mirai | dab4d2935ff7d215a4b5efc8f586412eb42ef797bb5257062712456623f7e5e1

Analysis

max time kernel
149s
max time network
7s
platform
debian-9_armhf
resource
debian9-armhf-20240226-en
resource tags

arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
11-04-2024 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dab4d2935ff7d215a4b5efc8f586412eb42ef797bb5257062712456623f7e5e1.elf
Size

26KB
MD5

80b0a2d9c9c6b89f7306a1bd3f4bedde
SHA1

d0b583b986b8ee11f9f197465717f318d78dc3b5
SHA256

dab4d2935ff7d215a4b5efc8f586412eb42ef797bb5257062712456623f7e5e1
SHA512

e1d9fff24d394b931445f84607d948068df9a3aeef8ee47684e8d166b272c340e70f87ea407378e1073ba25b2ee15f9770e08f27377eaf5ec88c41a2f3c1980d
SSDEEP

768:mBPEeJMM4olieRV+X8YsXcc5+0UobMs3UozhSq:sMM4olieH+B6UobJzhSq

Score

10^/10

mirai lzrd botnet

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

description ioc

File opened for modification /dev/watchdog
File opened for modification /dev/misc/watchdog
Enumerates running processes
Discovers information about currently running processes on the system
Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /sbin/watchdog
File opened for modification /bin/watchdog

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

Reads runtime system information 38 IoCs

Reads data from /proc virtual filesystem.

Processes:

dab4d2935ff7d215a4b5efc8f586412eb42ef797bb5257062712456623f7e5e1.elf

description	ioc
File opened for reading	/proc/435/cmdline
File opened for reading	/proc/618/cmdline
File opened for reading	/proc/721/cmdline
File opened for reading	/proc/796/cmdline
File opened for reading	/proc/497/cmdline
File opened for reading	/proc/657/cmdline
File opened for reading	/proc/658/cmdline
File opened for reading	/proc/784/cmdline
File opened for reading	/proc/786/cmdline
File opened for reading	/proc/711/cmdline
File opened for reading	/proc/732/cmdline
File opened for reading	/proc/783/cmdline
File opened for reading	/proc/791/cmdline
File opened for reading	/proc/800/cmdline
File opened for reading	/proc/781/cmdline
File opened for reading	/proc/788/cmdline
File opened for reading	/proc/792/cmdline
File opened for reading	/proc/498/cmdline
File opened for reading	/proc/664/cmdline
File opened for reading	/proc/700/cmdline
File opened for reading	/proc/728/cmdline
File opened for reading	/proc/779/cmdline
File opened for reading	/proc/798/cmdline
File opened for reading	/proc/802/cmdline
File opened for reading	/proc/790/cmdline
File opened for reading	/proc/self/exe	dab4d2935ff7d215a4b5efc8f586412eb42ef797bb5257062712456623f7e5e1.elf
File opened for reading	/proc/660/cmdline
File opened for reading	/proc/662/cmdline
File opened for reading	/proc/668/cmdline
File opened for reading	/proc/722/cmdline
File opened for reading	/proc/450/cmdline
File opened for reading	/proc/673/cmdline
File opened for reading	/proc/740/cmdline
File opened for reading	/proc/766/cmdline
File opened for reading	/proc/773/cmdline
File opened for reading	/proc/671/cmdline
File opened for reading	/proc/774/cmdline
File opened for reading	/proc/794/cmdline

/tmp/dab4d2935ff7d215a4b5efc8f586412eb42ef797bb5257062712456623f7e5e1.elf
/tmp/dab4d2935ff7d215a4b5efc8f586412eb42ef797bb5257062712456623f7e5e1.elf
1⤵
- Reads runtime system information
PID:665

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Impair Defenses

T1562

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/665-1-0x00008000-0x00022a48-memory.dmp

Download