mirai | 9ddb0b6777a2b71e2faa2c63ec596fbedc1adfa55acc9bea30d2e1b5e92caeb1

Resubmissions

15-01-2025 15:59

250115-tfj68aypbp 10

15-01-2025 14:52

250115-r86vkswkds 10

Analysis

max time kernel
299s
max time network
13s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
15-01-2025 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ub8ehJSePAfc9FYqZIT6.mpsl.elf
Size

22KB
MD5

08234ec1fab991b0c3763a6b4f73cab0
SHA1

6f22b383ee3ca5e50f089224ce8d17f13c14caf8
SHA256

9ddb0b6777a2b71e2faa2c63ec596fbedc1adfa55acc9bea30d2e1b5e92caeb1
SHA512

f00748331b52ceda74d0961ca48bd0c57aeaa0a2e3391321fefcc68a1c9541eeca24b2a9a793648d185a44c90ce45f21b2c67250a381842390762fe19a052703
SSDEEP

384:5vOFxqEIQqIedKKZ99UGJ3UZdo2/fwlj3tWRmYi4Fr3uORYdzRWGVCz0Nv9aI:ArpXq3McUjfXfwl8kYHJuOyd9WO

Score

10^/10

mirai lzrd botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for modification	/dev/misc/watchdog	ub8ehJSePAfc9FYqZIT6.mpsl.elf

Traces itself 1 IoCs

Traces itself to prevent debugging attempts

pid	Process
709	ub8ehJSePAfc9FYqZIT6.mpsl.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for modification	/bin/watchdog	ub8ehJSePAfc9FYqZIT6.mpsl.elf

Reads runtime system information 33 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/765/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/778/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/811/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/475/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/708/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/748/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/713/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/785/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/805/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/686/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/701/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/702/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/737/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/741/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/759/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/769/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/782/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/468/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/707/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/712/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/793/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/501/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/719/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/747/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/770/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/812/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/706/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/715/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/777/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/818/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/509/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/742/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf
File opened for reading	/proc/774/cmdline	ub8ehJSePAfc9FYqZIT6.mpsl.elf

/tmp/ub8ehJSePAfc9FYqZIT6.mpsl.elf
/tmp/ub8ehJSePAfc9FYqZIT6.mpsl.elf sh "\$MOZILLA/" "%SIGILL%" "\"SIGTERM|DESTROY|SIGKILL\""
1⤵
- Modifies Watchdog functionality
- Traces itself
- Writes file to system bin folder
- Reads runtime system information
PID:709

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads