Analysis
max time kernel: 69s
max time network: 151s
platform: debian-9_mips
resource: debian9-mipsbe-20250410-en
resource tags: arch:mips, image:debian9-mipsbe-20250410-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted: 14/04/2025, 19:47
Behavioral task: behavioral1
Sample: pmips.elf
Resource: debian9-mipsbe-20250410-en
General
Target: pmips.elf
Size: 35KB
MD5: 8edab3f54e0d07d07f4a2c78b58f6aee
SHA1: a9d4104ead918423519e7dcf6971ee32ffc42569
SHA256: 61148d244ab002d5fc0382b84c40ddb0c6801e3feefe5bd68d22fff0bcb39dcf
SHA512: 95eb842d297d80f2e116e650e4a62c45c5aa7c0863bdf43401d2bc8915bdfac06d97b16ee2d3c11c3219fd8187bb66195c5eb24f39cd44ad1a3a42d5961a1e30
SSDEEP: 768:ylWqYyhCL7njgXf9ZWlFbNKlgwYS2PEVbqehfJgGlzDpbuR1JQIK:Jq+Ljj6ZtYS2sVueLVJueIK
Malware Config
Extracted
mirai
MIRAI
Signatures
Mirai family

Deletes itself (1 IoCs)
  pid: 709, Process: pmips.elf
Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description: File opened for modification, ioc: /dev/watchdog, Process: pmips.elf
  description: File opened for modification, ioc: /dev/misc/watchdog, Process: pmips.elf
Unexpected DNS network traffic destination (2 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description: Destination IP, ioc: 206.212.246.10
  description: Destination IP, ioc: 176.135.161.184
Changes its process name (1 IoCs)
  description: Changes the process name, possibly in an attempt to hide itself; ioc: ktvhs2t4difiwl80; pid: 709; Process: pmips.elf
  description: File opened for reading; Process: pmips.elf; ioc:
    /proc/777cmdline
    /proc/778cmdline
    /proc/794cmdline
    /proc/13cmdline
    /proc/76cmdline
    /proc/661cmdline
    /proc/721cmdline
    /proc/731cmdline
    /proc/744cmdline
    /proc/773cmdline
    /proc/810cmdline
    /proc/11cmdline
    /proc/128cmdline
    /proc/686cmdline
    /proc/687cmdline
    /proc/729cmdline
    /proc/797cmdline
    /proc/20cmdline
    /proc/79cmdline
    /proc/365cmdline
    /proc/710cmdline
    /proc/757cmdline
    /proc/763cmdline
    /proc/788cmdline
    /proc/747cmdline
    /proc/783cmdline
    /proc/16cmdline
    /proc/17cmdline
    /proc/815cmdline
    /proc/708cmdline
    /proc/749cmdline
    /proc/755cmdline
    /proc/781cmdline
    /proc/786cmdline
    /proc/80cmdline
    /proc/720cmdline
    /proc/723cmdline
    /proc/756cmdline
    /proc/766cmdline
    /proc/768cmdline
    /proc/790cmdline
    /proc/8cmdline
    /proc/384cmdline
    /proc/732cmdline
    /proc/737cmdline
    /proc/739cmdline
    /proc/740cmdline
    /proc/804cmdline
    /proc/702cmdline
    /proc/719cmdline
    /proc/771cmdline
    /proc/12cmdline
    /proc/77cmdline
    /proc/160cmdline
    /proc/440cmdline
    /proc/677cmdline
    /proc/779cmdline
    /proc/812cmdline
    /proc/2cmdline
    /proc/72cmdline
    /proc/75cmdline
    /proc/338cmdline
    /proc/84cmdline
    /proc/707cmdline
System Network Configuration Discovery (1 TTPs, 1 IoCs)
Adversaries may gather information about the network configuration of a system.
  pid: 709, Process: pmips.elf