mirai | 3bd5be1f538f8cc195dbffd77d01e0c2509c56139a307b72d72d5bdbe2245584

Analysis

max time kernel
27s
max time network
335s
platform
debian-12_armhf
resource
debian12-armhf-20240221-en
resource tags

arch:armhfimage:debian12-armhf-20240221-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
submitted
08/12/2024, 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3061714.bin
Size

249KB
MD5

038814ff17c4e2f6e286dc858e3c3e38
SHA1

57b63f3ed966b91f2dbc107e87d81201c329671b
SHA256

3bd5be1f538f8cc195dbffd77d01e0c2509c56139a307b72d72d5bdbe2245584
SHA512

5225c9dd4adcaab0547e267c5f207cc89a007268a6c2fe2c3be84d94d08ca92340c3552ac4d59109721224c480cee7a4995a94d1dbe9f3a2e498cef0b1e90e87
SSDEEP

6144:REn8buta+6HwGQJk8a+MrZP6Ffk+figv49e/CKvVA6tnY:RNr2JxahZPl+L8eaKvVAcY

Score

10^/10

mirai lzrd botnet defense_evasion discovery execution persistence privilege_escalatio privilege_escalation

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Modifies Watchdog functionality 1 TTPs 1 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	3061714.bin

Unexpected DNS network traffic destination 25 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	192.3.165.37
Destination IP	1.0.0.1
Destination IP	54.36.111.116
Destination IP	114.114.114.114
Destination IP	168.138.12.137
Destination IP	134.195.4.2
Destination IP	94.247.43.254
Destination IP	54.36.111.116
Destination IP	1.0.0.1
Destination IP	134.195.4.2
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	54.36.111.116
Destination IP	54.36.111.116
Destination IP	1.0.0.1
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	192.3.165.37
Destination IP	114.114.114.114
Destination IP	192.3.165.37
Destination IP	1.0.0.1
Destination IP	134.195.4.2
Destination IP	192.3.165.37
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.hu6fqC	crontab

Modifies init.d 2 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/dnsconfig	3061714.bin

Modifies systemd 2 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence privilege_escalation

XDG Autostart Entries

T1547.013

Systemd Service

T1543.002

description	ioc	Process
File opened for modification	/etc/systemd/system/dnsconfigs.service	3061714.bin

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	3061714.bin
File opened for modification	/bin/watchdog	3061714.bin

Command and Scripting Interpreter: Unix Shell 1 TTPs 23 IoCs

Execute scripts via Unix Shell.

execution

Unix Shell

T1059.004

pid	Process
769	sh
773	sh
814	sh
852	sh
729	sh
740	sh
755	sh
806	sh
811	sh
816	sh
721	sh
722	sh
749	sh
780	sh
792	sh
828	sh
708	sh
720	sh
759	sh
776	sh
734	sh
744	sh
763	sh

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/exe	3061714.bin
File opened for reading	/proc/704/cmdline	3061714.bin
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/server_session.lock	3061714.bin

/tmp/3061714.bin
/tmp/3061714.bin
1⤵
- Modifies Watchdog functionality
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:704
- /bin/sh
  /bin/sh -c "mount -o bind /tmp/nginx_server /proc/704/ > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:708
- - /usr/bin/mount
    mount -o bind /tmp/nginx_server /proc/704/
    3⤵
    - Reads runtime system information
    PID:711
- /bin/cp
  cp -f /tmp/3061714.bin /var/tmp/nginx_kel
  2⤵
  - Reads runtime system information
  PID:707
- /bin/sh
  /bin/sh -c "mount -o bind /tmp/nginx_server /proc/719/ > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:720
- - /usr/bin/mount
    mount -o bind /tmp/nginx_server /proc/719/
    3⤵
    - Reads runtime system information
    PID:726
- /bin/sh
  /bin/sh -c "crontab /var/tmp/.recoverys"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:721
- - /usr/bin/crontab
    crontab /var/tmp/.recoverys
    3⤵
    - Creates/modifies Cron job
    PID:724
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:722
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig
    3⤵
    PID:727
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:729
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig
    3⤵
    PID:735
- /bin/sh
  /bin/sh -c "systemctl daemon-reload > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:734
- - /usr/bin/systemctl
    systemctl daemon-reload
    3⤵
    - Reads runtime system information
    PID:738
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:740
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig
    3⤵
    PID:743
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:744
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig
    3⤵
    PID:746
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:749
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig
    3⤵
    PID:752
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:755
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig
    3⤵
    PID:756
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:759
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig
    3⤵
    PID:761
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:763
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig
    3⤵
    PID:765
- /bin/sh
  /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:769
- - /usr/bin/ln
    ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig
    3⤵
    PID:771
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:773
- - /usr/bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs
    3⤵
    PID:774
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:776
- - /usr/bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs
    3⤵
    PID:779
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:780
- - /usr/bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs
    3⤵
    PID:782
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:792
- - /usr/bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs
    3⤵
    PID:800
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:806
- - /usr/bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs
    3⤵
    PID:809
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:811
- - /usr/bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs
    3⤵
    PID:812
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:814
- - /usr/bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs
    3⤵
    PID:815
- /bin/sh
  /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:816
- - /usr/bin/ln
    ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs
    3⤵
    PID:817
- /bin/sh
  /bin/sh -c "systemctl enable dnsconfigs.service > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:828
- - /usr/bin/systemctl
    systemctl enable dnsconfigs.service
    3⤵
    - Reads runtime system information
    PID:829
- /bin/sh
  /bin/sh -c "systemctl start dnsconfigs.service > /dev/null 2>&1"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:852
- - /usr/bin/systemctl
    systemctl start dnsconfigs.service
    3⤵
    - Reads runtime system information
    PID:853

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Create or Modify System Process

T1543

Systemd Service

T1543.002

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Create or Modify System Process

T1543

Systemd Service

T1543.002

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/dnsconfig

Filesize
1KB

MD5
df56ea52b8cee93884f3872d25a85db0

SHA1
2fd0c7407ed67253a807d1d01c6ffd3467edaf8e

SHA256
a402d683e16519793b06f663163d750b4e82922cf3b18af5a655de41328b9bf5

SHA512
e390943755721ba7f0210439f0fc8e5e3daaf98ba1df923464aa547c5a7c6f941240658c8fa59270d6f73539fd8b0a04d7bdc9c407f13d9301588d5cf9aa68da

Download Submit
/etc/systemd/system/dnsconfigs.service

Filesize
174B

MD5
900f683b08977636b092fcbfa1ad8a42

SHA1
6d521f5c3e862f1106d9ac6a3a654e57e6814333

SHA256
71d21310d1c7dbb935f3b61311403b0ec0fa32dc73f91720365416a646c2dfb3

SHA512
50b5426500d8b5dccb7fd71fe9a448ae1c76770890ba86c37e7decbf2ca1f0e1cd20c50996260f37114ba2bdb16ae927e4afad241a51e3d22112ada8e25604b0

Download Submit
/tmp/server_session.lock

Filesize
4B

MD5
f1d5bfbcbd2c24d09e089444dfe716f2

SHA1
050030937b8d2917349245c7887a114919033cd7

SHA256
61f98d6ecb410a131f552cff0a3674dc0694e180a49923f0f6619ad2deac48c0

SHA512
21820738226048efdb53653ad342d6e5f42453f1e63fbcb652c3bd9f2568ebf29929b473af4e5ab54975a82b45bf987f6f7db18858d969f16ebf4ef49d0fa2c8

Download Submit
/var/spool/cron/crontabs/tmp.hu6fqC

Filesize
230B

MD5
f0c86773db5a30cdbfc2fecd4f691e7f

SHA1
9a252f3927c0d14d5b975d1b4ac03cd561a96291

SHA256
5b66d7220f21a993059921529aa4c9e7f5a54540673b66ebad9ff6927a92ff04

SHA512
f10b0f8de7e7efbbb2271d12cbe86ebb2b5519954595980dc744b6c8084a5f07bb329ad6e380824f17c8e3be8c9cfba9c1d641dd5ee8c9f4a9612e39c5c97f8a

Download Submit
/var/tmp/.recoverys

Filesize
37B

MD5
abe9a0e06459d029e0f5183965dbbf3b

SHA1
7e79e16ea12fed960bcee8eb5a9c6384fa61a2d1

SHA256
b2cfe7490d6dd2f81ede3ed9db30c78637f4a1e98ed746eaa00998e95d3de384

SHA512
955aece23c24e5b1ce32a90fa014a8a6fac39b68707a13f56cd1bfb07c79dfc59806942732990aaf925db5724f381827e2c35eba21fe95ce9a760760527048cd

Download Submit

pid	Process
769	sh
773	sh
814	sh
852	sh
729	sh
740	sh
755	sh
806	sh
811	sh
816	sh
721	sh
722	sh
749	sh
780	sh
792	sh
828	sh
708	sh
720	sh
759	sh
776	sh
734	sh
744	sh
763	sh

pid	Process
769	sh
773	sh
814	sh
852	sh
729	sh
740	sh
755	sh
806	sh
811	sh
816	sh
721	sh
722	sh
749	sh
780	sh
792	sh
828	sh
708	sh
720	sh
759	sh
776	sh
734	sh
744	sh
763	sh

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

pid	Process
769	sh
773	sh
814	sh
852	sh
729	sh
740	sh
755	sh
806	sh
811	sh
816	sh
721	sh
722	sh
749	sh
780	sh
792	sh
828	sh
708	sh
720	sh
759	sh
776	sh
734	sh
744	sh
763	sh