mirai | f62404bc1cb67f57a63a7594d27194cd422b810fd909210a5e56ede97f0a900f

General

Target

048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
Size

52KB
MD5

048fef02458d5be2c0ba2ac21f94a35a
SHA1

dc8cfb7a33868692c3034f746b69573d0e517eeb
SHA256

f62404bc1cb67f57a63a7594d27194cd422b810fd909210a5e56ede97f0a900f
SHA512

68b5ac6ac849abc463a40180401a7a43dd99e1e8a9c4a597f84ffc596f8dedc059e28d8399b0dfc50e197d3e38a008d08a3203a98f926a511004e3133098b8cc
SSDEEP

768:9JomkQ+czIzxisfjo9tBJM9IgNuIq8gARmVb5YUCRfy9q3UELgCV7tn1BdSFztyr:cmpgDjo9tBbgNuejSDCtnLgChajy9

Score

10^/10

mirai mirai botnet discovery

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (20221) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118

description	ioc	process
File opened for modification	/dev/watchdog	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for modification	/dev/misc/watchdog	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118

Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118

description ioc process

File opened for reading /proc/net/tcp 048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
Enumerates running processes
Discovers information about currently running processes on the system
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118

description ioc process

File opened for reading /proc/net/tcp 048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/tcp	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/tcp	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118

description	ioc	process
File opened for reading	/proc/964/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1164/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1170/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/320/fd	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/896/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/910/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1232/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/980/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/172/fd	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/598/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/756/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/863/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/879/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/972/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1023/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1266/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1272/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/286/fd	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/719/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/825/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/857/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/906/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/947/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1131/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1150/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/971/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1098/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1130/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/808/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/862/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/921/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1017/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1256/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1404/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/235/fd	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/790/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/802/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/814/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/851/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/885/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1091/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1138/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1238/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1433/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1/fd	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/657/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/780/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/927/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1014/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1070/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1142/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1175/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1196/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1312/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/285/fd	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/798/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1250/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/583/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/924/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1427/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1438/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1000/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1412/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
File opened for reading	/proc/1096/exe	048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118

/tmp/048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
/tmp/048fef02458d5be2c0ba2ac21f94a35a_JaffaCakes118
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:649