Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240418-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240418-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    07-05-2024 23:38

General

  • Target

    223b48430897e5c90b36ba13575dc426_JaffaCakes118

  • Size

    29KB

  • MD5

    223b48430897e5c90b36ba13575dc426

  • SHA1

    1430db45154e9a0be4f0e65da41662ac06e60134

  • SHA256

    3288991971bf3b274a0b17c0c9ca0dcd349394ae50ff4c8a1e507592da6c102d

  • SHA512

    d083ef881e3384797ccf59493e3837a5f3f1c8fd8b4c8a667a3e580a2e9eaf887d477bf187cd44e601e59467bc1c859246e4a0a5c5d80cb48e2ab2b11c5fe0cd

  • SSDEEP

    768:XHL0Vqv5jkdOGvxxaSI6tTmSZuQBi6EJ7b8:XoVqRwdjzaQYmL

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Contacts a large (20237) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/223b48430897e5c90b36ba13575dc426_JaffaCakes118
    /tmp/223b48430897e5c90b36ba13575dc426_JaffaCakes118
    1⤵
    • Modifies Watchdog functionality
    • Enumerates active TCP sockets
    • Reads system network configuration
    • Reads runtime system information
    PID:1531

Network

MITRE ATT&CK Matrix ATT&CK v13

Defense Evasion

Impair Defenses

1
T1562

Discovery

Network Service Discovery

2
T1046

System Network Connections Discovery

1
T1049

System Network Configuration Discovery

1
T1016

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1531-1-0x0000000008048000-0x0000000008058d20-memory.dmp