mirai | f1edcebbddd718478622d047705e872ad26fa577f40f57c2dbfd902ea4bafeab

Analysis

max time kernel
150s
max time network
154s
platform
debian-9_mips
resource
debian9-mipsbe-20240226-en
resource tags

arch:mipsimage:debian9-mipsbe-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
19-04-2024 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
Size

30KB
MD5

fb6dc629f3cea2f4968bf1dfb286276a
SHA1

6c8f03d87844af15df78fe1490683ee854dc320e
SHA256

f1edcebbddd718478622d047705e872ad26fa577f40f57c2dbfd902ea4bafeab
SHA512

59084359debf89dc0e00c5bcf143f7567854992a9f997e42874c4269ecea004d08fce7db1a74907a470107b4c61f3607edc7440fe51a1a04edecdd759e6c9fa0
SSDEEP

768:4VyvYLznDEB2iC+sDqC6NtxsPCekdob4dc1WokdX9JgGlzDpbuR1JY:4AYnnDEBI+smICekdoT1LOVJuq

Score

10^/10

mirai unst botnet discovery

Malware Config

Extracted

Family

mirai

Botnet

UNST

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (19737) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118

description	ioc	process
File opened for modification	/dev/watchdog	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for modification	/dev/misc/watchdog	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118

Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118

description ioc process

File opened for reading /proc/net/tcp fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
Enumerates running processes
Discovers information about currently running processes on the system
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118

description ioc process

File opened for reading /proc/net/tcp fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/tcp	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/tcp	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118

Reads runtime system information 35 IoCs

Reads data from /proc virtual filesystem.

Processes:

fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118

description	ioc	process
File opened for reading	/proc/684/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/337/fd	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/514/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/751/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/818/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/472/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/705/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/383/fd	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/384/fd	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/706/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/779/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/164/fd	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/331/fd	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/335/fd	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/1/fd	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/143/fd	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/700/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/724/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/242/fd	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/699/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/708/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/750/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/787/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/332/fd	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/338/fd	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/485/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/395/fd	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/711/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/703/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/714/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/721/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/775/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/800/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/402/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
File opened for reading	/proc/513/exe	fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118

/tmp/fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
/tmp/fb6dc629f3cea2f4968bf1dfb286276a_JaffaCakes118
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:707

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Connections Discovery

T1049

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/707-1-0x00400000-0x00455a28-memory.dmp

Download