mirai | 6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856

Analysis

max time kernel
149s
max time network
149s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
24/03/2025, 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
Size

57KB
MD5

54df6b48d75c9577b17343f47d909729
SHA1

02ede141fc2e93e0aeb2c885517cfade324acc55
SHA256

6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856
SHA512

89aaa5a55a46e093a49f55fd52054830d8353e210b9e29855a57de4c1bec6c3f3d0aeb3959c181324656cb3d71b3d894a4805c80aaf575b65900a9dff284f9fd
SSDEEP

768:e9SZLq7S4tG8w+LrjGEsJwTptVGqB7oOzAjlmI79U9q3UELiNwj8/5XDWBYVt6uD:ePS4tG8FL/+wTpnv2UilmIPLCYYH9rX

Score

10^/10

mirai mirai botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Deletes itself 1 IoCs

pid	Process
639	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for modification	/dev/misc/watchdog	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	msc8qh457crer7fh585oc12mdlvg	639	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/666679cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/66664cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/1111�#cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666a3cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�3cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�3cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666p4cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/77775cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/33cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/44cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/5555�/cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/5555�/cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666]3cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�8cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/88ll�"cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/99cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/111m�"cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/777s�"cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/5555h2cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�2cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�3cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666X4cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/1111�(cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/66665cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�3cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/5555�2cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/77773cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/77775cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777i5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/222cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�6cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�7cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�8cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/222i�"cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/3333U3cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666d4cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�4cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�4cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/77772cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�7cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/111cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666r3cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�3cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�7cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/111c�"cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�3cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�4cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/1111S3cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�3cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666&4cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�4cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/66666cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666-8cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/2222x*cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/5555o/cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666c3cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf

/tmp/6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
/tmp/6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
1⤵
- Deletes itself
- Modifies Watchdog functionality
- Changes its process name
- Reads runtime system information
PID:639

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...