mirai | 3bd5be1f538f8cc195dbffd77d01e0c2509c56139a307b72d72d5bdbe2245584

General

Target

2808037.bin
Size

249KB
MD5

038814ff17c4e2f6e286dc858e3c3e38
SHA1

57b63f3ed966b91f2dbc107e87d81201c329671b
SHA256

3bd5be1f538f8cc195dbffd77d01e0c2509c56139a307b72d72d5bdbe2245584
SHA512

5225c9dd4adcaab0547e267c5f207cc89a007268a6c2fe2c3be84d94d08ca92340c3552ac4d59109721224c480cee7a4995a94d1dbe9f3a2e498cef0b1e90e87
SSDEEP

6144:REn8buta+6HwGQJk8a+MrZP6Ffk+figv49e/CKvVA6tnY:RNr2JxahZPl+L8eaKvVAcY

Score

10^/10

mirai lzrd botnet persistence

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Modifies Watchdog functionality 1 TTPs 1 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

description ioc

File opened for modification /dev/watchdog

description	ioc
File opened for modification	/dev/watchdog

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	1.0.0.1
Destination IP	114.114.114.114
Destination IP	134.195.4.2
Destination IP	54.36.111.116
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	114.114.114.114
Destination IP	1.0.0.1
Destination IP	192.3.165.37
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	192.3.165.37
Destination IP	134.195.4.2
Destination IP	1.0.0.1
Destination IP	54.36.111.116
Destination IP	54.36.111.116
Destination IP	168.138.12.137
Destination IP	134.195.4.2
Destination IP	114.114.114.114
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	168.138.12.137
Destination IP	192.3.165.37
Destination IP	168.138.12.137
Destination IP	1.0.0.1
Destination IP	54.36.111.116
Destination IP	1.0.0.1
Destination IP	94.247.43.254
Destination IP	168.138.12.137
Destination IP	192.3.165.37
Destination IP	1.0.0.1
Destination IP	192.3.165.37
Destination IP	114.114.114.114
Destination IP	1.0.0.1
Destination IP	54.36.111.116
Destination IP	192.3.165.37
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	54.36.111.116
Destination IP	1.0.0.1
Destination IP	54.36.111.116
Destination IP	1.0.0.1
Destination IP	192.3.165.37
Destination IP	134.195.4.2
Destination IP	192.3.165.37
Destination IP	1.0.0.1
Destination IP	54.36.111.116
Destination IP	114.114.114.114
Destination IP	1.0.0.1
Destination IP	54.36.111.116
Destination IP	192.3.165.37
Destination IP	94.247.43.254
Destination IP	114.114.114.114
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	54.36.111.116
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	192.3.165.37
Destination IP	192.3.165.37
Destination IP	1.0.0.1

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.46uPWw crontab
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/dnsconfig
Modifies systemd 1 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/systemd/system/dnsconfigs.service
Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /bin/watchdog
File opened for modification /sbin/watchdog

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.46uPWw	crontab

description	ioc
File opened for modification	/etc/init.d/dnsconfig

description	ioc
File opened for modification	/etc/systemd/system/dnsconfigs.service

description	ioc
File opened for modification	/bin/watchdog
File opened for modification	/sbin/watchdog

Enumerates kernel/hardware configuration 1 TTPs 3 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

systemctlsystemctlsystemctl

description	ioc	process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 18 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlcrontabsystemctlsystemctlcpmount2808037.binmount

description	ioc	process
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/655/cmdline
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/exe	2808037.bin
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/server_session.lock

description	ioc
File opened for modification	/tmp/server_session.lock

/tmp/2808037.bin
/tmp/2808037.bin
1⤵
- Reads runtime system information
PID:655

/bin/sh
/bin/sh -c "mount -o bind /tmp/nginx_server /proc/655/ > /dev/null 2>&1"
2⤵
PID:657

/bin/mount
mount -o bind /tmp/nginx_server /proc/655/
3⤵
- Reads runtime system information
PID:661

/bin/cp
cp -f /tmp/2808037.bin /var/tmp/nginx_kel
2⤵
- Reads runtime system information
PID:656

/bin/sh
/bin/sh -c "crontab /var/tmp/.recoverys"
1⤵
PID:667

/usr/bin/crontab
crontab /var/tmp/.recoverys
2⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:672

/bin/sh
/bin/sh -c "mount -o bind /tmp/nginx_server /proc/666/ > /dev/null 2>&1"
1⤵
PID:668

/bin/mount
mount -o bind /tmp/nginx_server /proc/666/
2⤵
- Reads runtime system information
PID:673

/bin/sh
/bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig > /dev/null 2>&1"
1⤵
PID:669

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig
2⤵
PID:674

/bin/sh
/bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig > /dev/null 2>&1"
1⤵
PID:677

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig
2⤵
PID:679

/bin/sh
/bin/sh -c "systemctl daemon-reload > /dev/null 2>&1"
1⤵
PID:681

/bin/systemctl
systemctl daemon-reload
2⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:684

/bin/sh
/bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig > /dev/null 2>&1"
1⤵
PID:683

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig
2⤵
PID:685

/bin/sh
/bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig > /dev/null 2>&1"
1⤵
PID:687

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig
2⤵
PID:690

/bin/sh
/bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig > /dev/null 2>&1"
1⤵
PID:692

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig
2⤵
PID:700

/bin/sh
/bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig > /dev/null 2>&1"
1⤵
PID:706

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig
2⤵
PID:708

/bin/sh
/bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig > /dev/null 2>&1"
1⤵
PID:710

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig
2⤵
PID:712

/bin/sh
/bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig > /dev/null 2>&1"
1⤵
PID:716

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig
2⤵
PID:717

/bin/sh
/bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig > /dev/null 2>&1"
1⤵
PID:719

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig
2⤵
PID:721

/bin/sh
/bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs > /dev/null 2>&1"
1⤵
PID:722

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs
2⤵
PID:723

/bin/sh
/bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs > /dev/null 2>&1"
1⤵
PID:724

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs
2⤵
PID:726

/bin/sh
/bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs > /dev/null 2>&1"
1⤵
PID:727

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs
2⤵
PID:729

/bin/sh
/bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs > /dev/null 2>&1"
1⤵
PID:730

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs
2⤵
PID:731

/bin/sh
/bin/sh -c "systemctl enable dnsconfigs.service > /dev/null 2>&1"
1⤵
PID:732

/bin/systemctl
systemctl enable dnsconfigs.service
2⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:735

/bin/sh
/bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs > /dev/null 2>&1"
1⤵
PID:734

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs
2⤵
PID:736

/bin/sh
/bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs > /dev/null 2>&1"
1⤵
PID:738

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs
2⤵
PID:740

/bin/sh
/bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs > /dev/null 2>&1"
1⤵
PID:741

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs
2⤵
PID:748

/bin/sh
/bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs > /dev/null 2>&1"
1⤵
PID:754

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs
2⤵
PID:755

/bin/sh
/bin/sh -c "systemctl start dnsconfigs.service > /dev/null 2>&1"
1⤵
PID:759

/bin/systemctl
systemctl start dnsconfigs.service
2⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:760

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Boot or Logon Autostart Execution

2

T1547

Hijack Execution Flow

1

T1574

Privilege Escalation

Scheduled Task/Job

1

T1053

Boot or Logon Autostart Execution

2

T1547

Hijack Execution Flow

1

T1574

Defense Evasion

Impair Defenses

1

T1562

Hijack Execution Flow

1

T1574

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/dnsconfig
Filesize
1KB

MD5
df56ea52b8cee93884f3872d25a85db0

SHA1
2fd0c7407ed67253a807d1d01c6ffd3467edaf8e

SHA256
a402d683e16519793b06f663163d750b4e82922cf3b18af5a655de41328b9bf5

SHA512
e390943755721ba7f0210439f0fc8e5e3daaf98ba1df923464aa547c5a7c6f941240658c8fa59270d6f73539fd8b0a04d7bdc9c407f13d9301588d5cf9aa68da

Download Submit
/etc/systemd/system/dnsconfigs.service
Filesize
174B

MD5
900f683b08977636b092fcbfa1ad8a42

SHA1
6d521f5c3e862f1106d9ac6a3a654e57e6814333

SHA256
71d21310d1c7dbb935f3b61311403b0ec0fa32dc73f91720365416a646c2dfb3

SHA512
50b5426500d8b5dccb7fd71fe9a448ae1c76770890ba86c37e7decbf2ca1f0e1cd20c50996260f37114ba2bdb16ae927e4afad241a51e3d22112ada8e25604b0

Download Submit
/tmp/server_session.lock
Filesize
4B

MD5
8b697894953f807b29db45e3610c5afd

SHA1
c31141dc24164ef98ef3a252e0da62df482199b3

SHA256
e96f1336fa739b01c04504dea39125dc8d4a7e7d23d8ff24ce5b050c7477ae9e

SHA512
6e4649d48128f9dc5bc6b0f5c9beed62c84fe3476dcc09583b8a4bb1bf0a34a495c4b2342a16409d7cfb0897e93d59f4c34bd6da0e5c27d390dcc536725b998f

Download Submit
/var/spool/cron/crontabs/tmp.46uPWw
Filesize
230B

MD5
5488db4699c29139923e9972175137d6

SHA1
abc33d37b242aeaa569211b80a464c7a98abb508

SHA256
7ecb0e72afdafa0a95419220fb76690e70ac83908190514dfcc6c292d202a4c0

SHA512
a40a1f34e8c9b2399fb6b318b540e549b120ec019ed0dc894ee4d0a04a1c9c9831bd67208803d5327a241ef6ef99d2aeaa3704a3bdaba99d6903a43b7ca3d4cf

Download Submit
/var/tmp/.recoverys
Filesize
37B

MD5
abe9a0e06459d029e0f5183965dbbf3b

SHA1
7e79e16ea12fed960bcee8eb5a9c6384fa61a2d1

SHA256
b2cfe7490d6dd2f81ede3ed9db30c78637f4a1e98ed746eaa00998e95d3de384

SHA512
955aece23c24e5b1ce32a90fa014a8a6fac39b68707a13f56cd1bfb07c79dfc59806942732990aaf925db5724f381827e2c35eba21fe95ce9a760760527048cd

Download Submit
/var/tmp/nginx_kel
Filesize
249KB

MD5
038814ff17c4e2f6e286dc858e3c3e38

SHA1
57b63f3ed966b91f2dbc107e87d81201c329671b

SHA256
3bd5be1f538f8cc195dbffd77d01e0c2509c56139a307b72d72d5bdbe2245584

SHA512
5225c9dd4adcaab0547e267c5f207cc89a007268a6c2fe2c3be84d94d08ca92340c3552ac4d59109721224c480cee7a4995a94d1dbe9f3a2e498cef0b1e90e87

Download Submit
memory/655-1-0x00008000-0x00089af4-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads