mirai | 54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c

General

Target

54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf
Size

274KB
MD5

28df757f694fefc6d25939e65348753b
SHA1

aa82f4a94ad10b29ac8540a4984032b686fe1632
SHA256

54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c
SHA512

fdd557b487f2730ac79dd2299bd203493fa40437c3da7b6cf0b6c8eb05535eee78fd5f124549feb65d2b5731bb42cbab2610c7ea879c006510aa8e3422c8ace8
SSDEEP

6144:Qt0eKnj/dQW/n3gGgzVHJl/44wrm9NrOIiMf4J+wvWMUxc:QtvUai3SrXdOIFgvuMR

Score

10^/10

mirai botnet infostealer persistence

Malware Config

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Modifies Watchdog functionality 1 TTPs 1 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf

description ioc process

File opened for modification /dev/watchdog 54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf

description	ioc	process
File opened for modification	/dev/watchdog	54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf

Reads EFI boot settings 3 IoCs

Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

infostealer

Processes:

systemctlsystemctlsystemctl

description	ioc	process
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl

Unexpected DNS network traffic destination 11 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	192.3.165.37
Destination IP	54.36.111.116
Destination IP	1.0.0.1
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	94.247.43.254
Destination IP	114.114.114.114
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	114.114.114.114
Destination IP	192.3.165.37

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.P6MHKf crontab
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf

description ioc process

File opened for modification /etc/init.d/dnsconfig 54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.P6MHKf	crontab

description	ioc	process
File opened for modification	/etc/init.d/dnsconfig	54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf

Modifies systemd 1 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf

description	ioc	process
File opened for modification	/etc/systemd/system/dnsconfigs.service	54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

Processes:

54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf

description	ioc	process
File opened for modification	/bin/watchdog	54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf
File opened for modification	/sbin/watchdog	54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf

Enumerates kernel/hardware configuration 1 TTPs 3 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

systemctlsystemctlsystemctl

description	ioc	process
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl

Reads runtime system information 23 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlcpmountsystemctlsystemctlmount54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf

description	ioc	process
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/self/exe	54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf
File opened for reading	/proc/1476/cmdline	54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf

description ioc process

File opened for modification /tmp/server_session.lock 54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf

description	ioc	process
File opened for modification	/tmp/server_session.lock	54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf

/tmp/54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf
/tmp/54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf
1⤵
- Modifies Watchdog functionality
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:1476

/bin/sh
sh -c "mount -o bind /tmp/nginx_server /proc/1476/ > /dev/null 2>&1"
2⤵
PID:1478

/usr/bin/mount
mount -o bind /tmp/nginx_server /proc/1476/
3⤵
- Reads runtime system information
PID:1479

/bin/cp
cp -f /tmp/54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf /var/tmp/nginx_kel
2⤵
- Reads runtime system information
PID:1477

/bin/sh
sh -c "mount -o bind /tmp/nginx_server /proc/1482/ > /dev/null 2>&1"
2⤵
PID:1483

/usr/bin/mount
mount -o bind /tmp/nginx_server /proc/1482/
3⤵
- Reads runtime system information
PID:1484

/bin/sh
sh -c "crontab /var/tmp/.recoverys"
2⤵
PID:1492

/usr/bin/crontab
crontab /var/tmp/.recoverys
3⤵
- Creates/modifies Cron job
PID:1495

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1493

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig
3⤵
PID:1494

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1497

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig
3⤵
PID:1498

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1499

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig
3⤵
PID:1500

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1501

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig
3⤵
PID:1502

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1504

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig
3⤵
PID:1506

/bin/sh
sh -c "systemctl daemon-reload > /dev/null 2>&1"
2⤵
PID:1505

/usr/bin/systemctl
systemctl daemon-reload
3⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1507

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1508

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig
3⤵
PID:1509

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1513

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig
3⤵
PID:1514

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1515

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig
3⤵
PID:1516

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1517

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig
3⤵
PID:1518

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1519

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs
3⤵
PID:1521

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1522

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs
3⤵
PID:1523

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1524

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs
3⤵
PID:1525

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1526

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs
3⤵
PID:1527

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1528

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs
3⤵
PID:1529

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1530

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs
3⤵
PID:1531

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1532

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs
3⤵
PID:1533

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1534

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs
3⤵
PID:1535

/bin/sh
sh -c "systemctl enable dnsconfigs.service > /dev/null 2>&1"
2⤵
PID:1562

/usr/bin/systemctl
systemctl enable dnsconfigs.service
3⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1563

/bin/sh
sh -c "systemctl start dnsconfigs.service > /dev/null 2>&1"
2⤵
PID:1632

/usr/bin/systemctl
systemctl start dnsconfigs.service
3⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1633

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Boot or Logon Autostart Execution

2

T1547

Hijack Execution Flow

1

T1574

Privilege Escalation

Scheduled Task/Job

1

T1053

Boot or Logon Autostart Execution

2

T1547

Hijack Execution Flow

1

T1574

Defense Evasion

Impair Defenses

1

T1562

Hijack Execution Flow

1

T1574

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/dnsconfig
Filesize
1KB

MD5
df56ea52b8cee93884f3872d25a85db0

SHA1
2fd0c7407ed67253a807d1d01c6ffd3467edaf8e

SHA256
a402d683e16519793b06f663163d750b4e82922cf3b18af5a655de41328b9bf5

SHA512
e390943755721ba7f0210439f0fc8e5e3daaf98ba1df923464aa547c5a7c6f941240658c8fa59270d6f73539fd8b0a04d7bdc9c407f13d9301588d5cf9aa68da

Download Submit
/etc/systemd/system/dnsconfigs.service
Filesize
174B

MD5
900f683b08977636b092fcbfa1ad8a42

SHA1
6d521f5c3e862f1106d9ac6a3a654e57e6814333

SHA256
71d21310d1c7dbb935f3b61311403b0ec0fa32dc73f91720365416a646c2dfb3

SHA512
50b5426500d8b5dccb7fd71fe9a448ae1c76770890ba86c37e7decbf2ca1f0e1cd20c50996260f37114ba2bdb16ae927e4afad241a51e3d22112ada8e25604b0

Download Submit
/tmp/server_session.lock
Filesize
5B

MD5
4a620052008b8d131feaf7c39a70cfab

SHA1
19342b2202266aeda37d494065fdb0ec4ccfce3f

SHA256
5a4492b5dad4e66cf7d3cd47da24ab98a0f21b83e202c1bed6350888779e8255

SHA512
4e805bf7fd5eddfc80efb0dab2fb3fdb0f54921749018d7fecb32004fd0088a344a8b9e7514264d6fdbbe7cda85be9ba607dbe626ccf2761d87035486ed716f7

Download Submit
/var/spool/cron/crontabs/tmp.P6MHKf
Filesize
230B

MD5
245dcd278b96af6ee3cf51b350f854e1

SHA1
e0933fa7d01274f484e5a6eb03935f0196fa4202

SHA256
79350d585e23c3acd65100b408ba549996076eab3eebaad87c81b9f4ef5d4198

SHA512
f81193d4db19a2774cc13c4e890ad7dd24d77b7b2efdabf269ec7dba7d39f85ed578f0c2dfd6ade553fd1a5de802ddbb008ffcd7364da49176db204582b7751b

Download Submit
/var/tmp/.recoverys
Filesize
37B

MD5
abe9a0e06459d029e0f5183965dbbf3b

SHA1
7e79e16ea12fed960bcee8eb5a9c6384fa61a2d1

SHA256
b2cfe7490d6dd2f81ede3ed9db30c78637f4a1e98ed746eaa00998e95d3de384

SHA512
955aece23c24e5b1ce32a90fa014a8a6fac39b68707a13f56cd1bfb07c79dfc59806942732990aaf925db5724f381827e2c35eba21fe95ce9a760760527048cd

Download Submit
/var/tmp/nginx_kel
Filesize
274KB

MD5
28df757f694fefc6d25939e65348753b

SHA1
aa82f4a94ad10b29ac8540a4984032b686fe1632

SHA256
54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c

SHA512
fdd557b487f2730ac79dd2299bd203493fa40437c3da7b6cf0b6c8eb05535eee78fd5f124549feb65d2b5731bb42cbab2610c7ea879c006510aa8e3422c8ace8

Download Submit
memory/1476-1-0x0000000008048000-0x00000000080dd670-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads