mirai | da995b21eec86f7e8d8b8d376ad138069987fb4f7efc4d67e26a73f486f22a30

Analysis

max time kernel
152s
max time network
154s
platform
debian-9_armhf
resource
debian9-armhf-20231215-en
resource tags

arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
20/12/2023, 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dab4c1f87b0934db639b0ce28dcdaa1
Size

54KB
MD5

8dab4c1f87b0934db639b0ce28dcdaa1
SHA1

50c7201dc308a2fd0e4a93ce3ebd04ad5d3ae0a7
SHA256

da995b21eec86f7e8d8b8d376ad138069987fb4f7efc4d67e26a73f486f22a30
SHA512

d32009a6a4277da15db449fa8e1e020ca1757e8373e5fe34424e8a4356244525009bce208dbef451e5d3e9d5a41f030cccf9f607292c40be158c0b188bb2104b
SSDEEP

1536:8NvCoA4PBwI5gz8xTfN+LbqqCLlFmLRCyRoe7zA:8VCo3CQgwNQbdylQEVcs

Score

10^/10

mirai botnet discovery

Malware Config

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (167624) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	GNU	667	8dab4c1f87b0934db639b0ce28dcdaa1

Deletes log files 1 TTPs 2 IoCs

Deletes log files on the system.

Indicator Removal

T1070

description	ioc	Process
File truncated	/var/log/wtmp	sh
File truncated	/var/log/secure	sh

Disables SELinux 3 IoCs

Disables SELinux security module.

pid	Process
709	setenforce
727	mount
814	mount

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc
File opened for reading	/proc/net/tcp

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/tcp

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/block	umount

Reads runtime system information 13 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	setenforce
File opened for reading	/proc/self/exe	8dab4c1f87b0934db639b0ce28dcdaa1
File opened for reading	/proc/filesystems	umount
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/710/exe	Process not Found
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/self/mountinfo	umount
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	mount

/tmp/8dab4c1f87b0934db639b0ce28dcdaa1
/tmp/8dab4c1f87b0934db639b0ce28dcdaa1
1⤵
- Changes its process name
- Reads runtime system information
PID:667
- /bin/sh
  sh -c "rm -rf /tmp/* /var/tmp/*"
  2⤵
  PID:668
- - /bin/rm
    rm -rf /tmp/8dab4c1f87b0934db639b0ce28dcdaa1 /tmp/systemd-private-18ccc832a72342af8cbb15f4e004664d-systemd-timedated.service-7PKVfo /var/tmp/systemd-private-18ccc832a72342af8cbb15f4e004664d-systemd-timedated.service-IZ6Qbb
    3⤵
    PID:671
- /bin/sh
  sh -c "echo 0>/var/log/wtmp"
  2⤵
  - Deletes log files
  PID:675
- /bin/sh
  sh -c "rm -rf /bin/netstat"
  2⤵
  PID:676
- - /bin/rm
    rm -rf /bin/netstat
    3⤵
    PID:677
- /bin/sh
  sh -c "echo 0>/var/log/secure"
  2⤵
  - Deletes log files
  PID:679
- /bin/sh
  sh -c "/sbin/iptables -A INPUT -p tcp --destination-port 22 -j DROP"
  2⤵
  PID:680
- - /sbin/iptables
    /sbin/iptables -A INPUT -p tcp --destination-port 22 -j DROP
    3⤵
    PID:681
- /bin/sh
  sh -c "/sbin/iptables -A INPUT -p tcp --destination-port 80 -j DROP"
  2⤵
  PID:688
- - /sbin/iptables
    /sbin/iptables -A INPUT -p tcp --destination-port 80 -j DROP
    3⤵
    PID:690
- /bin/sh
  sh -c "/sbin/iptables -A INPUT -p tcp --destination-port 37215 -j DROP"
  2⤵
  PID:691
- - /sbin/iptables
    /sbin/iptables -A INPUT -p tcp --destination-port 37215 -j DROP
    3⤵
    PID:692
- /bin/sh
  sh -c "/sbin/iptables -A INPUT -p tcp --destination-port 23 -j DROP"
  2⤵
  PID:693
- - /sbin/iptables
    /sbin/iptables -A INPUT -p tcp --destination-port 23 -j DROP
    3⤵
    PID:694
- /bin/sh
  sh -c "rm -rf ~/.bash_history"
  2⤵
  PID:696
- - /bin/rm
    rm -rf "~/.bash_history"
    3⤵
    PID:697
- /bin/sh
  sh -c "history -c"
  2⤵
  PID:698
- /bin/sh
  sh -c "/bin/busybox cp /tmp/8dab4c1f87b0934db639b0ce28dcdaa1 /usr/sbin/developer"
  2⤵
  PID:701
- - /bin/busybox
    /bin/busybox cp /tmp/8dab4c1f87b0934db639b0ce28dcdaa1 /usr/sbin/developer
    3⤵
    PID:702
- /bin/sh
  sh -c "/bin/busybox cp /tmp/8dab4c1f87b0934db639b0ce28dcdaa1 /etc/init.d/developer"
  2⤵
  PID:704
- - /bin/busybox
    /bin/busybox cp /tmp/8dab4c1f87b0934db639b0ce28dcdaa1 /etc/init.d/developer
    3⤵
    PID:705
- /bin/sh
  sh -c "/sbin/chkconfig --add mashiro"
  2⤵
  PID:706
- - /sbin/chkconfig
    /sbin/chkconfig --add mashiro
    3⤵
    PID:707
- /bin/sh
  sh -c "setenforce 0"
  2⤵
  PID:708
- - /usr/sbin/setenforce
    setenforce 0
    3⤵
    - Disables SELinux
    - Reads runtime system information
    PID:709

/bin/sh
sh -c "umount /proc/*"
1⤵
PID:700
- /bin/umount
  umount /proc/1 /proc/10 /proc/108 /proc/11 /proc/110 /proc/111 /proc/12 /proc/13 /proc/138 /proc/139 /proc/14 /proc/146 /proc/15 /proc/153 /proc/16 /proc/17 /proc/171 /proc/18 /proc/19 /proc/2 /proc/20 /proc/204 /proc/21 /proc/210 /proc/22 /proc/23 /proc/24 /proc/25 /proc/26 /proc/27 /proc/275 /proc/28 /proc/281 /proc/282 /proc/285 /proc/286 /proc/29 /proc/3 /proc/306 /proc/308 /proc/318 /proc/347 /proc/4 /proc/41 /proc/42 /proc/43 /proc/5 /proc/572 /proc/584 /proc/590 /proc/591 /proc/6 /proc/605 /proc/638 /proc/644 /proc/645 /proc/647 /proc/649 /proc/650 /proc/653 /proc/667 /proc/670 /proc/683 /proc/699 /proc/7 /proc/700 /proc/701 /proc/702 /proc/78 /proc/8 /proc/9 /proc/99 /proc/apm /proc/buddyinfo /proc/bus /proc/cgroups /proc/cmdline /proc/consoles /proc/cpu /proc/cpuinfo /proc/crypto /proc/device-tree /proc/devices /proc/diskstats /proc/driver /proc/execdomains /proc/fb /proc/filesystems /proc/fs /proc/interrupts /proc/iomem /proc/ioports /proc/irq /proc/kallsyms /proc/key-users /proc/keys /proc/kmsg /proc/kpagecgroup /proc/kpagecount /proc/kpageflags /proc/loadavg /proc/locks /proc/meminfo /proc/misc /proc/modules /proc/mounts /proc/mtd /proc/net /proc/pagetypeinfo /proc/partitions /proc/sched_debug /proc/schedstat /proc/self /proc/slabinfo /proc/softirqs /proc/stat /proc/swaps /proc/sys /proc/sysrq-trigger /proc/sysvipc /proc/thread-self /proc/timer_list /proc/tty /proc/uptime /proc/version /proc/vmallocinfo /proc/vmstat /proc/zoneinfo
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:703

/bin/sh
sh -c "mount -o bind /tmp /proc/711"
1⤵
PID:713
- /bin/mount
  mount -o bind /tmp /proc/711
  2⤵
  - Reads runtime system information
  PID:718

/bin/sh
sh -c "mount -o bind /tmp /proc/712"
1⤵
PID:714
- /bin/mount
  mount -o bind /tmp /proc/712
  2⤵
  - Reads runtime system information
  PID:717

/bin/sh
sh -c "mount -o bind /tmp /proc/715"
1⤵
PID:716
- /bin/mount
  mount -o bind /tmp /proc/715
  2⤵
  - Reads runtime system information
  PID:719

/bin/sh
sh -c "mount -o bind /tmp /proc/699"
1⤵
PID:722
- /bin/mount
  mount -o bind /tmp /proc/699
  2⤵
  - Reads runtime system information
  PID:723

/bin/sh
sh -c "mount -o bind /tmp /proc/710"
1⤵
PID:726
- /bin/mount
  mount -o bind /tmp /proc/710
  2⤵
  - Disables SELinux
  - Reads runtime system information
  PID:727

/bin/sh
sh -c "mount -o bind /tmp /proc/808"
1⤵
PID:811
- /bin/mount
  mount -o bind /tmp /proc/808
  2⤵
  - Reads runtime system information
  PID:815

/bin/sh
sh -c "mount -o bind /tmp /proc/809"
1⤵
PID:812
- /bin/mount
  mount -o bind /tmp /proc/809
  2⤵
  - Reads runtime system information
  PID:816

/bin/sh
sh -c "mount -o bind /tmp /proc/810"
1⤵
PID:813
- /bin/mount
  mount -o bind /tmp /proc/810
  2⤵
  - Disables SELinux
  - Reads runtime system information
  PID:814

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...