mirai | d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0

General

Target

d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
Size

37KB
MD5

edf612986dba9abff11a7530fa06d3c2
SHA1

c39e5ecf48ed660df4c93353744955bebfb91636
SHA256

d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0
SHA512

0dd292e9760c9ac15b06809133d8296f21250085c803585be73abcd1d1faacbf07bb28a0703943f65c0bc66e0c6311b3342a1c39e118dfae6491b5f7b7eeda9f
SSDEEP

768:4a+BWS+ZPwIIBPGXna4nvdQL5zc6R96SMO/ieUeSMI68nCmqnbcuyD7UrQRj/:4a+BH+hKBAa4Vcc6RwSMO/ieCME2nouG

Score

10^/10

mirai lzrd botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf

description	ioc	process
File opened for modification	/dev/watchdog	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for modification	/dev/misc/watchdog	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

Processes:

d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf

description	ioc	process
File opened for modification	/bin/watchdog	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for modification	/sbin/watchdog	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf

description	ioc	process
File opened for reading	/proc/606/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/866/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/8/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/21/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/211/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/215/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/218/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/221/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1042/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/521/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1036/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1080/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1211/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1141/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1250/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/25/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/85/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/219/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/308/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/690/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1109/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1206/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1327/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/19/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/80/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/97/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/582/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/584/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/599/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/22/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/113/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/158/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/731/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1426/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/14/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/15/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1075/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1318/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1577/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/209/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/524/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/9/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/73/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1171/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1401/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/12/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/216/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/445/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/499/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/644/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1471/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1587/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/77/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/99/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/109/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/629/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1100/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1462/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/93/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/217/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/588/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/777/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1129/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
File opened for reading	/proc/1552/status	d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf

/tmp/d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
/tmp/d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:1587

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1587-1-0x0000000008048000-0x000000000805bc08-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads