mirai | 6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856

Analysis

max time kernel
149s
max time network
159s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
24/03/2025, 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
Size

57KB
MD5

54df6b48d75c9577b17343f47d909729
SHA1

02ede141fc2e93e0aeb2c885517cfade324acc55
SHA256

6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856
SHA512

89aaa5a55a46e093a49f55fd52054830d8353e210b9e29855a57de4c1bec6c3f3d0aeb3959c181324656cb3d71b3d894a4805c80aaf575b65900a9dff284f9fd
SSDEEP

768:e9SZLq7S4tG8w+LrjGEsJwTptVGqB7oOzAjlmI79U9q3UELiNwj8/5XDWBYVt6uD:ePS4tG8FL/+wTpnv2UilmIPLCYYH9rX

Score

10^/10

mirai mirai botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Deletes itself 1 IoCs

pid	Process
658	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for modification	/dev/misc/watchdog	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	p0a8uek4lfor76lv	658	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/2222�,cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/66666cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�7cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�7cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�7cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/222i�"cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/66cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/77cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/66668ll�"cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/77776cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/77777cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777j7cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666:cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/99cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/222v�"cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/1111O$cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�6cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�7cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�8cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666V5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/77777cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�7cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666R9cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�:cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/2222_+cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/5555U5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/77/stat	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666D6cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�6cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777^7cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666B8cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/1111�-cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/3333�-cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/3333cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�4cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777/stat	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/77777cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777,7cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/77775cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/222cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/222l�"cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/3333�,cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/5555�0cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�6cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/66669cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�9cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/1111�%cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/444/stat	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�7cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666(;cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777x7cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/7777�7cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�9cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/222/stat	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�8cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�:cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/6666�5cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
File opened for reading	/proc/1111�-cmdline	6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf

/tmp/6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
/tmp/6ac918962c801644c0a8773801657cdee81180ae46a417f7171ac196e9a84856.elf
1⤵
- Deletes itself
- Modifies Watchdog functionality
- Changes its process name
- Reads runtime system information
PID:658

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...