mirai | 20e6b63172def8524c738b72c46cab584f9ddd0b3a47b005538bd09ad16a7d45

Analysis

max time kernel
149s
max time network
150s
platform
debian-9_mipsel
resource
debian9-mipsel-20250410-en
resource tags

arch:mipselimage:debian9-mipsel-20250410-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
14/04/2025, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pmpsl.elf
Size

36KB
MD5

171afc0afd5d870ee3dea24e1b58a324
SHA1

a8e5aef1e7e708d2168ef01a8bd818ac01fd9b89
SHA256

20e6b63172def8524c738b72c46cab584f9ddd0b3a47b005538bd09ad16a7d45
SHA512

8a8d13204734a7f3602976be6a911d8f9b56411a2ebbf29febd668b7590afcbcdbb6a6a9bd1698cf914fb2f46b66691d3be6690e00af9ab303d38f118c810ea9
SSDEEP

768:Bcic7wjLhqi2dYMSqKmBIEw9q0R/2XDpb+SiXkPNWC:Wq4tcZBuXkW

Score

10^/10

mirai mirai botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

Deletes itself 1 IoCs

pid	Process
710	pmpsl.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	pmpsl.elf
File opened for modification	/dev/misc/watchdog	pmpsl.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	1b1cfkgi2a00raag0t0epa58	710	pmpsl.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/11cmdline	pmpsl.elf
File opened for reading	/proc/77cmdline	pmpsl.elf
File opened for reading	/proc/109cmdline	pmpsl.elf
File opened for reading	/proc/72cmdline	pmpsl.elf
File opened for reading	/proc/723cmdline	pmpsl.elf
File opened for reading	/proc/742cmdline	pmpsl.elf
File opened for reading	/proc/764cmdline	pmpsl.elf
File opened for reading	/proc/795cmdline	pmpsl.elf
File opened for reading	/proc/808cmdline	pmpsl.elf
File opened for reading	/proc/24cmdline	pmpsl.elf
File opened for reading	/proc/73cmdline	pmpsl.elf
File opened for reading	/proc/745cmdline	pmpsl.elf
File opened for reading	/proc/755cmdline	pmpsl.elf
File opened for reading	/proc/782cmdline	pmpsl.elf
File opened for reading	/proc/813cmdline	pmpsl.elf
File opened for reading	/proc/70cmdline	pmpsl.elf
File opened for reading	/proc/735cmdline	pmpsl.elf
File opened for reading	/proc/797cmdline	pmpsl.elf
File opened for reading	/proc/6cmdline	pmpsl.elf
File opened for reading	/proc/15cmdline	pmpsl.elf
File opened for reading	/proc/19cmdline	pmpsl.elf
File opened for reading	/proc/79cmdline	pmpsl.elf
File opened for reading	/proc/121cmdline	pmpsl.elf
File opened for reading	/proc/327cmdline	pmpsl.elf
File opened for reading	/proc/361cmdline	pmpsl.elf
File opened for reading	/proc/682cmdline	pmpsl.elf
File opened for reading	/proc/727cmdline	pmpsl.elf
File opened for reading	/proc/729cmdline	pmpsl.elf
File opened for reading	/proc/734cmdline	pmpsl.elf
File opened for reading	/proc/748cmdline	pmpsl.elf
File opened for reading	/proc/749cmdline	pmpsl.elf
File opened for reading	/proc/774cmdline	pmpsl.elf
File opened for reading	/proc/805cmdline	pmpsl.elf
File opened for reading	/proc/811cmdline	pmpsl.elf
File opened for reading	/proc/17cmdline	pmpsl.elf
File opened for reading	/proc/771cmdline	pmpsl.elf
File opened for reading	/proc/796cmdline	pmpsl.elf
File opened for reading	/proc/806cmdline	pmpsl.elf
File opened for reading	/proc/815cmdline	pmpsl.elf
File opened for reading	/proc/328cmdline	pmpsl.elf
File opened for reading	/proc/709cmdline	pmpsl.elf
File opened for reading	/proc/753cmdline	pmpsl.elf
File opened for reading	/proc/3cmdline	pmpsl.elf
File opened for reading	/proc/155cmdline	pmpsl.elf
File opened for reading	/proc/719cmdline	pmpsl.elf
File opened for reading	/proc/779cmdline	pmpsl.elf
File opened for reading	/proc/786cmdline	pmpsl.elf
File opened for reading	/proc/788cmdline	pmpsl.elf
File opened for reading	/proc/4cmdline	pmpsl.elf
File opened for reading	/proc/713cmdline	pmpsl.elf
File opened for reading	/proc/746cmdline	pmpsl.elf
File opened for reading	/proc/761cmdline	pmpsl.elf
File opened for reading	/proc/756cmdline	pmpsl.elf
File opened for reading	/proc/803cmdline	pmpsl.elf
File opened for reading	/proc/9cmdline	pmpsl.elf
File opened for reading	/proc/22cmdline	pmpsl.elf
File opened for reading	/proc/332cmdline	pmpsl.elf
File opened for reading	/proc/732cmdline	pmpsl.elf
File opened for reading	/proc/768cmdline	pmpsl.elf
File opened for reading	/proc/769cmdline	pmpsl.elf
File opened for reading	/proc/807cmdline	pmpsl.elf
File opened for reading	/proc/23cmdline	pmpsl.elf
File opened for reading	/proc/74cmdline	pmpsl.elf
File opened for reading	/proc/683cmdline	pmpsl.elf

/tmp/pmpsl.elf
/tmp/pmpsl.elf
1⤵
- Deletes itself
- Modifies Watchdog functionality
- Changes its process name
- Reads runtime system information
PID:710

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads