mirai | df015ade97f1e4e20d7cbeea972e34873b8a31818c58ac6a219181a3a8ebbb10

Analysis

max time kernel
149s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240418-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240418-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
27-04-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

boatnet.x86.elf
Size

20KB
MD5

788ad2ffa9f903e010b2030190f09866
SHA1

86e48447bbde69b07354ddb1149a6b1ca52afd59
SHA256

df015ade97f1e4e20d7cbeea972e34873b8a31818c58ac6a219181a3a8ebbb10
SHA512

2f56cff17b678378f81f3cc0cc15ac66bf438b1fcf21acb178c70aea3ebf5025737877315a866ad08f9caf8a769af4ebb8d3c7e7b1dac3f74a2db56cd7c785c7
SSDEEP

384:M0DLpj8s/qPui8uZxoIA57RWQjJiEVi+ZkXadmTb+502F2vwA9dWuMW21bAK1oTH:x98o08kxofBE+ZkXaITbp2F2TWul0c57

Score

10^/10

mirai lzrd botnet

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

boatnet.x86.elf

description ioc process

File opened for modification /dev/watchdog boatnet.x86.elf
File opened for modification /dev/misc/watchdog boatnet.x86.elf
Enumerates running processes
Discovers information about currently running processes on the system
Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

boatnet.x86.elf

description ioc process

File opened for modification /sbin/watchdog boatnet.x86.elf
File opened for modification /bin/watchdog boatnet.x86.elf

description	ioc	process
File opened for modification	/dev/watchdog	boatnet.x86.elf
File opened for modification	/dev/misc/watchdog	boatnet.x86.elf

description	ioc	process
File opened for modification	/sbin/watchdog	boatnet.x86.elf
File opened for modification	/bin/watchdog	boatnet.x86.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

boatnet.x86.elf

description	ioc	process
File opened for reading	/proc/702/cmdline	boatnet.x86.elf
File opened for reading	/proc/1062/cmdline	boatnet.x86.elf
File opened for reading	/proc/939/cmdline	boatnet.x86.elf
File opened for reading	/proc/1130/cmdline	boatnet.x86.elf
File opened for reading	/proc/1176/cmdline	boatnet.x86.elf
File opened for reading	/proc/1272/cmdline	boatnet.x86.elf
File opened for reading	/proc/653/cmdline	boatnet.x86.elf
File opened for reading	/proc/659/cmdline	boatnet.x86.elf
File opened for reading	/proc/1138/cmdline	boatnet.x86.elf
File opened for reading	/proc/1525/cmdline	boatnet.x86.elf
File opened for reading	/proc/1556/cmdline	boatnet.x86.elf
File opened for reading	/proc/1262/cmdline	boatnet.x86.elf
File opened for reading	/proc/1580/cmdline	boatnet.x86.elf
File opened for reading	/proc/1610/cmdline	boatnet.x86.elf
File opened for reading	/proc/1157/cmdline	boatnet.x86.elf
File opened for reading	/proc/1331/cmdline	boatnet.x86.elf
File opened for reading	/proc/1542/cmdline	boatnet.x86.elf
File opened for reading	/proc/406/cmdline	boatnet.x86.elf
File opened for reading	/proc/722/cmdline	boatnet.x86.elf
File opened for reading	/proc/1456/cmdline	boatnet.x86.elf
File opened for reading	/proc/1562/cmdline	boatnet.x86.elf
File opened for reading	/proc/437/cmdline	boatnet.x86.elf
File opened for reading	/proc/1010/cmdline	boatnet.x86.elf
File opened for reading	/proc/1280/cmdline	boatnet.x86.elf
File opened for reading	/proc/598/cmdline	boatnet.x86.elf
File opened for reading	/proc/661/cmdline	boatnet.x86.elf
File opened for reading	/proc/668/cmdline	boatnet.x86.elf
File opened for reading	/proc/1135/cmdline	boatnet.x86.elf
File opened for reading	/proc/1144/cmdline	boatnet.x86.elf
File opened for reading	/proc/1109/cmdline	boatnet.x86.elf
File opened for reading	/proc/1245/cmdline	boatnet.x86.elf
File opened for reading	/proc/1568/cmdline	boatnet.x86.elf
File opened for reading	/proc/1586/cmdline	boatnet.x86.elf
File opened for reading	/proc/1616/cmdline	boatnet.x86.elf
File opened for reading	/proc/464/cmdline	boatnet.x86.elf
File opened for reading	/proc/549/cmdline	boatnet.x86.elf
File opened for reading	/proc/1055/cmdline	boatnet.x86.elf
File opened for reading	/proc/1313/cmdline	boatnet.x86.elf
File opened for reading	/proc/1530/cmdline	boatnet.x86.elf
File opened for reading	/proc/1029/cmdline	boatnet.x86.elf
File opened for reading	/proc/1158/cmdline	boatnet.x86.elf
File opened for reading	/proc/944/cmdline	boatnet.x86.elf
File opened for reading	/proc/405/cmdline	boatnet.x86.elf
File opened for reading	/proc/673/cmdline	boatnet.x86.elf
File opened for reading	/proc/1177/cmdline	boatnet.x86.elf
File opened for reading	/proc/1522/cmdline	boatnet.x86.elf
File opened for reading	/proc/1301/cmdline	boatnet.x86.elf
File opened for reading	/proc/457/cmdline	boatnet.x86.elf
File opened for reading	/proc/465/cmdline	boatnet.x86.elf
File opened for reading	/proc/1151/cmdline	boatnet.x86.elf
File opened for reading	/proc/1287/cmdline	boatnet.x86.elf
File opened for reading	/proc/409/cmdline	boatnet.x86.elf
File opened for reading	/proc/468/cmdline	boatnet.x86.elf
File opened for reading	/proc/1233/cmdline	boatnet.x86.elf
File opened for reading	/proc/1058/cmdline	boatnet.x86.elf
File opened for reading	/proc/1238/cmdline	boatnet.x86.elf
File opened for reading	/proc/1353/cmdline	boatnet.x86.elf
File opened for reading	/proc/1548/cmdline	boatnet.x86.elf
File opened for reading	/proc/1102/cmdline	boatnet.x86.elf
File opened for reading	/proc/1125/cmdline	boatnet.x86.elf
File opened for reading	/proc/1433/cmdline	boatnet.x86.elf
File opened for reading	/proc/462/cmdline	boatnet.x86.elf
File opened for reading	/proc/467/cmdline	boatnet.x86.elf
File opened for reading	/proc/951/cmdline	boatnet.x86.elf

/tmp/boatnet.x86.elf
/tmp/boatnet.x86.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:1527

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Impair Defenses

T1562

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1527-1-0x0000000008048000-0x00000000080547a0-memory.dmp

Download