mirai | a71be073ca2fd00cdfa663ba76fd6fa46770b53ebe1368992758120d7be4b4fd

Analysis

max time kernel
149s
max time network
9s
platform
debian-9_armhf
resource
debian9-armhf-20240221-en
resource tags

arch:armhfimage:debian9-armhf-20240221-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
23-02-2024 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a71be073ca2fd00cdfa663ba76fd6fa46770b53ebe1368992758120d7be4b4fd.elf
Size

21KB
MD5

915eca335c37b2b8264426b8c39f0278
SHA1

3bfe78cd4c2c732cb66b6a4bcd782463f02b5a8c
SHA256

a71be073ca2fd00cdfa663ba76fd6fa46770b53ebe1368992758120d7be4b4fd
SHA512

ba462558a06f370b6381c6d055b59a85622462f3bb2c97ea3688bbc5992cd87cf66c1d8b10b7604878712861eaa5557e6305acd679493e547fa8df9c6a56356b
SSDEEP

384:vvtIoZxrSniaXs+qx+bwqPX+VOcFd5fHq52lxjChymdGUop5hP:vvQn4j+ZO5fKAlx2s3Uozp

Score

10^/10

mirai lzrd botnet

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

description ioc

File opened for modification /dev/watchdog
File opened for modification /dev/misc/watchdog
Enumerates running processes
Discovers information about currently running processes on the system
Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /sbin/watchdog
File opened for modification /bin/watchdog

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

Reads runtime system information 42 IoCs

Reads data from /proc virtual filesystem.

Processes:

a71be073ca2fd00cdfa663ba76fd6fa46770b53ebe1368992758120d7be4b4fd.elf

description	ioc
File opened for reading	/proc/620/cmdline
File opened for reading	/proc/658/cmdline
File opened for reading	/proc/667/cmdline
File opened for reading	/proc/754/cmdline
File opened for reading	/proc/761/cmdline
File opened for reading	/proc/801/cmdline
File opened for reading	/proc/791/cmdline
File opened for reading	/proc/468/cmdline
File opened for reading	/proc/660/cmdline
File opened for reading	/proc/694/cmdline
File opened for reading	/proc/741/cmdline
File opened for reading	/proc/787/cmdline
File opened for reading	/proc/789/cmdline
File opened for reading	/proc/672/cmdline
File opened for reading	/proc/739/cmdline
File opened for reading	/proc/781/cmdline
File opened for reading	/proc/self/exe	a71be073ca2fd00cdfa663ba76fd6fa46770b53ebe1368992758120d7be4b4fd.elf
File opened for reading	/proc/727/cmdline
File opened for reading	/proc/706/cmdline
File opened for reading	/proc/736/cmdline
File opened for reading	/proc/769/cmdline
File opened for reading	/proc/780/cmdline
File opened for reading	/proc/795/cmdline
File opened for reading	/proc/657/cmdline
File opened for reading	/proc/676/cmdline
File opened for reading	/proc/712/cmdline
File opened for reading	/proc/731/cmdline
File opened for reading	/proc/793/cmdline
File opened for reading	/proc/416/cmdline
File opened for reading	/proc/662/cmdline
File opened for reading	/proc/670/cmdline
File opened for reading	/proc/707/cmdline
File opened for reading	/proc/720/cmdline
File opened for reading	/proc/783/cmdline
File opened for reading	/proc/797/cmdline
File opened for reading	/proc/799/cmdline
File opened for reading	/proc/429/cmdline
File opened for reading	/proc/467/cmdline
File opened for reading	/proc/663/cmdline
File opened for reading	/proc/747/cmdline
File opened for reading	/proc/776/cmdline
File opened for reading	/proc/785/cmdline

/tmp/a71be073ca2fd00cdfa663ba76fd6fa46770b53ebe1368992758120d7be4b4fd.elf
/tmp/a71be073ca2fd00cdfa663ba76fd6fa46770b53ebe1368992758120d7be4b4fd.elf
1⤵
- Reads runtime system information
PID:664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Impair Defenses

T1562

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/664-1-0x00008000-0x0001dca4-memory.dmp

Download