mirai | d87823ee98db0ae6bff52751d9b52a0aa4edbd811e667a7ae618b4bce98b93cd

Analysis

max time kernel
102s
max time network
150s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
23/03/2025, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pmips.elf
Size

48KB
MD5

50b99e65e56d9aa3d0d24aac7d2cf9d9
SHA1

2d0a69cab04c3db5fbe0c4ace2a3085f9354ebe8
SHA256

d87823ee98db0ae6bff52751d9b52a0aa4edbd811e667a7ae618b4bce98b93cd
SHA512

3964f7cd4d724f1a16a81443ff2085b269762a5d505e4475fb467c6f5ac2e803b07bb76e53532837608cd435b5508ca828546a16a7337287ecdeaa5a2c91af48
SSDEEP

1536:YW8syYKPBnbabtiIajMKbalcUVJuUm5sK2:YpDVbYorMh9VQUm5f2

Score

10^/10

mirai mirai botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Deletes itself 1 IoCs

pid	Process
704	pmips.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	pmips.elf
File opened for modification	/dev/misc/watchdog	pmips.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	du77aektriqm	704	pmips.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/790cmdline	pmips.elf
File opened for reading	/proc/326cmdline	pmips.elf
File opened for reading	/proc/2cmdline	pmips.elf
File opened for reading	/proc/10cmdline	pmips.elf
File opened for reading	/proc/148cmdline	pmips.elf
File opened for reading	/proc/724cmdline	pmips.elf
File opened for reading	/proc/785cmdline	pmips.elf
File opened for reading	/proc/14cmdline	pmips.elf
File opened for reading	/proc/15cmdline	pmips.elf
File opened for reading	/proc/709cmdline	pmips.elf
File opened for reading	/proc/728cmdline	pmips.elf
File opened for reading	/proc/753cmdline	pmips.elf
File opened for reading	/proc/756cmdline	pmips.elf
File opened for reading	/proc/805cmdline	pmips.elf
File opened for reading	/proc/706cmdline	pmips.elf
File opened for reading	/proc/796cmdline	pmips.elf
File opened for reading	/proc/9cmdline	pmips.elf
File opened for reading	/proc/674cmdline	pmips.elf
File opened for reading	/proc/800cmdline	pmips.elf
File opened for reading	/proc/1cmdline	pmips.elf
File opened for reading	/proc/111cmdline	pmips.elf
File opened for reading	/proc/668cmdline	pmips.elf
File opened for reading	/proc/708cmdline	pmips.elf
File opened for reading	/proc/715cmdline	pmips.elf
File opened for reading	/proc/787cmdline	pmips.elf
File opened for reading	/proc/788cmdline	pmips.elf
File opened for reading	/proc/23cmdline	pmips.elf
File opened for reading	/proc/696cmdline	pmips.elf
File opened for reading	/proc/733cmdline	pmips.elf
File opened for reading	/proc/749cmdline	pmips.elf
File opened for reading	/proc/750cmdline	pmips.elf
File opened for reading	/proc/762cmdline	pmips.elf
File opened for reading	/proc/797cmdline	pmips.elf
File opened for reading	/proc/4cmdline	pmips.elf
File opened for reading	/proc/679cmdline	pmips.elf
File opened for reading	/proc/698cmdline	pmips.elf
File opened for reading	/proc/732cmdline	pmips.elf
File opened for reading	/proc/754cmdline	pmips.elf
File opened for reading	/proc/774cmdline	pmips.elf
File opened for reading	/proc/794cmdline	pmips.elf
File opened for reading	/proc/748cmdline	pmips.elf
File opened for reading	/proc/376cmdline	pmips.elf
File opened for reading	/proc/382cmdline	pmips.elf
File opened for reading	/proc/6cmdline	pmips.elf
File opened for reading	/proc/8cmdline	pmips.elf
File opened for reading	/proc/21cmdline	pmips.elf
File opened for reading	/proc/701cmdline	pmips.elf
File opened for reading	/proc/718cmdline	pmips.elf
File opened for reading	/proc/75cmdline	pmips.elf
File opened for reading	/proc/725cmdline	pmips.elf
File opened for reading	/proc/739cmdline	pmips.elf
File opened for reading	/proc/789cmdline	pmips.elf
File opened for reading	/proc/70cmdline	pmips.elf
File opened for reading	/proc/120cmdline	pmips.elf
File opened for reading	/proc/18cmdline	pmips.elf
File opened for reading	/proc/778cmdline	pmips.elf
File opened for reading	/proc/803cmdline	pmips.elf
File opened for reading	/proc/807cmdline	pmips.elf
File opened for reading	/proc/16cmdline	pmips.elf
File opened for reading	/proc/740cmdline	pmips.elf
File opened for reading	/proc/743cmdline	pmips.elf
File opened for reading	/proc/751cmdline	pmips.elf
File opened for reading	/proc/802cmdline	pmips.elf
File opened for reading	/proc/355cmdline	pmips.elf

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
704	pmips.elf

/tmp/pmips.elf
/tmp/pmips.elf
1⤵
- Deletes itself
- Modifies Watchdog functionality
- Changes its process name
- Reads runtime system information
- System Network Configuration Discovery
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...