mirai | 5a1257b3e863798fd601414bfe267e46db1b755eaa471818bd204c0b9efa6228

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
06-11-2024 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

h0r0zx00x.x86.elf
Size

30KB
MD5

d8fb6401cc65babe5175807a3f63ff14
SHA1

9194baed313ee944ef92a86a4311d963b1e56728
SHA256

5a1257b3e863798fd601414bfe267e46db1b755eaa471818bd204c0b9efa6228
SHA512

12438a96710084995dea8a225f88c863f28687520b45e9f37a73b4f5af5c2577560b637b0f0be3ece24ba6a376557b8c1a1e26fe77314735ac17801a964b0320
SSDEEP

768:Dq3ydi2rg98FdmvPyQw7NAFkcEfdhpJJLTsiLetyS33UXn68FqK6:siFdmvPgA2cEfdhxLYiFvXnW9

Score

10^/10

mirai unstable botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (152889) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
defense_evasion

Impair Defenses
T1562

Processes:

h0r0zx00x.x86.elf

description ioc process

File opened for modification /dev/watchdog h0r0zx00x.x86.elf
File opened for modification /dev/misc/watchdog h0r0zx00x.x86.elf
Enumerates running processes
Discovers information about currently running processes on the system
Writes file to system bin folder 2 IoCs

Processes:

h0r0zx00x.x86.elf

description ioc process

File opened for modification /sbin/watchdog h0r0zx00x.x86.elf
File opened for modification /bin/watchdog h0r0zx00x.x86.elf
Changes its process name 1 IoCs

Processes:

h0r0zx00x.x86.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself a 1498 h0r0zx00x.x86.elf

description	ioc	process
File opened for modification	/dev/watchdog	h0r0zx00x.x86.elf
File opened for modification	/dev/misc/watchdog	h0r0zx00x.x86.elf

description	ioc	process
File opened for modification	/sbin/watchdog	h0r0zx00x.x86.elf
File opened for modification	/bin/watchdog	h0r0zx00x.x86.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	a	1498	h0r0zx00x.x86.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

h0r0zx00x.x86.elf

description	ioc	process
File opened for reading	/proc/1123/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1539/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1065/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1101/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1127/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1268/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1513/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/450/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/676/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1058/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1324/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1489/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/self/exe	h0r0zx00x.x86.elf
File opened for reading	/proc/1115/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1161/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1307/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/459/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1016/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1164/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/408/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/982/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/430/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/758/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/468/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/870/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1140/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1190/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1593/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/472/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1155/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1587/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/424/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/916/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1254/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1492/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1502/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/645/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1533/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/406/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/438/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/569/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/672/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1488/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1146/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1508/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/552/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1225/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/514/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/529/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1136/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1563/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/984/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1501/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/601/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/665/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1150/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/992/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1141/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1179/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1557/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/477/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/651/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1581/cmdline	h0r0zx00x.x86.elf
File opened for reading	/proc/1293/cmdline	h0r0zx00x.x86.elf

/tmp/h0r0zx00x.x86.elf
/tmp/h0r0zx00x.x86.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
- Reads runtime system information
PID:1498

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1498-1-0x0000000008048000-0x0000000008058940-memory.dmp

Download