mirai | d51aa3762d34af64d942a947cf4cdd2818bdc70e6a68bc70c95a4565392c4e69

Resubmissions

07-02-2025 20:13

250207-yzxc4swjet 10

07-02-2025 20:10

250207-yxsbdaxjfn 10

Analysis

max time kernel
149s
max time network
147s
platform
debian-12_armhf
resource
debian12-armhf-20240729-en
resource tags

arch:armhfimage:debian12-armhf-20240729-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
submitted
07-02-2025 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
Size

45KB
MD5

c5d5ac2f70d45c13a0c9296115a7b9cb
SHA1

46bb74b604ac5a7a55396fdd319c4702e915c155
SHA256

d51aa3762d34af64d942a947cf4cdd2818bdc70e6a68bc70c95a4565392c4e69
SHA512

66d73348695eaf0031ae5bfd490c7d0cad3f16785674f0befecb0e0ba111df68a3e956eca0c2fb5cd15ad030b5c837656de72d4170fd7aebf98d55fc04370f96
SSDEEP

768:D/TYCoIxdEk+AxoTZAZHFeq8b3J9q3UELmjfTgdGwdh5WGES3yi:DECFd+A6YHAx8L+fMJJp

Score

10^/10

mirai lzrd botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
File opened for modification	/dev/misc/watchdog	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
File opened for modification	/bin/watchdog	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf

Reads runtime system information 14 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/687/cmdline	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
File opened for reading	/proc/703/cmdline	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
File opened for reading	/proc/720/cmdline	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
File opened for reading	/proc/self/exe	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
File opened for reading	/proc/665/cmdline	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
File opened for reading	/proc/668/cmdline	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
File opened for reading	/proc/681/cmdline	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
File opened for reading	/proc/634/cmdline	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
File opened for reading	/proc/649/cmdline	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
File opened for reading	/proc/650/cmdline	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
File opened for reading	/proc/711/cmdline	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
File opened for reading	/proc/814/cmdline	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
File opened for reading	/proc/712/cmdline	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
File opened for reading	/proc/724/cmdline	5.175.249.223-boatnet.arm6-2025-02-07T185132.elf

/tmp/5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
/tmp/5.175.249.223-boatnet.arm6-2025-02-07T185132.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:714

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads