mirai | 765ee75cdeee8968c544efd7c06f59f8a00c6600df2b444c14bea07967b49aa5

Analysis

max time kernel
149s
max time network
8s
platform
debian-12_mipsel
resource
debian12-mipsel-20240221-en
resource tags

arch:mipselimage:debian12-mipsel-20240221-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
submitted
23-02-2024 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

765ee75cdeee8968c544efd7c06f59f8a00c6600df2b444c14bea07967b49aa5.elf
Size

24KB
MD5

d168105097edfa568ec722a193637fdb
SHA1

89f8994ae0d20ace73639d91e19574fd5fc27dc5
SHA256

765ee75cdeee8968c544efd7c06f59f8a00c6600df2b444c14bea07967b49aa5
SHA512

a0d812ea520e4d92bba1fd52024cfca267384d152510ac76643a0154bbc76f9656b666d9c24ba577196f48a74e61a9866c1747fbdd8e96d088a3c94ffad72418
SSDEEP

768:obrQlS07dEv0UXqUhvQE+CXQKMQKCXBpUyZqSWvh:4QlS07FUXqIYSXQKquUWqp

Score

10^/10

mirai lzrd botnet

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

description ioc

File opened for modification /dev/watchdog
File opened for modification /dev/misc/watchdog
Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /sbin/watchdog
File opened for modification /bin/watchdog

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

Reads runtime system information 21 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/717/cmdline
File opened for reading	/proc/791/cmdline
File opened for reading	/proc/797/cmdline
File opened for reading	/proc/827/cmdline
File opened for reading	/proc/680/cmdline
File opened for reading	/proc/712/cmdline
File opened for reading	/proc/718/cmdline
File opened for reading	/proc/789/cmdline
File opened for reading	/proc/696/cmdline
File opened for reading	/proc/698/cmdline
File opened for reading	/proc/740/cmdline
File opened for reading	/proc/793/cmdline
File opened for reading	/proc/823/cmdline
File opened for reading	/proc/441/cmdline
File opened for reading	/proc/727/cmdline
File opened for reading	/proc/681/cmdline
File opened for reading	/proc/716/cmdline
File opened for reading	/proc/809/cmdline
File opened for reading	/proc/813/cmdline
File opened for reading	/proc/667/cmdline
File opened for reading	/proc/669/cmdline

/tmp/765ee75cdeee8968c544efd7c06f59f8a00c6600df2b444c14bea07967b49aa5.elf
/tmp/765ee75cdeee8968c544efd7c06f59f8a00c6600df2b444c14bea07967b49aa5.elf
1⤵
PID:724

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Impair Defenses

T1562

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/724-1-0x00400000-0x00452a58-memory.dmp

Download