mirai | f395ace9d7dcc6b64e4161b0be7408f0be492c61b817bfbba73de4330bf312d7

Analysis

max time kernel
153s
max time network
165s
platform
debian-12_mipsel
resource
debian12-mipsel-20240221-en
resource tags

arch:mipselimage:debian12-mipsel-20240221-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
submitted
11-11-2024 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f395ace9d7dcc6b64e4161b0be7408f0be492c61b817bfbba73de4330bf312d7.elf
Size

37KB
MD5

8f7e78c211d41399085cab1f78b01c32
SHA1

c28ee1e8dc1ca6f1bdfeb29551a15a62daf895dd
SHA256

f395ace9d7dcc6b64e4161b0be7408f0be492c61b817bfbba73de4330bf312d7
SHA512

48aaa98b5a4f2601852b29ca3b3915757536cd1be309dfcd6791fa20d4e53bce57b280efd1cc66e1f60faaf51ce8511a931acdff4bc9e4d1f1aa10b7d85fecd2
SSDEEP

768:7ghW5vB2zC1sXOom1bUBfeDfOZOPT16ciTpKPYbwPHsWMVO:8o58CU7Koy165ogbMH/

Score

10^/10

mirai mirai botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (23188) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

shchmod

pid process

743 sh
757 chmod

pid	process
743	sh
757	chmod

Changes its process name 1 IoCs

Processes:

f395ace9d7dcc6b64e4161b0be7408f0be492c61b817bfbba73de4330bf312d7.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	/bin/busybox	741	f395ace9d7dcc6b64e4161b0be7408f0be492c61b817bfbba73de4330bf312d7.elf

Reads runtime system information 3 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

f395ace9d7dcc6b64e4161b0be7408f0be492c61b817bfbba73de4330bf312d7.elfmkdirmv

description	ioc	process
File opened for reading	/proc/self/exe	f395ace9d7dcc6b64e4161b0be7408f0be492c61b817bfbba73de4330bf312d7.elf
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mv

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

sh

description ioc process

File opened for modification /tmp/bin/busybox sh

description	ioc	process
File opened for modification	/tmp/bin/busybox	sh

/tmp/f395ace9d7dcc6b64e4161b0be7408f0be492c61b817bfbba73de4330bf312d7.elf
/tmp/f395ace9d7dcc6b64e4161b0be7408f0be492c61b817bfbba73de4330bf312d7.elf
1⤵
- Changes its process name
- Reads runtime system information
PID:741
- /bin/sh
  sh -c "rm -rf bin/busybox && mkdir bin; >bin/busybox && mv /tmp/f395ace9d7dcc6b64e4161b0be7408f0be492c61b817bfbba73de4330bf312d7.elf bin/busybox; chmod 777 bin/busybox"
  2⤵
  - File and Directory Permissions Modification
  - Writes file to tmp directory
  PID:743
- - /usr/bin/rm
    rm -rf bin/busybox
    3⤵
    PID:745
- - /usr/bin/mkdir
    mkdir bin
    3⤵
    - Reads runtime system information
    PID:747
- - /usr/bin/mv
    mv /tmp/f395ace9d7dcc6b64e4161b0be7408f0be492c61b817bfbba73de4330bf312d7.elf bin/busybox
    3⤵
    - Reads runtime system information
    PID:751
- - /usr/bin/chmod
    chmod 777 bin/busybox
    3⤵
    - File and Directory Permissions Modification
    PID:757

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/741-1-0x00400000-0x0045b0d8-memory.dmp

Download