mirai | 0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb

General

Target

0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
Size

23KB
MD5

d821026d7c8716cd25b626a175ac7175
SHA1

b26e57365122506bf55fedca31930e4fd6ece81a
SHA256

0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb
SHA512

8be9beab765170373a102354812548296fe90630c5f7070174d31b60df936870e9f16d3d989a5ad4a19332cfeb54ef6fc6ea46e137abb0da1aa1a390fdb13586
SSDEEP

384:MyB6Yj833S7YSpsGE0m1SAqMaECTS2lKNwoef7FWDeTi6P+AfXndE/JniIVtb+vE:N3j8tB0m1SAiTxsPt8TXndOxPsM

Score

10^/10

mirai lzrd botnet

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf

description	ioc	process
File opened for modification	/dev/watchdog	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for modification	/dev/misc/watchdog	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

Processes:

0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf

description	ioc	process
File opened for modification	/sbin/watchdog	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for modification	/bin/watchdog	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf

description	ioc	process
File opened for reading	/proc/1102/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1250/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/942/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1374/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1523/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/586/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/792/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/901/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1030/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1073/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1119/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1042/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1087/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1143/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1494/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1501/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1913/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/965/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/979/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1072/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/777/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1076/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1390/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/519/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/578/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/610/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1463/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/639/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/913/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1025/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1020/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1425/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1552/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/577/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/899/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1002/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/671/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/902/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1285/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/497/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1165/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/947/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1038/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1431/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/782/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1927/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/450/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/456/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/673/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/952/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1912/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/478/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/635/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/760/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1063/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1106/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/440/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/989/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1034/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/826/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1112/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/1113/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/536/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
File opened for reading	/proc/555/cmdline	0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf

/tmp/0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
/tmp/0cb9d915f5ca5e40f0ea1a2cd62dcfcd91453cb537a291cfa0c01e02492bfddb.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:1511