Overview

overview

10

Static

static

10

g4za.arm7.elf

debian-9-armhf

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    g4za.arm7.elf

  • Size

    163KB

  • Sample

    250223-jvpedazldz

  • MD5

    a18d08d5e585e7673a89a752326b8982

  • SHA1

    d765d80c83a2090065b9518e2e80d3cfb3afc2c8

  • SHA256

    2bc479a605c5c42fbb9da45bdd805be39c9e6dcc52b76fc5c9ddd490efc799bf

  • SHA512

    a0ab9cd99f4f5364ffb33ecff107934272a11c45d76608d82c772b0235c7e740b77d9e798b9a1f64381a3b02d6fc5b77c8402eb35d9a6a63e8f3474f100fd87d

  • SSDEEP

    3072:YsfvqoYF/RrhMZHfKPaC+LKWK6nTUCo4MbPbFJJM/9YM:Ysf/YF/AdyPaC+LKWdnEPbPbFrM/9YM

Score
10/10
miraiwickedcredential_accessdefense_evasiondiscovery

Malware Config

Extracted

Family

mirai

Botnet

WICKED

Targets

    • Target

      g4za.arm7.elf

    • Size

      163KB

    • MD5

      a18d08d5e585e7673a89a752326b8982

    • SHA1

      d765d80c83a2090065b9518e2e80d3cfb3afc2c8

    • SHA256

      2bc479a605c5c42fbb9da45bdd805be39c9e6dcc52b76fc5c9ddd490efc799bf

    • SHA512

      a0ab9cd99f4f5364ffb33ecff107934272a11c45d76608d82c772b0235c7e740b77d9e798b9a1f64381a3b02d6fc5b77c8402eb35d9a6a63e8f3474f100fd87d

    • SSDEEP

      3072:YsfvqoYF/RrhMZHfKPaC+LKWK6nTUCo4MbPbFJJM/9YM:Ysf/YF/AdyPaC+LKWdnEPbPbFrM/9YM

    Score
    9/10
    credential_accessdefense_evasiondiscovery

    • Contacts a large (125327) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

      defense_evasion

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

      discovery

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Reads process memory

      Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

      credential_access
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks