mirai | 9f4327c669ce8b3f64dcef2a666c3a9107d2e5569893fd1757ebe7d2ad1298d9

Analysis

max time kernel
150s
max time network
153s
platform
debian-9_mips
resource
debian9-mipsbe-20240226-en
resource tags

arch:mipsimage:debian9-mipsbe-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
31-03-2024 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

520ec309d6b80914fa9b7e97b82b383e_JaffaCakes118
Size

31KB
MD5

520ec309d6b80914fa9b7e97b82b383e
SHA1

74de1d593df5c3cc52c01f25b1e3292bedcf2f13
SHA256

9f4327c669ce8b3f64dcef2a666c3a9107d2e5569893fd1757ebe7d2ad1298d9
SHA512

27c03e93f65627418370dac7642f566b426c03ab71d36e23b5738d6a4ffd47aeacf7392bc76a6c32dcccdb11356def93f155e3b654e11d70004523c4e1830634
SSDEEP

768:0nZwAmfH/GbCDJCD9Ea8byWqK4udlB7Nrt+nJ7DpGJgGlzDpbuR1Ju:0n6AsH/GmDwBJ8byWqKD7JO7DQVJuE

Score

10^/10

mirai mirai botnet discovery

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (20150) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

description ioc

File opened for modification /dev/watchdog
File opened for modification /dev/misc/watchdog
Enumerates active TCP sockets 1 TTPs 2 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

520ec309d6b80914fa9b7e97b82b383e_JaffaCakes118

description ioc process

File opened for reading /proc/net/tcp 520ec309d6b80914fa9b7e97b82b383e_JaffaCakes118
File opened for reading /proc/net/tcp
Reads system network configuration 1 TTPs 2 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

520ec309d6b80914fa9b7e97b82b383e_JaffaCakes118

description ioc process

File opened for reading /proc/net/tcp 520ec309d6b80914fa9b7e97b82b383e_JaffaCakes118
File opened for reading /proc/net/tcp

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

description	ioc	process
File opened for reading	/proc/net/tcp	520ec309d6b80914fa9b7e97b82b383e_JaffaCakes118
File opened for reading	/proc/net/tcp

description	ioc	process
File opened for reading	/proc/net/tcp	520ec309d6b80914fa9b7e97b82b383e_JaffaCakes118
File opened for reading	/proc/net/tcp

Reads runtime system information 22 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/688/exe
File opened for reading	/proc/695/exe
File opened for reading	/proc/764/exe
File opened for reading	/proc/775/exe
File opened for reading	/proc/709/exe
File opened for reading	/proc/499/exe
File opened for reading	/proc/727/exe
File opened for reading	/proc/760/exe
File opened for reading	/proc/783/exe
File opened for reading	/proc/458/exe
File opened for reading	/proc/719/exe
File opened for reading	/proc/498/exe
File opened for reading	/proc/675/exe
File opened for reading	/proc/689/exe
File opened for reading	/proc/694/exe
File opened for reading	/proc/772/exe
File opened for reading	/proc/797/exe
File opened for reading	/proc/466/exe
File opened for reading	/proc/692/exe
File opened for reading	/proc/700/exe
File opened for reading	/proc/703/exe
File opened for reading	/proc/808/exe

/tmp/520ec309d6b80914fa9b7e97b82b383e_JaffaCakes118
/tmp/520ec309d6b80914fa9b7e97b82b383e_JaffaCakes118
1⤵
- Enumerates active TCP sockets
- Reads system network configuration
PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/696-1-0x00400000-0x00456d98-memory.dmp

Download