mirai | 43d60410699abf69677eef78eed754d524b8cb8035e344d2ab24f7133ad0b34e

Analysis

max time kernel
149s
max time network
128s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240729-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
15-01-2025 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ub8ehJSePAfc9FYqZIT6.x86_64.elf
Size

17KB
MD5

eadf195933f9d4ba0fc3687b56fcf912
SHA1

a0b4328d78fb5746529d2f5e1db26e1074013a58
SHA256

43d60410699abf69677eef78eed754d524b8cb8035e344d2ab24f7133ad0b34e
SHA512

dd8aefa57936685c0aca304777fb7cf8e20fe1760e0c795981e9091946a6c4928dc0416593e3ab831eca5db2e8b0b089f786ab74cef52c2a32f7d0373227ffb9
SSDEEP

384:llWw+Jg28pCVYNFZIpU4RiRvmxPlPtAutTWcaiFqcJ0y:mw+VGZh4GvIWbsCy

Score

10^/10

mirai lzrd botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for modification	/dev/misc/watchdog	ub8ehJSePAfc9FYqZIT6.x86_64.elf

Traces itself 1 IoCs

Traces itself to prevent debugging attempts

pid	Process
1565	ub8ehJSePAfc9FYqZIT6.x86_64.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for modification	/bin/watchdog	ub8ehJSePAfc9FYqZIT6.x86_64.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1140/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/722/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/769/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1562/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/589/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/614/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/635/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/641/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/752/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/970/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1032/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1097/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1184/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/410/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/775/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/499/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/683/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/799/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/949/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1090/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1092/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1037/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1164/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1303/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1506/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/741/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1210/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/588/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/783/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1157/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1419/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1449/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/590/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/613/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1158/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1160/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1563/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/414/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/636/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1073/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1161/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/417/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1052/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1353/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/740/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/788/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1162/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1238/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/666/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/764/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/971/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1104/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1183/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/406/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/586/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1169/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1316/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1341/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1361/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1395/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1569/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/413/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/522/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf
File opened for reading	/proc/1144/cmdline	ub8ehJSePAfc9FYqZIT6.x86_64.elf

/tmp/ub8ehJSePAfc9FYqZIT6.x86_64.elf
/tmp/ub8ehJSePAfc9FYqZIT6.x86_64.elf
1⤵
- Modifies Watchdog functionality
- Traces itself
- Writes file to system bin folder
- Reads runtime system information
PID:1565

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads