mirai | 848b24188bb64b490fd0ab150eed506f8cc54055ad8e84d9120927995ac5f282

Resubmissions

06/09/2024, 16:39

240906-t6bb1awhpk 10

06/09/2024, 16:01

05/09/2024, 17:38

05/09/2024, 17:34

05/09/2024, 17:29

Analysis

max time kernel
149s
max time network
181s
platform
debian-12_armhf
resource
debian12-armhf-20240221-en
resource tags

arch:armhfimage:debian12-armhf-20240221-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
submitted
05/09/2024, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
Size

117KB
MD5

4a562992cfe96cca14e9ae680caf1064
SHA1

8b50ff3f0f4f77431f083d1f527361ced31e228f
SHA256

e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c
SHA512

1e606c5d99fa9958da72a80d2e182b596819a98d0a8852514a3fee01e907a526a7300c10837342535051e72082b029b3f33bd32b81bc45c805f8be3c9f83a6b3
SSDEEP

3072:AVDvu7a0GkH8XcaUJrfhZVNFNITaKW7lJwY7:Ac7axkHYcaUJrfhZLFNbKylOY7

Score

10^/10

mirai botnet execution persistence privilege_escalatio

Malware Config

Extracted

Family

mirai

www.india-scam-call-center.pw

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai

Creates/modifies Cron job 1 TTPs 3 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.xMHSuA	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.R4BP4g	crontab
File opened for modification	/var/spool/cron/crontabs/root	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

Writes file to system bin folder 1 IoCs

description	ioc	Process
File opened for modification	/bin/wzzyc	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	706	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs

Execute scripts via Unix Shell.

execution

Unix Shell

T1059.004

pid	Process
717	sh
718	sh

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/allah_is_prick.html	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

/tmp/e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
/tmp/e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf arm7
1⤵
- Creates/modifies Cron job
- Writes file to system bin folder
- Changes its process name
- Writes file to tmp directory
PID:706
- /bin/sh
  /bin/sh -c "crontab /var/spool/cron/crontabs/root"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:717
- - /usr/bin/crontab
    crontab /var/spool/cron/crontabs/root
    3⤵
    - Creates/modifies Cron job
    PID:724
- /bin/sh
  /bin/sh -c "crontab /var/spool/cron/crontabs/root"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:718
- - /usr/bin/crontab
    crontab /var/spool/cron/crontabs/root
    3⤵
    - Creates/modifies Cron job
    PID:723

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/d

Filesize
10B

MD5
708dbfc6a84de873443d951456cd26f6

SHA1
902d30744c9c92cfc1d1182afd56399a62d87278

SHA256
b9ade1c3063c9715ba78870f7c81a4cff77a2af70c8ee08e71c1d0d0fbafdda9

SHA512
44f0ef03157be72c17a17c19bdf026add4dedaf558d7318e0928559ab43b0da1a3d7c09bc2e490fb0f1f082837baef98e8ed95e0669788f8c28f680fbd9b54bc

Download Submit
/etc/d

Filesize
20B

MD5
91762d4431a566d3fd28be9a6dd2327e

SHA1
48d8c2f48e6f652b32129dba2ae943d559df5722

SHA256
739d345fefe9f9f5bd37e537909581841b1c4639a47d92b658026cc3ef48d71d

SHA512
2a32e10fa69b57a3a32ff3a156ca586bb21a0b06e25e8072f5519eda34fb376de69779bc3e83611fab3af17f9b96679885b0d0f03eb3d5f54de741f9edffd1f6

Download Submit
/etc/d

Filesize
30B

MD5
71326ec3e3baca5e4eba5219d4aeca13

SHA1
cad70dcf934467cc79772d37c217f633d4ecbaaa

SHA256
7fb63fff4048e93cad55b81eef13ad3638d6326a5548afde904e00f4ed70ebf7

SHA512
3469a3e81c951ef715942fdfea80f7d386750fb474f166be692242609a0e6912037aecb0093236cf0291394a0e577c9f676b419e68132815c40f80d7baec37b8

Download Submit
/etc/d

Filesize
40B

MD5
8b8bb3ce64523dfc992ed1739cea50ba

SHA1
f0e1faa7a9b25755c93465a8c3b1cc1faec04a39

SHA256
6e3b35397ded0ab90ff0bf8f327dd6d7930d444314e74ad14c88f1ec662fb89f

SHA512
bc2e9ab9bc7f9d47aa5ba5e3abe02d60c74f5998fce337bcc3c10cca64ad13be7f15a1b60078a1b20730a0c12d2c869b8703aa284e95d789f78303841e131b1c

Download Submit
/tmp/allah_is_prick.html

Filesize
360B

MD5
3a2d9ee3d20a76ed6af3f066be482b64

SHA1
8ee4338df17d6dbbd7cfec1aa0abbd6a7b8081f6

SHA256
9d542210472a30c5142df1f1ac2a25d72a453c5dfad27b09f805691a2e936082

SHA512
715e81e95217eb0d10c1fb3518a589782c2f67bc100e349582cccb5ab5706c4ec931879e3c03717a099d475f8dbec58082cee306c74cd264bd733b5b98aa0b25

Download Submit
/usr/bin/wzzyc

Filesize
117KB

MD5
4a562992cfe96cca14e9ae680caf1064

SHA1
8b50ff3f0f4f77431f083d1f527361ced31e228f

SHA256
e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c

SHA512
1e606c5d99fa9958da72a80d2e182b596819a98d0a8852514a3fee01e907a526a7300c10837342535051e72082b029b3f33bd32b81bc45c805f8be3c9f83a6b3

Download Submit
/var/spool/cron/crontabs/root

Filesize
21B

MD5
cba20dbbbb9853c4c439c91dad16d27c

SHA1
afefeb2ef1cacb87bedefc2a66fd32c0a5150f65

SHA256
707fafdacb09f4b16358f8c910979f60b1cc8134f7bfe2cdd4c76dd6d75dcea7

SHA512
0187840ec0943348e355967a5633de7318e3b5ea80712af7bef1c5b3f8b2cf5670451058894f7f0befaa92199c4486f31d6f7d1eea214a794de4466582017918

Download Submit
/var/spool/cron/crontabs/root

Filesize
42B

MD5
174064461de21bc2ffd126fa0d9d0ce5

SHA1
5dcad49ee9d7efbe78c5f4d949432c216d99ecfa

SHA256
54a99f0299bfdebac064284aaa04807890ac9b8fefa9795a5c2c868e54571b96

SHA512
bb9b3dfe5c006a26e0b850ef648b5bb2191bfc756118757d51283fa5a919ce6a5d14d31c13aa2d9bef5f7c28eba5260d579f54b08bffd464e41600d11fd7ec80

Download Submit
/var/spool/cron/crontabs/tmp.xMHSuA

Filesize
245B

MD5
c6a5afecd3e7795011049030db65ac1f

SHA1
422e630884e875c9ff5f67aaa8f5cc2586e886d8

SHA256
a4a174b43d713fa43cb33428f8e821e4b07ac6047673f5e915bc5e661c5948a7

SHA512
cf6e3f348f87738c878a7bae6d8007d46d8ba4eae6a3e7e4304ebc37ec2e669226caf2a879afb3a7f99188629e8c3ff8aa1a8391126bc320e012a2f6fdc59b4b

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads