mirai | d9bfca6ab055f77105be3a540ff9bfb63bd3e76e1d5437f243a56da87a6c6ec3

Analysis

max time kernel
145s
max time network
148s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
23-11-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Satan.x86_64.elf
Size

36KB
MD5

bfa617c0d8676301a6318cc7c5623ea2
SHA1

797c2ade765bc1458b62a6442081235356a46ab3
SHA256

d9bfca6ab055f77105be3a540ff9bfb63bd3e76e1d5437f243a56da87a6c6ec3
SHA512

96aa3141d1ab328a265a351b6c8c55d85122ea50d6856da2c966c10b9c9f359c0d5f9c306e1ee68d310ae2f0e9b2bcc7c73686163859e7b9d4cd971aee5ce151
SSDEEP

768:3lsqCiE1wJ5TNw5zSLcsHrUz7bk/53B1g1hdiJFuXjNeFSx0v:3l6ikl5lIrms3B10hsvuXjNRO

Score

10^/10

mirai lzrd botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
defense_evasion

Impair Defenses
T1562

Processes:

Satan.x86_64.elf

description ioc process

File opened for modification /dev/watchdog Satan.x86_64.elf
File opened for modification /dev/misc/watchdog Satan.x86_64.elf
Enumerates running processes
Discovers information about currently running processes on the system
Writes file to system bin folder 2 IoCs

Processes:

Satan.x86_64.elf

description ioc process

File opened for modification /sbin/watchdog Satan.x86_64.elf
File opened for modification /bin/watchdog Satan.x86_64.elf

description	ioc	process
File opened for modification	/dev/watchdog	Satan.x86_64.elf
File opened for modification	/dev/misc/watchdog	Satan.x86_64.elf

description	ioc	process
File opened for modification	/sbin/watchdog	Satan.x86_64.elf
File opened for modification	/bin/watchdog	Satan.x86_64.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

Satan.x86_64.elf

description	ioc	process
File opened for reading	/proc/585/status	Satan.x86_64.elf
File opened for reading	/proc/1919/status	Satan.x86_64.elf
File opened for reading	/proc/1925/status	Satan.x86_64.elf
File opened for reading	/proc/1929/status	Satan.x86_64.elf
File opened for reading	/proc/1935/status	Satan.x86_64.elf
File opened for reading	/proc/11/status	Satan.x86_64.elf
File opened for reading	/proc/31/status	Satan.x86_64.elf
File opened for reading	/proc/45/status	Satan.x86_64.elf
File opened for reading	/proc/2455/status	Satan.x86_64.elf
File opened for reading	/proc/1858/status	Satan.x86_64.elf
File opened for reading	/proc/1889/status	Satan.x86_64.elf
File opened for reading	/proc/14/status	Satan.x86_64.elf
File opened for reading	/proc/46/status	Satan.x86_64.elf
File opened for reading	/proc/1678/status	Satan.x86_64.elf
File opened for reading	/proc/2458/status	Satan.x86_64.elf
File opened for reading	/proc/24/status	Satan.x86_64.elf
File opened for reading	/proc/383/status	Satan.x86_64.elf
File opened for reading	/proc/1668/status	Satan.x86_64.elf
File opened for reading	/proc/32/status	Satan.x86_64.elf
File opened for reading	/proc/33/status	Satan.x86_64.elf
File opened for reading	/proc/34/status	Satan.x86_64.elf
File opened for reading	/proc/54/status	Satan.x86_64.elf
File opened for reading	/proc/584/status	Satan.x86_64.elf
File opened for reading	/proc/8/status	Satan.x86_64.elf
File opened for reading	/proc/9/status	Satan.x86_64.elf
File opened for reading	/proc/23/status	Satan.x86_64.elf
File opened for reading	/proc/1812/status	Satan.x86_64.elf
File opened for reading	/proc/1902/status	Satan.x86_64.elf
File opened for reading	/proc/1074/status	Satan.x86_64.elf
File opened for reading	/proc/1113/status	Satan.x86_64.elf
File opened for reading	/proc/1779/status	Satan.x86_64.elf
File opened for reading	/proc/2396/status	Satan.x86_64.elf
File opened for reading	/proc/28/status	Satan.x86_64.elf
File opened for reading	/proc/37/status	Satan.x86_64.elf
File opened for reading	/proc/124/status	Satan.x86_64.elf
File opened for reading	/proc/56/status	Satan.x86_64.elf
File opened for reading	/proc/892/status	Satan.x86_64.elf
File opened for reading	/proc/1123/status	Satan.x86_64.elf
File opened for reading	/proc/1944/status	Satan.x86_64.elf
File opened for reading	/proc/1997/status	Satan.x86_64.elf
File opened for reading	/proc/4/status	Satan.x86_64.elf
File opened for reading	/proc/10/status	Satan.x86_64.elf
File opened for reading	/proc/51/status	Satan.x86_64.elf
File opened for reading	/proc/2053/status	Satan.x86_64.elf
File opened for reading	/proc/41/status	Satan.x86_64.elf
File opened for reading	/proc/274/status	Satan.x86_64.elf
File opened for reading	/proc/2233/status	Satan.x86_64.elf
File opened for reading	/proc/2111/status	Satan.x86_64.elf
File opened for reading	/proc/35/status	Satan.x86_64.elf
File opened for reading	/proc/418/status	Satan.x86_64.elf
File opened for reading	/proc/1752/status	Satan.x86_64.elf
File opened for reading	/proc/2000/status	Satan.x86_64.elf
File opened for reading	/proc/2094/status	Satan.x86_64.elf
File opened for reading	/proc/2108/status	Satan.x86_64.elf
File opened for reading	/proc/2236/status	Satan.x86_64.elf
File opened for reading	/proc/2459/status	Satan.x86_64.elf
File opened for reading	/proc/18/status	Satan.x86_64.elf
File opened for reading	/proc/29/status	Satan.x86_64.elf
File opened for reading	/proc/1042/status	Satan.x86_64.elf
File opened for reading	/proc/69/status	Satan.x86_64.elf
File opened for reading	/proc/196/status	Satan.x86_64.elf
File opened for reading	/proc/432/status	Satan.x86_64.elf
File opened for reading	/proc/755/status	Satan.x86_64.elf
File opened for reading	/proc/1332/status	Satan.x86_64.elf

/tmp/Satan.x86_64.elf
/tmp/Satan.x86_64.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:2459

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2459-1-0x0000000000400000-0x0000000000614b00-memory.dmp

Download