mirai | aae9d2a9669849b09b4e8ed8f3baeeb4c948ca80ebddd5004a57c2b6b7049fc9

Analysis

max time kernel
149s
max time network
152s
platform
debian-12_armhf
resource
debian12-armhf-20240418-en
resource tags

arch:armhfimage:debian12-armhf-20240418-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
submitted
11-12-2024 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arm5.elf
Size

32KB
MD5

bf55d7061cedeb10e6a3839353dc6d8c
SHA1

34b773230a77570ef0c6fced5ab9f125996e4daf
SHA256

aae9d2a9669849b09b4e8ed8f3baeeb4c948ca80ebddd5004a57c2b6b7049fc9
SHA512

555f6dec792e49927d5392fc8dae5174e8868c9acdddebd4d0a5b3386352df40c7342a82d0973979cdb5061ee347f4ebd33ce19ab98fbb6dcae293e1eb69c57e
SSDEEP

768:GWo0SuKqmi7AY8GMnX7Md+Swn41BSYECR3Wzb9q3UELKIA:ZopuLm7jRw+Sw41wO26LE

Score

10^/10

mirai botnet botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (114507) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	arm5.elf
File opened for modification	/dev/misc/watchdog	arm5.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	/var/Sofia	696	arm5.elf

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/	arm5.elf
File opened for reading	/proc/self/exe	arm5.elf

/tmp/arm5.elf
/tmp/arm5.elf
1⤵
- Modifies Watchdog functionality
- Changes its process name
- Reads runtime system information
PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads