Resubmissions

01-10-2023 15:04

231001-sfytyadb78 7

01-10-2023 14:51

231001-r757nabf2t 10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    linux_armhf
  • resource
    debian9-armhf-en-20211208
  • resource tags

    arch:armhfimage:debian9-armhf-en-20211208kernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    01-10-2023 14:51

General

  • Target

    xd.arm7.elf

  • Size

    52KB

  • MD5

    95e813075034c19d4059daf502745ab9

  • SHA1

    d755eba05bc3a68b73051c612f79f5a81f968650

  • SHA256

    0774ac44c906a4612d13aef5ea11620de133ea8806f55c28a1752a211010f9b9

  • SHA512

    eed95d24f1461d8db3f09aa5cf3a6fd3014ea870842dce4cd9b47a5fcc984d4b0e07db04dc318ab10c43667c9dd8eef5a9c0fe8fb6a644c2c1fc52c72ba8f725

  • SSDEEP

    768:BMte5B4PACtw/YcmRIe18D9q63TxZQbSORe7Su2QJnKE79TLrRUaj9q3UELbOs82:BM84ISRX63dZQbS5rzZmaiLIVmWji

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Contacts a large (18731) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 26 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/xd.arm7.elf
    /tmp/xd.arm7.elf
    1⤵
    • Reads runtime system information
    PID:355

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/355-1-0x00008000-0x000298d4-memory.dmp