mirai | 0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8

Analysis

max time kernel
149s
max time network
150s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
29-06-2024 01:02

Target

0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf
Size

56KB
MD5

342b4cb1e1a52cfe203a091204e8fee0
SHA1

6a5747cce3c15f955662c13b33842c9a8273db36
SHA256

0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8
SHA512

40c469534afe660c2fd8932f3792950dd907b41d851b6ac1bb3a40b1365c75dfdc3200ed2782a2e28292316cfa8fbb1e505bb121e4c2974c17c3657ba859dcd2
SSDEEP

1536:9411ZTIKYHt+FnjrL790vgCJ6yDjlRY2+2huk:KmKYHeXL79141K2hT

Score

10^/10

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Deletes itself 1 IoCs

Processes:

0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf

pid process

638 0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf
Traces itself 1 IoCs
Traces itself to prevent debugging attempts

Processes:

0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf

pid process

638 0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf
Changes its process name 1 IoCs

Processes:

0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself sshd 638 0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf

description ioc process

File opened for reading /proc/self/exe 0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf

pid	process
638	0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf

pid	process
638	0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	sshd	638	0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf

description	ioc	process
File opened for reading	/proc/self/exe	0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf

Writes file to tmp directory 9 IoCs

Malware often drops required files in the /tmp directory.

Processes:

0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf

description	ioc	process
File opened for modification	/tmp/45&a`a'1$384?7P	0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf
File opened for modification	/tmp/45&a`a'1$384?7P	0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf
File opened for modification	/tmp/5$34561%<$'1$384?7P	0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf
File opened for modification	/tmp/45&'1$384?7P	0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf
File opened for modification	/tmp/45&=9#3'1$384?7P	0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf
File opened for modification	/tmp/#29>'1$384?7P	0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf
File opened for modification	/tmp/29>'1$384?7P	0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf
File opened for modification	/tmp/45&'1$384?7`P	0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf
File opened for modification	/tmp/5$3'1$384?7P	0d0defbfee4473d9ab5878e8974fbdecd34e7a7c2559cfe726ecea882a0790f8.elf