mirai | a23f0f8effeec0ea89d80aaae567e5c3d118a108b8feea8e39b4d3aa10fb7bf9

Analysis

max time kernel
132s
max time network
148s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240611-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
05-01-2025 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Space.x86.elf
Size

38KB
MD5

51ac76a50f6b669ab90ebd8c5e903f8d
SHA1

e1847908d10cdd7face1f7ec73cd7842f02a3b90
SHA256

a23f0f8effeec0ea89d80aaae567e5c3d118a108b8feea8e39b4d3aa10fb7bf9
SHA512

2195b914ceacee800778a74a7fda7f8ce9bce361856ce062a01129b928c83abf197eda8ddc414b70e7993207a68ac62bd90664811581f342f8f5f5408ab8d398
SSDEEP

768:9favOe6etQzOE6JfpdbHVNM5HegIvcLjCPyUvnS5vVWVOs/nbcuyD7UrQRjl:Evh6etuOE6JbbHVNMDlSyK8vwVOs/noh

Score

10^/10

mirai lzrd botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	Space.x86.elf
File opened for modification	/dev/watchdog	Space.x86.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	Space.x86.elf
File opened for modification	/bin/watchdog	Space.x86.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/15/status	Space.x86.elf
File opened for reading	/proc/76/status	Space.x86.elf
File opened for reading	/proc/594/status	Space.x86.elf
File opened for reading	/proc/105/status	Space.x86.elf
File opened for reading	/proc/177/status	Space.x86.elf
File opened for reading	/proc/773/status	Space.x86.elf
File opened for reading	/proc/928/status	Space.x86.elf
File opened for reading	/proc/1052/status	Space.x86.elf
File opened for reading	/proc/1320/status	Space.x86.elf
File opened for reading	/proc/1343/status	Space.x86.elf
File opened for reading	/proc/1392/status	Space.x86.elf
File opened for reading	/proc/1063/status	Space.x86.elf
File opened for reading	/proc/1075/status	Space.x86.elf
File opened for reading	/proc/1097/status	Space.x86.elf
File opened for reading	/proc/1114/status	Space.x86.elf
File opened for reading	/proc/1/status	Space.x86.elf
File opened for reading	/proc/162/status	Space.x86.elf
File opened for reading	/proc/446/status	Space.x86.elf
File opened for reading	/proc/526/status	Space.x86.elf
File opened for reading	/proc/979/status	Space.x86.elf
File opened for reading	/proc/1085/status	Space.x86.elf
File opened for reading	/proc/118/status	Space.x86.elf
File opened for reading	/proc/174/status	Space.x86.elf
File opened for reading	/proc/302/status	Space.x86.elf
File opened for reading	/proc/503/status	Space.x86.elf
File opened for reading	/proc/595/status	Space.x86.elf
File opened for reading	/proc/898/status	Space.x86.elf
File opened for reading	/proc/1339/status	Space.x86.elf
File opened for reading	/proc/20/status	Space.x86.elf
File opened for reading	/proc/140/status	Space.x86.elf
File opened for reading	/proc/159/status	Space.x86.elf
File opened for reading	/proc/163/status	Space.x86.elf
File opened for reading	/proc/175/status	Space.x86.elf
File opened for reading	/proc/201/status	Space.x86.elf
File opened for reading	/proc/964/status	Space.x86.elf
File opened for reading	/proc/1222/status	Space.x86.elf
File opened for reading	/proc/11/status	Space.x86.elf
File opened for reading	/proc/176/status	Space.x86.elf
File opened for reading	/proc/638/status	Space.x86.elf
File opened for reading	/proc/7/status	Space.x86.elf
File opened for reading	/proc/8/status	Space.x86.elf
File opened for reading	/proc/92/status	Space.x86.elf
File opened for reading	/proc/626/status	Space.x86.elf
File opened for reading	/proc/1102/status	Space.x86.elf
File opened for reading	/proc/1123/status	Space.x86.elf
File opened for reading	/proc/1139/status	Space.x86.elf
File opened for reading	/proc/1199/status	Space.x86.elf
File opened for reading	/proc/1349/status	Space.x86.elf
File opened for reading	/proc/1351/status	Space.x86.elf
File opened for reading	/proc/12/status	Space.x86.elf
File opened for reading	/proc/13/status	Space.x86.elf
File opened for reading	/proc/19/status	Space.x86.elf
File opened for reading	/proc/84/status	Space.x86.elf
File opened for reading	/proc/453/status	Space.x86.elf
File opened for reading	/proc/679/status	Space.x86.elf
File opened for reading	/proc/1241/status	Space.x86.elf
File opened for reading	/proc/1341/status	Space.x86.elf
File opened for reading	/proc/1396/status	Space.x86.elf
File opened for reading	/proc/1397/status	Space.x86.elf
File opened for reading	/proc/16/status	Space.x86.elf
File opened for reading	/proc/790/status	Space.x86.elf
File opened for reading	/proc/1073/status	Space.x86.elf
File opened for reading	/proc/72/status	Space.x86.elf
File opened for reading	/proc/75/status	Space.x86.elf

/tmp/Space.x86.elf
/tmp/Space.x86.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:1398

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads