mirai | f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559

Analysis

max time kernel
149s
max time network
5s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
30/01/2025, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
Size

23KB
MD5

c6a98c2349ea6c265984816454048463
SHA1

0ea150b95c47489b1b345b24f67145d0031ca07f
SHA256

f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559
SHA512

6bccfd2c7f95e3e56e1490559cacfd437b3d5f197d1474ad80a0393eb555177803c8ad44a2f83c88814da8bf07eb3c74ef7ae32c6c03424a7c2b37c783cc4a25
SSDEEP

384:r2eaWjsHPe7rG3HpEsr78p+1J1cIvkW8eg6eq6LFdfv4oMKCZ8JgGlzDpH7uNj1B:qeaKugrGXOw7yAJ1cdWZnwdIbKCeJgGi

Score

10^/10

mirai lzrd botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for modification	/dev/misc/watchdog	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for modification	/bin/watchdog	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf

Reads runtime system information 26 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/416/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/705/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/706/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/707/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/714/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/757/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/811/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/687/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/756/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/781/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/797/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/671/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/677/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/700/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/701/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/769/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/770/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/771/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/773/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/812/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/667/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/676/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/712/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/722/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/742/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
File opened for reading	/proc/814/cmdline	f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf

/tmp/f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
/tmp/f953642ee3f66def19210969ac7b21cc89a1397bb15a7ded5618a41a5b672559.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...