mirai | 4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28

General

Target

SecuriteInfo.com.Other.Malware-gen.31307.16494.elf
Size

274KB
MD5

6cef4e41b58be6fb4e2dd50c783c0c87
SHA1

fd5ded3422f64c3930e6541bd54dfb1083916f66
SHA256

4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28
SHA512

fbdd467bbf0a3b3cec9564075bfd5d977900acb502d1c15bfb9ba6920bea3cda92c62f15cf50c7335ffb43d6046581c0020a90cec3b6227b61a6b93135e5fe42
SSDEEP

6144:Uxc6tV4HX2TmFGR+WgB+Pjq32p5PPyMwsUpE9BNKaOA5IsY/Vi5iaL:KUtm+5QPjq3SIpLaOAGNK

Score

10^/10

mirai lzrd botnet infostealer persistence

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Modifies Watchdog functionality 1 TTPs 1 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

SecuriteInfo.com.Other.Malware-gen.31307.16494.elf

description ioc process

File opened for modification /dev/watchdog SecuriteInfo.com.Other.Malware-gen.31307.16494.elf

description	ioc	process
File opened for modification	/dev/watchdog	SecuriteInfo.com.Other.Malware-gen.31307.16494.elf

Reads EFI boot settings 3 IoCs

Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

infostealer

Processes:

systemctlsystemctlsystemctl

description	ioc	process
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	1.0.0.1
Destination IP	134.195.4.2
Destination IP	54.36.111.116
Destination IP	192.3.165.37
Destination IP	168.138.12.137
Destination IP	192.3.165.37
Destination IP	114.114.114.114
Destination IP	54.36.111.116
Destination IP	1.0.0.1

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.oWdhGj crontab
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

SecuriteInfo.com.Other.Malware-gen.31307.16494.elf

description ioc process

File opened for modification /etc/init.d/dnsconfig SecuriteInfo.com.Other.Malware-gen.31307.16494.elf
Modifies systemd 1 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

SecuriteInfo.com.Other.Malware-gen.31307.16494.elf

description ioc process

File opened for modification /etc/systemd/system/dnsconfigs.service SecuriteInfo.com.Other.Malware-gen.31307.16494.elf

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.oWdhGj	crontab

description	ioc	process
File opened for modification	/etc/init.d/dnsconfig	SecuriteInfo.com.Other.Malware-gen.31307.16494.elf

description	ioc	process
File opened for modification	/etc/systemd/system/dnsconfigs.service	SecuriteInfo.com.Other.Malware-gen.31307.16494.elf

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

Processes:

SecuriteInfo.com.Other.Malware-gen.31307.16494.elf

description	ioc	process
File opened for modification	/sbin/watchdog	SecuriteInfo.com.Other.Malware-gen.31307.16494.elf
File opened for modification	/bin/watchdog	SecuriteInfo.com.Other.Malware-gen.31307.16494.elf

Enumerates kernel/hardware configuration 1 TTPs 3 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

systemctlsystemctlsystemctl

description	ioc	process
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl

Reads runtime system information 23 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsystemctlsystemctlmountmountSecuriteInfo.com.Other.Malware-gen.31307.16494.elfcp

description	ioc	process
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1483/cmdline	SecuriteInfo.com.Other.Malware-gen.31307.16494.elf
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/self/exe	SecuriteInfo.com.Other.Malware-gen.31307.16494.elf
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/self/stat	systemctl

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

SecuriteInfo.com.Other.Malware-gen.31307.16494.elf

description ioc process

File opened for modification /tmp/server_session.lock SecuriteInfo.com.Other.Malware-gen.31307.16494.elf

description	ioc	process
File opened for modification	/tmp/server_session.lock	SecuriteInfo.com.Other.Malware-gen.31307.16494.elf

/tmp/SecuriteInfo.com.Other.Malware-gen.31307.16494.elf
/tmp/SecuriteInfo.com.Other.Malware-gen.31307.16494.elf
1⤵
- Modifies Watchdog functionality
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:1483

/bin/sh
sh -c "mount -o bind /tmp/nginx_server /proc/1483/ > /dev/null 2>&1"
2⤵
PID:1491

/usr/bin/mount
mount -o bind /tmp/nginx_server /proc/1483/
3⤵
- Reads runtime system information
PID:1492

/bin/cp
cp -f /tmp/SecuriteInfo.com.Other.Malware-gen.31307.16494.elf /var/tmp/nginx_kel
2⤵
- Reads runtime system information
PID:1490

/bin/sh
sh -c "mount -o bind /tmp/nginx_server /proc/1495/ > /dev/null 2>&1"
2⤵
PID:1496

/usr/bin/mount
mount -o bind /tmp/nginx_server /proc/1495/
3⤵
- Reads runtime system information
PID:1497

/bin/sh
sh -c "crontab /var/tmp/.recoverys"
2⤵
PID:1507

/usr/bin/crontab
crontab /var/tmp/.recoverys
3⤵
- Creates/modifies Cron job
PID:1509

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1508

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig
3⤵
PID:1510

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1514

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig
3⤵
PID:1517

/bin/sh
sh -c "systemctl daemon-reload > /dev/null 2>&1"
2⤵
PID:1515

/usr/bin/systemctl
systemctl daemon-reload
3⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1518

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1519

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig
3⤵
PID:1520

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1521

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig
3⤵
PID:1522

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1523

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig
3⤵
PID:1524

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1525

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig
3⤵
PID:1526

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1527

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig
3⤵
PID:1528

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1529

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig
3⤵
PID:1530

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1539

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig
3⤵
PID:1551

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1553

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs
3⤵
PID:1554

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1555

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs
3⤵
PID:1556

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1557

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs
3⤵
PID:1558

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1559

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs
3⤵
PID:1560

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1561

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs
3⤵
PID:1562

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1563

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs
3⤵
PID:1564

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1565

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs
3⤵
PID:1566

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1567

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs
3⤵
PID:1568

/bin/sh
sh -c "systemctl enable dnsconfigs.service > /dev/null 2>&1"
2⤵
PID:1579

/usr/bin/systemctl
systemctl enable dnsconfigs.service
3⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1580

/bin/sh
sh -c "systemctl start dnsconfigs.service > /dev/null 2>&1"
2⤵
PID:1622

/usr/bin/systemctl
systemctl start dnsconfigs.service
3⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1623

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

Impair Defenses

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/dnsconfig

Filesize
1KB

MD5
df56ea52b8cee93884f3872d25a85db0

SHA1
2fd0c7407ed67253a807d1d01c6ffd3467edaf8e

SHA256
a402d683e16519793b06f663163d750b4e82922cf3b18af5a655de41328b9bf5

SHA512
e390943755721ba7f0210439f0fc8e5e3daaf98ba1df923464aa547c5a7c6f941240658c8fa59270d6f73539fd8b0a04d7bdc9c407f13d9301588d5cf9aa68da

Download Submit
/etc/systemd/system/dnsconfigs.service

Filesize
174B

MD5
900f683b08977636b092fcbfa1ad8a42

SHA1
6d521f5c3e862f1106d9ac6a3a654e57e6814333

SHA256
71d21310d1c7dbb935f3b61311403b0ec0fa32dc73f91720365416a646c2dfb3

SHA512
50b5426500d8b5dccb7fd71fe9a448ae1c76770890ba86c37e7decbf2ca1f0e1cd20c50996260f37114ba2bdb16ae927e4afad241a51e3d22112ada8e25604b0

Download Submit
/tmp/server_session.lock

Filesize
5B

MD5
191ab157c005c01a92b1e37abff122d4

SHA1
e8a7d68450e96f5d9d82e9e82e1d954f037e5e5a

SHA256
04322c6136b82f110cc612c340a511cafa29e73c2a5b65a64b54066f006c06f6

SHA512
3a356521cfb9e380a7337c5b2ce42b10f4fd3137991f8a24b81dd7613d65c38967a2600c260a599dc2229a13d88870a08067ed19f15c0b5691c2090c737760fe

Download Submit
/var/spool/cron/crontabs/tmp.oWdhGj

Filesize
230B

MD5
f8948bb077b9a222c987faecd5dd0262

SHA1
1f0614a10ce6e3f048353fc7f7d138c7ffa87028

SHA256
b23816d87dd985fbc95ce9d1e1b73bc99e591009390a235666fc4748197ba4c3

SHA512
4e4c2d3566aa9e82cc11f071b34d45d5b322573517c683b0ef839fcf487c30baa6ff6121182d48f9b2b82578a63a054c69e27b2c63f096dd03d1ec5c832488cb

Download Submit
/var/tmp/.recoverys

Filesize
37B

MD5
abe9a0e06459d029e0f5183965dbbf3b

SHA1
7e79e16ea12fed960bcee8eb5a9c6384fa61a2d1

SHA256
b2cfe7490d6dd2f81ede3ed9db30c78637f4a1e98ed746eaa00998e95d3de384

SHA512
955aece23c24e5b1ce32a90fa014a8a6fac39b68707a13f56cd1bfb07c79dfc59806942732990aaf925db5724f381827e2c35eba21fe95ce9a760760527048cd

Download Submit
/var/tmp/nginx_kel

Filesize
274KB

MD5
6cef4e41b58be6fb4e2dd50c783c0c87

SHA1
fd5ded3422f64c3930e6541bd54dfb1083916f66

SHA256
4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28

SHA512
fbdd467bbf0a3b3cec9564075bfd5d977900acb502d1c15bfb9ba6920bea3cda92c62f15cf50c7335ffb43d6046581c0020a90cec3b6227b61a6b93135e5fe42

Download Submit
memory/1483-1-0x0000000000400000-0x00000000006a6bf8-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads