mirai | cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400

Analysis

max time kernel
149s
max time network
10s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
26/01/2025, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
Size

45KB
MD5

99e90ead98720d05415d5f26a5149396
SHA1

8839063c1ca002534c3ae02b352ae336dd1d9e63
SHA256

cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400
SHA512

79e7654f5cd04b438323ac05b72d8a745f4061c6060b3dadc8a4ac80c3a8cc41d178dba3ad7cee2f90989bea8c929bf8166d76c99b1a7f8905094e9a26f4d0d7
SSDEEP

768:S/TYCoIxdEk+AxoTZAZHFeq8b3B39q3UELbUXfi6nVMQHI4vcGpvh:SECFd+A6YHAxwLRQZh

Score

10^/10

mirai lzrd botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for modification	/dev/misc/watchdog	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for modification	/bin/watchdog	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf

Reads runtime system information 42 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/768/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/655/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/680/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/731/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/742/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/769/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/775/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/643/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/649/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/462/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/642/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/745/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/766/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/785/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/self/exe	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/461/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/751/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/761/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/783/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/787/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/700/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/706/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/712/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/777/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/414/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/648/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/760/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/779/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/781/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/656/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/686/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/647/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/662/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/713/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/717/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/771/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/788/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/401/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/605/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/773/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/654/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
File opened for reading	/proc/725/cmdline	cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf

/tmp/cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
/tmp/cb4255c05917626e7855d9214d3d023cd02257893388fa3acb70c2392aeec400.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:650

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...