mirai | 3f641d453df7285ffdc7cb3eb2e4c2b8ed3c4ccfeee6600626c90a7bdc8c6046 | Triage

Sharing

General

Target

3f641d453df7285ffdc7cb3eb2e4c2b8ed3c4ccfeee6600626c90a7bdc8c6046.elf
Size

106KB
Sample

250101-cwn2nstldl
MD5

e1506e7d4d7359db685b3bdef09a1de9
SHA1

73232a78e75d724d56455562c84684389450e881
SHA256

3f641d453df7285ffdc7cb3eb2e4c2b8ed3c4ccfeee6600626c90a7bdc8c6046
SHA512

2f0dac784c12d407a4b4412dc8bba251a06cae2b64298d062cb2f68bc0651559d59f4ce9ddf309c63c53e118b25e78f042b979ca74926244d57204f3dccdfbd9
SSDEEP

1536:xpkGXvSvr77wIPSdCAWdVixkxhWf3jQ0wZygsCkcmRv2:xpk4Svr77wG8vj5wnev2

Score

10^/10

mirai mirai credential_access defense_evasion discovery evasion persistence privilege_escalation

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Targets

- Target
  
  3f641d453df7285ffdc7cb3eb2e4c2b8ed3c4ccfeee6600626c90a7bdc8c6046.elf
- Size
  
  106KB
- MD5
  
  e1506e7d4d7359db685b3bdef09a1de9
- SHA1
  
  73232a78e75d724d56455562c84684389450e881
- SHA256
  
  3f641d453df7285ffdc7cb3eb2e4c2b8ed3c4ccfeee6600626c90a7bdc8c6046
- SHA512
  
  2f0dac784c12d407a4b4412dc8bba251a06cae2b64298d062cb2f68bc0651559d59f4ce9ddf309c63c53e118b25e78f042b979ca74926244d57204f3dccdfbd9
- SSDEEP
  
  1536:xpkGXvSvr77wIPSdCAWdVixkxhWf3jQ0wZygsCkcmRv2:xpk4Svr77wG8vj5wnev2
Score

7^/10

credential_access defense_evasion discovery evasion persistence privilege_escalation
- Deletes Audit logs
  Deletes logs related to the Linux Audit framework.
  evasion
- Deletes itself
- Deletes journal logs
  Deletes systemd journal logs. Likely to evade detection.
  evasion
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  defense_evasion
- Deletes log files
  Deletes log files on the system.
  defense_evasion
- Enumerates running processes
  Discovers information about currently running processes on the system
- Modifies systemd
  Adds/ modifies systemd service files. Likely to achieve persistence.
  persistence privilege_escalation
- Reads process memory
  Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  credential_access
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

XDG Autostart Entries

Create or Modify System Process

Systemd Service

Privilege Escalation

Boot or Logon Autostart Execution

XDG Autostart Entries

Create or Modify System Process

Systemd Service

Defense Evasion

Impair Defenses

Indicator Removal

Clear Linux or Mac System Logs

Credential Access

OS Credential Dumping

Proc Filesystem

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

credential_accessdefense_evasiondiscoveryevasionpersistenceprivilege_escalation