mirai | 848b24188bb64b490fd0ab150eed506f8cc54055ad8e84d9120927995ac5f282

Resubmissions

06/09/2024, 16:39

240906-t6bb1awhpk 10

06/09/2024, 16:01

05/09/2024, 17:38

05/09/2024, 17:34

05/09/2024, 17:29

Analysis

max time kernel
150s
max time network
159s
platform
debian-12_armhf
resource
debian12-armhf-20240221-en
resource tags

arch:armhfimage:debian12-armhf-20240221-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
submitted
05/09/2024, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
Size

117KB
MD5

4a562992cfe96cca14e9ae680caf1064
SHA1

8b50ff3f0f4f77431f083d1f527361ced31e228f
SHA256

e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c
SHA512

1e606c5d99fa9958da72a80d2e182b596819a98d0a8852514a3fee01e907a526a7300c10837342535051e72082b029b3f33bd32b81bc45c805f8be3c9f83a6b3
SSDEEP

3072:AVDvu7a0GkH8XcaUJrfhZVNFNITaKW7lJwY7:Ac7axkHYcaUJrfhZLFNbKylOY7

Score

10^/10

mirai botnet execution persistence privilege_escalatio

Malware Config

Extracted

Family

mirai

www.india-scam-call-center.pw

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai

Creates/modifies Cron job 1 TTPs 3 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/root	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
File opened for modification	/var/spool/cron/crontabs/tmp.3Cc9gl	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.bN9TNn	crontab

Writes file to system bin folder 1 IoCs

description	ioc	Process
File opened for modification	/bin/vrdrza	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	aomawgjwrog	712	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs

Execute scripts via Unix Shell.

execution

Unix Shell

T1059.004

pid	Process
724	sh
723	sh

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/allah_is_prick.html	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

/tmp/e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
/tmp/e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
1⤵
- Creates/modifies Cron job
- Writes file to system bin folder
- Changes its process name
- Writes file to tmp directory
PID:712
- /bin/sh
  /bin/sh -c "crontab /var/spool/cron/crontabs/root"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:724
- - /usr/bin/crontab
    crontab /var/spool/cron/crontabs/root
    3⤵
    - Creates/modifies Cron job
    PID:731
- /bin/sh
  /bin/sh -c "crontab /var/spool/cron/crontabs/root"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:723
- - /usr/bin/crontab
    crontab /var/spool/cron/crontabs/root
    3⤵
    - Creates/modifies Cron job
    PID:730

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/d

Filesize
10B

MD5
87008ea3f5403052270ecc79e42a39a8

SHA1
61b897440d9ac27cb2d6268e5039969068be14c9

SHA256
a50262330e8e020f2cf6efc18fbf00bf3aaaa043e039720dd1d3bcd19a6a2376

SHA512
6cb776b6d3909a30320b4f1032dd47b315fed62e4e90a9df21f3144f5cee6729b61b9840a5987dbd5e9588c364af4b0f63aacfc3997a87da6a99f70e12617d48

Download Submit
/etc/d

Filesize
20B

MD5
099a5f9f66fbf599f8e5cf1e19045c3a

SHA1
20c70eea9c1b9a5a990e69ffea0d619e41e4218d

SHA256
cc38d69e6ebe43ce49f791d2e5c15dd34c963c0853e08cb1f9458c483e92703b

SHA512
581ce629df3f71dacf7c0c214503764eeac392bb9cc78eba834d791f0f24fbe91bdc3b2f8c493f1835e5d707951cbe1923db073f94bfb083e42370dc9f90f800

Download Submit
/etc/d

Filesize
30B

MD5
4a26e30cc1cc52a00ab4a0a79600195a

SHA1
fb02086205a12b64314d6bdb95576af989b55def

SHA256
71b77d15d1a8e7416a9ecec4caa73a290ee6a3a4b1971d8b97f8590718854d82

SHA512
47c9ef70d27f083c0b206a6f90c1114452b014835b0320fb03dff4ed41ee875835c4f438baab3182660bd5169f502080e5801c4fb82eb417ce5cf68edcf2f500

Download Submit
/etc/d

Filesize
40B

MD5
8e610a26a954511a733efb3128421e7b

SHA1
6dba673162d9126493887120e38dd037bb4fe1c8

SHA256
ff4892e3211c2fb72c2942f5bb599d955c0ee6272fdc2aa33488dfe24f9fcf76

SHA512
c3abf9a60e363a2e7b408e7bc997a1bf273bd073b2ef2159f8bbbbda7f0488744a4de97d99b696515406ffcb1c469ef933fa8e48755a57ce5ba5fbf4117dd9cf

Download Submit
/tmp/allah_is_prick.html

Filesize
360B

MD5
3a2d9ee3d20a76ed6af3f066be482b64

SHA1
8ee4338df17d6dbbd7cfec1aa0abbd6a7b8081f6

SHA256
9d542210472a30c5142df1f1ac2a25d72a453c5dfad27b09f805691a2e936082

SHA512
715e81e95217eb0d10c1fb3518a589782c2f67bc100e349582cccb5ab5706c4ec931879e3c03717a099d475f8dbec58082cee306c74cd264bd733b5b98aa0b25

Download Submit
/usr/bin/vrdrza

Filesize
117KB

MD5
4a562992cfe96cca14e9ae680caf1064

SHA1
8b50ff3f0f4f77431f083d1f527361ced31e228f

SHA256
e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c

SHA512
1e606c5d99fa9958da72a80d2e182b596819a98d0a8852514a3fee01e907a526a7300c10837342535051e72082b029b3f33bd32b81bc45c805f8be3c9f83a6b3

Download Submit
/var/spool/cron/crontabs/root

Filesize
44B

MD5
ce94b392b9bf5f0e0aaef15a9bc7aca9

SHA1
4d97054fd50293598318ec000ce46dcaf32ab3d7

SHA256
6478e6fbc872c6484b03c75b9e3e1e4e0e5c19876bfcf66dd07331ff223945bd

SHA512
226772d3cf200fbca13dcb12e6e2f9885a9a5b7961b4dc970cd18d3c61e9eab68c0d557e836ca0a40275425d92f5260003d41b5a645ecfa854adbf867c396f27

Download Submit
/var/spool/cron/crontabs/tmp.3Cc9gl

Filesize
247B

MD5
ac0923a24011c228c95672696724666f

SHA1
f38ff39ac5d21c078bd52b3728df040c692a56d9

SHA256
49368f3b27ff978d64d83b6b7d159e3fe8a05bfbbc51bf46e2e4e03fec5748fc

SHA512
d3f2a0c957e29379d58fe1a11490d1a41a463b054a4c1c422275079ca52aee85bf041297bf8ba48b9a49bed223121cbc2aef6442f42dc54820a8415040973775

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads