Overview

overview

10

Static

static

10

splarm7.elf

debian-9-armhf

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    splarm7.elf

  • Size

    78KB

  • Sample

    250307-pf7kas1jx3

  • MD5

    1dd98f27660ce0ccc01211d62fe3be21

  • SHA1

    826fd3cc4bc681989fa2705950fed06d3d307acb

  • SHA256

    01a9ec1c0c0fe6b18d23a3282d5388fa64477ae5cc9573644e90659b98ae9b84

  • SHA512

    85112e442bd33ade4aa37e50d6518952c862762dcd48608cfac017ad61f13320eb4ea4bad3d0e6d3551355a159edf8b7e88fa70912f9fd1b0076c0141d365dde

  • SSDEEP

    1536:vlBnAdZrtZouhs8WvWH04odDp9R4KB7fpLF2LgJ9hdiivQ/dlMokiba1T4m:UZ5Ze8WvWH04qDKKB7fpLFMgJ9hdiiSK

Score
10/10
miraibotnetcredential_accessdefense_evasiondiscovery

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

Targets

    • Target

      splarm7.elf

    • Size

      78KB

    • MD5

      1dd98f27660ce0ccc01211d62fe3be21

    • SHA1

      826fd3cc4bc681989fa2705950fed06d3d307acb

    • SHA256

      01a9ec1c0c0fe6b18d23a3282d5388fa64477ae5cc9573644e90659b98ae9b84

    • SHA512

      85112e442bd33ade4aa37e50d6518952c862762dcd48608cfac017ad61f13320eb4ea4bad3d0e6d3551355a159edf8b7e88fa70912f9fd1b0076c0141d365dde

    • SSDEEP

      1536:vlBnAdZrtZouhs8WvWH04odDp9R4KB7fpLF2LgJ9hdiivQ/dlMokiba1T4m:UZ5Ze8WvWH04qDKKB7fpLFMgJ9hdiiSK

    Score
    9/10
    credential_accessdefense_evasiondiscovery

    • Contacts a large (66559) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

      defense_evasion

    • Renames itself

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

      discovery

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Reads process memory

      Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

      credential_access
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks