mirai | e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d

General

Target

e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
Size

23KB
MD5

9ebef94af47bf4c7fbfd415f82f62210
SHA1

c3a37ef3737b028d18e72e827d3f545e76b24ba2
SHA256

e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d
SHA512

3016bbe5bd9205e20a22d10e56697735e08516abbcf37dc581d89091c7786ba2976238f8fad4425d8ef89f16cea523b85f198d6a3fb77f48976f91941f348363
SSDEEP

384:MnB6Yj833S7YSpsGE0m1SAqMaECTS2llsFMP3mrXcTc5cb5rFldGSzwv01JZieeT:m3j8tB0m1SAiTxv0qmrMQ8dGCwv1eBs

Score

10^/10

mirai lzrd botnet

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf

description	ioc	process
File opened for modification	/dev/misc/watchdog	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for modification	/dev/watchdog	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

Processes:

e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf

description	ioc	process
File opened for modification	/sbin/watchdog	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for modification	/bin/watchdog	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf

description	ioc	process
File opened for reading	/proc/1212/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/644/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1075/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1105/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1056/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1374/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/530/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/537/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/582/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1357/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1032/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1146/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1183/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1596/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/977/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1166/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1576/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/455/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1180/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/543/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1173/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1397/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1027/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1289/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1577/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/431/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1207/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1337/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1628/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1171/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1175/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1189/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1646/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/439/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/481/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1308/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1257/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1371/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/452/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/471/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1087/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1273/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1658/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1670/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/474/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/607/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/881/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1274/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1622/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1262/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/653/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/663/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1118/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1578/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1077/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1085/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1150/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1101/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1110/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1200/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1616/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/1634/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/461/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
File opened for reading	/proc/496/cmdline	e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf

/tmp/e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
/tmp/e762b31b5db2cd2f3101d93a05f98ae180295d6cc1178a86dfb09d613052068d.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:1580