mirai | 848b24188bb64b490fd0ab150eed506f8cc54055ad8e84d9120927995ac5f282

Resubmissions

06/09/2024, 16:39

240906-t6bb1awhpk 10

06/09/2024, 16:01

05/09/2024, 17:38

05/09/2024, 17:34

05/09/2024, 17:29

Analysis

max time kernel
139s
max time network
146s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
05/09/2024, 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
Size

117KB
MD5

4a562992cfe96cca14e9ae680caf1064
SHA1

8b50ff3f0f4f77431f083d1f527361ced31e228f
SHA256

e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c
SHA512

1e606c5d99fa9958da72a80d2e182b596819a98d0a8852514a3fee01e907a526a7300c10837342535051e72082b029b3f33bd32b81bc45c805f8be3c9f83a6b3
SSDEEP

3072:AVDvu7a0GkH8XcaUJrfhZVNFNITaKW7lJwY7:Ac7axkHYcaUJrfhZLFNbKylOY7

Score

10^/10

mirai botnet discovery execution persistence privilege_escalatio

Malware Config

Extracted

Family

mirai

www.india-scam-call-center.pw

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai

Creates/modifies Cron job 1 TTPs 3 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.IclcDg	crontab
File opened for modification	/var/spool/cron/crontabs/root	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
File opened for modification	/var/spool/cron/crontabs/tmp.9O5HCg	crontab

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/bin/eismbs	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
File opened for modification	/bin/poiuftmpw	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	mne	637	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs

Execute scripts via Unix Shell.

execution

Unix Shell

T1059.004

pid	Process
645	sh
646	sh

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/filesystems	crontab

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/allah_is_prick.html	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

/tmp/e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
/tmp/e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
1⤵
- Creates/modifies Cron job
- Writes file to system bin folder
- Changes its process name
- Writes file to tmp directory
PID:637
- /bin/sh
  /bin/sh -c "crontab /var/spool/cron/crontabs/root"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:645
- - /usr/bin/crontab
    crontab /var/spool/cron/crontabs/root
    3⤵
    - Creates/modifies Cron job
    - Reads runtime system information
    PID:649
- /bin/sh
  /bin/sh -c "crontab /var/spool/cron/crontabs/root"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:646
- - /usr/bin/crontab
    crontab /var/spool/cron/crontabs/root
    3⤵
    - Creates/modifies Cron job
    - Reads runtime system information
    PID:650

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/bin/eismbs

Filesize
117KB

MD5
4a562992cfe96cca14e9ae680caf1064

SHA1
8b50ff3f0f4f77431f083d1f527361ced31e228f

SHA256
e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c

SHA512
1e606c5d99fa9958da72a80d2e182b596819a98d0a8852514a3fee01e907a526a7300c10837342535051e72082b029b3f33bd32b81bc45c805f8be3c9f83a6b3

Download Submit
/etc/d

Filesize
10B

MD5
34159a87bdd35c0539f82d2799c4bba4

SHA1
355dc49ad22564b9a3f6b75355a390a2aec4c983

SHA256
9d4dddbb374e581172a82a90b3bafc44fe85844fa7f371a635693276809b3fcd

SHA512
0865003677f115ca26ed59de3b0b5539585c856976602b50a29a265b4be43ba8a024363f062787be5c50d5b861386820f3dd3961a24fd3b7a03321c423d7eb0c

Download Submit
/etc/d

Filesize
20B

MD5
c257ca7235339321723684838905cb11

SHA1
ec4a6ef0e90eab61c9088d2ad4525f2ef50ccb7f

SHA256
1806cab1a9bd0d3277a9354126ec04fe51ea991e9a1fc086076a5124888b79dd

SHA512
d28552c422964fefc3c875cc1a187f9a89d6eaae59d50e3b1d214e12f56db27a96c25a4f1270f945184c5f3f28f390df8c8125195077caef14ee66c3102129b6

Download Submit
/etc/d

Filesize
30B

MD5
21012819070da9709d2a678b50aca703

SHA1
bf63a84f63af3446c54c9067d1d343e92ac48c04

SHA256
14d833c99c2012226e7545f378be0f6a374f91e17e80942031ffe296c79d2582

SHA512
4b5c6314c45f9db6ef3b3a1537ed1846f4aa53a49f61f89180f762f61cbfce3736759a2e944e9dd48661db3b6b0ed44fbdfc21f0a2a43aa02d3d704c4ff9b2f1

Download Submit
/etc/d

Filesize
40B

MD5
bf1d16f367b3322301902357c95dc60f

SHA1
d4c494109a51b6b045e80a16f555bf2aee64784e

SHA256
c4bb0247b384f56aefdbe26ece8f6793db15620cd4b6006ad22d53b33e0cd147

SHA512
c27b67b8827d24d4aefc7c9e7632dfecc774585fe2dd57e1bce53caee42d14e8f6e5a51948f21db2f6d280b2e737fe470ac5179f89d23ec1f4c1bfd0e9ebae44

Download Submit
/tmp/allah_is_prick.html

Filesize
360B

MD5
3a2d9ee3d20a76ed6af3f066be482b64

SHA1
8ee4338df17d6dbbd7cfec1aa0abbd6a7b8081f6

SHA256
9d542210472a30c5142df1f1ac2a25d72a453c5dfad27b09f805691a2e936082

SHA512
715e81e95217eb0d10c1fb3518a589782c2f67bc100e349582cccb5ab5706c4ec931879e3c03717a099d475f8dbec58082cee306c74cd264bd733b5b98aa0b25

Download Submit
/var/spool/cron/crontabs/root

Filesize
22B

MD5
e47352b0c003f16799cbd15270cff157

SHA1
868f1b7a2c53aa36ea2208040184d76a045105a0

SHA256
ed2cb9dbc624da5c01690c570b22250a7d217e549fb29049c8234d655ce82afe

SHA512
2373824f26a1cf2f2d7330c530f23931dcf76dffed877806d50b51e2ae65c35fd64e66c0f5413bb4d83829e5cfaf72dad0ef36d69fd1576fc1e5896c8589dcee

Download Submit
/var/spool/cron/crontabs/root

Filesize
47B

MD5
82066361d1213e9f99b50659357852b7

SHA1
e3f4ae64d599c947f08e4b13798300b0b2d34b2b

SHA256
aa348207cc10727401ae244d204b1389976e9ca5ddd408c636d88c420b625331

SHA512
67feab1454b91f3b8282edfa45ef5f1b7754786ec94c3950434ce99f532b99b751a2eeb25fe237cbbd61dc96d76ac49f89ef50b558386994cfafbd303d36aac5

Download Submit
/var/spool/cron/crontabs/tmp.IclcDg

Filesize
250B

MD5
7dd92131917a38d912796f7d5e3db0d7

SHA1
f321cc6d75fbb914254d6c3e60214c2f5dba7300

SHA256
1beafcf5ad91095708c4aa3d78a20cccfba010c3273d7bbbeed42cfa27b2970a

SHA512
b4c3059b538775c16171050e298c684908aa9a9e849b8a611bed1ed10d6db0af77320ed011c0c4c47949e532e3234c076effc0ef26f077efe8333dd6673d72ce

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads