mirai | a53bb4bc27710e6eed0c689b28aeaf7517e6c408724585f77213d661a8960a9d

Analysis

max time kernel
1s
max time network
127s
platform
debian-9_armhf
resource
debian9-armhf-20221125-en
resource tags

arch:armhfimage:debian9-armhf-20221125-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
09/07/2023, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36010x000080000x00029e74m.dmp
Size

91KB
MD5

2da4f6a4491e864a722675bf77c02da1
SHA1

ecab849c5fef628242f7ff08e51d7c87e30e4100
SHA256

a53bb4bc27710e6eed0c689b28aeaf7517e6c408724585f77213d661a8960a9d
SHA512

626a2f1c5ea4ec2d3f68f8557cfad9f7bb48afaa07395f4ba2d8840d72684e8618ca350cd814f698228cbbc5389f9976132e51ba5a3e4e4bdbb2a2bd31670393
SSDEEP

1536:I3nFHb0K46xXW5h2Zkor08YMSuaA8FlLZFSlTelhaiSUQ91oQWIOZTNMRNa:sbj9xmXar08FSuaA8FlLZNWUQ9uQWIOL

Score

10^/10

mirai mirai botnet

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	a	363	36010x000080000x00029e74m.dmp

Enumerates active TCP sockets 1 TTPs 2 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	36010x000080000x00029e74m.dmp
File opened for reading	/proc/net/tcp	Process not Found

Enumerates running processes
Discovers information about currently running processes on the system

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc	Process
File opened for reading	/proc/net/tcp	Process not Found
File opened for reading	/proc/net/tcp	36010x000080000x00029e74m.dmp

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/16/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/17/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/13/cmdline	Process not Found
File opened for reading	/proc/283/cmdline	Process not Found
File opened for reading	/proc/95/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/11/cmdline	Process not Found
File opened for reading	/proc/15/cmdline	Process not Found
File opened for reading	/proc/21/cmdline	Process not Found
File opened for reading	/proc/95/cmdline	Process not Found
File opened for reading	/proc/162/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/222/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/14/cmdline	Process not Found
File opened for reading	/proc/359/cmdline	Process not Found
File opened for reading	/proc/28/cmdline	Process not Found
File opened for reading	/proc/13/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/18/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/41/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/244/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/357/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/6/cmdline	Process not Found
File opened for reading	/proc/42/cmdline	Process not Found
File opened for reading	/proc/43/cmdline	Process not Found
File opened for reading	/proc/24/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/134/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/359/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/242/cmdline	Process not Found
File opened for reading	/proc/365/cmdline	Process not Found
File opened for reading	/proc/27/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/3/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/43/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/107/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/132/cmdline	Process not Found
File opened for reading	/proc/134/cmdline	Process not Found
File opened for reading	/proc/294/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/281/cmdline	Process not Found
File opened for reading	/proc/315/cmdline	Process not Found
File opened for reading	/proc/7/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/362/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/26/cmdline	Process not Found
File opened for reading	/proc/362/cmdline	Process not Found
File opened for reading	/proc/10/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/74/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/283/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/9/cmdline	Process not Found
File opened for reading	/proc/17/cmdline	Process not Found
File opened for reading	/proc/222/cmdline	Process not Found
File opened for reading	/proc/1/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/12/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/28/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/29/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/281/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/24/cmdline	Process not Found
File opened for reading	/proc/255/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/7/cmdline	Process not Found
File opened for reading	/proc/106/cmdline	Process not Found
File opened for reading	/proc/154/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/317/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/318/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/18/cmdline	Process not Found
File opened for reading	/proc/361/cmdline	Process not Found
File opened for reading	/proc/21/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/23/cmdline	36010x000080000x00029e74m.dmp
File opened for reading	/proc/2/cmdline	Process not Found
File opened for reading	/proc/364/cmdline	Process not Found

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/temp6DmdFx	36010x000080000x00029e74m.dmp

/tmp/36010x000080000x00029e74m.dmp
/tmp/36010x000080000x00029e74m.dmp
1⤵
- Changes its process name
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:363

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/temp6DmdFx

Filesize
91KB

MD5
2da4f6a4491e864a722675bf77c02da1

SHA1
ecab849c5fef628242f7ff08e51d7c87e30e4100

SHA256
a53bb4bc27710e6eed0c689b28aeaf7517e6c408724585f77213d661a8960a9d

SHA512
626a2f1c5ea4ec2d3f68f8557cfad9f7bb48afaa07395f4ba2d8840d72684e8618ca350cd814f698228cbbc5389f9976132e51ba5a3e4e4bdbb2a2bd31670393

Download Submit