Analysis
-
max time kernel
150s -
max time network
151s -
platform
debian-9_armhf -
resource
debian9-armhf-20231221-en -
resource tags
-
submitted
13-02-2024 04:56
General
-
Target
b9d92f637996e981006173eb207734301ff69ded8f9c2a7f0c9b6d5fcc9063a2.elf
-
Size
31KB
-
MD5
8e09ce63b913be6f161f94738d62b24c
-
SHA1
a81171394b9e1a837463e91e207ce955cbf2a87f
-
SHA256
b9d92f637996e981006173eb207734301ff69ded8f9c2a7f0c9b6d5fcc9063a2
-
SHA512
526197e30fcb5e56066381c6d13566b632cb1c9470000cb0b558b0141f3171fcc11f6144744546a040c6f214012ababb4f2a62371e9818b1b3d141dad5a9b543
-
SSDEEP
768:Czc5814KRScHTqA4kOp2OITxWr/t9IGr7rs3UozL:4NRScHN+PHr7WzL
Malware Config
Extracted
mirai
MIRAI
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Contacts a large (72237) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Changes its process name 1 IoCs
-
Deletes Audit logs 1 TTPs 1 IoCs
Deletes logs related to the Linux Audit framework.
-
Deletes itself 1 IoCs
-
Deletes system logs 1 TTPs 2 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Deletes log files 1 TTPs 3 IoCs
Deletes log files on the system.
-
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/b9d92f637996e981006173eb207734301ff69ded8f9c2a7f0c9b6d5fcc9063a2.elf/tmp/b9d92f637996e981006173eb207734301ff69ded8f9c2a7f0c9b6d5fcc9063a2.elf1⤵
- Changes its process name
- Deletes itself
- Modifies Watchdog functionality
- Reads runtime system information