mirai | cf1b85d4812f7ee052666276a184b481368f0c0c7a43e6d5df903535f466c5fd

Analysis

max time kernel
87s
max time network
153s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231221-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231221-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
13/02/2024, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf1b85d4812f7ee052666276a184b481368f0c0c7a43e6d5df903535f466c5fd.elf
Size

33KB
MD5

1fa25a704d6be67b041b62c02dd2b9f7
SHA1

ee840fe5aaf7a32eebb972ef043ada01ed586da1
SHA256

cf1b85d4812f7ee052666276a184b481368f0c0c7a43e6d5df903535f466c5fd
SHA512

57634cff1fc944341e97deebca79e6cf36f09578a987aa16b5d87a4feb9f19317269651f74d001d220aacebc940aade7a4c16e1cb0c6f29f945bd382d10b4c3a
SSDEEP

768:DkT3a5lElCF5CIpadEKUrJqxsk3JS2aEcCYeAAy3t3dGbpBcsX:4T30ElCPvp/7EkeLYtNwBX

Score

10^/10

mirai mirai botnet discovery evasion

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (73299) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	fwsg7ibdhueg8om5ww2l	1558	cf1b85d4812f7ee052666276a184b481368f0c0c7a43e6d5df903535f466c5fd.elf

Deletes Audit logs 1 TTPs 1 IoCs

Deletes logs related to the Linux Audit framework.

evasion

Indicator Removal

T1070

description	ioc
File deleted	/var/log/audit/audit.log

Deletes itself 1 IoCs

pid	Process
1558	cf1b85d4812f7ee052666276a184b481368f0c0c7a43e6d5df903535f466c5fd.elf

Deletes journal logs 1 TTPs 1 IoCs

Deletes systemd journal logs. Likely to evade detection.

evasion

Indicator Removal

T1070

description	ioc
File deleted	/var/log/journal/11c67417355f45d397f6be11f62e85a6/system.journal

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

description	ioc
File deleted	/var/log/syslog

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	cf1b85d4812f7ee052666276a184b481368f0c0c7a43e6d5df903535f466c5fd.elf
File opened for modification	/dev/misc/watchdog	cf1b85d4812f7ee052666276a184b481368f0c0c7a43e6d5df903535f466c5fd.elf

/tmp/cf1b85d4812f7ee052666276a184b481368f0c0c7a43e6d5df903535f466c5fd.elf
/tmp/cf1b85d4812f7ee052666276a184b481368f0c0c7a43e6d5df903535f466c5fd.elf
1⤵
- Changes its process name
- Deletes itself
- Modifies Watchdog functionality
PID:1558

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads