mirai | a67ab3ae7a26a965fb3c25dc014f225a094cab7aa1187fd23d01cf9b0b803e01

Analysis

max time kernel
151s
max time network
153s
platform
debian-12_mipsel
resource
debian12-mipsel-20240418-en
resource tags

arch:mipselimage:debian12-mipsel-20240418-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
submitted
18-09-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
Size

44KB
MD5

1ad35be6a82d64f89d9dc253cd00732d
SHA1

ec27b140c4e0a99fe2541df124a570972821b627
SHA256

a67ab3ae7a26a965fb3c25dc014f225a094cab7aa1187fd23d01cf9b0b803e01
SHA512

a51129151f78f8b81e5e82a82ee28651e13ff1daeab3ee6401e899b06c1811c37396a684a2d82db2dc22c9c6f4d78569396399361f6b36f8bdf60a61fb40871e
SSDEEP

768:qD/owcXQko+k5mmjRjhk/YQZYn2n4ambRiYPTGVK7bPUZ8dS+9Wj9:qD/dko+Ymmj1hKG2O0e/Psp+k9

Score

10^/10

mirai botnet defense_evasion discovery

Malware Config

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai

Deletes itself 1 IoCs

pid	Process
743	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for modification	/dev/misc/watchdog	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	jela518b7r201pel	743	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/11cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/14cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/26cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/30cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/337cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/380cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/20cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/28cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/35cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/47cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/800cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/6cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/59cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/763cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/788cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/449cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/710cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/756cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/16cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/186cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/713cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/770cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/18cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/58cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/717cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/769cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/7cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/32cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/667cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/749cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/751cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/778cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/803cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/113cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/377cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/747cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/757cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/790cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/15cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/24cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/679cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/748cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/785cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/111cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/697cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/792cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/793cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/34cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/53cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/308cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/777cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/21cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/29cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/745cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/4cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/48cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/738cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/9cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/180cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/391cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/394cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/801cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/806cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
File opened for reading	/proc/19cmdline	SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf

/tmp/SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
/tmp/SecuriteInfo.com.Linux.Siggen.9999.16610.1997.elf
1⤵
- Deletes itself
- Modifies Watchdog functionality
- Changes its process name
- Reads runtime system information
PID:743

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads