mirai | 87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc

General

Target

87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
Size

28KB
MD5

5fcf827521ca236e06e8de70b29f294b
SHA1

323ee4bc5f95705700f6d942d017f230f59de0fd
SHA256

87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc
SHA512

04324901cb24d9d83db6eb7a3fda5f37266099c67e1be66afe816890462a2a67946976eb25259ffd890e851f4df4381c474220260da9b853173ce7bda58cafbf
SSDEEP

384:lZafyAaXspkybkZwe3WKU7vUMiFTygskWwdn5ojl/Yx00b1GPVRzqjXrPpxy0XRn:l+y1XsBbd8Xy3jgoA5kl/glw9RopnBW6

Score

10^/10

mirai lzrd botnet

Malware Config

Extracted

Family

mirai

Botnet

LZRD

C2

www.sushiking.world

s.sushiking.world

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf

description	ioc	process
File opened for modification	/dev/watchdog	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for modification	/dev/misc/watchdog	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf

Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf

description ioc process

File opened for reading /proc/net/tcp 87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
Enumerates running processes
Discovers information about currently running processes on the system
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf

description ioc process

File opened for reading /proc/net/tcp 87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf

description	ioc	process
File opened for reading	/proc/net/tcp	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf

description	ioc	process
File opened for reading	/proc/net/tcp	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf

Reads runtime system information 41 IoCs

Reads data from /proc virtual filesystem.

Processes:

87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf

description	ioc	process
File opened for reading	/proc/372/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/731/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/574/exe	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/711/exe	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/716/exe	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/386/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/390/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/732/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/682/exe	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/696/exe	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/742/exe	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/744/exe	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/696/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/722/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/711/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/729/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/684/exe	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/574/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/710/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/586/exe	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/710/exe	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/181/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/684/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/713/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/736/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/718/exe	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/1/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/371/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/586/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/717/exe	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/751/exe	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/202/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/373/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/398/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/419/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/682/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/720/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/732/exe	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/736/exe	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/258/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
File opened for reading	/proc/395/fd	87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf

/tmp/87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
/tmp/87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc.elf
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:725

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Network Connections Discovery

1

T1049

System Network Configuration Discovery

1

T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/725-1-0x00400000-0x00456ce8-memory.dmp

Download

Analysis

Sharing