mirai | ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed

Analysis

max time kernel
149s
max time network
129s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240522.1-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240522.1-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
30/01/2025, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
Size

31KB
MD5

3121b7d8112e6bbf273e7279ecb10d76
SHA1

3d0698e163561c151067b22a272d7e301494ebd2
SHA256

ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed
SHA512

b82d6e0d502f07c89bc5ccdc6741481a8a65b4658ce6b26d88b56724e43f2477b37fcea66e3b7f5a5f62cfd5a4d22533de1d48afa1a00b4fe381c505894776cd
SSDEEP

768:LAGs1DDudwSC64ADv1pI0eijRiStR4p3UedT9ix07h:QjSJ9Bu05jRiSn4p3UedYOh

Score

10^/10

mirai lzrd botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for modification	/dev/misc/watchdog	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for modification	/bin/watchdog	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/531/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1155/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1567/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/427/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1098/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1163/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1504/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1551/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1061/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/741/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1284/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/505/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/612/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/770/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1167/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1269/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/588/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1097/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/768/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1191/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1522/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1154/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/754/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1077/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1106/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1366/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/713/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1221/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/859/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/994/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1130/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1159/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/748/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1052/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1346/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/649/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1434/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/587/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1143/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1297/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/731/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1157/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1173/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1190/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1566/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1156/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/871/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1171/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/504/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1037/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1160/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1257/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/634/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/609/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/828/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1043/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/414/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/452/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/412/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1179/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1352/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1079/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/701/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/962/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf

/tmp/ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
/tmp/ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:1563

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...