Analysis
max time kernel: 150s
max time network: 152s
platform: debian-9_armhf
resource: debian9-armhf-20240226-en
resource tags: arch:armhf, image:debian9-armhf-20240226-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 12/03/2024, 09:30
General
Target: 49b8f822113bdff71bb72b67f15576a6.elf
Size: 43KB
MD5: 49b8f822113bdff71bb72b67f15576a6
SHA1: ce2c4745ff1ee1fdc9f6460d2ad9aac74e7d7a6a
SHA256: 68e8dd25ab8690fc4daa226427d54c00f5adb5f651dfde03efc9b46b65e681ea
SHA512: db094506b0af86d6055d98b970e1b88dbaaccf43f9e88034b9b789d6bd26a385a1855aa9ab435ddee3549690795077a808f13d730b4b6497b30e4674631d7fe5
SSDEEP: 768:Hu64SH4Qj97/SgYSjRmPW3fmHby9hgHIMc3W0voYgd/KtPpjvmaz9sk29q3UELyK:Ozq/dKPW3uHbShgX0gcxrmMzbLB
Malware Config
Extracted
mirai
UNSTABLE
Signatures
- Contacts a large (103948) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Modifies Watchdog functionality (1 TTP, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description | ioc | Process
  File opened for modification | /dev/watchdog | 49b8f822113bdff71bb72b67f15576a6.elf
  File opened for modification | /dev/misc/watchdog | 49b8f822113bdff71bb72b67f15576a6.elf
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Reads runtime system information (64 IoCs)
  Reads data from the /proc virtual filesystem.
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  description | ioc | Process
  File opened for modification | /tmp/.1 | 49b8f822113bdff71bb72b67f15576a6.elf
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4B
MD5: 690e0d57f96158b6bfbf99d4558325e8
SHA1: bd11c72f4cf70581784f66b581d79896856d89b2
SHA256: 066485fa15a26859b5c9f55a3dcb88f842aa538c8fe1f15a6ce3eb6276ea7c4e
SHA512: 2e4572d686a0ae58dad9f8883cd169cdd0d73598874c211c980ff489284f56098cae7448021ec6ea8431fde2976e945b202c70cc102431c14b7ee161b37b9e01