mirai | 396727615b18e1cb701c77fd5c85d7f33734ced97a9ecd930cc4d5c9590b3d01

Analysis

max time kernel
32s
max time network
38s
platform
debian-12_mipsel
resource
debian12-mipsel-20240221-en
resource tags

arch:mipselimage:debian12-mipsel-20240221-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
submitted
14-04-2024 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mpsl
Size

33KB
MD5

bf258297d167054f2e6eb0663ec8112e
SHA1

b8c339df5c160fefd0d074f38090e4f7bb6c7f7f
SHA256

396727615b18e1cb701c77fd5c85d7f33734ced97a9ecd930cc4d5c9590b3d01
SHA512

ba01240a4ebe685a58b232ebea07320cab6572dbd6ae848e9fb09dfccbff7618f534577cf7cd6e968c499f16ea84203053471fe035434238aea8452059fa950f
SSDEEP

384:ej1iuHGHYf5iuK/qSY6ZFTMLRisYOee0Cr3LWL59AlLDvX9QDB0EG7jD+QBTmixW:eBHb5iuKpiYORpWoZTaojjTpH3WJ

Score

10^/10

mirai mirai botnet evasion

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Changes its process name 1 IoCs

Processes:

mpsl

description ioc pid process

Changes the process name, possibly in an attempt to hide itself m0434pgl0bp8nm5at16a 726 mpsl
Deletes Audit logs 1 TTPs 1 IoCs
Deletes logs related to the Linux Audit framework.
evasion

Indicator Removal
T1070

Processes:

description ioc

File deleted /var/log/audit/audit.log
Deletes itself 1 IoCs

Processes:

mpsl

pid process

726 mpsl
Deletes journal logs 1 TTPs 1 IoCs
Deletes systemd journal logs. Likely to evade detection.
evasion

Indicator Removal
T1070

Processes:

description ioc

File deleted /var/log/journal/edeb2f80f756429c9aae366fe5ab23dd/system.journal
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

mpsl

description ioc process

File opened for modification /dev/watchdog mpsl
File opened for modification /dev/misc/watchdog mpsl

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	m0434pgl0bp8nm5at16a	726	mpsl

description	ioc
File deleted	/var/log/audit/audit.log

pid	process
726	mpsl

description	ioc
File deleted	/var/log/journal/edeb2f80f756429c9aae366fe5ab23dd/system.journal

description	ioc	process
File opened for modification	/dev/watchdog	mpsl
File opened for modification	/dev/misc/watchdog	mpsl

/tmp/mpsl
/tmp/mpsl
1⤵
- Changes its process name
- Deletes itself
- Modifies Watchdog functionality
PID:726

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/726-1-0x00400000-0x00464c60-memory.dmp

Download