mirai | bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79

Analysis

max time kernel
149s
max time network
129s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240729-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
07/01/2025, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
Size

25KB
MD5

e802a5d2fc1758f633787e96999218c9
SHA1

e3bea9702230370bd3a9b7b503aedaf6eb8a99f0
SHA256

bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79
SHA512

6fabbf929eed5db052fb111dcb8582549481d4114b12c153a989180a9a9a0b052fbb85687d36221d59b542d62a2173c945c4fba22b374ea79685df09be727df8
SSDEEP

768:uyIWAEAOn2fvESB7DXY9WtwHbK+/AoXZU0Fn:u0pnUsSB7DXRtwdZTJ

Score

10^/10

mirai lzrd botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for modification	/dev/misc/watchdog	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for modification	/bin/watchdog	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/748/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/860/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/608/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1184/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1290/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1495/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/778/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/414/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/611/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1230/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1515/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/410/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1168/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1174/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/637/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1152/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1315/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1039/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1167/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/997/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1388/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/740/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/744/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1103/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1577/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/506/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1092/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1050/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/831/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1112/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1114/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/587/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/965/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1202/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1375/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/412/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1444/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1164/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1139/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1163/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1562/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/588/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1241/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1395/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/773/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1192/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1269/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/642/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/974/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1068/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1099/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1170/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1258/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1541/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/639/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/726/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/749/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/585/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1563/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/427/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/870/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/1075/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/759/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
File opened for reading	/proc/771/cmdline	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf

/tmp/bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
/tmp/bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:1574

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...