mirai | b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8

General

Target

b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
Size

26KB
MD5

dcab5d9ca3b40643ebef3268185b6557
SHA1

5c4e37769ffb73a5167fff724dc7e7676ecad222
SHA256

b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8
SHA512

0608153373eef9f1ae22920d9b35d46e6959f375b264502dc09d642569199bd2caa5adffdffd79d31bd84a5c76e54b8612bd2b3b4193e06d254aad7dab8d9e02
SSDEEP

768:2JHRvHIJX6pWbolcCpWRk7vYsqZoQs3Uozhp:WHRvHkX6Y8cK8kVFzhp

Score

10^/10

mirai lzrd botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf

description	ioc	process
File opened for modification	/dev/watchdog	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for modification	/dev/misc/watchdog	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

Processes:

b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf

description	ioc	process
File opened for modification	/sbin/watchdog	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for modification	/bin/watchdog	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf

Reads runtime system information 48 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf

description	ioc	process
File opened for reading	/proc/716/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/761/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/767/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/775/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/781/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/318/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/395/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/649/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/792/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/794/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/456/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/768/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/787/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/743/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/765/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/796/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/788/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/307/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/330/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/777/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/702/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/411/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/696/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/697/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/719/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/749/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/779/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/654/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/660/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/674/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/650/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/656/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/663/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/723/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/784/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/309/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/457/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/612/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/690/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/703/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/731/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/772/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/773/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/self/exe	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/655/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/664/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/783/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
File opened for reading	/proc/790/cmdline	b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf

/tmp/b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
/tmp/b47ebd689c7cbe560f3f0f1a7722c349df1ef307d24429dc9edf0ec86883d5c8.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:657

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/657-1-0x00008000-0x00022ac0-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads