mirai | 9acdcb2268a5eb3e614b11b301b6c5cef11a4aca9b9d8442cf6e639e39c3516a

Analysis

max time kernel
148s
max time network
151s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
24-11-2024 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92fd77d89bfe7fe5c74a0f4d3246d965_JaffaCakes118
Size

53KB
MD5

92fd77d89bfe7fe5c74a0f4d3246d965
SHA1

fe4a1a4216ec51d9000ca7e0d0ed0130aea529c2
SHA256

9acdcb2268a5eb3e614b11b301b6c5cef11a4aca9b9d8442cf6e639e39c3516a
SHA512

8c48d832169a4ee13891eafd214a1bb4d41c6902dc05a809d82c9a1b63d4870039d2f96cc2d1c49c6fb48dde2da6e28b3ca683a8e03b8cd2e163b2a9fe91d333
SSDEEP

1536:5NItzSpjfnH2dCYsvTGZETYNLvh0hv4urEiBl:zsz2jfH2UYsKm0NLvhWBl

Score

10^/10

mirai unstable botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

cnctomecutie1337.mikeysyach.xyz

scanthembigbots.mikeysyach.xyz

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

92fd77d89bfe7fe5c74a0f4d3246d965_JaffaCakes118

description	ioc	Process
File opened for modification	/dev/watchdog	92fd77d89bfe7fe5c74a0f4d3246d965_JaffaCakes118
File opened for modification	/dev/misc/watchdog	92fd77d89bfe7fe5c74a0f4d3246d965_JaffaCakes118

Unexpected DNS network traffic destination 21 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0
Destination IP	4.0.0.0

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

Processes:

92fd77d89bfe7fe5c74a0f4d3246d965_JaffaCakes118

description	ioc	Process
File opened for reading	/proc/net/tcp	92fd77d89bfe7fe5c74a0f4d3246d965_JaffaCakes118

Writes file to system bin folder 2 IoCs

Processes:

92fd77d89bfe7fe5c74a0f4d3246d965_JaffaCakes118

description	ioc	Process
File opened for modification	/sbin/watchdog	92fd77d89bfe7fe5c74a0f4d3246d965_JaffaCakes118
File opened for modification	/bin/watchdog	92fd77d89bfe7fe5c74a0f4d3246d965_JaffaCakes118

Changes its process name 1 IoCs

Processes:

92fd77d89bfe7fe5c74a0f4d3246d965_JaffaCakes118

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	a	647	92fd77d89bfe7fe5c74a0f4d3246d965_JaffaCakes118

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

92fd77d89bfe7fe5c74a0f4d3246d965_JaffaCakes118

description	ioc	Process
File opened for reading	/proc/net/tcp	92fd77d89bfe7fe5c74a0f4d3246d965_JaffaCakes118

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

92fd77d89bfe7fe5c74a0f4d3246d965_JaffaCakes118

description	ioc	Process
File opened for reading	/proc/self/exe	92fd77d89bfe7fe5c74a0f4d3246d965_JaffaCakes118

/tmp/92fd77d89bfe7fe5c74a0f4d3246d965_JaffaCakes118
/tmp/92fd77d89bfe7fe5c74a0f4d3246d965_JaffaCakes118
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:647

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/647-1-0x00008000-0x00028e2c-memory.dmp

Download