mirai | 4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28

General

Target

4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf
Size

274KB
MD5

6cef4e41b58be6fb4e2dd50c783c0c87
SHA1

fd5ded3422f64c3930e6541bd54dfb1083916f66
SHA256

4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28
SHA512

fbdd467bbf0a3b3cec9564075bfd5d977900acb502d1c15bfb9ba6920bea3cda92c62f15cf50c7335ffb43d6046581c0020a90cec3b6227b61a6b93135e5fe42
SSDEEP

6144:Uxc6tV4HX2TmFGR+WgB+Pjq32p5PPyMwsUpE9BNKaOA5IsY/Vi5iaL:KUtm+5QPjq3SIpLaOAGNK

Score

10^/10

mirai lzrd botnet infostealer persistence

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Modifies Watchdog functionality 1 TTPs 1 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

description ioc process

File opened for modification /dev/watchdog 4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

description	ioc	process
File opened for modification	/dev/watchdog	4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

Reads EFI boot settings 3 IoCs

Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

infostealer

Processes:

systemctlsystemctlsystemctl

description	ioc	process
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl

Unexpected DNS network traffic destination 12 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	54.36.111.116
Destination IP	94.247.43.254
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	94.247.43.254
Destination IP	1.0.0.1
Destination IP	168.138.12.137
Destination IP	134.195.4.2
Destination IP	114.114.114.114
Destination IP	192.3.165.37
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.Qs55aI crontab
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

description ioc process

File opened for modification /etc/init.d/dnsconfig 4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.Qs55aI	crontab

description	ioc	process
File opened for modification	/etc/init.d/dnsconfig	4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

Modifies systemd 1 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

description	ioc	process
File opened for modification	/etc/systemd/system/dnsconfigs.service	4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

Processes:

4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

description	ioc	process
File opened for modification	/sbin/watchdog	4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf
File opened for modification	/bin/watchdog	4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

Enumerates kernel/hardware configuration 1 TTPs 3 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

systemctlsystemctlsystemctl

description	ioc	process
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl

Reads runtime system information 23 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsystemctlsystemctl4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elfmountmountcp

description	ioc	process
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/1493/cmdline	4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/exe	4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/self/stat	systemctl

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

description ioc process

File opened for modification /tmp/server_session.lock 4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

description	ioc	process
File opened for modification	/tmp/server_session.lock	4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

/tmp/4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf
/tmp/4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf
1⤵
- Modifies Watchdog functionality
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:1493

/bin/cp
cp -f /tmp/4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf /var/tmp/nginx_kel
2⤵
- Reads runtime system information
PID:1495

/bin/sh
sh -c "mount -o bind /tmp/nginx_server /proc/1493/ > /dev/null 2>&1"
2⤵
PID:1496

/usr/bin/mount
mount -o bind /tmp/nginx_server /proc/1493/
3⤵
- Reads runtime system information
PID:1497

/bin/sh
sh -c "mount -o bind /tmp/nginx_server /proc/1500/ > /dev/null 2>&1"
2⤵
PID:1501

/usr/bin/mount
mount -o bind /tmp/nginx_server /proc/1500/
3⤵
- Reads runtime system information
PID:1502

/bin/sh
sh -c "crontab /var/tmp/.recoverys"
2⤵
PID:1510

/usr/bin/crontab
crontab /var/tmp/.recoverys
3⤵
- Creates/modifies Cron job
PID:1514

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1511

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig
3⤵
PID:1515

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1516

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig
3⤵
PID:1517

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1518

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig
3⤵
PID:1520

/bin/sh
sh -c "systemctl daemon-reload > /dev/null 2>&1"
2⤵
PID:1519

/usr/bin/systemctl
systemctl daemon-reload
3⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1521

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1522

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig
3⤵
PID:1526

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1527

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig
3⤵
PID:1528

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1529

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig
3⤵
PID:1530

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1531

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig
3⤵
PID:1532

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1533

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig
3⤵
PID:1534

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1535

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig
3⤵
PID:1536

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1537

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs
3⤵
PID:1538

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1539

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs
3⤵
PID:1541

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1542

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs
3⤵
PID:1543

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1550

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs
3⤵
PID:1551

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1552

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs
3⤵
PID:1553

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1554

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs
3⤵
PID:1555

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1556

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs
3⤵
PID:1557

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1558

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs
3⤵
PID:1559

/bin/sh
sh -c "systemctl enable dnsconfigs.service > /dev/null 2>&1"
2⤵
PID:1600

/usr/bin/systemctl
systemctl enable dnsconfigs.service
3⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1601

/bin/sh
sh -c "systemctl start dnsconfigs.service > /dev/null 2>&1"
2⤵
PID:1651

/usr/bin/systemctl
systemctl start dnsconfigs.service
3⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Boot or Logon Autostart Execution

2

T1547

Hijack Execution Flow

1

T1574

Privilege Escalation

Scheduled Task/Job

1

T1053

Boot or Logon Autostart Execution

2

T1547

Hijack Execution Flow

1

T1574

Defense Evasion

Impair Defenses

1

T1562

Hijack Execution Flow

1

T1574

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/dnsconfig
Filesize
1KB

MD5
df56ea52b8cee93884f3872d25a85db0

SHA1
2fd0c7407ed67253a807d1d01c6ffd3467edaf8e

SHA256
a402d683e16519793b06f663163d750b4e82922cf3b18af5a655de41328b9bf5

SHA512
e390943755721ba7f0210439f0fc8e5e3daaf98ba1df923464aa547c5a7c6f941240658c8fa59270d6f73539fd8b0a04d7bdc9c407f13d9301588d5cf9aa68da

Download Submit
/etc/systemd/system/dnsconfigs.service
Filesize
174B

MD5
900f683b08977636b092fcbfa1ad8a42

SHA1
6d521f5c3e862f1106d9ac6a3a654e57e6814333

SHA256
71d21310d1c7dbb935f3b61311403b0ec0fa32dc73f91720365416a646c2dfb3

SHA512
50b5426500d8b5dccb7fd71fe9a448ae1c76770890ba86c37e7decbf2ca1f0e1cd20c50996260f37114ba2bdb16ae927e4afad241a51e3d22112ada8e25604b0

Download Submit
/tmp/server_session.lock
Filesize
5B

MD5
ede743815c46e331e8a5f5bf434ef184

SHA1
1d97af1de76c458776466b2834f43200d182823d

SHA256
659ebd79973b79346dfcfdcb392bd25c2ee97a538e083b380838d84a3b6d48ff

SHA512
f0d10cc9ea8116c72064366d5d682b6905cba1ece66e2a911afa4a336c5d49fdf047d51cd4385e4b05a8cefda5e5654195bb190619fb78e06d029a2b873eb607

Download Submit
/var/spool/cron/crontabs/tmp.Qs55aI
Filesize
230B

MD5
802bd757ffa2058108bd31af584b9e70

SHA1
0966f02a186d85ea361779a043cf00f763467c03

SHA256
8c27dff93e30b953d1ea45ebb8d1eef83fba858ed26d70e923b57172df2ded46

SHA512
fe5c0d523787967b790abc1b92f6edecaaa0f1db296a6d08cfbfa4900b1b36fad44c979d36ae97ec65d0b79e4895116af7eff83a78f4cfafbc12c2f52c13d91a

Download Submit
/var/tmp/.recoverys
Filesize
37B

MD5
abe9a0e06459d029e0f5183965dbbf3b

SHA1
7e79e16ea12fed960bcee8eb5a9c6384fa61a2d1

SHA256
b2cfe7490d6dd2f81ede3ed9db30c78637f4a1e98ed746eaa00998e95d3de384

SHA512
955aece23c24e5b1ce32a90fa014a8a6fac39b68707a13f56cd1bfb07c79dfc59806942732990aaf925db5724f381827e2c35eba21fe95ce9a760760527048cd

Download Submit
/var/tmp/nginx_kel
Filesize
274KB

MD5
6cef4e41b58be6fb4e2dd50c783c0c87

SHA1
fd5ded3422f64c3930e6541bd54dfb1083916f66

SHA256
4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28

SHA512
fbdd467bbf0a3b3cec9564075bfd5d977900acb502d1c15bfb9ba6920bea3cda92c62f15cf50c7335ffb43d6046581c0020a90cec3b6227b61a6b93135e5fe42

Download Submit
memory/1493-1-0x0000000000400000-0x00000000006a6bf8-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads