mirai | 71c4c735861f35ed4b7ed9c75b5c4f89bd4c71f2d70f287f5f9d0b113ad5a667

General

Target

71c4c735861f35ed4b7ed9c75b5c4f89bd4c71f2d70f287f5f9d0b113ad5a667.elf
Size

50KB
Sample

250307-fnt5hatzfz
MD5

5e7253073feb9d2c9c6cac939d268605
SHA1

f9d217ff05787659ea65277423210b40964e6585
SHA256

71c4c735861f35ed4b7ed9c75b5c4f89bd4c71f2d70f287f5f9d0b113ad5a667
SHA512

8385baa9c51a2d4d653c9008fde411cd40229df265ee5b12dbebbfdad2cd917fb7ed84db532aa4b53d9bad31b62a0c9d8973777eff518a492e59a80d9fd2ff7f
SSDEEP

768:oFcd7FeDfdgTFlAHJ9YbpVJXqU7fBwDsi1VJJodoeoxaoyotaoQj4YoYn79BTJEg:ci7FsfO8efGMj4079BlEwEl8t3kVc3

Score

10^/10

Malware Config

Targets

- Target
  
  71c4c735861f35ed4b7ed9c75b5c4f89bd4c71f2d70f287f5f9d0b113ad5a667.elf
- Size
  
  50KB
- MD5
  
  5e7253073feb9d2c9c6cac939d268605
- SHA1
  
  f9d217ff05787659ea65277423210b40964e6585
- SHA256
  
  71c4c735861f35ed4b7ed9c75b5c4f89bd4c71f2d70f287f5f9d0b113ad5a667
- SHA512
  
  8385baa9c51a2d4d653c9008fde411cd40229df265ee5b12dbebbfdad2cd917fb7ed84db532aa4b53d9bad31b62a0c9d8973777eff518a492e59a80d9fd2ff7f
- SSDEEP
  
  768:oFcd7FeDfdgTFlAHJ9YbpVJXqU7fBwDsi1VJJodoeoxaoyotaoQj4YoYn79BTJEg:ci7FsfO8efGMj4079BlEwEl8t3kVc3
Score

9^/10

credential_access defense_evasion discovery
- Contacts a large (14896) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  defense_evasion
- Renames itself
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Enumerates active TCP sockets
  Gets active TCP sockets from /proc virtual filesystem.
  discovery
- Enumerates running processes
  Discovers information about currently running processes on the system
- Reads process memory
  Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  credential_access
behavioral1