mirai | 848b24188bb64b490fd0ab150eed506f8cc54055ad8e84d9120927995ac5f282

Resubmissions

06/09/2024, 16:39

240906-t6bb1awhpk 10

06/09/2024, 16:01

05/09/2024, 17:38

05/09/2024, 17:34

05/09/2024, 17:29

Analysis

max time kernel
148s
max time network
178s
platform
debian-12_armhf
resource
debian12-armhf-20240221-en
resource tags

arch:armhfimage:debian12-armhf-20240221-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
submitted
06/09/2024, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
Size

117KB
MD5

4a562992cfe96cca14e9ae680caf1064
SHA1

8b50ff3f0f4f77431f083d1f527361ced31e228f
SHA256

e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c
SHA512

1e606c5d99fa9958da72a80d2e182b596819a98d0a8852514a3fee01e907a526a7300c10837342535051e72082b029b3f33bd32b81bc45c805f8be3c9f83a6b3
SSDEEP

3072:AVDvu7a0GkH8XcaUJrfhZVNFNITaKW7lJwY7:Ac7axkHYcaUJrfhZLFNbKylOY7

Score

10^/10

mirai botnet execution persistence privilege_escalatio

Malware Config

Extracted

Family

mirai

www.india-scam-call-center.pw

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai

Creates/modifies Cron job 1 TTPs 3 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.HNVod1	crontab
File opened for modification	/var/spool/cron/crontabs/root	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
File opened for modification	/var/spool/cron/crontabs/tmp.lAqBF7	crontab

Writes file to system bin folder 1 IoCs

description	ioc	Process
File opened for modification	/bin/uemwlnaabm	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	709	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs

Execute scripts via Unix Shell.

execution

Unix Shell

T1059.004

pid	Process
719	sh
720	sh

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/allah_is_prick.html	e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf

/tmp/e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
/tmp/e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c.elf
1⤵
- Creates/modifies Cron job
- Writes file to system bin folder
- Changes its process name
- Writes file to tmp directory
PID:709
- /bin/sh
  /bin/sh -c "crontab /var/spool/cron/crontabs/root"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:719
- - /usr/bin/crontab
    crontab /var/spool/cron/crontabs/root
    3⤵
    - Creates/modifies Cron job
    PID:724
- /bin/sh
  /bin/sh -c "crontab /var/spool/cron/crontabs/root"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:720
- - /usr/bin/crontab
    crontab /var/spool/cron/crontabs/root
    3⤵
    - Creates/modifies Cron job
    PID:723

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/d

Filesize
10B

MD5
c6b357c4272875f87474d38e84ff8ebe

SHA1
41cd3209975ffb6471da4c9293a66dcd098d9903

SHA256
91b5e2369dedf2076a1e8ee888ca6be224750001ef360bedf9573262930082d3

SHA512
62f308cf5537564d2872c0d957e67eacf0061e7662d888b5ed826bb8da92e3735c413fe1c730be3e31a8adabda078cf0a16908c422bf120de510c640887371ec

Download Submit
/etc/d

Filesize
20B

MD5
cce4baca7bc05a2424c84f20815a04ea

SHA1
12007358f27df6116147916ad8ced147e4410a50

SHA256
8310f1cb29fe2ee8a56255331d3da6c40d580aafa6cddfc025b2b2536ff190df

SHA512
90e7d800fdcc9a2f445b71bcc7973b99dac238e565084d85054da3d5fd2e281446401dcbb84bbd0d56fdf562377be838beadd5919a0b107288025f7c959ffa9d

Download Submit
/etc/d

Filesize
30B

MD5
1d7143da8b879b4e99cae67be067dc86

SHA1
592b8857d669a563efe4fe0cbd462cbfd6e0e40c

SHA256
4fbfe96fce1a7bdf5935a30cafe83b6645944e5c0988456f5a51ba57980f8af9

SHA512
4c8f57c0395f5ae71c0e45b79d2e5782bdab59205712cf7c30d750b4a7e78154dabf9ffd724d2431751940319407677a1a7efdc66bb8283c6f21260ede63e578

Download Submit
/tmp/allah_is_prick.html

Filesize
360B

MD5
3a2d9ee3d20a76ed6af3f066be482b64

SHA1
8ee4338df17d6dbbd7cfec1aa0abbd6a7b8081f6

SHA256
9d542210472a30c5142df1f1ac2a25d72a453c5dfad27b09f805691a2e936082

SHA512
715e81e95217eb0d10c1fb3518a589782c2f67bc100e349582cccb5ab5706c4ec931879e3c03717a099d475f8dbec58082cee306c74cd264bd733b5b98aa0b25

Download Submit
/usr/bin/uemwlnaabm

Filesize
117KB

MD5
4a562992cfe96cca14e9ae680caf1064

SHA1
8b50ff3f0f4f77431f083d1f527361ced31e228f

SHA256
e1e9e081c9e730efa06ba1ae1c93a8960f6f7730f902ac824c2835dec901964c

SHA512
1e606c5d99fa9958da72a80d2e182b596819a98d0a8852514a3fee01e907a526a7300c10837342535051e72082b029b3f33bd32b81bc45c805f8be3c9f83a6b3

Download Submit
/var/spool/cron/crontabs/root

Filesize
26B

MD5
b39c8315803ae9a81e4d0e071e3c11a9

SHA1
4fbed2a581abe40d0693799c6c97d0bcdd006c61

SHA256
8baed4a933ccec1a3b013de63dd9f533d879fa7ba16ce3bc4f5ae5f0e7fc0873

SHA512
6843997e3c8e9331f6fb4b9925bc9830be82581be6e05a23b485e8ed0e4dbb8ea79dee1dc62f30d85774e26f4c06dcd3b71c549563beeda2c0add2be116489e8

Download Submit
/var/spool/cron/crontabs/root

Filesize
52B

MD5
4d6a8968b834372f0388cbbbe4660fa7

SHA1
c8d32163cc1a33c6716b910ce8c09cee17de860e

SHA256
8d1aa8b4adbe5cae53603aa7d0137f02b0308fa8f3cb7ff2cc836c3c42ecf233

SHA512
9643b0155a6df26b377ac3845e3d4cd1f24d2ad26ec68400d7e61e137fa0d0f9bb9c1abaf2b6ed4c34251f06cb8bebc885c5cec7636248dbe18449b3e68fc73e

Download Submit
/var/spool/cron/crontabs/tmp.lAqBF7

Filesize
255B

MD5
2b06a8875f3d1e7cba0b14423521231c

SHA1
7c6ca0c7f7e0dd6676cf4cf36f93880b7f7d99a1

SHA256
26d0506b052bded35fdd304051094f32102605a616a2c4e6ed408d4adfc90427

SHA512
78385aff795337c32c1398ac1928fa75ac15f3141863bcc612931ccec9cc55006df86686d12189e709115b9dec6bc3407a095d77352fd2d8205470e8afb111e7

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads