mirai | 31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0

General

Target

31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
Size

24KB
MD5

c36198cf6a51d72798e6cc13f0c4609f
SHA1

e7b264afd633f6ebc5ee9d11b21da74195f008d1
SHA256

31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0
SHA512

5a5d63e7f9ba9de073bb90a76f71bcf786e51744d4c5a1c401fae4702b4308c2a81b8a1d7d24280813d2d64a479b31b11bf325adc397d81f353473e274315d7e
SSDEEP

384:hkU3Sq+7RxrsPdUrQ8RwHP5s9MJuDITs6fRkW8LqJC+GbF1pxiqEN25M5B7hN:qxgPdsyHP5g7DkTaW09bFTQNGMf

Score

10^/10

mirai lzrd botnet

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf

description	ioc	process
File opened for modification	/dev/watchdog	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for modification	/dev/misc/watchdog	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

Processes:

31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf

description	ioc	process
File opened for modification	/sbin/watchdog	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for modification	/bin/watchdog	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf

description	ioc	process
File opened for reading	/proc/482/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/498/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/516/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/591/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/923/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/940/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1072/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1435/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/569/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/925/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1058/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1071/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1164/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1172/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/690/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/829/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/928/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1005/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1018/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1040/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/537/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1078/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/452/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/553/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/795/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1115/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/438/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/894/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/949/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/785/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/922/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1028/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/619/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/989/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1221/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1241/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/528/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/967/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1108/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1436/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/449/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/564/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/595/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1077/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1119/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/763/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/986/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1190/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/439/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/494/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/570/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1464/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/499/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/545/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/592/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/810/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/489/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/804/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/962/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1069/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1075/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1101/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/1257/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
File opened for reading	/proc/495/cmdline	31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf

/tmp/31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
/tmp/31b8d1ee9bbbd136b26d1000b3353234115913f90da88389b03ff5b2825d1cd0.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:1432