mirai | c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8

General

Target

c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
Size

36KB
MD5

e4df8be7344cd39e0a8e908adbe23cd4
SHA1

0a3fa93b2ef3b28f3bdbd9b5b7774d85205d6d86
SHA256

c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8
SHA512

c76d538d2a6a5ffbde826f2f6265bbd2580d3843bc72c7064b106ddb5e181e3cb57b60578bf0ec9b24c45aee42d94dbd9ed3145d5035439090c743ec0388691d
SSDEEP

768:G+4qtvWUAASjjLMGz7/tjBQd4Mt8nEPH3GgurUEUe5Wx0T:19tvWrASjjL17/9BODtoPgurlU9S

Score

10^/10

mirai lzrd botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf

description	ioc	process
File opened for modification	/dev/watchdog	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for modification	/dev/misc/watchdog	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

Processes:

c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf

description	ioc	process
File opened for modification	/sbin/watchdog	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for modification	/bin/watchdog	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf

description	ioc	process
File opened for reading	/proc/9/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/26/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/56/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/821/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/829/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1651/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1735/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1922/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/28/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/43/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/44/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/189/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1632/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/2233/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1986/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1989/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/2156/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/47/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/385/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/390/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1116/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1924/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/2437/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/2083/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/2191/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/192/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/236/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/515/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1096/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1900/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1125/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/2441/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/20/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/37/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/753/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1795/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/587/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1073/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1819/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/36/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/55/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/70/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/79/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/386/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/2133/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/122/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/194/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1899/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1908/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/754/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/19/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/31/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/39/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/159/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/182/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/48/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1054/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1843/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/2199/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/1952/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/3/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/16/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
File opened for reading	/proc/197/status	c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf

/tmp/c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
/tmp/c765671d83adf38b777ecf372154f3b6cb163a429ab97256b91bb17f7600fcc8.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:2441

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2441-1-0x0000000000400000-0x0000000000614b00-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads