mirai | ed6964fb655c02b74298d9b1a979921abb3dfd42565084053593123af9259f79

General

Target

7cabc7d9ac4490fb547415bdf7269c33.elf
Size

590KB
MD5

7cabc7d9ac4490fb547415bdf7269c33
SHA1

ac72e44f7e7a30727d356b3c5e00317d09ad94e9
SHA256

ed6964fb655c02b74298d9b1a979921abb3dfd42565084053593123af9259f79
SHA512

4e5b86721e06d57e465c2b5353c9427c600f4896b1b073ab889f1f5c36574ed3326c7d2038585106fd4226db33e5f7d252c921a7e5646d70a1e30d5bec0e56e5
SSDEEP

6144:PnRWqReH3BRzqfMC5fuUQh8+Qk8jVJntQf2Avz156Vmw3lgUekJGmOa2j1DluC9s:5UJz9emvo70Tlu0qXK0

Score

10^/10

mirai botnet persistence

Malware Config

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Modifies Watchdog functionality 1 TTPs 1 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

7cabc7d9ac4490fb547415bdf7269c33.elf

description ioc process

File opened for modification /dev/watchdog 7cabc7d9ac4490fb547415bdf7269c33.elf

description	ioc	process
File opened for modification	/dev/watchdog	7cabc7d9ac4490fb547415bdf7269c33.elf

Unexpected DNS network traffic destination 11 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	54.36.111.116
Destination IP	1.0.0.1
Destination IP	192.3.165.37
Destination IP	114.114.114.114
Destination IP	1.0.0.1
Destination IP	114.114.114.114
Destination IP	134.195.4.2
Destination IP	1.0.0.1
Destination IP	168.138.12.137
Destination IP	192.3.165.37
Destination IP	94.247.43.254

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.pHhP7w crontab
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

7cabc7d9ac4490fb547415bdf7269c33.elf

description ioc process

File opened for modification /etc/init.d/dnsconfig 7cabc7d9ac4490fb547415bdf7269c33.elf
Modifies systemd 1 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

7cabc7d9ac4490fb547415bdf7269c33.elf

description ioc process

File opened for modification /etc/systemd/system/dnsconfigs.service 7cabc7d9ac4490fb547415bdf7269c33.elf

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.pHhP7w	crontab

description	ioc	process
File opened for modification	/etc/init.d/dnsconfig	7cabc7d9ac4490fb547415bdf7269c33.elf

description	ioc	process
File opened for modification	/etc/systemd/system/dnsconfigs.service	7cabc7d9ac4490fb547415bdf7269c33.elf

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

Processes:

7cabc7d9ac4490fb547415bdf7269c33.elf

description	ioc	process
File opened for modification	/sbin/watchdog	7cabc7d9ac4490fb547415bdf7269c33.elf
File opened for modification	/bin/watchdog	7cabc7d9ac4490fb547415bdf7269c33.elf

Enumerates kernel/hardware configuration 1 TTPs 3 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

systemctlsystemctlsystemctl

description	ioc	process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 17 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsystemctlmount7cabc7d9ac4490fb547415bdf7269c33.elfmountsystemctlcpcrontab

description	ioc	process
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/712/cmdline	7cabc7d9ac4490fb547415bdf7269c33.elf
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/self/stat	systemctl

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

Processes:

7cabc7d9ac4490fb547415bdf7269c33.elf

description	ioc	process
File opened for modification	/tmp/139.199.214.202	7cabc7d9ac4490fb547415bdf7269c33.elf
File opened for modification	/tmp/114.118.7.163	7cabc7d9ac4490fb547415bdf7269c33.elf
File opened for modification	/tmp/129.6.15.28	7cabc7d9ac4490fb547415bdf7269c33.elf
File opened for modification	/tmp/110.75.0.81	7cabc7d9ac4490fb547415bdf7269c33.elf
File opened for modification	/tmp/119.29.0.254	7cabc7d9ac4490fb547415bdf7269c33.elf
File opened for modification	/tmp/132.163.96.12	7cabc7d9ac4490fb547415bdf7269c33.elf
File opened for modification	/tmp/131.188.3.221	7cabc7d9ac4490fb547415bdf7269c33.elf
File opened for modification	/tmp/114.118.7.161	7cabc7d9ac4490fb547415bdf7269c33.elf
File opened for modification	/tmp/202.112.29.82	7cabc7d9ac4490fb547415bdf7269c33.elf
File opened for modification	/tmp/182.92.12.11	7cabc7d9ac4490fb547415bdf7269c33.elf
File opened for modification	/tmp/132.163.97.1	7cabc7d9ac4490fb547415bdf7269c33.elf
File opened for modification	/tmp/��TX��J��V '=<�عŃ�-6��6Ad3�̓��$�>�}/�ccu��az��ea$3�_nЅceU=��W^W�5�Op��w⦉��r�X�6��50��OH:yz� ��$�a��K��jڷ`��hOB��9M��V��cr�� mp��4�(4/a�r��酃��O2��;Lo�s;��.� Ŏ��}��J&��kB8a(\��	7cabc7d9ac4490fb547415bdf7269c33.elf
File opened for modification	/tmp/server_session.lock	7cabc7d9ac4490fb547415bdf7269c33.elf

/tmp/7cabc7d9ac4490fb547415bdf7269c33.elf
/tmp/7cabc7d9ac4490fb547415bdf7269c33.elf
1⤵
- Modifies Watchdog functionality
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:712

/bin/sh
sh -c "mount -o bind /tmp/nginx_server /proc/712/ > /dev/null 2>&1"
2⤵
PID:714

/bin/mount
mount -o bind /tmp/nginx_server /proc/712/
3⤵
- Reads runtime system information
PID:715

/bin/cp
cp -f /tmp/7cabc7d9ac4490fb547415bdf7269c33.elf /var/tmp/nginx_kel
2⤵
- Reads runtime system information
PID:713

/bin/sh
sh -c "crontab /var/tmp/.recoverys"
2⤵
PID:720

/usr/bin/crontab
crontab /var/tmp/.recoverys
3⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:726

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:721

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig
3⤵
PID:727

/bin/sh
sh -c "mount -o bind /tmp/nginx_server /proc/722/ > /dev/null 2>&1"
2⤵
PID:723

/bin/mount
mount -o bind /tmp/nginx_server /proc/722/
3⤵
- Reads runtime system information
PID:728

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:730

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig
3⤵
PID:732

/bin/sh
sh -c "systemctl daemon-reload > /dev/null 2>&1"
2⤵
PID:736

/bin/systemctl
systemctl daemon-reload
3⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:739

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:738

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig
3⤵
PID:740

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:742

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig
3⤵
PID:744

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:746

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig
3⤵
PID:755

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:761

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig
3⤵
PID:762

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:764

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig
3⤵
PID:766

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:769

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig
3⤵
PID:771

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:772

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig
3⤵
PID:774

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:776

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs
3⤵
PID:777

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:779

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs
3⤵
PID:780

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:781

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs
3⤵
PID:782

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:783

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs
3⤵
PID:786

/bin/sh
sh -c "systemctl enable dnsconfigs.service > /dev/null 2>&1"
2⤵
PID:784

/bin/systemctl
systemctl enable dnsconfigs.service
3⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:787

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:788

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs
3⤵
PID:790

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:791

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs
3⤵
PID:792

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:793

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs
3⤵
PID:794

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:806

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs
3⤵
PID:808

/bin/sh
sh -c "systemctl start dnsconfigs.service > /dev/null 2>&1"
2⤵
PID:814

/bin/systemctl
systemctl start dnsconfigs.service
3⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:815

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Boot or Logon Autostart Execution

2

T1547

Hijack Execution Flow

1

T1574

Privilege Escalation

Scheduled Task/Job

1

T1053

Boot or Logon Autostart Execution

2

T1547

Hijack Execution Flow

1

T1574

Defense Evasion

Impair Defenses

1

T1562

Hijack Execution Flow

1

T1574

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/dnsconfig
Filesize
1KB

MD5
df56ea52b8cee93884f3872d25a85db0

SHA1
2fd0c7407ed67253a807d1d01c6ffd3467edaf8e

SHA256
a402d683e16519793b06f663163d750b4e82922cf3b18af5a655de41328b9bf5

SHA512
e390943755721ba7f0210439f0fc8e5e3daaf98ba1df923464aa547c5a7c6f941240658c8fa59270d6f73539fd8b0a04d7bdc9c407f13d9301588d5cf9aa68da

Download Submit
/etc/systemd/system/dnsconfigs.service
Filesize
174B

MD5
900f683b08977636b092fcbfa1ad8a42

SHA1
6d521f5c3e862f1106d9ac6a3a654e57e6814333

SHA256
71d21310d1c7dbb935f3b61311403b0ec0fa32dc73f91720365416a646c2dfb3

SHA512
50b5426500d8b5dccb7fd71fe9a448ae1c76770890ba86c37e7decbf2ca1f0e1cd20c50996260f37114ba2bdb16ae927e4afad241a51e3d22112ada8e25604b0

Download Submit
/tmp/server_session.lock
Filesize
4B

MD5
2478f20c456da0cfb55d38fe1989b203

SHA1
427174f6577a2ef4b540be792e9af99aeec07863

SHA256
7830562f506f5e20da1c22e36655349fcb46ecf0bfffbd20c486103cea53512f

SHA512
d9ed43ba53bb91197c883cdb6c088f86add50d3191b15fd9a0b9b1ad1767d533cece421a6b603dfb6263808082824f926326f1b22de463b1a7231ebcb86e67ea

Download Submit
/var/spool/cron/crontabs/tmp.pHhP7w
Filesize
230B

MD5
bdb852c8e70df6cb456b00a3550bc5fa

SHA1
325f70bb55e376ead783fc23e5fada8ddbe6f4b9

SHA256
8171882c8f4e976f4111a1536d274c08e97e565e6e5cfe4a7e6011ca36c4f231

SHA512
edee2eeac26ee84d4e73b924eb165e2f16befeae34a5e53fc3aac66b434b3fded3887fc61561f7042f036971b710cbfb40949da8972a7ee3c47c1baa58e0e9a7

Download Submit
/var/tmp/.recoverys
Filesize
37B

MD5
abe9a0e06459d029e0f5183965dbbf3b

SHA1
7e79e16ea12fed960bcee8eb5a9c6384fa61a2d1

SHA256
b2cfe7490d6dd2f81ede3ed9db30c78637f4a1e98ed746eaa00998e95d3de384

SHA512
955aece23c24e5b1ce32a90fa014a8a6fac39b68707a13f56cd1bfb07c79dfc59806942732990aaf925db5724f381827e2c35eba21fe95ce9a760760527048cd

Download Submit
/var/tmp/nginx_kel
Filesize
590KB

MD5
7cabc7d9ac4490fb547415bdf7269c33

SHA1
ac72e44f7e7a30727d356b3c5e00317d09ad94e9

SHA256
ed6964fb655c02b74298d9b1a979921abb3dfd42565084053593123af9259f79

SHA512
4e5b86721e06d57e465c2b5353c9427c600f4896b1b073ab889f1f5c36574ed3326c7d2038585106fd4226db33e5f7d252c921a7e5646d70a1e30d5bec0e56e5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads