mirai | f4bce97c5172f7ac3a0f0fcd3d55027688e06b039fe1b3674b0c69f9b76d987b | Triage

Submit
Reports

Overview

overview

Static

static

nabmips.elf

debian-9-mips

9

Sharing

General

Target

nabmips.elf
Size

50KB
Sample

250201-qzvwaawpgj
MD5

fcb6f0a26ef355ae9fddee67ff61e2ba
SHA1

b3ae8202807d815108f8d3f5b91da884407a9ead
SHA256

f4bce97c5172f7ac3a0f0fcd3d55027688e06b039fe1b3674b0c69f9b76d987b
SHA512

297309a620623a8ed94870b47315ad31d39b6dd83c55a0fd9eed06bae5c649eff2990af353338fa2819532081c997a4faf993ea3545a0bcf3e46689a3fb7443e
SSDEEP

1536:dMO1gEnsiOazyDuNHUPEqvmu4WtSVWlx9BASq1:d339O4Wv39SSq1

Score

10^/10

mirai credential_access defense_evasion discovery

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

nabmips.elf

Resource

debian9-mipsbe-20240611-en

credential_access defense_evasion discovery

debian-9-mips

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  nabmips.elf
- Size
  
  50KB
- MD5
  
  fcb6f0a26ef355ae9fddee67ff61e2ba
- SHA1
  
  b3ae8202807d815108f8d3f5b91da884407a9ead
- SHA256
  
  f4bce97c5172f7ac3a0f0fcd3d55027688e06b039fe1b3674b0c69f9b76d987b
- SHA512
  
  297309a620623a8ed94870b47315ad31d39b6dd83c55a0fd9eed06bae5c649eff2990af353338fa2819532081c997a4faf993ea3545a0bcf3e46689a3fb7443e
- SSDEEP
  
  1536:dMO1gEnsiOazyDuNHUPEqvmu4WtSVWlx9BASq1:d339O4Wv39SSq1
Score

9^/10

credential_access defense_evasion discovery
- Contacts a large (5449) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Deletes itself
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  defense_evasion
- Renames itself
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Enumerates active TCP sockets
  Gets active TCP sockets from /proc virtual filesystem.
  discovery
- Enumerates running processes
  Discovers information about currently running processes on the system
- Reads process memory
  Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  credential_access
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

Credential Access

OS Credential Dumping

Proc Filesystem

Discovery

Network Service Discovery

System Network Configuration Discovery

Internet Connection Discovery

System Network Connections Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

credential_accessdefense_evasiondiscovery

© 2018-2025

Terms | Privacy