mirai | e80deb534c05c67ec13509d53b252e30a29cc2c433d893233cf724caa682e9b4

Analysis

max time kernel
150s
max time network
191s
platform
debian-12_armhf
resource
debian12-armhf-20240221-en
resource tags

arch:armhfimage:debian12-armhf-20240221-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
submitted
06-11-2024 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

h0r0zx00x.arm7.elf
Size

54KB
MD5

486d2e2c7c3293a97e00e3dc06d6a6fc
SHA1

b5e70d23649b1bb96c43bea3df9956f3c5336746
SHA256

e80deb534c05c67ec13509d53b252e30a29cc2c433d893233cf724caa682e9b4
SHA512

218181a1f5cba39f3db3f0f88f5cd005fe1ccfeede977aab4cd3df154b097051e9f121764775635e1d243eaf291ffbed3a667a1b196d2e54fd2dd9eb36acf1b3
SSDEEP

768:0yXFyXFhmVf5fUJnFHTI2T0Ki+SUJbJOAyS0gwzfHq3UIynPsygjuKNAr0ze0pEa:RuFhKtOZI2ThJPtwzfoyPNqLNI0pE88C

Score

10^/10

mirai unstable botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (151958) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
defense_evasion

Impair Defenses
T1562

Processes:

h0r0zx00x.arm7.elf

description ioc process

File opened for modification /dev/watchdog h0r0zx00x.arm7.elf
File opened for modification /dev/misc/watchdog h0r0zx00x.arm7.elf
Writes file to system bin folder 2 IoCs

Processes:

h0r0zx00x.arm7.elf

description ioc process

File opened for modification /bin/watchdog h0r0zx00x.arm7.elf
File opened for modification /sbin/watchdog h0r0zx00x.arm7.elf
Changes its process name 1 IoCs

Processes:

h0r0zx00x.arm7.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself a 700 h0r0zx00x.arm7.elf

description	ioc	process
File opened for modification	/dev/watchdog	h0r0zx00x.arm7.elf
File opened for modification	/dev/misc/watchdog	h0r0zx00x.arm7.elf

description	ioc	process
File opened for modification	/bin/watchdog	h0r0zx00x.arm7.elf
File opened for modification	/sbin/watchdog	h0r0zx00x.arm7.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	a	700	h0r0zx00x.arm7.elf

Reads runtime system information 15 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

h0r0zx00x.arm7.elf

description	ioc	process
File opened for reading	/proc/642/cmdline	h0r0zx00x.arm7.elf
File opened for reading	/proc/625/cmdline	h0r0zx00x.arm7.elf
File opened for reading	/proc/673/cmdline	h0r0zx00x.arm7.elf
File opened for reading	/proc/706/cmdline	h0r0zx00x.arm7.elf
File opened for reading	/proc/708/cmdline	h0r0zx00x.arm7.elf
File opened for reading	/proc/698/cmdline	h0r0zx00x.arm7.elf
File opened for reading	/proc/660/cmdline	h0r0zx00x.arm7.elf
File opened for reading	/proc/692/cmdline	h0r0zx00x.arm7.elf
File opened for reading	/proc/697/cmdline	h0r0zx00x.arm7.elf
File opened for reading	/proc/707/cmdline	h0r0zx00x.arm7.elf
File opened for reading	/proc/self/exe	h0r0zx00x.arm7.elf
File opened for reading	/proc/627/cmdline	h0r0zx00x.arm7.elf
File opened for reading	/proc/641/cmdline	h0r0zx00x.arm7.elf
File opened for reading	/proc/657/cmdline	h0r0zx00x.arm7.elf
File opened for reading	/proc/713/cmdline	h0r0zx00x.arm7.elf

/tmp/h0r0zx00x.arm7.elf
/tmp/h0r0zx00x.arm7.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
- Reads runtime system information
PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/700-1-0x00008000-0x0002a64c-memory.dmp

Download