mirai | dff8ae36adc8ade6bf07d47bfe10182189054a7f6203b98359d38f69f34b2fd7

Analysis

max time kernel
145s
max time network
152s
platform
debian-12_armhf
resource
debian12-armhf-20240418-en
resource tags

arch:armhfimage:debian12-armhf-20240418-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
submitted
14-12-2024 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
Size

54KB
MD5

ed72ba084d68d943d62caa99d0536be5
SHA1

844aa461c5b4c6c68fca73aa640db09d7a96bf77
SHA256

dff8ae36adc8ade6bf07d47bfe10182189054a7f6203b98359d38f69f34b2fd7
SHA512

3d54380282f8e2bd170a553b675c28064eb5c32505ca667e9f89c69170476cd3c18cc347dec848c02e8fe352082263698a611c8e7a3c7a22367a5a4a2295129d
SSDEEP

768:z6JthbDVhwtQJAYNW4UxfnWSfJRFa6cjatYGnZbrUR2iq26e+WcmiVq3UIRWcsz6:sPiQiYYxvW4/FmjaV1b3eh+ZOGgRluw

Score

10^/10

mirai unstable botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (102826) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
File opened for modification	/dev/misc/watchdog	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
File opened for modification	/bin/watchdog	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	a	704	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118

Reads runtime system information 14 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/713/cmdline	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
File opened for reading	/proc/678/cmdline	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
File opened for reading	/proc/701/cmdline	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
File opened for reading	/proc/709/cmdline	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
File opened for reading	/proc/710/cmdline	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
File opened for reading	/proc/646/cmdline	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
File opened for reading	/proc/665/cmdline	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
File opened for reading	/proc/696/cmdline	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
File opened for reading	/proc/702/cmdline	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
File opened for reading	/proc/629/cmdline	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
File opened for reading	/proc/647/cmdline	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
File opened for reading	/proc/662/cmdline	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
File opened for reading	/proc/self/exe	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
File opened for reading	/proc/630/cmdline	ed72ba084d68d943d62caa99d0536be5_JaffaCakes118

/tmp/ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
/tmp/ed72ba084d68d943d62caa99d0536be5_JaffaCakes118
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
- Reads runtime system information
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads