Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    debian-12_armhf
  • resource
    debian12-armhf-20240729-en
  • resource tags

    arch:armhf, image:debian12-armhf-20240729-en, kernel:6.1.0-17-armmp-lpae, locale:en-us, os:debian-12-armhf, system
  • submitted
    04/08/2024, 01:40

General

  • Target

    99018dfa33e27f481bfa457c794e9908d6af1111eb74618b87c45f867158c0ec.elf

  • Size

    35KB

  • MD5

    3c25f39e80f7cc6bbe607ba99e3dc248

  • SHA1

    45d40c50b801f96d2d14b9f453fa0247e6a6d842

  • SHA256

    99018dfa33e27f481bfa457c794e9908d6af1111eb74618b87c45f867158c0ec

  • SHA512

    b2bc638d2d8f76c1fba2a781b922ebb04ba7a59f9675aec33fab9b62dbf20ae37067a5435a4164319d14ab374f3e83f4d79ff1ce26084dc80e65db5f90e3984a

  • SSDEEP

    768:oPRpsskbodln+2j9nGblZenQDuQVTNUhC4l/RLwf+ch/49q3UELr:w+bf2j9eEnyuQjU9hRLwmc5hLr

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Contacts a large (20290) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 34 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/99018dfa33e27f481bfa457c794e9908d6af1111eb74618b87c45f867158c0ec.elf
    /tmp/99018dfa33e27f481bfa457c794e9908d6af1111eb74618b87c45f867158c0ec.elf
    • Modifies Watchdog functionality
    • Enumerates active TCP sockets
    • Reads system network configuration
    • Reads runtime system information
    PID:707

Network

  • MITRE ATT&CK Enterprise v15
