mirai | 8325ad7ebed7fdd287cc0cd89f81a51617a64b38d09fa3d84c9141477e0dd415 | Triage

Sharing

General

Target

bash.sh
Size

2KB
Sample

250326-lcdw2a1tey
MD5

e9d282fe04078b2d45522facfce2df0b
SHA1

3cf77dfbbc7cf114515f94e5ecd0c38c3819fd83
SHA256

8325ad7ebed7fdd287cc0cd89f81a51617a64b38d09fa3d84c9141477e0dd415
SHA512

26e33128cbbacccc6897c50e723342c6f11c31668353ae553de4a96ac6af7634921a0f269141f11acc4928d8d17edcd9dacd022b949b7a42776df5c248629096

Score

10^/10

mirai owari antivm botnet defense_evasion discovery linux persistence privilege_escalation

Malware Config

Extracted

Family

mirai

Botnet

OWARI

C2

newageofkifirempire.camdvr.org

Extracted

Family

mirai

Botnet

OWARI

Extracted

Family

mirai

Botnet

OWARI

Extracted

Family

mirai

Botnet

OWARI

C2

newageofkifirempire.camdvr.org

Extracted

Family

mirai

Botnet

OWARI

C2

newageofkifirempire.camdvr.org

Extracted

Family

mirai

Botnet

OWARI

C2

newageofkifirempire.camdvr.org

Targets

- Target
  
  bash.sh
- Size
  
  2KB
- MD5
  
  e9d282fe04078b2d45522facfce2df0b
- SHA1
  
  3cf77dfbbc7cf114515f94e5ecd0c38c3819fd83
- SHA256
  
  8325ad7ebed7fdd287cc0cd89f81a51617a64b38d09fa3d84c9141477e0dd415
- SHA512
  
  26e33128cbbacccc6897c50e723342c6f11c31668353ae553de4a96ac6af7634921a0f269141f11acc4928d8d17edcd9dacd022b949b7a42776df5c248629096
Score

10^/10

mirai owari botnet defense_evasion discovery persistence privilege_escalation antivm
- Mirai
  Mirai is a prevalent Linux malware infecting exposed network devices.
  botnet mirai
- Mirai family
  mirai
- File and Directory Permissions Modification
  Adversaries may modify file or directory permissions to evade defenses.
  defense_evasion
- Executes dropped EXE
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  defense_evasion
- Creates/modifies environment variables
  Creating/modifying environment variables is a common persistence mechanism.
  persistence privilege_escalation defense_evasion
- Enumerates active TCP sockets
  Gets active TCP sockets from /proc virtual filesystem.
  discovery
- Enumerates running processes
  Discovers information about currently running processes on the system
- Modifies Bash startup script
  persistence
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Event Triggered Execution

Unix Shell Configuration Modification

Hijack Execution Flow

Path Interception by PATH Environment Variable

Privilege Escalation

Boot or Logon Autostart Execution

Event Triggered Execution

Unix Shell Configuration Modification

Hijack Execution Flow

Path Interception by PATH Environment Variable

Defense Evasion

File and Directory Permissions Modification

Linux and Mac File and Directory Permissions Modification

Hijack Execution Flow

Path Interception by PATH Environment Variable

Impair Defenses

Virtualization/Sandbox Evasion

System Checks

Credential Access

Discovery

System Network Configuration Discovery

Internet Connection Discovery

System Network Connections Discovery

Virtualization/Sandbox Evasion

System Checks

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

miraiowaribotnetdefense_evasiondiscoverypersistenceprivilege_escalation

behavioral2

miraiowariantivmbotnetdefense_evasiondiscoverypersistenceprivilege_escalation

behavioral3

miraiowaribotnetdefense_evasiondiscoverypersistenceprivilege_escalation

behavioral4

miraiowaribotnetdefense_evasiondiscoverypersistenceprivilege_escalation