mirai | fbcb989ddfedbb581ced2361e642e7bbe82a6c66b1374e66df042e2083056c46 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

morte.mips.elf
Size

119KB
Sample

250706-f7r49a1vgy
MD5

e85c12cc5f30189acd55e052cd29ddd2
SHA1

5a8f1cc7148ff425aabd90841d3e24b0de575698
SHA256

fbcb989ddfedbb581ced2361e642e7bbe82a6c66b1374e66df042e2083056c46
SHA512

7ea2d2294074289ad6d8f8dbaaa1a8a953372187acb93f64e05b50e927cc9627cbf1e91b9ca48e11e9f3844264abbcaf006fb0558c8848aefabd8468da7e7748
SSDEEP

1536:5cLWP2C2Sf348tJUarjhwwC3+bYRB+JUjNZznRBsPenKRh4QN7y:cWP2e34QJUarw3+bYz+JUjDnXq42y

Score

10^/10

mirai botnet credential_access defense_evasion discovery persistence

Malware Config

Extracted

Family

mirai

C2

cnc.jssaytcp.lat

Targets

- Target
  
  morte.mips.elf
- Size
  
  119KB
- MD5
  
  e85c12cc5f30189acd55e052cd29ddd2
- SHA1
  
  5a8f1cc7148ff425aabd90841d3e24b0de575698
- SHA256
  
  fbcb989ddfedbb581ced2361e642e7bbe82a6c66b1374e66df042e2083056c46
- SHA512
  
  7ea2d2294074289ad6d8f8dbaaa1a8a953372187acb93f64e05b50e927cc9627cbf1e91b9ca48e11e9f3844264abbcaf006fb0558c8848aefabd8468da7e7748
- SSDEEP
  
  1536:5cLWP2C2Sf348tJUarjhwwC3+bYRB+JUjNZznRBsPenKRh4QN7y:cWP2e34QJUarw3+bYz+JUjDnXq42y
Score

10^/10

mirai botnet credential_access defense_evasion discovery persistence
- Mirai
  Mirai is a prevalent Linux malware infecting exposed network devices.
  botnet mirai
- Mirai family
  mirai
- Deletes itself
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  defense_evasion
- Enumerates active TCP sockets
  Gets active TCP sockets from /proc virtual filesystem.
  discovery
- Enumerates running processes
  Discovers information about currently running processes on the system
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Modifies rc script
  Adding/modifying system rc scripts is a common persistence mechanism.
  persistence
- Write file to user bin folder
  persistence
- Writes file to system bin folder
- Reads process memory
  Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  credential_access
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Boot or Logon Initialization Scripts

RC Scripts

Privilege Escalation

Boot or Logon Autostart Execution

Boot or Logon Initialization Scripts

RC Scripts

Defense Evasion

Impair Defenses

Credential Access

OS Credential Dumping

Proc Filesystem

Discovery

System Network Configuration Discovery

Internet Connection Discovery

System Network Connections Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

miraibotnetcredential_accessdefense_evasiondiscoverypersistence