Analysis

max time kernel: 150s
max time network: 154s
platform: ubuntu-20.04_amd64
resource: ubuntu2004-amd64-20240221-en
resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240221-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
submitted: 06-04-2024 05:34
General

Target: dc8539b02b69890221532b22f4c7edd2_JaffaCakes118
Size: 27KB
MD5: dc8539b02b69890221532b22f4c7edd2
SHA1: 08e0ce6ebab7d8dbfe602f639cfa07a7f84e7ab5
SHA256: 207483a770395918284f4fb515b151d2bb6423d7529c290100cde9cea3351c80
SHA512: 0e82206554ed3299a4a7ab6d346ad306b02a056920e82b0ddc695c8386dd05d2c58b7e3e6a644d752b352cf93242ed0d2f1eb07adb82ad614b347ba0108828d6
SSDEEP: 768:doz+gJnt5RN1lCYp4P5hu6N6TiFDyqPf/R3F0:Oz1nt5BlCpu9ToDVf/R36
Malware Config

Extracted: mirai
Family: MIRAI
Signatures

Contacts a large (23996) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Changes its process name (1 IoCs)
  Processes:
    description: Changes the process name, possibly in an attempt to hide itself
    pid: 1470
    process: dc8539b02b69890221532b22f4c7edd2_JaffaCakes118

Deletes itself (1 IoCs)
  Processes:
    pid: 1470
    process: dc8539b02b69890221532b22f4c7edd2_JaffaCakes118

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  Processes:
    description: File opened for modification
    ioc: /dev/watchdog
    process: dc8539b02b69890221532b22f4c7edd2_JaffaCakes118

    description: File opened for modification
    ioc: /dev/misc/watchdog
    process: dc8539b02b69890221532b22f4c7edd2_JaffaCakes118

Enumerates active TCP sockets (1 TTPs, 1 IoCs)
  Gets active TCP sockets from /proc virtual filesystem.
  Processes:
    description: File opened for reading
    ioc: /proc/net/tcp

Enumerates running processes
  Discovers information about currently running processes on the system.

Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
  Processes:
    description: File opened for reading
    ioc: /proc/net/tcp

Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem.
  Processes: