/cmdline
File opened for reading	/proc/424/cmdline
File opened for reading	/proc/565/cmdline
File opened for reading	/proc/591/cmdline
File opened for reading	/proc/592/cmdline
File opened for reading	/proc/600/cmdline
File opened for reading	/proc/409/cmdline
File opened for reading	/proc/460/cmdline
File opened for reading	/proc/593/cmdline
File opened for reading	/proc/594/cmdline
File opened for reading	/proc/599/cmdline
File opened for reading	/proc/619/cmdline

/tmp/a79468f0a428271359625b9360d319ad.elf
/tmp/a79468f0a428271359625b9360d319ad.elf
1⤵
PID:596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/596-1-0x0000000000400000-0x000000000050de48-memory.dmp

Download