mirai | 7224805c737e382ac2ce12eae6d0832163c13b84ba4caf4251a57a9150f0f8cd

Analysis

max time kernel
153s
max time network
158s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20/12/2023, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80e3820c3adb3779e56ac79f51ebe4fc
Size

28KB
MD5

80e3820c3adb3779e56ac79f51ebe4fc
SHA1

73dfafd32ab95502a3b578294fa8ab8ffcaf76c7
SHA256

7224805c737e382ac2ce12eae6d0832163c13b84ba4caf4251a57a9150f0f8cd
SHA512

5829d0c1346fde6a1f953f0a9bc13f4d91c41a072c5979c36bcf7f559922f38b907f71c7e7c5a06f11bb8d170495fef0fcf33139ba1fc762ee667dd2d752e645
SSDEEP

384:M8ak34teJykdIgzmFDATW7Q2EvlZe2PA0bRsViOnEgfKv+Icd5y2nqoq33pdhZm0:gkH94Aq7D2e2PtDMEalI2n+3paL6jB

Score

10^/10

mirai unstable botnet discovery

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

cnc.404verified.xyz

scan.404verified.xyz

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (81404) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	a	1534	80e3820c3adb3779e56ac79f51ebe4fc

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

/tmp/80e3820c3adb3779e56ac79f51ebe4fc
/tmp/80e3820c3adb3779e56ac79f51ebe4fc
1⤵
- Changes its process name
PID:1534

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads