mirai | bf5af10c4ceba35363d91795b7231b92339224510923a0e01aa76b6649dfff04

Analysis

max time kernel
149s
max time network
154s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
02/09/2024, 01:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bf5af10c4ceba35363d91795b7231b92339224510923a0e01aa76b6649dfff04.elf
Size

113KB
MD5

c62947c17462ca4aabde6ac69b29bb50
SHA1

638f71c65bc039f53918bcec37506ec3cfcc6461
SHA256

bf5af10c4ceba35363d91795b7231b92339224510923a0e01aa76b6649dfff04
SHA512

209b802cab1f3669e1c17b7e2aed4c332f79ada57352e9ba6504dfe5ff835ed40dd8fd4f27922eec6d1428b0e0eea2d459012593984b9973ed95034b9eab27a4
SSDEEP

3072:6GAb5JluZ36bN4uNY+hsf18v1gXvY/tmxn1J1NQPSTPjU6Fzqo:xQJluZ36J4WY+hsf1ggfaW1LQYLtv

Score

10^/10

mirai botnet discovery motw persistence phishing

Malware Config

Extracted

Family

mirai

www.ckea.ru

www.akck.ru

45.152.112.46

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (24871) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Creates/modifies Cron job 1 TTPs 3 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/root	bf5af10c4ceba35363d91795b7231b92339224510923a0e01aa76b6649dfff04.elf
File opened for modification	/var/spool/cron/crontabs/tmp.Nwh2xs	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.VbtgcD	crontab

Mark of the Web detected: This indicates that the page was originally saved or cloned. 4 IoCs

phishing motw

flow	ioc
61815	https://r01.ru/
61870	https://r01.ru/
61965	https://r01.ru/
61964	https://r01.ru/

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/bin/dzoxbudhr	bf5af10c4ceba35363d91795b7231b92339224510923a0e01aa76b6649dfff04.elf
File opened for modification	/bin/ubrvk	bf5af10c4ceba35363d91795b7231b92339224510923a0e01aa76b6649dfff04.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	o@s�h�ngd	2819	bf5af10c4ceba35363d91795b7231b92339224510923a0e01aa76b6649dfff04.elf

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/allah_is_prick.html	bf5af10c4ceba35363d91795b7231b92339224510923a0e01aa76b6649dfff04.elf

/tmp/bf5af10c4ceba35363d91795b7231b92339224510923a0e01aa76b6649dfff04.elf
/tmp/bf5af10c4ceba35363d91795b7231b92339224510923a0e01aa76b6649dfff04.elf
1⤵
- Creates/modifies Cron job
- Writes file to system bin folder
- Changes its process name
- Writes file to tmp directory
PID:2819
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2836
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2839
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2837
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2838
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2840
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2845
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2841
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2844
- /bin/sh
  sh -c "crontab /var/spool/cron/crontabs/root"
  2⤵
  PID:2842
- - /usr/bin/crontab
    crontab /var/spool/cron/crontabs/root
    3⤵
    - Creates/modifies Cron job
    PID:2846
- /bin/sh
  sh -c "crontab /var/spool/cron/crontabs/root"
  2⤵
  PID:2843
- - /usr/bin/crontab
    crontab /var/spool/cron/crontabs/root
    3⤵
    - Creates/modifies Cron job
    PID:2847
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2848
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2851
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2849
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2850
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2874
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2877
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2875
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2876
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2885
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2887
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2886
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2888
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2889
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2891
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2890
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2892
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2897
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2898
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2899
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2900
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2901
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2903
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2902
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2904
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2909
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2912
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2910
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2911
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2917
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2920
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2918
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2919
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2921
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2923
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2922
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2924
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2929
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2931
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2930
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2932
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2937
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2940
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2938
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2939
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2941
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2943
- /bin/sh
  sh -c "hostname -I"
  2⤵
  PID:2942
- - /usr/bin/hostname
    hostname -I
    3⤵
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/d

Filesize
60B

MD5
4577f81902f6d8819a55a156bdacf4f1

SHA1
cb6cace86b0e7a65600ed526b2e630d33bb09724

SHA256
e3281c38d2d294431921e82b493d41cac4fc912b41dfff14cc2ec23f54b9382b

SHA512
259af7b33add19d89be4f1ed68ab57ccf4d57d8ee303b4cf03ba4c9f9edcd0177f1fd3c0d966ca48dee5238db53207fbd747b06516ca08024d21aa173bbcd32b

Download Submit
/tmp/allah_is_prick.html

Filesize
360B

MD5
3a2d9ee3d20a76ed6af3f066be482b64

SHA1
8ee4338df17d6dbbd7cfec1aa0abbd6a7b8081f6

SHA256
9d542210472a30c5142df1f1ac2a25d72a453c5dfad27b09f805691a2e936082

SHA512
715e81e95217eb0d10c1fb3518a589782c2f67bc100e349582cccb5ab5706c4ec931879e3c03717a099d475f8dbec58082cee306c74cd264bd733b5b98aa0b25

Download Submit
/usr/bin/ubrvk

Filesize
113KB

MD5
c62947c17462ca4aabde6ac69b29bb50

SHA1
638f71c65bc039f53918bcec37506ec3cfcc6461

SHA256
bf5af10c4ceba35363d91795b7231b92339224510923a0e01aa76b6649dfff04

SHA512
209b802cab1f3669e1c17b7e2aed4c332f79ada57352e9ba6504dfe5ff835ed40dd8fd4f27922eec6d1428b0e0eea2d459012593984b9973ed95034b9eab27a4

Download Submit
/var/spool/cron/crontabs/root

Filesize
46B

MD5
d9911ade530ce8ec8c21961d1d8d5635

SHA1
5e2f60a254ccf3e39bff2ceae3abd4decb65d4b0

SHA256
0823be33ec7e003d6a4e6e7980b4589d4746c986bb4c060fc0cf279fd4f0ca92

SHA512
4ca39450a1e5bcff9188443abe5d42914bc2654f1d7b1a4f262566c1ee243c744a9d24bfc0d2da0fe080cb432514f31b0af9d79a82c8197e74e217b2911fbf5e

Download Submit
/var/spool/cron/crontabs/tmp.Nwh2xs

Filesize
249B

MD5
9f6f0b7f2f4a5adcdfb12389ef59d6f3

SHA1
db08041b02045850a200b211d1a69fd088cca642

SHA256
1aa139876792798239d7ba061d059b3886d49b27c71e2557884cbe8d8624ecc7

SHA512
4ba1ee4bc156bc32bba73f31fc382d1ab13a10b74c14bcf660389798b57a40d386e8c132ebc2049a8809ae0a4059606a968154b8b29c1be6c72680db4b843117

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads