mirai | 3bd5be1f538f8cc195dbffd77d01e0c2509c56139a307b72d72d5bdbe2245584

Resubmissions

22-11-2024 18:24

241122-w2cqdawjf1 10

22-11-2024 18:13

241122-wt52ys1ngp 10

Analysis

max time kernel
15s
max time network
1808s
platform
debian-12_armhf
resource
debian12-armhf-20240221-en
resource tags

arch:armhfimage:debian12-armhf-20240221-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
submitted
22-11-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3061714.bin
Size

249KB
MD5

038814ff17c4e2f6e286dc858e3c3e38
SHA1

57b63f3ed966b91f2dbc107e87d81201c329671b
SHA256

3bd5be1f538f8cc195dbffd77d01e0c2509c56139a307b72d72d5bdbe2245584
SHA512

5225c9dd4adcaab0547e267c5f207cc89a007268a6c2fe2c3be84d94d08ca92340c3552ac4d59109721224c480cee7a4995a94d1dbe9f3a2e498cef0b1e90e87
SSDEEP

6144:REn8buta+6HwGQJk8a+MrZP6Ffk+figv49e/CKvVA6tnY:RNr2JxahZPl+L8eaKvVAcY

Score

10^/10

mirai lzrd botnet defense_evasion discovery execution persistence privilege_escalatio privilege_escalation

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Modifies Watchdog functionality 1 TTPs 1 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
defense_evasion

Impair Defenses
T1562

Processes:

3061714.bin

description ioc process

File opened for modification /dev/watchdog 3061714.bin

description	ioc	process
File opened for modification	/dev/watchdog	3061714.bin

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	1.0.0.1
Destination IP	134.195.4.2
Destination IP	94.247.43.254
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	54.36.111.116
Destination IP	1.0.0.1
Destination IP	134.195.4.2
Destination IP	192.3.165.37
Destination IP	168.138.12.137
Destination IP	192.3.165.37
Destination IP	168.138.12.137
Destination IP	114.114.114.114
Destination IP	168.138.12.137
Destination IP	54.36.111.116
Destination IP	192.3.165.37
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	54.36.111.116
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	114.114.114.114
Destination IP	54.36.111.116
Destination IP	54.36.111.116
Destination IP	114.114.114.114
Destination IP	168.138.12.137
Destination IP	94.247.43.254
Destination IP	134.195.4.2
Destination IP	114.114.114.114
Destination IP	168.138.12.137
Destination IP	1.0.0.1
Destination IP	192.3.165.37
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	134.195.4.2
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	94.247.43.254
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	1.0.0.1
Destination IP	114.114.114.114
Destination IP	168.138.12.137
Destination IP	94.247.43.254
Destination IP	114.114.114.114
Destination IP	1.0.0.1
Destination IP	94.247.43.254
Destination IP	54.36.111.116
Destination IP	1.0.0.1
Destination IP	54.36.111.116
Destination IP	1.0.0.1
Destination IP	134.195.4.2
Destination IP	168.138.12.137
Destination IP	54.36.111.116
Destination IP	114.114.114.114
Destination IP	54.36.111.116
Destination IP	1.0.0.1
Destination IP	168.138.12.137
Destination IP	94.247.43.254
Destination IP	94.247.43.254
Destination IP	114.114.114.114
Destination IP	168.138.12.137

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.l8piv5 crontab
Modifies init.d 2 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

RC Scripts
T1037.004

Processes:

3061714.bin

description ioc process

File opened for modification /etc/init.d/dnsconfig 3061714.bin
Modifies systemd 2 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
persistence privilege_escalation

XDG Autostart Entries
T1547.013

Systemd Service
T1543.002

Processes:

3061714.bin

description ioc process

File opened for modification /etc/systemd/system/dnsconfigs.service 3061714.bin
Writes file to system bin folder 2 IoCs

Processes:

3061714.bin

description ioc process

File opened for modification /sbin/watchdog 3061714.bin
File opened for modification /bin/watchdog 3061714.bin
Command and Scripting Interpreter: Unix Shell 1 TTPs 23 IoCs
Execute scripts via Unix Shell.
execution

Unix Shell
T1059.004

Processes:

shshshshshshshshshshshshshshshshshshshshshshsh

pid process

734 sh
735 sh
746 sh
748 sh
776 sh
786 sh
833 sh
757 sh
765 sh
782 sh
793 sh
821 sh
824 sh
826 sh
829 sh
886 sh
720 sh
831 sh
837 sh
736 sh
771 sh
811 sh
819 sh

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.l8piv5	crontab

description	ioc	process
File opened for modification	/etc/init.d/dnsconfig	3061714.bin

description	ioc	process
File opened for modification	/etc/systemd/system/dnsconfigs.service	3061714.bin

description	ioc	process
File opened for modification	/sbin/watchdog	3061714.bin
File opened for modification	/bin/watchdog	3061714.bin

pid	process
734	sh
735	sh
746	sh
748	sh
776	sh
786	sh
833	sh
757	sh
765	sh
782	sh
793	sh
821	sh
824	sh
826	sh
829	sh
886	sh
720	sh
831	sh
837	sh
736	sh
771	sh
811	sh
819	sh

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

mountsystemctlsystemctlsystemctl3061714.bincpmount

description	ioc	process
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/exe	3061714.bin
File opened for reading	/proc/715/cmdline	3061714.bin
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mount

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

3061714.bin

description ioc process

File opened for modification /tmp/server_session.lock 3061714.bin

description	ioc	process
File opened for modification	/tmp/server_session.lock	3061714.bin

/tmp/3061714.bin
/tmp/3061714.bin
1⤵
- Modifies Watchdog functionality
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:715
- /bin/cp
  cp -f /tmp/3061714.bin /var/tmp/nginx_kel
  2⤵
  - Reads runtime system information
  PID:719
- /bin/sh
  /bin/sh -c "mount -o bind /tmp/nginx_server /proc/715/ > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:720
- - /usr/bin/mount
    mount -o bind /tmp/nginx_server /proc/715/
    3⤵
    - Reads runtime system information
    PID:723
- /bin/sh
  /bin/sh -c "mount -o bind /tmp/nginx_server /proc/731/ > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:734
- - /usr/bin/mount
    mount -o bind /tmp/nginx_server /proc/731/
    3⤵
    - Reads runtime system information
    PID:741
- /bin/sh
  /bin/sh -c "crontab /var/tmp/.recoverys"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:735
- - /usr/bin/crontab
    crontab /var/tmp/.recoverys
    3⤵
    - Creates/modifies Cron job
    PID:740
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:736
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig
    3⤵
    PID:739
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:746
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig
    3⤵
    PID:752
- /bin/sh
  /bin/sh -c "systemctl daemon-reload > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:748
- - /usr/bin/systemctl
    systemctl daemon-reload
    3⤵
    - Reads runtime system information
    PID:754
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:757
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig
    3⤵
    PID:761
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:765
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig
    3⤵
    PID:769
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:771
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig
    3⤵
    PID:774
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:776
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig
    3⤵
    PID:778
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:782
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig
    3⤵
    PID:785
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:786
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig
    3⤵
    PID:788
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:793
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig
    3⤵
    PID:804
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:811
- - /usr/bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs
    3⤵
    PID:817
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:819
- - /usr/bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs
    3⤵
    PID:820
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:821
- - /usr/bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs
    3⤵
    PID:822
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:824
- - /usr/bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs
    3⤵
    PID:825
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:826
- - /usr/bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs
    3⤵
    PID:828
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:829
- - /usr/bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs
    3⤵
    PID:830
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:831
- - /usr/bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs
    3⤵
    PID:832
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:833
- - /usr/bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs
    3⤵
    PID:834
- /bin/sh
  /bin/sh -c "systemctl enable dnsconfigs.service > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:837
- - /usr/bin/systemctl
    systemctl enable dnsconfigs.service
    3⤵
    - Reads runtime system information
    PID:838
- /bin/sh
  /bin/sh -c "systemctl start dnsconfigs.service > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:886
- - /usr/bin/systemctl
    systemctl start dnsconfigs.service
    3⤵
    - Reads runtime system information
    PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Create or Modify System Process

T1543

Systemd Service

T1543.002

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Create or Modify System Process

T1543

Systemd Service

T1543.002

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/dnsconfig

Filesize
1KB

MD5
df56ea52b8cee93884f3872d25a85db0

SHA1
2fd0c7407ed67253a807d1d01c6ffd3467edaf8e

SHA256
a402d683e16519793b06f663163d750b4e82922cf3b18af5a655de41328b9bf5

SHA512
e390943755721ba7f0210439f0fc8e5e3daaf98ba1df923464aa547c5a7c6f941240658c8fa59270d6f73539fd8b0a04d7bdc9c407f13d9301588d5cf9aa68da

Download Submit
/etc/systemd/system/dnsconfigs.service

Filesize
174B

MD5
900f683b08977636b092fcbfa1ad8a42

SHA1
6d521f5c3e862f1106d9ac6a3a654e57e6814333

SHA256
71d21310d1c7dbb935f3b61311403b0ec0fa32dc73f91720365416a646c2dfb3

SHA512
50b5426500d8b5dccb7fd71fe9a448ae1c76770890ba86c37e7decbf2ca1f0e1cd20c50996260f37114ba2bdb16ae927e4afad241a51e3d22112ada8e25604b0

Download Submit
/tmp/server_session.lock

Filesize
4B

MD5
fc2a52f2fc1336895548ec92783638b8

SHA1
2db8e3100db60361a96a8bafc27bd6813dd6f0a7

SHA256
5a401a7824349c600b89886016315a119d630629ccf51ad9a5b5775754e8161f

SHA512
2ee2629401fb43057db5e6656e2ca58cd9ea7d529fbb6add020163c7cd2088128cb1d88b1fbbbf2da644da2f3d92855d24d09349323a0c8f9962e5253214005b

Download Submit
/var/spool/cron/crontabs/tmp.l8piv5

Filesize
230B

MD5
b55e711112088369b3adac22048cf3c2

SHA1
1d979da9ba9e4fb01deda2e6be40de0773ec78b2

SHA256
b59c52fcd38ddd9906863e1000567ecba5a036389663b0cb7b3982218994a201

SHA512
812aa979d5cb5ff975224aae5689c6f3fbba59ad48acd30e71a4f33375b9a5102501a1b90bc2707369624df851860c36fc3cd855b4392b98039e03d7462c0b52

Download Submit
/var/tmp/.recoverys

Filesize
37B

MD5
abe9a0e06459d029e0f5183965dbbf3b

SHA1
7e79e16ea12fed960bcee8eb5a9c6384fa61a2d1

SHA256
b2cfe7490d6dd2f81ede3ed9db30c78637f4a1e98ed746eaa00998e95d3de384

SHA512
955aece23c24e5b1ce32a90fa014a8a6fac39b68707a13f56cd1bfb07c79dfc59806942732990aaf925db5724f381827e2c35eba21fe95ce9a760760527048cd

Download Submit
memory/715-1-0x00008000-0x00089af4-memory.dmp

Download

pid	process
734	sh
735	sh
746	sh
748	sh
776	sh
786	sh
833	sh
757	sh
765	sh
782	sh
793	sh
821	sh
824	sh
826	sh
829	sh
886	sh
720	sh
831	sh
837	sh
736	sh
771	sh
811	sh
819	sh

pid	process
734	sh
735	sh
746	sh
748	sh
776	sh
786	sh
833	sh
757	sh
765	sh
782	sh
793	sh
821	sh
824	sh
826	sh
829	sh
886	sh
720	sh
831	sh
837	sh
736	sh
771	sh
811	sh
819	sh

pid	process
734	sh
735	sh
746	sh
748	sh
776	sh
786	sh
833	sh
757	sh
765	sh
782	sh
793	sh
821	sh
824	sh
826	sh
829	sh
886	sh
720	sh
831	sh
837	sh
736	sh
771	sh
811	sh
819	sh