mirai | 4e2c5513cf1c4a3c12c6e108d0120d57355b3411c30d59dfb0d263ad932b6868

Analysis

max time kernel
150s
max time network
152s
platform
debian-9_armhf
resource
debian9-armhf-20231221-en
resource tags

arch:armhfimage:debian9-armhf-20231221-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
12-02-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arm7
Size

58KB
MD5

60b10da752b888d644e650933a3379f2
SHA1

3ed6c0b972869da6273757f3f1c94d8d351d11dc
SHA256

4e2c5513cf1c4a3c12c6e108d0120d57355b3411c30d59dfb0d263ad932b6868
SHA512

002a6e7f6c4d909056cc51e227fcc8c776ccad9d1e600513a83ce4876cd035bb12f129ca3a1a48d21d76bd654058c19af55fe3d3a66186786779dc8bf4df8e4b
SSDEEP

1536:vPsS3RDMckLByMgLGohIovgh5/CLNh4Mt/hr25eg2:vPsSBDMcnxzQh5qLNhH3K5S

Score

10^/10

mirai mirai botnet discovery

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (73694) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Changes its process name 1 IoCs

Processes:

arm7

description ioc pid process

Changes the process name, possibly in an attempt to hide itself svfvtlhajlh48ge21isdkhs8 665 arm7
Deletes itself 1 IoCs

Processes:

arm7

pid process

665 arm7
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

arm7

description ioc process

File opened for modification /dev/misc/watchdog arm7
File opened for modification /dev/watchdog arm7
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

arm7

description ioc process

File opened for reading /proc/self/exe arm7

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	svfvtlhajlh48ge21isdkhs8	665	arm7

pid	process
665	arm7

description	ioc	process
File opened for modification	/dev/misc/watchdog	arm7
File opened for modification	/dev/watchdog	arm7

description	ioc	process
File opened for reading	/proc/self/exe	arm7

/tmp/arm7
/tmp/arm7 0day_router
1⤵
- Changes its process name
- Deletes itself
- Modifies Watchdog functionality
- Reads runtime system information
PID:665

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/665-1-0x00008000-0x0002f830-memory.dmp

Download