mirai | c5c5ab5856200686e97e5c848c2d1d2efc58d2bf94e5963f5f42e6afd4bb1f28

Analysis

max time kernel
150s
max time network
4s
platform
debian-12_mipsel
resource
debian12-mipsel-20240221-en
resource tags

arch:mipselimage:debian12-mipsel-20240221-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
submitted
28-03-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5c5ab5856200686e97e5c848c2d1d2efc58d2bf94e5963f5f42e6afd4bb1f28.elf
Size

24KB
MD5

8d50ecfef548023a29d72b90b3d95209
SHA1

9a781e62007daf9aab6203c1015fdd777bfcc654
SHA256

c5c5ab5856200686e97e5c848c2d1d2efc58d2bf94e5963f5f42e6afd4bb1f28
SHA512

a7b9826d79165a94ef114865658ab0ee6adeca0f3d112f60e2c1eb50419577ecb1a7e82fef7ed1e6304a4d8c9817db57f5e5b3b5f0c44092ff1cd6fda0faaf31
SSDEEP

768:oCrQlS07dEv0UXqUhvQE+CXQKMQKCXBp8OZqEWvg:/QlS07FUXqIYSXQKquhqW

Score

10^/10

mirai lzrd botnet

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

description ioc

File opened for modification /dev/watchdog
File opened for modification /dev/misc/watchdog
Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /sbin/watchdog
File opened for modification /bin/watchdog

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

Reads runtime system information 12 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/673/cmdline
File opened for reading	/proc/695/cmdline
File opened for reading	/proc/718/cmdline
File opened for reading	/proc/719/cmdline
File opened for reading	/proc/730/cmdline
File opened for reading	/proc/418/cmdline
File opened for reading	/proc/676/cmdline
File opened for reading	/proc/677/cmdline
File opened for reading	/proc/692/cmdline
File opened for reading	/proc/711/cmdline
File opened for reading	/proc/717/cmdline
File opened for reading	/proc/736/cmdline

/tmp/c5c5ab5856200686e97e5c848c2d1d2efc58d2bf94e5963f5f42e6afd4bb1f28.elf
/tmp/c5c5ab5856200686e97e5c848c2d1d2efc58d2bf94e5963f5f42e6afd4bb1f28.elf
1⤵
PID:726

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/726-1-0x00400000-0x00452a58-memory.dmp

Download