mirai | 14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7

Analysis

max time kernel
148s
max time network
148s
platform
debian-12_armhf
resource
debian12-armhf-20240729-en
resource tags

arch:armhfimage:debian12-armhf-20240729-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
submitted
19-09-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
Size

45KB
MD5

50f15f168839c7b6fd0a2e5fceeb13dd
SHA1

049e61833c04a4a33cc6f59d20c8d2c253aaa430
SHA256

14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7
SHA512

8a7fb19f3541c2e07147fd4e50c21523cf8651e32109bd3dce9c228c34c1d2c2044797ab335c13591da0ffc4c00f53579eed542823d74418cb27c3ea1609c970
SSDEEP

768:D/TYCoIxdEk+AxoTZAZHFeq8b3I9q3UELbUXfi6nVMQHI4vcGpvB:DECFd+A6YHAxxLRQZB

Score

10^/10

mirai lzrd botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
File opened for modification	/dev/misc/watchdog	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
File opened for modification	/bin/watchdog	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf

Reads runtime system information 14 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/710/cmdline	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
File opened for reading	/proc/754/cmdline	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
File opened for reading	/proc/695/cmdline	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
File opened for reading	/proc/699/cmdline	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
File opened for reading	/proc/706/cmdline	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
File opened for reading	/proc/647/cmdline	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
File opened for reading	/proc/662/cmdline	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
File opened for reading	/proc/678/cmdline	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
File opened for reading	/proc/self/exe	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
File opened for reading	/proc/665/cmdline	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
File opened for reading	/proc/682/cmdline	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
File opened for reading	/proc/698/cmdline	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
File opened for reading	/proc/630/cmdline	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
File opened for reading	/proc/646/cmdline	14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf

/tmp/14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
/tmp/14d3bdb539e16c43852d810e38f95dc59dd2a723a1c45734da7c2c0d040821b7.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:701

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/701-1-0x00008000-0x00026464-memory.dmp

Download