mirai | 5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1

General

Target

5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf
Size

244KB
MD5

cef396530992f79dea5d6d8209fc8ee7
SHA1

cdaa0b93d9299a00b90edb4b617a9f89c3aa322f
SHA256

5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1
SHA512

8c7ffcd35b5db373bae1ce7621c97508082aeea2ed1061a167c509d4ca13f1c9e8a30d630e550ffa48ae82c1d0742af62243cd0e93d413f21b69dffd1558fafd
SSDEEP

6144:cvZy8EpPYGg9XlNAI61A6OMLf+ZBse1kZcR6:Brg9Xlh6S+8se1x6

Score

10^/10

mirai lzrd botnet persistence

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Modifies Watchdog functionality 1 TTPs 1 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf

description ioc process

File opened for modification /dev/watchdog 5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf

description	ioc	process
File opened for modification	/dev/watchdog	5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf

Unexpected DNS network traffic destination 11 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	114.114.114.114
Destination IP	94.247.43.254
Destination IP	134.195.4.2
Destination IP	192.3.165.37
Destination IP	114.114.114.114
Destination IP	94.247.43.254
Destination IP	168.138.12.137
Destination IP	134.195.4.2
Destination IP	1.0.0.1
Destination IP	192.3.165.37
Destination IP	192.3.165.37

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.Jd023h crontab
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf

description ioc process

File opened for modification /etc/init.d/dnsconfig 5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.Jd023h	crontab

description	ioc	process
File opened for modification	/etc/init.d/dnsconfig	5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf

Modifies systemd 1 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf

description	ioc	process
File opened for modification	/etc/systemd/system/dnsconfigs.service	5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

Processes:

5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf

description	ioc	process
File opened for modification	/sbin/watchdog	5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf
File opened for modification	/bin/watchdog	5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf

Enumerates kernel/hardware configuration 1 TTPs 3 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

systemctlsystemctlsystemctl

description	ioc	process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 18 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsystemctlsystemctl5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elfcrontabmountcpmount

description	ioc	process
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/645/cmdline	5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/self/exe	5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mount

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf

description ioc process

File opened for modification /tmp/server_session.lock 5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf

description	ioc	process
File opened for modification	/tmp/server_session.lock	5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf

/tmp/5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf
/tmp/5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf
1⤵
- Modifies Watchdog functionality
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:645

/bin/sh
sh -c "mount -o bind /tmp/nginx_server /proc/645/ > /dev/null 2>&1"
2⤵
PID:648

/bin/mount
mount -o bind /tmp/nginx_server /proc/645/
3⤵
- Reads runtime system information
PID:650

/bin/cp
cp -f /tmp/5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf /var/tmp/nginx_kel
2⤵
- Reads runtime system information
PID:646

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:658

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig
3⤵
PID:663

/bin/sh
sh -c "crontab /var/tmp/.recoverys"
2⤵
PID:657

/usr/bin/crontab
crontab /var/tmp/.recoverys
3⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:662

/bin/sh
sh -c "mount -o bind /tmp/nginx_server /proc/656/ > /dev/null 2>&1"
2⤵
PID:659

/bin/mount
mount -o bind /tmp/nginx_server /proc/656/
3⤵
- Reads runtime system information
PID:661

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:665

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig
3⤵
PID:670

/bin/sh
sh -c "systemctl daemon-reload > /dev/null 2>&1"
2⤵
PID:672

/bin/systemctl
systemctl daemon-reload
3⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:676

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:674

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig
3⤵
PID:678

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:680

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig
3⤵
PID:682

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:684

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig
3⤵
PID:695

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:700

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig
3⤵
PID:702

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:704

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig
3⤵
PID:706

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:708

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig
3⤵
PID:710

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:711

/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig
3⤵
PID:712

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:713

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs
3⤵
PID:715

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:717

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs
3⤵
PID:718

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:719

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs
3⤵
PID:720

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:722

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs
3⤵
PID:723

/bin/sh
sh -c "systemctl enable dnsconfigs.service > /dev/null 2>&1"
2⤵
PID:724

/bin/systemctl
systemctl enable dnsconfigs.service
3⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:727

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:726

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs
3⤵
PID:728

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:730

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs
3⤵
PID:731

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:732

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs
3⤵
PID:733

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:734

/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs
3⤵
PID:738

/bin/sh
sh -c "systemctl start dnsconfigs.service > /dev/null 2>&1"
2⤵
PID:750

/bin/systemctl
systemctl start dnsconfigs.service
3⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:751

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Boot or Logon Autostart Execution

2

T1547

Hijack Execution Flow

1

T1574

Privilege Escalation

Scheduled Task/Job

1

T1053

Boot or Logon Autostart Execution

2

T1547

Hijack Execution Flow

1

T1574

Defense Evasion

Impair Defenses

1

T1562

Hijack Execution Flow

1

T1574

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/dnsconfig
Filesize
1KB

MD5
df56ea52b8cee93884f3872d25a85db0

SHA1
2fd0c7407ed67253a807d1d01c6ffd3467edaf8e

SHA256
a402d683e16519793b06f663163d750b4e82922cf3b18af5a655de41328b9bf5

SHA512
e390943755721ba7f0210439f0fc8e5e3daaf98ba1df923464aa547c5a7c6f941240658c8fa59270d6f73539fd8b0a04d7bdc9c407f13d9301588d5cf9aa68da

Download Submit
/etc/systemd/system/dnsconfigs.service
Filesize
174B

MD5
900f683b08977636b092fcbfa1ad8a42

SHA1
6d521f5c3e862f1106d9ac6a3a654e57e6814333

SHA256
71d21310d1c7dbb935f3b61311403b0ec0fa32dc73f91720365416a646c2dfb3

SHA512
50b5426500d8b5dccb7fd71fe9a448ae1c76770890ba86c37e7decbf2ca1f0e1cd20c50996260f37114ba2bdb16ae927e4afad241a51e3d22112ada8e25604b0

Download Submit
/tmp/server_session.lock
Filesize
4B

MD5
5667191a54223947887d18fbde93121d

SHA1
16f444f9af949cee6c6068791694c78aa5910114

SHA256
486f5cf7422c96178e696b37354258fe81c16d92e881e8c80f89e31a8d69b362

SHA512
e82e6ea2f7b7ce0e211a5d3f71ff3640d2169da588f4506e99433aedb3d6435890d1dcea3124e9d4a25ee50557f99dba8c6a3193406666da4e08ab5246d61364

Download Submit
/var/spool/cron/crontabs/tmp.Jd023h
Filesize
230B

MD5
cafbe07612771765af8b2c0054eb5968

SHA1
7c1e2576fb6d538ec8aa0ee66dc6d7d0275c0c19

SHA256
702333b78d27130469b62666ef2a3b29b6f9a741ff9b6f4018bc5d0fd6cfe56b

SHA512
e134257c16ddad641982550eac997cba133a9be94609903cb424ad81a65e1a684be2971310b0e6023b24decb27822e91a4fd4f06a3305432b955548be7cefee9

Download Submit
/var/tmp/.recoverys
Filesize
37B

MD5
abe9a0e06459d029e0f5183965dbbf3b

SHA1
7e79e16ea12fed960bcee8eb5a9c6384fa61a2d1

SHA256
b2cfe7490d6dd2f81ede3ed9db30c78637f4a1e98ed746eaa00998e95d3de384

SHA512
955aece23c24e5b1ce32a90fa014a8a6fac39b68707a13f56cd1bfb07c79dfc59806942732990aaf925db5724f381827e2c35eba21fe95ce9a760760527048cd

Download Submit
/var/tmp/nginx_kel
Filesize
244KB

MD5
cef396530992f79dea5d6d8209fc8ee7

SHA1
cdaa0b93d9299a00b90edb4b617a9f89c3aa322f

SHA256
5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1

SHA512
8c7ffcd35b5db373bae1ce7621c97508082aeea2ed1061a167c509d4ca13f1c9e8a30d630e550ffa48ae82c1d0742af62243cd0e93d413f21b69dffd1558fafd

Download Submit
memory/645-1-0x00008000-0x0008add4-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads