mirai | 61e72921103f4ed5efacfdc6239febf5ac52238a078020ead4e3cd5ce394dc1c

Analysis

max time kernel
149s
max time network
152s
platform
debian-9_armhf
resource
debian9-armhf-20240226-en
resource tags

arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
08-04-2024 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e80061af37aa728eb1ab1f8e0b75517b_JaffaCakes118
Size

52KB
MD5

e80061af37aa728eb1ab1f8e0b75517b
SHA1

9936a98147ff22cefd59f73c45f208b6a9b579a7
SHA256

61e72921103f4ed5efacfdc6239febf5ac52238a078020ead4e3cd5ce394dc1c
SHA512

75852770ce1a9c5e86854e857e5bd8b9e9e4e50a2ffe6b67b092d4a36e12697855038c39392b7c631525aa2f060f2be60821340364c49c1ba3759636d963b63d
SSDEEP

1536:+Y3AmUi3ML4EkwjIQV5WW+PTlL9FtLV2xourV:/753lWI+5P+PBLLtR2Fx

Score

10^/10

mirai mirai botnet discovery

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (20706) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

description ioc

File opened for modification /dev/watchdog
File opened for modification /dev/misc/watchdog
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

description ioc

File opened for reading /proc/net/tcp
Enumerates running processes
Discovers information about currently running processes on the system
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

description ioc

File opened for reading /proc/net/tcp

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

description	ioc
File opened for reading	/proc/net/tcp

description	ioc
File opened for reading	/proc/net/tcp

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

Processes:

e80061af37aa728eb1ab1f8e0b75517b_JaffaCakes118

description	ioc
File opened for reading	/proc/304/fd
File opened for reading	/proc/584/fd
File opened for reading	/proc/588/fd
File opened for reading	/proc/603/fd
File opened for reading	/proc/636/fd
File opened for reading	/proc/272/fd
File opened for reading	/proc/305/fd
File opened for reading	/proc/582/fd
File opened for reading	/proc/646/fd
File opened for reading	/proc/653/fd
File opened for reading	/proc/656/fd
File opened for reading	/proc/657/fd
File opened for reading	/proc/self/exe	e80061af37aa728eb1ab1f8e0b75517b_JaffaCakes118
File opened for reading	/proc/220/fd
File opened for reading	/proc/587/fd
File opened for reading	/proc/643/fd
File opened for reading	/proc/1/fd
File opened for reading	/proc/150/fd
File opened for reading	/proc/286/fd
File opened for reading	/proc/318/fd
File opened for reading	/proc/313/fd
File opened for reading	/proc/651/fd
File opened for reading	/proc/172/fd
File opened for reading	/proc/274/fd
File opened for reading	/proc/288/fd
File opened for reading	/proc/654/fd
File opened for reading	/proc/287/fd
File opened for reading	/proc/642/fd

/tmp/e80061af37aa728eb1ab1f8e0b75517b_JaffaCakes118
/tmp/e80061af37aa728eb1ab1f8e0b75517b_JaffaCakes118
1⤵
- Reads runtime system information
PID:650

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/650-1-0x00008000-0x0002b520-memory.dmp

Download