mirai | e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1

General

Target

e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
Size

32KB
MD5

43e11544aaec72564d64c7116c5f78dd
SHA1

e14dd28ceebb013e8e4c3b60699b6e294477aa1f
SHA256

e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1
SHA512

126a0ec228a3aa101b944a6a8b2e4dd9805396adea6a2d3e7f985c611899ecdb0430b0c6e86aa4c4eb75bd3f3d310217e5390ac58eac50d60182a3a397e05d1b
SSDEEP

768:y0ccAAbmczyM7yAdRJkM/EUMXy5NjK7Xl5Th3/BNBahO:RBPDNLJkM/xnSrBNBEO

Score

10^/10

mirai lzrd botnet

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf

description	ioc	process
File opened for modification	/dev/misc/watchdog	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for modification	/dev/watchdog	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

Processes:

e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf

description	ioc	process
File opened for modification	/bin/watchdog	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for modification	/sbin/watchdog	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf

description	ioc	process
File opened for reading	/proc/675/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/829/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/894/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1777/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1982/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/456/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/481/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/535/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1440/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/2100/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/502/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/992/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1005/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1431/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1433/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1512/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1988/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1432/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1468/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1541/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/641/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1041/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1045/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1078/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1410/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/810/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/955/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1077/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1215/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1454/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1984/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/586/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/927/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1054/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1130/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1175/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/503/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/582/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1131/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1528/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/802/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1987/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/485/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/499/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1303/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1437/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1947/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/617/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/763/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/997/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1033/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1076/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1100/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1505/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1989/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/452/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/497/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/695/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/804/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1023/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/982/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1426/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/1427/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
File opened for reading	/proc/785/cmdline	e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf

/tmp/e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
/tmp/e76d37dc584871945719a86adc02d4f041aca86465872590cfb208cd57c46cb1.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:1509