mirai | a5e49197eef420712112f442602b66b5e9ea702454b87b9bdac9e833b161cfa4

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
03/09/2024, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d7a2a182467276297c8a84a5d2840e7ee335fb985f63cda9e618b229973e1a2.elf
Size

93KB
MD5

307c851a7a0c4b7dd8afd2abd662480c
SHA1

4e2b66521a16a174fcd6581357d289f1ede59cb1
SHA256

6d7a2a182467276297c8a84a5d2840e7ee335fb985f63cda9e618b229973e1a2
SHA512

fd222411e33c1a658efd61c58ea10b634fea81ced709db7f15789ef6733da0c7c211cd218780c1e598e27b7f71525824282348f30d65ed394756060800cda5e2
SSDEEP

1536:2UoxPa6IgF/tlrHa81oSxmJn9u6eucjFb3F9Ubij1DYxl3xQHrHhd+NP:RyP1IgF/D681xxco6RcjFb3F6b49YnCs

Score

10^/10

mirai botnet discovery persistence rootkit

Malware Config

Extracted

Family

mirai

www.ckea.ru

www.akck.ru

45.152.112.46

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (23046) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Loads a kernel module 64 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

pid	Process
2443	6d7a2a182467276297c8a84a5d2840e7ee335fb985f63cda9e618b229973e1a2.elf
2459	Process not Found
2458	Process not Found
2458	Process not Found
2459	Process not Found
2458	Process not Found
2459	Process not Found
2459	Process not Found
2458	Process not Found
2458	Process not Found
2459	Process not Found
2448	Process not Found
2449	Process not Found
2448	Process not Found
2449	Process not Found
2458	Process not Found
2458	Process not Found
2459	Process not Found
2459	Process not Found
2458	Process not Found
2458	Process not Found
2459	Process not Found
2459	Process not Found
2458	Process not Found
2458	Process not Found
2459	Process not Found
2459	Process not Found
2458	Process not Found
2458	Process not Found
2459	Process not Found
2459	Process not Found
2458	Process not Found
2458	Process not Found
2459	Process not Found
2459	Process not Found
2458	Process not Found
2458	Process not Found
2459	Process not Found
2459	Process not Found
2458	Process not Found
2458	Process not Found
2459	Process not Found
2459	Process not Found
2458	Process not Found
2458	Process not Found
2459	Process not Found
2459	Process not Found
2458	Process not Found
2459	Process not Found
2458	Process not Found
2459	Process not Found
2458	Process not Found
2459	Process not Found
2458	Process not Found
2459	Process not Found
2459	Process not Found
2458	Process not Found
2459	Process not Found
2458	Process not Found
2458	Process not Found
2459	Process not Found
2459	Process not Found
2458	Process not Found
2458	Process not Found

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.8QVWwD	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.HowUcj	crontab

/tmp/6d7a2a182467276297c8a84a5d2840e7ee335fb985f63cda9e618b229973e1a2.elf
/tmp/6d7a2a182467276297c8a84a5d2840e7ee335fb985f63cda9e618b229973e1a2.elf
1⤵
- Loads a kernel module
PID:2443
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2462
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2463
- /usr/bin/crontab
  crontab /var/spool/cron/crontabs/root
  2⤵
  - Creates/modifies Cron job
  PID:2466
- /usr/bin/crontab
  crontab /var/spool/cron/crontabs/root
  2⤵
  - Creates/modifies Cron job
  PID:2467
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2470
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2471
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2490
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2492
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2494
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2496
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2501
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2503
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2505
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2507
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2509
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2512
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2514
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2516
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2518
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2520
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2522
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2524
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2526
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2528
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2530
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2532
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2534
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2536
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2554
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2556
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2561
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:2563

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/d

Filesize
60B

MD5
ee526051d6561a990ad0e765263c8ddb

SHA1
94a7b4ed4d3609e34a1bca4c42aff5114da37d13

SHA256
a17cd77ca3797299d5c50007a5bb31fbe8e2d3404e36587a2a2c6e01e76a63b6

SHA512
2c6daa49cf77519ad5801e9a5c5f38e2df00f3a2a06273e40a8ec284d382d8605ba04e60a2ccd3d11268919f6540cf99d53dfbf3e42730e2c4dccad836247099

Download Submit
/tmp/allah_is_prick.html

Filesize
360B

MD5
3a2d9ee3d20a76ed6af3f066be482b64

SHA1
8ee4338df17d6dbbd7cfec1aa0abbd6a7b8081f6

SHA256
9d542210472a30c5142df1f1ac2a25d72a453c5dfad27b09f805691a2e936082

SHA512
715e81e95217eb0d10c1fb3518a589782c2f67bc100e349582cccb5ab5706c4ec931879e3c03717a099d475f8dbec58082cee306c74cd264bd733b5b98aa0b25

Download Submit
/usr/bin/yjmeiguoop

Filesize
93KB

MD5
307c851a7a0c4b7dd8afd2abd662480c

SHA1
4e2b66521a16a174fcd6581357d289f1ede59cb1

SHA256
6d7a2a182467276297c8a84a5d2840e7ee335fb985f63cda9e618b229973e1a2

SHA512
fd222411e33c1a658efd61c58ea10b634fea81ced709db7f15789ef6733da0c7c211cd218780c1e598e27b7f71525824282348f30d65ed394756060800cda5e2

Download Submit
/var/spool/cron/crontabs/root

Filesize
50B

MD5
d1ef02550e42d1516fbe9146fec43005

SHA1
d6ff37c10757a8e39a152e6a442b3def403ffc47

SHA256
fbc287215adc81db3bc88f6472dc7b01960db1decf4d833828c61641dea56cdd

SHA512
4e0fecd456b1c9617a707eaf0026e076a99ca237b5f194a7a27cc7b4a32cd176c222824ca05d3d1093840705b3e82dcf405c00648be8a78495286cab0e5062c7

Download Submit
/var/spool/cron/crontabs/tmp.8QVWwD

Filesize
253B

MD5
32530eca797f7b512ca94559f0d751ec

SHA1
50a6c318e8c56d7580434ed0bc6b9abc5d056830

SHA256
03e41aaca8df379e79a24fb67a10ef33806552f9d33d0c9ba4dbd401ee734f92

SHA512
c5ee668803df3fadcf04703136e801f5e4dd07c2c1ab68688731797abf853428bf871df11b0857fc971db5a49a77ee38c8edc6dd8e89e074bca0c6a066f18857

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads