mirai | 7cd4bfb3b0e27989012024605cc453dbc8a226b413d84e2560ae4af70d0dc238 | Triage

Submit
Reports

Overview

overview

Static

static

1476-1-0x0...ry.dmp

ubuntu-20.04-amd64

Sharing

General

Target

1476-1-0x0000000008048000-0x00000000080dd670-memory.dmp
Size

550KB
Sample

240425-rxqdfsbf93
MD5

568264350ee36fa052e450ea1abb363a
SHA1

085eb89757c72c855a31bb06ae64badf51a8cf54
SHA256

7cd4bfb3b0e27989012024605cc453dbc8a226b413d84e2560ae4af70d0dc238
SHA512

9788bbe3740f12ce75897b037e1a9032ec3d1bb3d66922804ce411a54ce77efc8ace343bae132bb10a5f36ec8c41402b6b440fcb7cfa170e7ce917f93c0931f6
SSDEEP

12288:c4gOtjAMa0XvCH43s7QcCGazY66yDZoJlu:c4v1XvCH43s7QcCGazM3

Score

10^/10

mirai botnet infostealer linux persistence

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1476-1-0x0000000008048000-0x00000000080dd670-memory.dmp

Resource

ubuntu2004-amd64-20240221-en

mirai botnet infostealer persistence

ubuntu-20.04-amd64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  1476-1-0x0000000008048000-0x00000000080dd670-memory.dmp
- Size
  
  550KB
- MD5
  
  568264350ee36fa052e450ea1abb363a
- SHA1
  
  085eb89757c72c855a31bb06ae64badf51a8cf54
- SHA256
  
  7cd4bfb3b0e27989012024605cc453dbc8a226b413d84e2560ae4af70d0dc238
- SHA512
  
  9788bbe3740f12ce75897b037e1a9032ec3d1bb3d66922804ce411a54ce77efc8ace343bae132bb10a5f36ec8c41402b6b440fcb7cfa170e7ce917f93c0931f6
- SSDEEP
  
  12288:c4gOtjAMa0XvCH43s7QcCGazY66yDZoJlu:c4v1XvCH43s7QcCGazM3
Score

10^/10

mirai botnet infostealer persistence
- Mirai
  Mirai is a prevalent Linux malware infecting exposed network devices.
  botnet mirai
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
- Reads EFI boot settings
  Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.
  infostealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Modifies systemd
  Adds/ modifies systemd service files. Likely to achieve persistence.
  persistence
- Writes file to system bin folder
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Boot or Logon Autostart Execution

Hijack Execution Flow

Privilege Escalation

Scheduled Task/Job

Boot or Logon Autostart Execution

Hijack Execution Flow

Defense Evasion

Impair Defenses

Hijack Execution Flow

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

miraibotnetinfostealerpersistence

© 2018-2024

Terms | Privacy