Malware Analysis Report

2024-12-01 00:51

Sample ID 220121-2tr3zscbeq
Target f3088adfb9e90eb440b58382bcf4ea286b5fc726da9695a2f141e1ee5199f22c
SHA256 f3088adfb9e90eb440b58382bcf4ea286b5fc726da9695a2f141e1ee5199f22c
Tags
kaiten mirai mirai_x86corona
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f3088adfb9e90eb440b58382bcf4ea286b5fc726da9695a2f141e1ee5199f22c

Threat Level: Known bad

The file f3088adfb9e90eb440b58382bcf4ea286b5fc726da9695a2f141e1ee5199f22c was found to be: Known bad.

Malicious Activity Summary

kaiten mirai mirai_x86corona

Mirai family

Mirai_x86corona family

Detect Mirai Payload

Detected x86corona Mirai Variant

Identified Kaiten Bot

Kaiten family

Reads CPU attributes

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-21 22:52

Signatures

Detect Mirai Payload
Detected x86corona Mirai Variant
Identified Kaiten Bot

Description Indicator Process Target
N/A N/A N/A N/A (applies to all three static detections above: they are file-content rule hits, and the report records no indicator, process or target for them)

Kaiten family

kaiten

Mirai family

mirai

Mirai_x86corona family

mirai_x86corona

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-21 22:52

Reported

2022-01-21 23:01

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

0s

Max time network

102s

Command Line

[./f3088adfb9e90eb440b58382bcf4ea286b5fc726da9695a2f141e1ee5199f22c]

Signatures

Reads CPU attributes

Description Indicator Process Target
/sys/devices/system/cpu/online /sys/devices/system/cpu/online /usr/bin/pkill N/A (31 identical events)

Every event is attributed to /usr/bin/pkill, not to the sample's own code. /sys/devices/system/cpu/online is the kernel's list of online CPUs, a routine start-up lookup for libc and the procps tools; recorded against pkill, it is tool noise from the kill routine listed under Processes, not evidence that the sample fingerprints the hardware or the sandbox.

Reads runtime system information

Description Indicator Process Target
/proc/<pid>/cmdline /proc/<pid>/cmdline /usr/bin/pkill N/A (32 events; pids 6, 9, 10, 11, 18, 19, 23, 26, 27, 32, 83, 85, 89, 98, 157, 162, 165, 168, 192, 193, 238, 310, 334, 370, 391, 422, 541, 578, 600)
/proc/<pid>/status /proc/<pid>/status /usr/bin/pkill N/A (30 events; pids 1, 6, 10, 18, 21, 22, 25, 31, 32, 36, 84, 115, 154, 157, 162, 193, 310, 342, 349, 350, 393, 569, 573, 657)
/proc/sys/kernel/osrelease /proc/sys/kernel/osrelease /usr/bin/pkill N/A (2 events)

All 64 reads are again by /usr/bin/pkill. pkill finds its targets by walking /proc/<pid>/status and /proc/<pid>/cmdline, so these reads are the mechanics of the kill routine rather than reconnaissance by the sample; the PIDs are those of the sandbox's own processes and have no value as indicators. The sample itself produced no kernel-level events in this run (Max time kernel 0s), which is why all behavioral signatures hang off the helper binaries it spawned.

Processes

The tree below is a competitor-kill routine: for each name the sample spawns one shell, [sh -c pkill -9 NAME || busybox pkill -9 NAME]. The names are the architecture-named payload files that Mirai-style droppers leave behind (mips, mipsel, mips64, sh4, x86, i586, i686, x86_64, arm and armv4 to armv6, m68k, powerpc, sparc), Mirai's own process and downloader names (mirai.*, dlr.*mips), and a few further names (jackmy*, hackmy*, b1 to b9) that appear to belong to rival bots. pkill exits 1 when nothing matched, so on this host the busybox fallback runs after every pkill even though /usr/bin/pkill exists; that is why both binaries appear for each name. pkill treats NAME as an unanchored extended regex tested against process names, so short patterns such as arm or x86 also match unrelated processes whose names merely contain them. The recorded tree ends with [pkill -9 b9]; no further processes are listed.

./f3088adfb9e90eb440b58382bcf4ea286b5fc726da9695a2f141e1ee5199f22c

[./f3088adfb9e90eb440b58382bcf4ea286b5fc726da9695a2f141e1ee5199f22c]

/bin/sh

[sh -c pkill -9 mirai.* || busybox pkill -9 mirai.*]

/usr/bin/pkill

[pkill -9 mirai.*]

/bin/busybox

[busybox pkill -9 mirai.*]

/bin/sh

[sh -c pkill -9 dlr.*mips || busybox pkill -9 dlr.*mips]

/usr/bin/pkill

[pkill -9 dlr.*mips]

/bin/busybox

[busybox pkill -9 dlr.*mips]

/bin/sh

[sh -c pkill -9 mips64 || busybox pkill -9 mips64]

/usr/bin/pkill

[pkill -9 mips64]

/bin/busybox

[busybox pkill -9 mips64]

/bin/sh

[sh -c pkill -9 mipsel || busybox pkill -9 mipsel]

/usr/bin/pkill

[pkill -9 mipsel]

/bin/busybox

[busybox pkill -9 mipsel]

/bin/sh

[sh -c pkill -9 sh2eb || busybox pkill -9 sh2eb]

/usr/bin/pkill

[pkill -9 sh2eb]

/bin/busybox

[busybox pkill -9 sh2eb]

/bin/sh

[sh -c pkill -9 sh2elf || busybox pkill -9 sh2elf]

/usr/bin/pkill

[pkill -9 sh2elf]

/bin/busybox

[busybox pkill -9 sh2elf]

/bin/sh

[sh -c pkill -9 sh4 || busybox pkill -9 sh4]

/usr/bin/pkill

[pkill -9 sh4]

/bin/busybox

[busybox pkill -9 sh4]

/bin/sh

[sh -c pkill -9 x86 || busybox pkill -9 x86]

/usr/bin/pkill

[pkill -9 x86]

/bin/busybox

[busybox pkill -9 x86]

/bin/sh

[sh -c pkill -9 arm || busybox pkill -9 arm]

/usr/bin/pkill

[pkill -9 arm]

/bin/busybox

[busybox pkill -9 arm]

/bin/sh

[sh -c pkill -9 armv5 || busybox pkill -9 armv5]

/usr/bin/pkill

[pkill -9 armv5]

/bin/busybox

[busybox pkill -9 armv5]

/bin/sh

[sh -c pkill -9 armv4tl || busybox pkill -9 armv4tl]

/usr/bin/pkill

[pkill -9 armv4tl]

/bin/busybox

[busybox pkill -9 armv4tl]

/bin/sh

[sh -c pkill -9 armv4 || busybox pkill -9 armv4]

/usr/bin/pkill

[pkill -9 armv4]

/bin/busybox

[busybox pkill -9 armv4]

/bin/sh

[sh -c pkill -9 armv6 || busybox pkill -9 armv6]

/usr/bin/pkill

[pkill -9 armv6]

/bin/busybox

[busybox pkill -9 armv6]

/bin/sh

[sh -c pkill -9 i686 || busybox pkill -9 i686]

/usr/bin/pkill

[pkill -9 i686]

/bin/busybox

[busybox pkill -9 i686]

/bin/sh

[sh -c pkill -9 powerpc || busybox pkill -9 powerpc]

/usr/bin/pkill

[pkill -9 powerpc]

/bin/busybox

[busybox pkill -9 powerpc]

/bin/sh

[sh -c pkill -9 powerpc440fp || busybox pkill -9 powerpc440fp]

/usr/bin/pkill

[pkill -9 powerpc440fp]

/bin/busybox

[busybox pkill -9 powerpc440fp]

/bin/sh

[sh -c pkill -9 i586 || busybox pkill -9 i586]

/usr/bin/pkill

[pkill -9 i586]

/bin/busybox

[busybox pkill -9 i586]

/bin/sh

[sh -c pkill -9 m68k || busybox pkill -9 m68k]

/usr/bin/pkill

[pkill -9 m68k]

/bin/busybox

[busybox pkill -9 m68k]

/bin/sh

[sh -c pkill -9 sparc || busybox pkill -9 sparc]

/usr/bin/pkill

[pkill -9 sparc]

/bin/busybox

[busybox pkill -9 sparc]

/bin/sh

[sh -c pkill -9 x86_64 || busybox pkill -9 x86_64]

/usr/bin/pkill

[pkill -9 x86_64]

/bin/busybox

[busybox pkill -9 x86_64]

/bin/sh

[sh -c pkill -9 jackmy* || busybox pkill -9 jackmy*]

/usr/bin/pkill

[pkill -9 jackmy*]

/bin/busybox

[busybox pkill -9 jackmy*]

/bin/sh

[sh -c pkill -9 hackmy* || busybox pkill -9 hackmy*]

/usr/bin/pkill

[pkill -9 hackmy*]

/bin/busybox

[busybox pkill -9 hackmy*]

/bin/sh

[sh -c pkill -9 b1 || busybox pkill -9 b1]

/usr/bin/pkill

[pkill -9 b1]

/bin/busybox

[busybox pkill -9 b1]

/bin/sh

[sh -c pkill -9 b2 || busybox pkill -9 b2]

/usr/bin/pkill

[pkill -9 b2]

/bin/busybox

[busybox pkill -9 b2]

/bin/sh

[sh -c pkill -9 b3 || busybox pkill -9 b3]

/usr/bin/pkill

[pkill -9 b3]

/bin/busybox

[busybox pkill -9 b3]

/bin/sh

[sh -c pkill -9 b4 || busybox pkill -9 b4]

/usr/bin/pkill

[pkill -9 b4]

/bin/busybox

[busybox pkill -9 b4]

/bin/sh

[sh -c pkill -9 b5 || busybox pkill -9 b5]

/usr/bin/pkill

[pkill -9 b5]

/bin/busybox

[busybox pkill -9 b5]

/bin/sh

[sh -c pkill -9 b6 || busybox pkill -9 b6]

/usr/bin/pkill

[pkill -9 b6]

/bin/busybox

[busybox pkill -9 b6]

/bin/sh

[sh -c pkill -9 b7 || busybox pkill -9 b7]

/usr/bin/pkill

[pkill -9 b7]

/bin/busybox

[busybox pkill -9 b7]

/bin/sh

[sh -c pkill -9 b8 || busybox pkill -9 b8]

/usr/bin/pkill

[pkill -9 b8]

/bin/busybox

[busybox pkill -9 b8]

/bin/sh

[sh -c pkill -9 b9 || busybox pkill -9 b9]

/usr/bin/pkill

[pkill -9 b9]
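
The kill routine above, emulated as an added example (this is not code from the sample, the sandbox or the report): it parses the recorded sh command lines, extracts the pkill patterns, and applies pkill's matching rules (an unanchored extended regex tested against the kernel's 15-character comm name, approximated here with Python's re module) to a constructed process table, so the collateral matches of short patterns such as x86 and arm become visible. The command lines are copied from the report; the process names, the helper names and the truncation logic are this example's own assumptions.

```python
"""Emulate the competitor-kill routine recorded in the process tree above.

Added example, not code from the sample or the sandbox. The sh command
lines are copied from the report; everything else (process names, helper
names) is constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Iterable

# Command lines exactly as the sandbox recorded them for /bin/sh (a subset).
RECORDED_SH_CMDLINES = [
    "sh -c pkill -9 mirai.* || busybox pkill -9 mirai.*",
    "sh -c pkill -9 dlr.*mips || busybox pkill -9 dlr.*mips",
    "sh -c pkill -9 x86 || busybox pkill -9 x86",
    "sh -c pkill -9 arm || busybox pkill -9 arm",
    "sh -c pkill -9 jackmy* || busybox pkill -9 jackmy*",
    "sh -c pkill -9 b1 || busybox pkill -9 b1",
]

# Shape of one kill step: "pkill -9 PAT || busybox pkill -9 PAT", with the same
# pattern on both sides of the "||". Usable as a process-creation detection.
KILL_STEP = re.compile(
    r"^sh -c pkill -9 (?P<pat>\S+) \|\| busybox pkill -9 (?P=pat)$"
)


def extract_kill_patterns(cmdlines: Iterable[str]) -> list[str]:
    """Return the pkill patterns from command lines that match the kill-step shape."""
    return [m.group("pat") for c in cmdlines if (m := KILL_STEP.match(c))]


def comm_name(argv0: str) -> str:
    """procps pkill (without -f) matches the kernel 'comm' name: the executable's
    basename, truncated to 15 characters (TASK_COMM_LEN minus the NUL)."""
    return argv0.rsplit("/", 1)[-1][:15]


def pkill_matches(pattern: str, process_paths: Iterable[str]) -> list[str]:
    """Processes that `pkill PATTERN` would signal.

    pkill treats PATTERN as an unanchored POSIX extended regex and tests it
    against each process's comm name; Python's re.search behaves identically
    for the simple patterns this sample uses (approximation, not a full ERE).
    """
    rx = re.compile(pattern)
    return [p for p in process_paths if rx.search(comm_name(p))]


# Constructed process table for a hypothetical infected host: arch-named
# payloads as Mirai droppers leave them, benign daemons, and one long name
# whose comm is truncated to "very_long_proce" before the x86 suffix.
CONSTRUCTED_PROCS = [
    "/tmp/x86_64", "/tmp/mirai.arm7", "/tmp/dlr.mips", "/usr/bin/jackm",
    "/usr/sbin/alarm-daemon", "/usr/sbin/sshd", "/bin/busybox",
    "/opt/very_long_process_name_x86",
]


def kill_report(cmdlines: Iterable[str], procs: Iterable[str]) -> dict[str, list[str]]:
    """Map each extracted pkill pattern to the processes it would kill."""
    procs = list(procs)
    return {p: pkill_matches(p, procs) for p in extract_kill_patterns(cmdlines)}


if __name__ == "__main__":
    for pat, victims in kill_report(RECORDED_SH_CMDLINES, CONSTRUCTED_PROCS).items():
        print(f"pkill -9 {pat!r:14} -> {victims}")
```

Running it shows that arm kills the constructed alarm-daemon as well as mirai.arm7, that x86 kills x86_64 but misses the long name whose comm is cut off before the suffix, and that jackmy* (an extended regex, not a shell glob, once it reaches pkill) matches a process called jackm. extract_kill_patterns doubles as a detection for the sh -c pkill ... || busybox pkill ... shape seen in this tree.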

Network

Country Destination Domain Proto Connections
CN 212.64.67.230:6667 N/A tcp 4
HK 154.92.16.67:6667 N/A tcp 2
CN 106.52.68.18:6667 N/A tcp 1

All seven connections in the 102-second network window go to TCP port 6667, the default IRC port, which fits the Kaiten classification: Kaiten is an IRC-controlled bot, and these three addresses are its candidate C2 servers. No DNS lookup is recorded, so the addresses are not resolved from a domain at run time. The repeated connections to the same address are reconnect attempts within the window, not distinct indicators.

Files

N/A