mirai | ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed

Analysis

max time kernel
149s
max time network
128s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
30-01-2025 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
Size

31KB
MD5

3121b7d8112e6bbf273e7279ecb10d76
SHA1

3d0698e163561c151067b22a272d7e301494ebd2
SHA256

ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed
SHA512

b82d6e0d502f07c89bc5ccdc6741481a8a65b4658ce6b26d88b56724e43f2477b37fcea66e3b7f5a5f62cfd5a4d22533de1d48afa1a00b4fe381c505894776cd
SSDEEP

768:LAGs1DDudwSC64ADv1pI0eijRiStR4p3UedT9ix07h:QjSJ9Bu05jRiSn4p3UedYOh

Score

10^/10

mirai lzrd botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for modification	/dev/watchdog	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for modification	/bin/watchdog	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/440/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2226/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/511/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/829/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1067/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1749/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1054/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1402/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2078/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1619/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1892/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1893/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2420/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/595/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1714/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1886/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1891/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1915/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2214/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2235/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2424/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/432/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1741/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1911/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2268/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1059/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1647/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1751/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1781/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2452/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1876/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2145/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/825/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2088/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2126/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2204/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1125/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1729/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1403/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1082/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1952/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2151/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/592/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1121/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1126/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1882/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2032/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2073/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2183/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/779/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1917/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1958/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2132/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2354/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1629/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/1721/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2169/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2179/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/2207/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/418/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/512/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/585/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/832/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
File opened for reading	/proc/890/cmdline	ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf

/tmp/ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
/tmp/ca058bb3d20578aedbae2fc4a4dab479e96cac00d6e879eacf30dbf0c9bc08ed.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads