mirai | e180555303654e1f2b1c0337521988fdccc795a2d6ab246c9b50fee7b98f3012

General

Target

x86_64.elf
Size

35KB
MD5

c48f0e40d26ae8eb2e362393d33cd3cf
SHA1

461d5d98f71079d155f64a3e6520ab138fc10c7e
SHA256

e180555303654e1f2b1c0337521988fdccc795a2d6ab246c9b50fee7b98f3012
SHA512

b9711e2aef64796b5ac9afc7e1a6fa7a428171eb6126f3ad1418bd81b895ac7793e956484600e325fb720eabc6e2f82401009f21ee3f6e4b194dd6aad35fcb45
SSDEEP

768:cMNynmsYyYLrA4wwDZfoKGLVI5gui3pkJfd+p3LmOb+nx46x/ZsV:RAndgEXw9wK4OA5Pp7mtxX/+V

Score

10^/10

mirai mirai botnet evasion

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Changes its process name 1 IoCs

Processes:

x86_64.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself ki52i5viiihi 1471 x86_64.elf
Deletes Audit logs 1 TTPs 1 IoCs
Deletes logs related to the Linux Audit framework.
evasion

Indicator Removal
T1070

Processes:

description ioc

File deleted /var/log/audit/audit.log
Deletes itself 1 IoCs

Processes:

x86_64.elf

pid process

1471 x86_64.elf
Deletes journal logs 1 TTPs 1 IoCs
Deletes systemd journal logs. Likely to evade detection.
evasion

Indicator Removal
T1070

Processes:

description ioc

File deleted /var/log/journal/4816dd152e8c48ff97e9117d197c13d8/system.journal
Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Indicator Removal
T1070

Processes:

description ioc

File deleted /var/log/syslog
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

x86_64.elf

description ioc process

File opened for modification /dev/watchdog x86_64.elf
File opened for modification /dev/misc/watchdog x86_64.elf
Deletes log files 1 TTPs 4 IoCs
Deletes log files on the system.

Indicator Removal
T1070

Processes:

description ioc

File deleted /var/log/ubuntu-advantage.log
File deleted /var/log/auth.log
File deleted /var/log/kern.log
File deleted /var/log/apport.log
Enumerates running processes
Discovers information about currently running processes on the system

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	ki52i5viiihi	1471	x86_64.elf

description	ioc
File deleted	/var/log/audit/audit.log

pid	process
1471	x86_64.elf

description	ioc
File deleted	/var/log/journal/4816dd152e8c48ff97e9117d197c13d8/system.journal

description	ioc
File deleted	/var/log/syslog

description	ioc	process
File opened for modification	/dev/watchdog	x86_64.elf
File opened for modification	/dev/misc/watchdog	x86_64.elf

description	ioc
File deleted	/var/log/ubuntu-advantage.log
File deleted	/var/log/auth.log
File deleted	/var/log/kern.log
File deleted	/var/log/apport.log

Reads CPU attributes 1 TTPs 10 IoCs

System Information Discovery

T1082

Processes:

pkillpkillpkillpkillpkillpkillpkillpkillpkillpkill

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pkillpkillpkillpkillpkillpkillpkillpkillpkillpkill

description	ioc	process
File opened for reading	/proc/1473/cmdline	pkill
File opened for reading	/proc/1444/status	pkill
File opened for reading	/proc/1489/cmdline	pkill
File opened for reading	/proc/self/auxv	pkill
File opened for reading	/proc/164/status	pkill
File opened for reading	/proc/1049/cmdline	pkill
File opened for reading	/proc/1090/status	pkill
File opened for reading	/proc/954/cmdline	pkill
File opened for reading	/proc/1110/cmdline	pkill
File opened for reading	/proc/1420/cmdline	pkill
File opened for reading	/proc/88/status	pkill
File opened for reading	/proc/92/status	pkill
File opened for reading	/proc/1411/cmdline	pkill
File opened for reading	/proc/1480/cmdline	pkill
File opened for reading	/proc/79/status	pkill
File opened for reading	/proc/480/cmdline	pkill
File opened for reading	/proc/89/cmdline	pkill
File opened for reading	/proc/72/status	pkill
File opened for reading	/proc/89/status	pkill
File opened for reading	/proc/447/cmdline	pkill
File opened for reading	/proc/537/cmdline	pkill
File opened for reading	/proc/982/status	pkill
File opened for reading	/proc/833/status	pkill
File opened for reading	/proc/3/cmdline	pkill
File opened for reading	/proc/6/cmdline	pkill
File opened for reading	/proc/1145/cmdline
File opened for reading	/proc/1097/status	pkill
File opened for reading	/proc/1477/status	pkill
File opened for reading	/proc/102/status	pkill
File opened for reading	/proc/965/status	pkill
File opened for reading	/proc/1479/cmdline	pkill
File opened for reading	/proc/8/cmdline	pkill
File opened for reading	/proc/11/cmdline	pkill
File opened for reading	/proc/485/cmdline	pkill
File opened for reading	/proc/447/status	pkill
File opened for reading	/proc/1434/status	pkill
File opened for reading	/proc/9/status	pkill
File opened for reading	/proc/74/cmdline	pkill
File opened for reading	/proc/442/status	pkill
File opened for reading	/proc/1455/cmdline	pkill
File opened for reading	/proc/1188/status	pkill
File opened for reading	/proc/1422/cmdline	pkill
File opened for reading	/proc/171/cmdline	pkill
File opened for reading	/proc/976/status	pkill
File opened for reading	/proc/20/cmdline	pkill
File opened for reading	/proc/166/status	pkill
File opened for reading	/proc/965/cmdline	pkill
File opened for reading	/proc/1487/cmdline	pkill
File opened for reading	/proc/5/cmdline	pkill
File opened for reading	/proc/10/cmdline	pkill
File opened for reading	/proc/4/status	pkill
File opened for reading	/proc/170/status	pkill
File opened for reading	/proc/1417/status	pkill
File opened for reading	/proc/1487/status	pkill
File opened for reading	/proc/93/cmdline	pkill
File opened for reading	/proc/400/status	pkill
File opened for reading	/proc/75/cmdline	pkill
File opened for reading	/proc/1005/status	pkill
File opened for reading	/proc/1121/cmdline	pkill
File opened for reading	/proc/92/cmdline	pkill
File opened for reading	/proc/21/status	pkill
File opened for reading	/proc/1085/cmdline	pkill
File opened for reading	/proc/170/cmdline	pkill
File opened for reading	/proc/982/cmdline	pkill

/tmp/x86_64.elf
/tmp/x86_64.elf
1⤵
- Changes its process name
- Deletes itself
- Modifies Watchdog functionality
PID:1471

/usr/local/sbin/pkill
pkill tshark
1⤵
PID:1474

/usr/local/bin/pkill
pkill tshark
1⤵
PID:1474

/usr/sbin/pkill
pkill tshark
1⤵
PID:1474

/usr/bin/pkill
pkill tshark
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1474

/usr/local/sbin/pkill
pkill wireshark
1⤵
PID:1475

/usr/local/sbin/pkill
pkill dumpcap
1⤵
PID:1476

/usr/local/sbin/pkill
pkill tcpdump
1⤵
PID:1473

/usr/local/sbin/pkill
pkill ettercap
1⤵
PID:1477

/usr/local/sbin/pkill
pkill ngrep
1⤵
PID:1479

/usr/local/bin/pkill
pkill tcpdump
1⤵
PID:1473

/usr/local/bin/pkill
pkill dumpcap
1⤵
PID:1476

/usr/local/sbin/pkill
pkill dsniff
1⤵
PID:1478

/usr/local/sbin/pkill
pkill tcpflow
1⤵
PID:1480

/usr/sbin/pkill
pkill dumpcap
1⤵
PID:1476

/usr/local/bin/pkill
pkill ngrep
1⤵
PID:1479

/usr/local/bin/pkill
pkill ettercap
1⤵
PID:1477

/usr/local/bin/pkill
pkill dsniff
1⤵
PID:1478

/usr/local/bin/pkill
pkill tcpflow
1⤵
PID:1480

/usr/sbin/pkill
pkill ngrep
1⤵
PID:1479

/usr/bin/pkill
pkill dumpcap
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1476

/usr/sbin/pkill
pkill tcpdump
1⤵
PID:1473

/usr/local/sbin/pkill
pkill windump
1⤵
PID:1481

/usr/bin/pkill
pkill ngrep
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1479

/usr/sbin/pkill
pkill ettercap
1⤵
PID:1477

/usr/sbin/pkill
pkill tcpflow
1⤵
PID:1480

/usr/sbin/pkill
pkill dsniff
1⤵
PID:1478

/usr/bin/pkill
pkill tcpdump
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1473

/usr/local/sbin/pkill
pkill netsniff-ng
1⤵
PID:1482

/usr/local/bin/pkill
pkill wireshark
1⤵
PID:1475

/usr/bin/pkill
pkill dsniff
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1478

/usr/bin/pkill
pkill ettercap
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1477

/usr/local/bin/pkill
pkill windump
1⤵
PID:1481

/usr/bin/pkill
pkill tcpflow
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1480

/usr/local/bin/pkill
pkill netsniff-ng
1⤵
PID:1482

/usr/sbin/pkill
pkill windump
1⤵
PID:1481

/usr/sbin/pkill
pkill wireshark
1⤵
PID:1475

/usr/sbin/pkill
pkill netsniff-ng
1⤵
PID:1482

/usr/bin/pkill
pkill wireshark
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1475

/usr/bin/pkill
pkill windump
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1481

/usr/bin/pkill
pkill netsniff-ng
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1482

/usr/local/sbin/rm
rm -rf /usr/bin/ettercap
1⤵
PID:1507

/usr/local/sbin/rm
rm -rf /usr/bin/dsniff
1⤵
PID:1508

/usr/local/sbin/rm
rm -rf /usr/bin/ngrep
1⤵
PID:1509

/usr/local/sbin/rm
rm -rf /usr/bin/tcpflow
1⤵
PID:1510

/usr/local/sbin/rm
rm -rf /usr/bin/netsniff-ng
1⤵
PID:1512

/usr/local/sbin/rm
rm -rf /usr/sbin/ngrep
1⤵
PID:1499

/usr/local/sbin/rm
rm -rf /usr/sbin/tcpflow
1⤵
PID:1500

/usr/local/sbin/rm
rm -rf /usr/sbin/windump
1⤵
PID:1501

/usr/local/sbin/rm
rm -rf /usr/sbin/netsniff-ng
1⤵
PID:1502

/usr/local/sbin/rm
rm -rf /usr/bin/tcpdump
1⤵
PID:1503

/usr/local/sbin/rm
rm -rf /usr/bin/tshark
1⤵
PID:1504

/usr/local/sbin/rm
rm -rf /usr/bin/wireshark
1⤵
PID:1505

/usr/local/sbin/rm
rm -rf /usr/bin/dumpcap
1⤵
PID:1506

/usr/local/sbin/rm
rm -rf /usr/bin/windump
1⤵
PID:1511

/usr/local/sbin/rm
rm -rf /usr/sbin/dsniff
1⤵
PID:1498

/usr/local/bin/rm
rm -rf /usr/bin/windump
1⤵
PID:1511

/usr/local/bin/rm
rm -rf /usr/bin/dumpcap
1⤵
PID:1506

/usr/local/bin/rm
rm -rf /usr/sbin/dsniff
1⤵
PID:1498

/usr/sbin/rm
rm -rf /usr/bin/windump
1⤵
PID:1511

/usr/sbin/rm
rm -rf /usr/bin/dumpcap
1⤵
PID:1506

/usr/local/sbin/rm
rm -rf /usr/sbin/ettercap
1⤵
PID:1497

/usr/local/bin/rm
rm -rf /usr/bin/tshark
1⤵
PID:1504

/usr/bin/rm
rm -rf /usr/bin/dumpcap
1⤵
PID:1506

/usr/sbin/rm
rm -rf /usr/sbin/dsniff
1⤵
PID:1498

/usr/bin/rm
rm -rf /usr/bin/windump
1⤵
PID:1511

/usr/local/bin/rm
rm -rf /usr/bin/tcpdump
1⤵
PID:1503

/usr/local/bin/rm
rm -rf /usr/sbin/windump
1⤵
PID:1501

/usr/local/bin/rm
rm -rf /usr/sbin/tcpflow
1⤵
PID:1500

/usr/local/bin/rm
rm -rf /usr/bin/dsniff
1⤵
PID:1508

/usr/local/bin/rm
rm -rf /usr/bin/tcpflow
1⤵
PID:1510

/usr/local/bin/rm
rm -rf /usr/bin/netsniff-ng
1⤵
PID:1512

/usr/local/bin/rm
rm -rf /usr/bin/ngrep
1⤵
PID:1509

/usr/local/bin/rm
rm -rf /usr/sbin/netsniff-ng
1⤵
PID:1502

/usr/local/bin/rm
rm -rf /usr/sbin/ngrep
1⤵
PID:1499

/usr/sbin/rm
rm -rf /usr/bin/tshark
1⤵
PID:1504

/usr/local/bin/rm
rm -rf /usr/sbin/ettercap
1⤵
PID:1497

/usr/bin/rm
rm -rf /usr/sbin/dsniff
1⤵
PID:1498

/usr/sbin/rm
rm -rf /usr/sbin/windump
1⤵
PID:1501

/usr/local/bin/rm
rm -rf /usr/bin/ettercap
1⤵
PID:1507

/usr/sbin/rm
rm -rf /usr/bin/tcpflow
1⤵
PID:1510

/usr/sbin/rm
rm -rf /usr/sbin/tcpflow
1⤵
PID:1500

/usr/sbin/rm
rm -rf /usr/bin/tcpdump
1⤵
PID:1503

/usr/sbin/rm
rm -rf /usr/bin/dsniff
1⤵
PID:1508

/usr/sbin/rm
rm -rf /usr/bin/netsniff-ng
1⤵
PID:1512

/usr/sbin/rm
rm -rf /usr/bin/ngrep
1⤵
PID:1509

/usr/sbin/rm
rm -rf /usr/sbin/ngrep
1⤵
PID:1499

/usr/sbin/rm
rm -rf /usr/sbin/netsniff-ng
1⤵
PID:1502

/usr/local/sbin/rm
rm -rf /usr/sbin/dumpcap
1⤵
PID:1496

/usr/bin/rm
rm -rf /usr/bin/tshark
1⤵
PID:1504

/usr/bin/rm
rm -rf /usr/bin/tcpflow
1⤵
PID:1510

/usr/bin/rm
rm -rf /usr/bin/tcpdump
1⤵
PID:1503

/usr/sbin/rm
rm -rf /usr/sbin/ettercap
1⤵
PID:1497

/usr/bin/rm
rm -rf /usr/sbin/windump
1⤵
PID:1501

/usr/bin/rm
rm -rf /usr/sbin/tcpflow
1⤵
PID:1500

/usr/sbin/rm
rm -rf /usr/bin/ettercap
1⤵
PID:1507

/usr/bin/rm
rm -rf /usr/bin/ngrep
1⤵
PID:1509

/usr/bin/rm
rm -rf /usr/bin/netsniff-ng
1⤵
PID:1512

/usr/bin/rm
rm -rf /usr/bin/dsniff
1⤵
PID:1508

/usr/bin/rm
rm -rf /usr/sbin/netsniff-ng
1⤵
PID:1502

/usr/bin/rm
rm -rf /usr/sbin/ngrep
1⤵
PID:1499

/usr/bin/rm
rm -rf /usr/sbin/ettercap
1⤵
PID:1497

/usr/local/bin/rm
rm -rf /usr/sbin/dumpcap
1⤵
PID:1496

/usr/bin/rm
rm -rf /usr/bin/ettercap
1⤵
PID:1507

/usr/sbin/rm
rm -rf /usr/sbin/dumpcap
1⤵
PID:1496

/usr/local/sbin/rm
rm -rf /usr/sbin/wireshark
1⤵
PID:1495

/usr/bin/rm
rm -rf /usr/sbin/dumpcap
1⤵
PID:1496

/usr/local/bin/rm
rm -rf /usr/sbin/wireshark
1⤵
PID:1495

/usr/sbin/rm
rm -rf /usr/sbin/wireshark
1⤵
PID:1495

/usr/bin/rm
rm -rf /usr/sbin/wireshark
1⤵
PID:1495

/usr/local/sbin/rm
rm -rf /usr/sbin/tshark
1⤵
PID:1494

/usr/local/bin/rm
rm -rf /usr/sbin/tshark
1⤵
PID:1494

/usr/sbin/rm
rm -rf /usr/sbin/tshark
1⤵
PID:1494

/usr/bin/rm
rm -rf /usr/sbin/tshark
1⤵
PID:1494

/usr/local/sbin/rm
rm -rf /usr/sbin/tcpdump
1⤵
PID:1493

/usr/local/bin/rm
rm -rf /usr/sbin/tcpdump
1⤵
PID:1493

/usr/sbin/rm
rm -rf /usr/sbin/tcpdump
1⤵
PID:1493

/usr/local/bin/rm
rm -rf /usr/bin/wireshark
1⤵
PID:1505

/usr/bin/rm
rm -rf /usr/sbin/tcpdump
1⤵
PID:1493

/usr/sbin/rm
rm -rf /usr/bin/wireshark
1⤵
PID:1505

/usr/bin/rm
rm -rf /usr/bin/wireshark
1⤵
PID:1505

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

Indicator Removal

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1471-1-0x0000000000400000-0x00000000005256a8-memory.dmp

Download

Analysis

Sharing