mirai | 94f559b08a30ec35a058b6c39eb667e7df454a5a874c37ae13c43f454211e5df

General

Target

4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf
Size

274KB
MD5

6cef4e41b58be6fb4e2dd50c783c0c87
SHA1

fd5ded3422f64c3930e6541bd54dfb1083916f66
SHA256

4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28
SHA512

fbdd467bbf0a3b3cec9564075bfd5d977900acb502d1c15bfb9ba6920bea3cda92c62f15cf50c7335ffb43d6046581c0020a90cec3b6227b61a6b93135e5fe42
SSDEEP

6144:Uxc6tV4HX2TmFGR+WgB+Pjq32p5PPyMwsUpE9BNKaOA5IsY/Vi5iaL:KUtm+5QPjq3SIpLaOAGNK

Score

10^/10

mirai lzrd botnet infostealer persistence

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Modifies Watchdog functionality 1 TTPs 1 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

description ioc process

File opened for modification /dev/watchdog 4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

description	ioc	process
File opened for modification	/dev/watchdog	4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

Reads EFI boot settings 3 IoCs

Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

infostealer

Processes:

systemctlsystemctlsystemctl

description	ioc	process
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl

Unexpected DNS network traffic destination 13 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	94.247.43.254
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	114.114.114.114
Destination IP	1.0.0.1
Destination IP	54.36.111.116
Destination IP	1.0.0.1
Destination IP	94.247.43.254
Destination IP	134.195.4.2
Destination IP	134.195.4.2
Destination IP	192.3.165.37
Destination IP	192.3.165.37
Destination IP	1.0.0.1

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.svxNiw crontab
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

description ioc process

File opened for modification /etc/init.d/dnsconfig 4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.svxNiw	crontab

description	ioc	process
File opened for modification	/etc/init.d/dnsconfig	4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

Modifies systemd 1 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

description	ioc	process
File opened for modification	/etc/systemd/system/dnsconfigs.service	4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

Processes:

4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

description	ioc	process
File opened for modification	/sbin/watchdog	4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf
File opened for modification	/bin/watchdog	4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

Enumerates kernel/hardware configuration 1 TTPs 3 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

systemctlsystemctlsystemctl

description	ioc	process
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl

Reads runtime system information 23 IoCs

Reads data from /proc virtual filesystem.

Processes:

4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elfcpsystemctlsystemctlsystemctlmountmount

description	ioc	process
File opened for reading	/proc/1478/cmdline	4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/self/exe	4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

description ioc process

File opened for modification /tmp/server_session.lock 4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

description	ioc	process
File opened for modification	/tmp/server_session.lock	4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf

/tmp/4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf
/tmp/4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf
1⤵
- Modifies Watchdog functionality
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:1478

/bin/sh
sh -c "mount -o bind /tmp/nginx_server /proc/1478/ > /dev/null 2>&1"
2⤵
PID:1480

/usr/bin/mount
mount -o bind /tmp/nginx_server /proc/1478/
3⤵
- Reads runtime system information
PID:1481

/bin/cp
cp -f /tmp/4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28.elf /var/tmp/nginx_kel
2⤵
- Reads runtime system information
PID:1479

/bin/sh
sh -c "mount -o bind /tmp/nginx_server /proc/1484/ > /dev/null 2>&1"
2⤵
PID:1486

/usr/bin/mount
mount -o bind /tmp/nginx_server /proc/1484/
3⤵
- Reads runtime system information
PID:1487

/bin/sh
sh -c "crontab /var/tmp/.recoverys"
2⤵
PID:1495

/usr/bin/crontab
crontab /var/tmp/.recoverys
3⤵
- Creates/modifies Cron job
PID:1499

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1497

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig
3⤵
PID:1498

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1500

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig
3⤵
PID:1502

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1503

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig
3⤵
PID:1505

/bin/sh
sh -c "systemctl daemon-reload > /dev/null 2>&1"
2⤵
PID:1504

/usr/bin/systemctl
systemctl daemon-reload
3⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1506

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1507

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig
3⤵
PID:1508

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1509

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig
3⤵
PID:1513

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1514

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig
3⤵
PID:1515

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1516

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig
3⤵
PID:1517

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1518

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig
3⤵
PID:1519

/bin/sh
sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig > /dev/null 2>&1"
2⤵
PID:1520

/usr/bin/ln
ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig
3⤵
PID:1521

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1522

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs
3⤵
PID:1523

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1524

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs
3⤵
PID:1525

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1526

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs
3⤵
PID:1527

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1528

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs
3⤵
PID:1545

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1548

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs
3⤵
PID:1551

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1553

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs
3⤵
PID:1554

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1555

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs
3⤵
PID:1556

/bin/sh
sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs > /dev/null 2>&1"
2⤵
PID:1557

/usr/bin/ln
ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs
3⤵
PID:1558

/bin/sh
sh -c "systemctl enable dnsconfigs.service > /dev/null 2>&1"
2⤵
PID:1580

/usr/bin/systemctl
systemctl enable dnsconfigs.service
3⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1581

/bin/sh
sh -c "systemctl start dnsconfigs.service > /dev/null 2>&1"
2⤵
PID:1634

/usr/bin/systemctl
systemctl start dnsconfigs.service
3⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1635

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

Impair Defenses

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/dnsconfig

Filesize
1KB

MD5
df56ea52b8cee93884f3872d25a85db0

SHA1
2fd0c7407ed67253a807d1d01c6ffd3467edaf8e

SHA256
a402d683e16519793b06f663163d750b4e82922cf3b18af5a655de41328b9bf5

SHA512
e390943755721ba7f0210439f0fc8e5e3daaf98ba1df923464aa547c5a7c6f941240658c8fa59270d6f73539fd8b0a04d7bdc9c407f13d9301588d5cf9aa68da

Download Submit
/etc/systemd/system/dnsconfigs.service

Filesize
174B

MD5
900f683b08977636b092fcbfa1ad8a42

SHA1
6d521f5c3e862f1106d9ac6a3a654e57e6814333

SHA256
71d21310d1c7dbb935f3b61311403b0ec0fa32dc73f91720365416a646c2dfb3

SHA512
50b5426500d8b5dccb7fd71fe9a448ae1c76770890ba86c37e7decbf2ca1f0e1cd20c50996260f37114ba2bdb16ae927e4afad241a51e3d22112ada8e25604b0

Download Submit
/tmp/server_session.lock

Filesize
5B

MD5
dfaee544019ebf0479ce873b07bc6083

SHA1
cc3d8277f42f93384fb7605e5bc61d8e43a717b1

SHA256
6460ce03aebe77acfac4cd0d22905c0ef89ac8540bb51480d968300ad6db6b75

SHA512
aa21fa1f78a590b35181654113016f63fc9e3ee683f9a0981d78728f7b5c1c486faf8c09f8b6735470da423b9509c6fc7275a2b15e262ec847e3716bb50c5e1d

Download Submit
/var/spool/cron/crontabs/tmp.svxNiw

Filesize
230B

MD5
d10dcfdae68e29f2e7beccef3b02e695

SHA1
c6efd055f2f7b12e7941e019cd77674ab45a0994

SHA256
52421b57cb82c43307ebb72896800f864f7c705ecc4efc50529c76c79fbaa64d

SHA512
4fe104196289107647f90fd25165dd2b160538a58adfad38910b77bee6f03bd1deff7f28ed6e6f23a0f5143beefe2213ee84bd1b021652563d1fa4a83af95384

Download Submit
/var/tmp/.recoverys

Filesize
37B

MD5
abe9a0e06459d029e0f5183965dbbf3b

SHA1
7e79e16ea12fed960bcee8eb5a9c6384fa61a2d1

SHA256
b2cfe7490d6dd2f81ede3ed9db30c78637f4a1e98ed746eaa00998e95d3de384

SHA512
955aece23c24e5b1ce32a90fa014a8a6fac39b68707a13f56cd1bfb07c79dfc59806942732990aaf925db5724f381827e2c35eba21fe95ce9a760760527048cd

Download Submit
/var/tmp/nginx_kel

Filesize
274KB

MD5
6cef4e41b58be6fb4e2dd50c783c0c87

SHA1
fd5ded3422f64c3930e6541bd54dfb1083916f66

SHA256
4730105d00af6296688da0b51f3b9be8ea81a4844a3a1d9996256fc218920f28

SHA512
fbdd467bbf0a3b3cec9564075bfd5d977900acb502d1c15bfb9ba6920bea3cda92c62f15cf50c7335ffb43d6046581c0020a90cec3b6227b61a6b93135e5fe42

Download Submit
memory/1478-1-0x0000000000400000-0x00000000006a6bf8-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads