mirai | 848b24188bb64b490fd0ab150eed506f8cc54055ad8e84d9120927995ac5f282

Resubmissions

06/09/2024, 16:39

240906-t6bb1awhpk 10

06/09/2024, 16:01

05/09/2024, 17:38

05/09/2024, 17:34

05/09/2024, 17:29

Analysis

max time kernel
1798s
max time network
1801s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
06/09/2024, 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
Size

117KB
MD5

4a562992cfe96cca14e9ae680caf1064
SHA1

8b50ff3f0f4f77431f083d1f527361ced31e228f
SHA256

e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c
SHA512

1e606c5d99fa9958da72a80d2e182b596819a98d0a8852514a3fee01e907a526a7300c10837342535051e72082b029b3f33bd32b81bc45c805f8be3c9f83a6b3
SSDEEP

3072:AVDvu7a0GkH8XcaUJrfhZVNFNITaKW7lJwY7:Ac7axkHYcaUJrfhZLFNbKylOY7

Score

10^/10

mirai botnet discovery execution persistence privilege_escalatio

Malware Config

Extracted

Family

mirai

www.india-scam-call-center.pw

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai

Creates/modifies Cron job 1 TTPs 3 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.gdU8To	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.RQxPWo	crontab
File opened for modification	/var/spool/cron/crontabs/root	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

Writes file to system bin folder 1 IoCs

description	ioc	Process
File opened for modification	/bin/rxpfksk	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	m	657	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs

Execute scripts via Unix Shell.

execution

Unix Shell

T1059.004

pid	Process
665	sh
666	sh

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/filesystems	crontab

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/allah_is_prick.html	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

/tmp/e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
/tmp/e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
1⤵
- Creates/modifies Cron job
- Writes file to system bin folder
- Changes its process name
- Writes file to tmp directory
PID:657
- /bin/sh
  /bin/sh -c "crontab /var/spool/cron/crontabs/root"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:665
- - /usr/bin/crontab
    crontab /var/spool/cron/crontabs/root
    3⤵
    - Creates/modifies Cron job
    - Reads runtime system information
    PID:669
- /bin/sh
  /bin/sh -c "crontab /var/spool/cron/crontabs/root"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:666
- - /usr/bin/crontab
    crontab /var/spool/cron/crontabs/root
    3⤵
    - Creates/modifies Cron job
    - Reads runtime system information
    PID:670

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/bin/rxpfksk

Filesize
117KB

MD5
4a562992cfe96cca14e9ae680caf1064

SHA1
8b50ff3f0f4f77431f083d1f527361ced31e228f

SHA256
e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c

SHA512
1e606c5d99fa9958da72a80d2e182b596819a98d0a8852514a3fee01e907a526a7300c10837342535051e72082b029b3f33bd32b81bc45c805f8be3c9f83a6b3

Download Submit
/etc/d

Filesize
10B

MD5
8a47142d98fdb3574131557c8c16c8ac

SHA1
6d10f0599079a338007a62a4a9a1ca10741f2c1e

SHA256
e71797e4fb36f4b829af0bff60f26237bd00258befd6df80b3a2ac0c4f7ff10e

SHA512
960b3f3b526b4c81be5b214ef93a39bc87e05dc5a94e26688e7cb9780f82dcf61a7bbc188a3fbce845a870ca18ab11b55981b0f82a6456d8fb69404644e5ebbe

Download Submit
/etc/d

Filesize
20B

MD5
92b7c5942a1d99a8de83f6156894c4cc

SHA1
7e67f58afd180bf487d92dde5cee33534c01a49c

SHA256
0c10cd465b364dda7c80719fa12b40f4babd15871d931fc16eee6f1acdc9a546

SHA512
997bc7460428bfcc4b6ce8688d24c97e0f5e6fc13a8cc632bc963a0d1278e0b88c7c32c22316f1114c1a548bf16c656f8634dd4afb2bdc69dc30626ae9a00e1a

Download Submit
/etc/d

Filesize
40B

MD5
671a6e13e7e7adbb0b7665a965e2e984

SHA1
2e05e3c4211931c7e33d3063a5af0b83fc99a4c7

SHA256
8659b1392502b48988b5d9e484107f90855f6aedf26ecebda0168182c7ee998d

SHA512
1b891a7b40740c136d7dfb09e3e70d5b7beb2fbba4575e89e58473400da4232a455d4924fe3ddca01c724a47da0ad1dd07654dfa2491601437eaa6ef8209ff1f

Download Submit
/tmp/allah_is_prick.html

Filesize
360B

MD5
3a2d9ee3d20a76ed6af3f066be482b64

SHA1
8ee4338df17d6dbbd7cfec1aa0abbd6a7b8081f6

SHA256
9d542210472a30c5142df1f1ac2a25d72a453c5dfad27b09f805691a2e936082

SHA512
715e81e95217eb0d10c1fb3518a589782c2f67bc100e349582cccb5ab5706c4ec931879e3c03717a099d475f8dbec58082cee306c74cd264bd733b5b98aa0b25

Download Submit
/var/spool/cron/crontabs/root

Filesize
23B

MD5
bac0fcfe39ed0a80ff1cf8def60dd5d0

SHA1
90e74f0e8f9b1c9d2a2973c695ed3fff746b2197

SHA256
b11c773804c17fcc21fbaf918bae70513dd5e0b42fa3750958a4a13b9483ce3d

SHA512
c047d1346744a7f58d5de0dd5e9cc1b2781ec51db8905c4649ae7493a8a499fa8547b142a073344a8377f48f3183a0af77536c21bf5684f129b55db0350e94d8

Download Submit
/var/spool/cron/crontabs/root

Filesize
46B

MD5
930daab4bc73e78a1a133ab77add722d

SHA1
3465983e5730167e427ce67f5c7281777504d829

SHA256
95f498e8bcba30d684338f3401114ddd0c861f479c8ebc0f6440631424bdae67

SHA512
908d193df3d46a666df6452ea5deaa945fe730fa5e94b973c08438f1b8597c1f19fbcc7da73682d13f538384c106fc493e7442386150a9c2f93e879e3c7def97

Download Submit
/var/spool/cron/crontabs/tmp.RQxPWo

Filesize
249B

MD5
17216c1716045055bc8ad1643cf0621a

SHA1
ed38c47969a43f0338d926a6672e04f29eb9ce56

SHA256
3d3c051029a9bb58a16d721fd908a446d33b3a3eb0504a1f4b766ccc1a84c4df

SHA512
df889e5121d9ae4044f1ef6bcec56efaf648e1bbd716a70e70c67280e9fdc5324d26eedd4d88d8e7afc05505ad427df18e29bc927c59a97357ed31b635476d3e

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads