mirai | 521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4

General

Target

521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
Size

22KB
MD5

3a1df568d0dd60fbd3e32efa6bcc2ffb
SHA1

9b8ab470c61a376be7cf3d7bd59f281bac4161e5
SHA256

521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4
SHA512

8125c860cc8c07bbebb752e6dbb541201fa7e5a04e650c29b448440cfb6015fae7cc581c21bd009f68ba2d4c7094082740dec87f8b6ad2d5beb5c7356aa721b3
SSDEEP

384:BFYfwf/izXcR3fivuQUhJX9tDtt+9OOzkuptY+XsAGOIRugj+GaR7P8ytN2lM5Bc:PikKzXctauJX9t3gzO+XsNvuE+GIkytq

Score

10^/10

mirai lzrd botnet

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf

description	ioc	process
File opened for modification	/dev/misc/watchdog	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for modification	/dev/watchdog	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

Processes:

521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf

description	ioc	process
File opened for modification	/sbin/watchdog	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for modification	/bin/watchdog	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf

description	ioc	process
File opened for reading	/proc/1574/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1607/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/571/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/720/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1156/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1514/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1189/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/436/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/451/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/484/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1165/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1186/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1321/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1387/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1542/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/955/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1313/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/965/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1097/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1311/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/519/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1363/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1613/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1631/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/960/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1153/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1619/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/410/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/455/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/962/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1257/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1169/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1145/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1350/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1595/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/461/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1036/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1066/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1077/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1171/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1560/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/657/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1030/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1060/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1128/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1188/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1447/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1637/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/457/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1190/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1541/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1580/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/433/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1176/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1235/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/520/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1470/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1625/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1136/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1589/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1111/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/1116/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/409/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
File opened for reading	/proc/556/cmdline	521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf

/tmp/521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
/tmp/521da3ef4c9a610183ca04406cd39b9c7126f874654719f83743e0461430f5d4.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:1544