mirai | 3bd5be1f538f8cc195dbffd77d01e0c2509c56139a307b72d72d5bdbe2245584

Resubmissions

22-11-2024 18:24

241122-w2cqdawjf1 10

22-11-2024 18:13

241122-wt52ys1ngp 10

Analysis

max time kernel
329s
max time network
334s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
22-11-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3061714.bin
Size

249KB
MD5

038814ff17c4e2f6e286dc858e3c3e38
SHA1

57b63f3ed966b91f2dbc107e87d81201c329671b
SHA256

3bd5be1f538f8cc195dbffd77d01e0c2509c56139a307b72d72d5bdbe2245584
SHA512

5225c9dd4adcaab0547e267c5f207cc89a007268a6c2fe2c3be84d94d08ca92340c3552ac4d59109721224c480cee7a4995a94d1dbe9f3a2e498cef0b1e90e87
SSDEEP

6144:REn8buta+6HwGQJk8a+MrZP6Ffk+figv49e/CKvVA6tnY:RNr2JxahZPl+L8eaKvVAcY

Score

10^/10

mirai lzrd botnet defense_evasion discovery execution persistence privilege_escalatio privilege_escalation

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Modifies Watchdog functionality 1 TTPs 1 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	3061714.bin

Unexpected DNS network traffic destination 21 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.247.43.254
Destination IP	94.247.43.254
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	192.3.165.37
Destination IP	54.36.111.116
Destination IP	114.114.114.114
Destination IP	192.3.165.37
Destination IP	54.36.111.116
Destination IP	94.247.43.254
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	54.36.111.116
Destination IP	54.36.111.116
Destination IP	94.247.43.254
Destination IP	1.0.0.1
Destination IP	114.114.114.114
Destination IP	1.0.0.1
Destination IP	1.0.0.1

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.L4qYR9	crontab

Modifies init.d 2 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/dnsconfig	3061714.bin

Modifies systemd 2 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence privilege_escalation

XDG Autostart Entries

T1547.013

Systemd Service

T1543.002

description	ioc	Process
File opened for modification	/etc/systemd/system/dnsconfigs.service	3061714.bin

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	3061714.bin
File opened for modification	/bin/watchdog	3061714.bin

Command and Scripting Interpreter: Unix Shell 1 TTPs 23 IoCs

Execute scripts via Unix Shell.

execution

Unix Shell

T1059.004

pid	Process
702	sh
703	sh
734	sh
737	sh
739	sh
656	sh
669	sh
682	sh
687	sh
718	sh
747	sh
730	sh
676	sh
680	sh
693	sh
698	sh
710	sh
745	sh
668	sh
670	sh
691	sh
708	sh
743	sh

Enumerates kernel/hardware configuration 1 TTPs 3 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 18 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/self/exe	3061714.bin
File opened for reading	/proc/653/cmdline	3061714.bin
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/server_session.lock	3061714.bin

/tmp/3061714.bin
/tmp/3061714.bin
1⤵
- Modifies Watchdog functionality
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:653
- /bin/cp
  cp -f /tmp/3061714.bin /var/tmp/nginx_kel
  2⤵
  - Reads runtime system information
  PID:655
- /bin/sh
  /bin/sh -c "mount -o bind /tmp/nginx_server /proc/653/ > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:656
- - /bin/mount
    mount -o bind /tmp/nginx_server /proc/653/
    3⤵
    - Reads runtime system information
    PID:659
- /bin/sh
  /bin/sh -c "mount -o bind /tmp/nginx_server /proc/667/ > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:668
- - /bin/mount
    mount -o bind /tmp/nginx_server /proc/667/
    3⤵
    - Reads runtime system information
    PID:671
- /bin/sh
  /bin/sh -c "crontab /var/tmp/.recoverys"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:669
- - /usr/bin/crontab
    crontab /var/tmp/.recoverys
    3⤵
    - Creates/modifies Cron job
    - Reads runtime system information
    PID:673
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:670
- - /bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig
    3⤵
    PID:674
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:676
- - /bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig
    3⤵
    PID:679
- /bin/sh
  /bin/sh -c "systemctl daemon-reload > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:680
- - /bin/systemctl
    systemctl daemon-reload
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:683
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:682
- - /bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig
    3⤵
    PID:685
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:687
- - /bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig
    3⤵
    PID:690
- /bin/sh
  /bin/sh -c "systemctl enable dnsconfigs.service > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:691
- - /bin/systemctl
    systemctl enable dnsconfigs.service
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:694
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:693
- - /bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig
    3⤵
    PID:696
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:698
- - /bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig
    3⤵
    PID:700
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:702
- - /bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig
    3⤵
    PID:705
- /bin/sh
  /bin/sh -c "systemctl start dnsconfigs.service > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:703
- - /bin/systemctl
    systemctl start dnsconfigs.service
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:706
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:708
- - /bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig
    3⤵
    PID:709
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:710
- - /bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig
    3⤵
    PID:712
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:718
- - /bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs
    3⤵
    PID:723
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:730
- - /bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs
    3⤵
    PID:733
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:734
- - /bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs
    3⤵
    PID:735
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:737
- - /bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs
    3⤵
    PID:738
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:739
- - /bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs
    3⤵
    PID:741
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:743
- - /bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs
    3⤵
    PID:744
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:745
- - /bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs
    3⤵
    PID:746
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:747
- - /bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs
    3⤵
    PID:749

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Create or Modify System Process

T1543

Systemd Service

T1543.002

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Create or Modify System Process

T1543

Systemd Service

T1543.002

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/dnsconfig

Filesize
1KB

MD5
df56ea52b8cee93884f3872d25a85db0

SHA1
2fd0c7407ed67253a807d1d01c6ffd3467edaf8e

SHA256
a402d683e16519793b06f663163d750b4e82922cf3b18af5a655de41328b9bf5

SHA512
e390943755721ba7f0210439f0fc8e5e3daaf98ba1df923464aa547c5a7c6f941240658c8fa59270d6f73539fd8b0a04d7bdc9c407f13d9301588d5cf9aa68da

Download Submit
/etc/systemd/system/dnsconfigs.service

Filesize
174B

MD5
900f683b08977636b092fcbfa1ad8a42

SHA1
6d521f5c3e862f1106d9ac6a3a654e57e6814333

SHA256
71d21310d1c7dbb935f3b61311403b0ec0fa32dc73f91720365416a646c2dfb3

SHA512
50b5426500d8b5dccb7fd71fe9a448ae1c76770890ba86c37e7decbf2ca1f0e1cd20c50996260f37114ba2bdb16ae927e4afad241a51e3d22112ada8e25604b0

Download Submit
/tmp/server_session.lock

Filesize
4B

MD5
8f35272f55b3b1b1fe74f5032b6f3c13

SHA1
7f98a9e60986c42053527c4b74cbf7822f30e9f7

SHA256
a339f4c9da702644ef94f784c25483ae4951503b3708e66794d3408ea42e3f1c

SHA512
e8a42c102e363c30183fd9f30bfcb0275c59b3683653887d88c21e44463a35380ea1235e9ac33179994fd66f398619293cd1511b05ffd9ddd4704254aa77efb1

Download Submit
/var/spool/cron/crontabs/tmp.L4qYR9

Filesize
230B

MD5
5ea5098bba157ee9ef9138a98f3ff23c

SHA1
860f5c41b6145afa2ed4f08e3338c4dad9bcc7b4

SHA256
3e929f0d942eebfbe5f105548dff62be18def59729fdcc11d52c401878dcde5b

SHA512
e1f455c9fdefe8059f24bd6fbdd023a66b28c91d60421c22d4f6d922ce0d2a85455fea5f45fbdf0bfb76ee33baa16950ab1da77019d3e6821e90066890d53139

Download Submit
/var/tmp/.recoverys

Filesize
37B

MD5
abe9a0e06459d029e0f5183965dbbf3b

SHA1
7e79e16ea12fed960bcee8eb5a9c6384fa61a2d1

SHA256
b2cfe7490d6dd2f81ede3ed9db30c78637f4a1e98ed746eaa00998e95d3de384

SHA512
955aece23c24e5b1ce32a90fa014a8a6fac39b68707a13f56cd1bfb07c79dfc59806942732990aaf925db5724f381827e2c35eba21fe95ce9a760760527048cd

Download Submit
/var/tmp/nginx_kel

Filesize
249KB

MD5
038814ff17c4e2f6e286dc858e3c3e38

SHA1
57b63f3ed966b91f2dbc107e87d81201c329671b

SHA256
3bd5be1f538f8cc195dbffd77d01e0c2509c56139a307b72d72d5bdbe2245584

SHA512
5225c9dd4adcaab0547e267c5f207cc89a007268a6c2fe2c3be84d94d08ca92340c3552ac4d59109721224c480cee7a4995a94d1dbe9f3a2e498cef0b1e90e87

Download Submit

pid	Process
702	sh
703	sh
734	sh
737	sh
739	sh
656	sh
669	sh
682	sh
687	sh
718	sh
747	sh
730	sh
676	sh
680	sh
693	sh
698	sh
710	sh
745	sh
668	sh
670	sh
691	sh
708	sh
743	sh

pid	Process
702	sh
703	sh
734	sh
737	sh
739	sh
656	sh
669	sh
682	sh
687	sh
718	sh
747	sh
730	sh
676	sh
680	sh
693	sh
698	sh
710	sh
745	sh
668	sh
670	sh
691	sh
708	sh
743	sh

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

pid	Process
702	sh
703	sh
734	sh
737	sh
739	sh
656	sh
669	sh
682	sh
687	sh
718	sh
747	sh
730	sh
676	sh
680	sh
693	sh
698	sh
710	sh
745	sh
668	sh
670	sh
691	sh
708	sh
743	sh