Analysis

  • max time kernel: 149s
  • max time network: 154s
  • platform: debian-9_armhf
  • resource: debian9-armhf-20240611-en
  • resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted: 23-11-2024 16:16

General

  • Target: firmware.armv7l
  • Size: 133KB
  • MD5: 0870a2df3e83fe76124c4e93c7b2d8e2
  • SHA1: 6cdf840e4849c14774cb60fa4e111ccb15111214
  • SHA256: ee310a2f85f0381f2afd48584e05763b3bd88e36f1c35468c147e7733617e9d6
  • SHA512: d88a700356f8f9a75cfd63ad5c660a1aa4ff20d9d6b979d658b805d0153b7180a39f8250fc6b8ec33865653c5bfc0d36df61244ebd3d7702d372dfff1d8216d0
  • SSDEEP: 3072:xWvIGWRyWt1KTcGjFyamva5pOXJBbDDSQNpNVj/sp0a3:xeIGIyWt1KTfQjva5pOXJBbHSQJVrsa4

Malware Config

Extracted

  • Family: mirai
  • C2:
    secure.microsoftconnect.net
    binary.microsoftconnect.net

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • Creates/modifies Cron job (1 TTP, 2 IoCs)

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Writes file to system bin folder (1 IoC)
  • Changes its process name (1 IoC)
  • Command and Scripting Interpreter: Unix Shell (1 TTP, 1 IoC)

    Execute scripts via Unix Shell.

  • Reads runtime system information (31 IoCs)

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory (1 IoC)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/firmware.armv7l
    /tmp/firmware.armv7l
    1⤵
    • Creates/modifies Cron job
    • Writes file to system bin folder
    • Changes its process name
    • Reads runtime system information
    • Writes file to tmp directory
    PID:654
    • /bin/sh
      /bin/sh -c "crontab /var/spool/cron/crontabs/root"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:656
      • /usr/bin/crontab
        crontab /var/spool/cron/crontabs/root
        3⤵
        • Creates/modifies Cron job
        • Reads runtime system information
        PID:657
    • /bin/sh
      sh -c "hostname -I"
      2⤵
      PID:669
      • /bin/hostname
        hostname -I
        3⤵
        PID:671
    • /bin/sh
      sh -c "hostname -I"
      2⤵
      PID:673
      • /bin/hostname
        hostname -I
        3⤵
        PID:674

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /bin/dxfyes
    Filesize: 133KB
    MD5: 0870a2df3e83fe76124c4e93c7b2d8e2
    SHA1: 6cdf840e4849c14774cb60fa4e111ccb15111214
    SHA256: ee310a2f85f0381f2afd48584e05763b3bd88e36f1c35468c147e7733617e9d6
    SHA512: d88a700356f8f9a75cfd63ad5c660a1aa4ff20d9d6b979d658b805d0153b7180a39f8250fc6b8ec33865653c5bfc0d36df61244ebd3d7702d372dfff1d8216d0

  • /etc/dbmn.conf
    Filesize: 8B
    MD5: e5dd44856874ab9c807de3ca9fde9047
    SHA1: 155ee893d4f5d8e9071546adc57ea7a6f6da2655
    SHA256: 14403150cbddd09b5c694aa6d303cd0b170683cf3881475f828780ae007cd675
    SHA512: 62a60e7bda57a8dfa761f29c6d75286ef308f4196b8db5837d13c9376c98fefc217a939b26b4fbbf92d38338b7cefe70ee31f203b83c8262ba9c8512e412e53d

  • /tmp/allah_is_prick.html
    Filesize: 360B
    MD5: 3a2d9ee3d20a76ed6af3f066be482b64
    SHA1: 8ee4338df17d6dbbd7cfec1aa0abbd6a7b8081f6
    SHA256: 9d542210472a30c5142df1f1ac2a25d72a453c5dfad27b09f805691a2e936082
    SHA512: 715e81e95217eb0d10c1fb3518a589782c2f67bc100e349582cccb5ab5706c4ec931879e3c03717a099d475f8dbec58082cee306c74cd264bd733b5b98aa0b25

  • /var/spool/cron/crontabs/root
    Filesize: 22B
    MD5: a4cf3f1ddb380808ac2298b005cf0547
    SHA1: b62798db41e7509207320946f6bf2747f252ed7e
    SHA256: 8b1f7b09d3242b27cc784b49454a1abfb24a49b2cb782a83d5b4ff037e3af0a7
    SHA512: 69ad750ced491679e7ea8d47d63debbdace78f9faf667f08d5fcbb0ac31d4ded25fb1f6819ec9b2282f12745d353618e3274b7b4d32a707104cd1b450ba98a78

  • /var/spool/cron/crontabs/tmp.sAzGL9
    Filesize: 225B
    MD5: 2238032cb5f335744fe908714f6a9cba
    SHA1: 078c9eb01cb7414968a302c3e76fa471f410088b
    SHA256: 538b73d9c64dbf72a4568b2adfb2cf097e7d622bf2c970bce9e1dc06d37143ac
    SHA512: 158714ea3844369e706edcf91e1e64b865f1f3333cbd84feebf60c407fd8ce59dabfb940753caa3b05e3e271811c6ccf1250901de18db2fc3237da749447b759