mirai | 3872813ef5978aa7b4ed3c241c4bf59b62a7b4d663c81340d4e58190b2b29641

General

Target

03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
Size

28KB
MD5

03850a26a6efb9da1b2c792b66395c5f
SHA1

a093f26625736cc5cefbe9bb0531238970f31f22
SHA256

3872813ef5978aa7b4ed3c241c4bf59b62a7b4d663c81340d4e58190b2b29641
SHA512

047fef9da1a5be10dd3a1f91b3bdc9c2712ac66473817f8db44682fab371f55765af830dc3ed8c1266a29d5fe48e9afccc8d671f010b8cf8f33ad740f9c70187
SSDEEP

768:s/iZiR+eWvgHBsyOS07lFO7hponFnlkOXq+FO:s/iBeWvqmc0fWEqKO

Score

10^/10

mirai mirai botnet discovery

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (20566) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118

description	ioc	process
File opened for modification	/dev/misc/watchdog	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for modification	/dev/watchdog	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118

Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118

description ioc process

File opened for reading /proc/net/tcp 03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
Enumerates running processes
Discovers information about currently running processes on the system
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118

description ioc process

File opened for reading /proc/net/tcp 03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/tcp	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/tcp	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118

description	ioc	process
File opened for reading	/proc/453/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1098/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1299/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1581/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/3023/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/662/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2499/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/3009/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/472/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1916/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2639/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2982/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1152/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1180/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1182/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/500/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2772/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1943/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2503/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1201/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1206/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/477/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2067/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2467/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2836/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1156/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1351/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/671/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1903/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2464/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2801/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2840/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2614/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2877/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2767/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/3101/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1594/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/699/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1947/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2133/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2559/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2606/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1175/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/478/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2649/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1312/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1591/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2880/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/3004/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/426/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/477/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1198/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/547/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1583/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2797/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2617/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/640/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1070/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2112/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2555/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2586/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/2596/exe	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1147/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
File opened for reading	/proc/1176/fd	03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118

/tmp/03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
/tmp/03850a26a6efb9da1b2c792b66395c5f_JaffaCakes118
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:1587