General

  • Target

    def66ddad4892f25da8ed7dc18359ab5f62915d65cbb475a92cf6df5d88dea32.elf

  • Size

    82KB

  • Sample

    250320-ewnf9axlz4

  • MD5

    31e516ce6c5fc7b6da97c38e18dfda2b

  • SHA1

    f5f41ea7c7d384df77844fc264d6323bb52047ec

  • SHA256

    def66ddad4892f25da8ed7dc18359ab5f62915d65cbb475a92cf6df5d88dea32

  • SHA512

    8b7c2f11da24b98ce501563cca3ffd7135da786ee34284b3d3d0f46c2cfc2842443ef69fa4763e5c059d9e27f3854a4aa2feb2e3bfc5e3564eb98e6463903cf8

  • SSDEEP

    1536:pNniE2DPxWXa1Jo+FXMqxqHKqzrhhaa3nh9G/Okt4ijfcPsq7ll09iEnwr8VXPbT:D27xFJo+FXFxqHK+0CTG/rt4ijfcP+rR

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

Targets

    • Target

      def66ddad4892f25da8ed7dc18359ab5f62915d65cbb475a92cf6df5d88dea32.elf

    • Size

      82KB

    • MD5

      31e516ce6c5fc7b6da97c38e18dfda2b

    • SHA1

      f5f41ea7c7d384df77844fc264d6323bb52047ec

    • SHA256

      def66ddad4892f25da8ed7dc18359ab5f62915d65cbb475a92cf6df5d88dea32

    • SHA512

      8b7c2f11da24b98ce501563cca3ffd7135da786ee34284b3d3d0f46c2cfc2842443ef69fa4763e5c059d9e27f3854a4aa2feb2e3bfc5e3564eb98e6463903cf8

    • SSDEEP

      1536:pNniE2DPxWXa1Jo+FXMqxqHKqzrhhaa3nh9G/Okt4ijfcPsq7ll09iEnwr8VXPbT:D27xFJo+FXFxqHK+0CTG/rt4ijfcP+rR

    • Contacts a large (73846) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    • Renames itself

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Reads process memory

      Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

MITRE ATT&CK Enterprise v15

Tasks