Analysis
max time kernel: 148s
max time network: 152s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 02/08/2024, 09:30
General
Target: aef80e5f4130350747f75619b2a9bd5b.elf
Size: 30KB
MD5: aef80e5f4130350747f75619b2a9bd5b
SHA1: ade320c3c5858db1cde044f0b589c85d967eed00
SHA256: 64c6ccffcdb9a1e7daafc42c332f1ece3ada2ca8aba7ec5a06e81ee551122492
SHA512: cceacc4c6ad4400e84b1cb1d0d456b9054024ace7a1e6f0260b2f40436dc47b2361ac2cad8195afc2779a1496e78f3ba3d16c79eef0d123feda6c5b48a944584
SSDEEP: 768:vOZUS+ldEfeM3lV7yyIQ6GY82uX2H0waBEKlqs3Uozv:v7S+ldofV2nbarnzv
Malware Config
Extracted: mirai
Family: MIRAI
Signatures
Contacts a large number (19769) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
Modifies watchdog functionality (1 TTP, 2 IoCs)
Malware such as Mirai disables the system watchdog so that it cannot restart an infected system; opening the watchdog device for writing is the first step of that.
  File opened for modification: /dev/watchdog (process: aef80e5f4130350747f75619b2a9bd5b.elf)
  File opened for modification: /dev/misc/watchdog (process: aef80e5f4130350747f75619b2a9bd5b.elf)
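In the public Mirai source the bot opens /dev/watchdog (falling back to /dev/misc/watchdog), issues ioctl(fd, 0x80045704, &one) and closes the descriptor; 0x80045704 is WDIOC_SETOPTIONS and the argument 1 is WDIOS_DISABLECARD, which tells the driver to stop the watchdog. A watchdog daemon opens the same device, so the open alone is weak evidence; the ioctl (or a "magic close", writing 'V' and then closing) is what distinguishes a disable. The Python below is an added example, not code from this report or from the sample: it derives the ioctl number from the kernel's encoding and flags the pattern in a constructed syscall event list. The event dict layout, the sample events and the pids in them are assumptions made for the illustration.

```python
"""Flag processes that stop the Linux watchdog (the behaviour behind the
"Modifies watchdog functionality" signature).  Input is a constructed list
of syscall events, not the output of any particular tracer."""

# ioctl(2) request encoding from include/uapi/asm-generic/ioctl.h
_IOC_NRBITS, _IOC_TYPEBITS, _IOC_SIZEBITS = 8, 8, 14
_IOC_TYPESHIFT = _IOC_NRBITS                      # 8
_IOC_SIZESHIFT = _IOC_TYPESHIFT + _IOC_TYPEBITS   # 16
_IOC_DIRSHIFT = _IOC_SIZESHIFT + _IOC_SIZEBITS    # 30
_IOC_READ = 2


def _ior(type_char, nr, size):
    """Python rendering of the kernel's _IOR(type, nr, datatype) macro."""
    return ((_IOC_READ << _IOC_DIRSHIFT) | (size << _IOC_SIZESHIFT)
            | (ord(type_char) << _IOC_TYPESHIFT) | nr)


# include/uapi/linux/watchdog.h: WATCHDOG_IOCTL_BASE is 'W', sizeof(int) == 4
WDIOC_SETOPTIONS = _ior("W", 4, 4)      # evaluates to 0x80045704
WDIOS_DISABLECARD = 0x0001
WDIOS_ENABLECARD = 0x0002

WATCHDOG_DEVICES = {"/dev/watchdog", "/dev/watchdog0", "/dev/misc/watchdog"}
MAGIC_CLOSE = b"V"   # 'V' in the last write before close() lets the driver stop


def find_watchdog_disables(events):
    """Return [(pid, reason), ...] for every watchdog stop in the event stream.

    Each event is a dict with 'pid', 'syscall' and call-specific keys.  A
    per-pid table of descriptors that refer to a watchdog device is kept so
    that the same ioctl number on an unrelated fd is not reported.
    """
    wd_fds = {}            # pid -> {fd: True if a 'V' was the last write}
    findings = []
    for ev in events:
        pid, call = ev["pid"], ev["syscall"]
        fds = wd_fds.setdefault(pid, {})
        if call in ("open", "openat") and ev.get("ret", -1) >= 0:
            if ev["path"] in WATCHDOG_DEVICES:
                fds[ev["ret"]] = False
            else:
                fds.pop(ev["ret"], None)      # fd number reused for another file
        elif call == "ioctl" and ev["fd"] in fds:
            if ev["request"] == WDIOC_SETOPTIONS and ev["arg"] & WDIOS_DISABLECARD:
                findings.append((pid, "ioctl WDIOC_SETOPTIONS WDIOS_DISABLECARD"))
        elif call == "write" and ev["fd"] in fds:
            fds[ev["fd"]] = MAGIC_CLOSE in ev["data"]   # each write resets the flag
        elif call == "close" and ev["fd"] in fds:
            if fds.pop(ev["fd"]):
                findings.append((pid, "magic close: 'V' written then close()"))
    return findings


# Constructed events (hypothetical pids): a benign watchdog daemon that keeps
# kicking the device, the Mirai open/ioctl/close sequence, a decoy ioctl on
# an unrelated fd, and a magic close from a third process.
SAMPLE_EVENTS = [
    {"pid": 410, "syscall": "openat", "path": "/dev/watchdog", "ret": 3},
    {"pid": 410, "syscall": "write", "fd": 3, "data": b"\0"},
    {"pid": 410, "syscall": "write", "fd": 3, "data": b"\0"},
    {"pid": 1337, "syscall": "open", "path": "/dev/watchdog", "ret": 3},
    {"pid": 1337, "syscall": "ioctl", "fd": 3, "request": 0x80045704, "arg": 1},
    {"pid": 1337, "syscall": "close", "fd": 3},
    {"pid": 1337, "syscall": "open", "path": "/proc/net/tcp", "ret": 4},
    {"pid": 1337, "syscall": "ioctl", "fd": 4, "request": 0x80045704, "arg": 1},
    {"pid": 2001, "syscall": "open", "path": "/dev/misc/watchdog", "ret": 5},
    {"pid": 2001, "syscall": "write", "fd": 5, "data": b"V"},
    {"pid": 2001, "syscall": "close", "fd": 5},
]

if __name__ == "__main__":
    print(hex(WDIOC_SETOPTIONS))
    for pid, reason in find_watchdog_disables(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The daemon in pid 410 is deliberately not reported: it holds the device open and writes keepalives, which is exactly what a watchdog daemon looks like, and a rule that fires on the open alone would page on every box running one. On a kernel built with CONFIG_WATCHDOG_NOWAYOUT neither the ioctl nor the magic close actually stops the watchdog, so a finding means the sample tried, not that it succeeded.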
Enumerates active TCP sockets (1 TTP, 1 IoC)
Reads the list of TCP sockets from the /proc virtual filesystem.
  File opened for reading: /proc/net/tcp (process: aef80e5f4130350747f75619b2a9bd5b.elf)
Reads system network configuration (1 TTP, 1 IoC)
Uses the contents of the /proc filesystem to enumerate network settings. The IoC is the same single read of /proc/net/tcp that triggers the previous signature.
  File opened for reading: /proc/net/tcp (process: aef80e5f4130350747f75619b2a9bd5b.elf)
Reads runtime system information (28 IoCs)
Reads data from the /proc virtual filesystem. All 28 entries are files opened for reading by aef80e5f4130350747f75619b2a9bd5b.elf:
  /proc/self/exe
  /proc/1/fd, /proc/140/fd, /proc/165/fd, /proc/217/fd, /proc/267/fd, /proc/269/fd, /proc/275/fd, /proc/277/fd, /proc/278/fd, /proc/300/fd, /proc/301/fd, /proc/309/fd, /proc/314/fd, /proc/411/fd, /proc/415/fd, /proc/460/fd, /proc/461/fd, /proc/602/fd, /proc/638/fd, /proc/639/fd, /proc/642/fd, /proc/648/fd, /proc/650/fd, /proc/651/fd, /proc/653/fd, /proc/654/fd, /proc/656/fd
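The read of /proc/net/tcp and the walk over every /proc/<pid>/fd recorded above fit together: in the public Mirai source the killer module reads /proc/net/tcp to find the inode of a socket listening on a port it wants to take over, then reads the symlinks under each /proc/<pid>/fd looking for socket:[inode] to learn which pid owns it (and reads /proc/self/exe so it does not kill itself). The Python below is an added example written for this page, not the sample's code (Mirai is C) and not part of the report; it parses the /proc/net/tcp format and performs that inode-to-pid lookup over a constructed snapshot. The sample socket table, the fd link map and the pids in it are constructed for the illustration; this report gives no port numbers or socket owners.

```python
"""Parse /proc/net/tcp and map socket inodes to owning pids via the
/proc/<pid>/fd symlinks, i.e. the two kinds of read this report records.
All input is constructed; nothing here touches the live /proc."""
import socket

# Socket state codes as printed in the 'st' column (include/net/tcp_states.h).
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING", 0x0C: "NEW_SYN_RECV",
}


def decode_addr(field):
    """'0201A8C0:0016' -> ('192.168.1.2', 22).

    The kernel prints the 32-bit address in host byte order, so on a
    little-endian host (armhf, x86) the four bytes appear reversed.  This
    assumes little-endian; a big-endian box prints them in network order."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1]), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket line: local/remote endpoints, state, uid, inode."""
    socks = []
    for line in text.splitlines()[1:]:        # line 0 is the column header
        f = line.split()
        if len(f) < 10:
            continue
        socks.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": TCP_STATES.get(int(f[3], 16), f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return socks


def owners_of_inode(inode, fd_links):
    """fd_links is {pid: {fd: readlink target}}, the result of walking
    /proc/<pid>/fd; a socket descriptor reads back as 'socket:[<inode>]'."""
    target = f"socket:[{inode}]"
    return sorted(pid for pid, fds in fd_links.items() if target in fds.values())


def listeners_on_ports(text, fd_links, ports):
    """The lookup the killer module performs: which pids own LISTEN sockets
    on the given local ports.  Returns [(port, inode, [pids]), ...]."""
    return [
        (s["local"][1], s["inode"], owners_of_inode(s["inode"], fd_links))
        for s in parse_proc_net_tcp(text)
        if s["state"] == "LISTEN" and s["local"][1] in ports
    ]


# Constructed /proc/net/tcp snapshot from a little-endian host: a telnet
# listener, an ssh listener and one established ssh session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18934 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 16012 1 0000000000000000 100 0 0 10 0
   2: 0201A8C0:0016 6401A8C0:D39E 01 00000000:00000000 00:00000000 00000000     0        0 20411 1 0000000000000000 20 4 29 10 -1
"""

# Constructed readlink results for /proc/<pid>/fd/* (hypothetical pids).
SAMPLE_FD_LINKS = {
    1:   {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"},
    501: {0: "/dev/null", 3: "socket:[18934]"},                      # telnetd
    612: {0: "/dev/null", 3: "socket:[16012]", 4: "socket:[20411]"},  # sshd
    777: {0: "/dev/pts/0", 3: "/proc/net/tcp"},                      # the bot
}

if __name__ == "__main__":
    for port, inode, pids in listeners_on_ports(SAMPLE_PROC_NET_TCP, SAMPLE_FD_LINKS, {22, 23, 2323}):
        print(f"port {port}: socket inode {inode} owned by pids {pids}")
```

The same two functions are what a responder runs in the other direction: given the inode of a suspicious connection in a /proc/net/tcp capture, owners_of_inode() names the process, which is why tooling such as ss -p and lsof needs to read every /proc/<pid>/fd and why a bot doing the same walk looks, at the file-access level, like an ordinary socket listing.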