Analysis Overview
SHA256
f3088adfb9e90eb440b58382bcf4ea286b5fc726da9695a2f141e1ee5199f22c
Threat Level: Known bad
The file f3088adfb9e90eb440b58382bcf4ea286b5fc726da9695a2f141e1ee5199f22c was found to be: Known bad.
Malicious Activity Summary
Mirai family
Mirai_x86corona family
Detect Mirai Payload
Detected x86corona Mirai Variant
Identified Kaiten Bot
Kaiten family
Reads CPU attributes
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-21 22:52
Signatures
Detect Mirai Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected x86corona Mirai Variant
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identified Kaiten Bot
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kaiten family
Mirai family
Mirai_x86corona family
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-21 22:52
Reported
2022-01-21 23:01
Platform
ubuntu1804-amd64-en-20211208
Max time kernel
0s
Max time network
102s
Command Line
Signatures
Reads CPU attributes
| Description | Indicator | Process | Target |
| /sys/devices/system/cpu/online | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
(identical row recorded 31 times, once per /usr/bin/pkill invocation listed under Processes)
Reads runtime system information
| Description | Indicator | Process | Target |
| /proc/422/cmdline | /proc/422/cmdline | /usr/bin/pkill | N/A |
| /proc/10/cmdline | /proc/10/cmdline | /usr/bin/pkill | N/A |
| /proc/168/cmdline | /proc/168/cmdline | /usr/bin/pkill | N/A |
| /proc/393/status | /proc/393/status | /usr/bin/pkill | N/A |
| /proc/541/cmdline | /proc/541/cmdline | /usr/bin/pkill | N/A |
| /proc/168/cmdline | /proc/168/cmdline | /usr/bin/pkill | N/A |
| /proc/193/cmdline | /proc/193/cmdline | /usr/bin/pkill | N/A |
| /proc/310/status | /proc/310/status | /usr/bin/pkill | N/A |
| /proc/83/cmdline | /proc/83/cmdline | /usr/bin/pkill | N/A |
| /proc/98/cmdline | /proc/98/cmdline | /usr/bin/pkill | N/A |
| /proc/192/cmdline | /proc/192/cmdline | /usr/bin/pkill | N/A |
| /proc/350/status | /proc/350/status | /usr/bin/pkill | N/A |
| /proc/10/status | /proc/10/status | /usr/bin/pkill | N/A |
| /proc/350/status | /proc/350/status | /usr/bin/pkill | N/A |
| /proc/115/status | /proc/115/status | /usr/bin/pkill | N/A |
| /proc/310/cmdline | /proc/310/cmdline | /usr/bin/pkill | N/A |
| /proc/27/cmdline | /proc/27/cmdline | /usr/bin/pkill | N/A |
| /proc/157/cmdline | /proc/157/cmdline | /usr/bin/pkill | N/A |
| /proc/25/status | /proc/25/status | /usr/bin/pkill | N/A |
| /proc/22/status | /proc/22/status | /usr/bin/pkill | N/A |
| /proc/573/status | /proc/573/status | /usr/bin/pkill | N/A |
| /proc/85/cmdline | /proc/85/cmdline | /usr/bin/pkill | N/A |
| /proc/370/cmdline | /proc/370/cmdline | /usr/bin/pkill | N/A |
| /proc/349/status | /proc/349/status | /usr/bin/pkill | N/A |
| /proc/162/status | /proc/162/status | /usr/bin/pkill | N/A |
| /proc/84/status | /proc/84/status | /usr/bin/pkill | N/A |
| /proc/25/status | /proc/25/status | /usr/bin/pkill | N/A |
| /proc/11/cmdline | /proc/11/cmdline | /usr/bin/pkill | N/A |
| /proc/157/status | /proc/157/status | /usr/bin/pkill | N/A |
| /proc/26/cmdline | /proc/26/cmdline | /usr/bin/pkill | N/A |
| /proc/578/cmdline | /proc/578/cmdline | /usr/bin/pkill | N/A |
| /proc/10/status | /proc/10/status | /usr/bin/pkill | N/A |
| /proc/600/cmdline | /proc/600/cmdline | /usr/bin/pkill | N/A |
| /proc/310/cmdline | /proc/310/cmdline | /usr/bin/pkill | N/A |
| /proc/32/cmdline | /proc/32/cmdline | /usr/bin/pkill | N/A |
| /proc/154/status | /proc/154/status | /usr/bin/pkill | N/A |
| /proc/238/cmdline | /proc/238/cmdline | /usr/bin/pkill | N/A |
| /proc/9/cmdline | /proc/9/cmdline | /usr/bin/pkill | N/A |
| /proc/6/status | /proc/6/status | /usr/bin/pkill | N/A |
| /proc/sys/kernel/osrelease | /proc/sys/kernel/osrelease | /usr/bin/pkill | N/A |
| /proc/165/cmdline | /proc/165/cmdline | /usr/bin/pkill | N/A |
| /proc/115/status | /proc/115/status | /usr/bin/pkill | N/A |
| /proc/342/status | /proc/342/status | /usr/bin/pkill | N/A |
| /proc/36/status | /proc/36/status | /usr/bin/pkill | N/A |
| /proc/32/cmdline | /proc/32/cmdline | /usr/bin/pkill | N/A |
| /proc/1/status | /proc/1/status | /usr/bin/pkill | N/A |
| /proc/sys/kernel/osrelease | /proc/sys/kernel/osrelease | /usr/bin/pkill | N/A |
| /proc/162/cmdline | /proc/162/cmdline | /usr/bin/pkill | N/A |
| /proc/391/cmdline | /proc/391/cmdline | /usr/bin/pkill | N/A |
| /proc/569/status | /proc/569/status | /usr/bin/pkill | N/A |
| /proc/657/status | /proc/657/status | /usr/bin/pkill | N/A |
| /proc/23/cmdline | /proc/23/cmdline | /usr/bin/pkill | N/A |
| /proc/6/cmdline | /proc/6/cmdline | /usr/bin/pkill | N/A |
| /proc/32/status | /proc/32/status | /usr/bin/pkill | N/A |
| /proc/1/status | /proc/1/status | /usr/bin/pkill | N/A |
| /proc/19/cmdline | /proc/19/cmdline | /usr/bin/pkill | N/A |
| /proc/31/status | /proc/31/status | /usr/bin/pkill | N/A |
| /proc/89/cmdline | /proc/89/cmdline | /usr/bin/pkill | N/A |
| /proc/115/status | /proc/115/status | /usr/bin/pkill | N/A |
| /proc/193/status | /proc/193/status | /usr/bin/pkill | N/A |
| /proc/334/cmdline | /proc/334/cmdline | /usr/bin/pkill | N/A |
| /proc/18/status | /proc/18/status | /usr/bin/pkill | N/A |
| /proc/21/status | /proc/21/status | /usr/bin/pkill | N/A |
| /proc/18/cmdline | /proc/18/cmdline | /usr/bin/pkill | N/A |
Processes
./f3088adfb9e90eb440b58382bcf4ea286b5fc726da9695a2f141e1ee5199f22c
[./f3088adfb9e90eb440b58382bcf4ea286b5fc726da9695a2f141e1ee5199f22c]
/bin/sh
[sh -c pkill -9 mirai.* || busybox pkill -9 mirai.*]
/usr/bin/pkill
[pkill -9 mirai.*]
/bin/busybox
[busybox pkill -9 mirai.*]
/bin/sh
[sh -c pkill -9 dlr.*mips || busybox pkill -9 dlr.*mips]
/usr/bin/pkill
[pkill -9 dlr.*mips]
/bin/busybox
[busybox pkill -9 dlr.*mips]
/bin/sh
[sh -c pkill -9 mips64 || busybox pkill -9 mips64]
/usr/bin/pkill
[pkill -9 mips64]
/bin/busybox
[busybox pkill -9 mips64]
/bin/sh
[sh -c pkill -9 mipsel || busybox pkill -9 mipsel]
/usr/bin/pkill
[pkill -9 mipsel]
/bin/busybox
[busybox pkill -9 mipsel]
/bin/sh
[sh -c pkill -9 sh2eb || busybox pkill -9 sh2eb]
/usr/bin/pkill
[pkill -9 sh2eb]
/bin/busybox
[busybox pkill -9 sh2eb]
/bin/sh
[sh -c pkill -9 sh2elf || busybox pkill -9 sh2elf]
/usr/bin/pkill
[pkill -9 sh2elf]
/bin/busybox
[busybox pkill -9 sh2elf]
/bin/sh
[sh -c pkill -9 sh4 || busybox pkill -9 sh4]
/usr/bin/pkill
[pkill -9 sh4]
/bin/busybox
[busybox pkill -9 sh4]
/bin/sh
[sh -c pkill -9 x86 || busybox pkill -9 x86]
/usr/bin/pkill
[pkill -9 x86]
/bin/busybox
[busybox pkill -9 x86]
/bin/sh
[sh -c pkill -9 arm || busybox pkill -9 arm]
/usr/bin/pkill
[pkill -9 arm]
/bin/busybox
[busybox pkill -9 arm]
/bin/sh
[sh -c pkill -9 armv5 || busybox pkill -9 armv5]
/usr/bin/pkill
[pkill -9 armv5]
/bin/busybox
[busybox pkill -9 armv5]
/bin/sh
[sh -c pkill -9 armv4tl || busybox pkill -9 armv4tl]
/usr/bin/pkill
[pkill -9 armv4tl]
/bin/busybox
[busybox pkill -9 armv4tl]
/bin/sh
[sh -c pkill -9 armv4 || busybox pkill -9 armv4]
/usr/bin/pkill
[pkill -9 armv4]
/bin/busybox
[busybox pkill -9 armv4]
/bin/sh
[sh -c pkill -9 armv6 || busybox pkill -9 armv6]
/usr/bin/pkill
[pkill -9 armv6]
/bin/busybox
[busybox pkill -9 armv6]
/bin/sh
[sh -c pkill -9 i686 || busybox pkill -9 i686]
/usr/bin/pkill
[pkill -9 i686]
/bin/busybox
[busybox pkill -9 i686]
/bin/sh
[sh -c pkill -9 powerpc || busybox pkill -9 powerpc]
/usr/bin/pkill
[pkill -9 powerpc]
/bin/busybox
[busybox pkill -9 powerpc]
/bin/sh
[sh -c pkill -9 powerpc440fp || busybox pkill -9 powerpc440fp]
/usr/bin/pkill
[pkill -9 powerpc440fp]
/bin/busybox
[busybox pkill -9 powerpc440fp]
/bin/sh
[sh -c pkill -9 i586 || busybox pkill -9 i586]
/usr/bin/pkill
[pkill -9 i586]
/bin/busybox
[busybox pkill -9 i586]
/bin/sh
[sh -c pkill -9 m68k || busybox pkill -9 m68k]
/usr/bin/pkill
[pkill -9 m68k]
/bin/busybox
[busybox pkill -9 m68k]
/bin/sh
[sh -c pkill -9 sparc || busybox pkill -9 sparc]
/usr/bin/pkill
[pkill -9 sparc]
/bin/busybox
[busybox pkill -9 sparc]
/bin/sh
[sh -c pkill -9 x86_64 || busybox pkill -9 x86_64]
/usr/bin/pkill
[pkill -9 x86_64]
/bin/busybox
[busybox pkill -9 x86_64]
/bin/sh
[sh -c pkill -9 jackmy* || busybox pkill -9 jackmy*]
/usr/bin/pkill
[pkill -9 jackmy*]
/bin/busybox
[busybox pkill -9 jackmy*]
/bin/sh
[sh -c pkill -9 hackmy* || busybox pkill -9 hackmy*]
/usr/bin/pkill
[pkill -9 hackmy*]
/bin/busybox
[busybox pkill -9 hackmy*]
/bin/sh
[sh -c pkill -9 b1 || busybox pkill -9 b1]
/usr/bin/pkill
[pkill -9 b1]
/bin/busybox
[busybox pkill -9 b1]
/bin/sh
[sh -c pkill -9 b2 || busybox pkill -9 b2]
/usr/bin/pkill
[pkill -9 b2]
/bin/busybox
[busybox pkill -9 b2]
/bin/sh
[sh -c pkill -9 b3 || busybox pkill -9 b3]
/usr/bin/pkill
[pkill -9 b3]
/bin/busybox
[busybox pkill -9 b3]
/bin/sh
[sh -c pkill -9 b4 || busybox pkill -9 b4]
/usr/bin/pkill
[pkill -9 b4]
/bin/busybox
[busybox pkill -9 b4]
/bin/sh
[sh -c pkill -9 b5 || busybox pkill -9 b5]
/usr/bin/pkill
[pkill -9 b5]
/bin/busybox
[busybox pkill -9 b5]
/bin/sh
[sh -c pkill -9 b6 || busybox pkill -9 b6]
/usr/bin/pkill
[pkill -9 b6]
/bin/busybox
[busybox pkill -9 b6]
/bin/sh
[sh -c pkill -9 b7 || busybox pkill -9 b7]
/usr/bin/pkill
[pkill -9 b7]
/bin/busybox
[busybox pkill -9 b7]
/bin/sh
[sh -c pkill -9 b8 || busybox pkill -9 b8]
/usr/bin/pkill
[pkill -9 b8]
/bin/busybox
[busybox pkill -9 b8]
/bin/sh
[sh -c pkill -9 b9 || busybox pkill -9 b9]
/usr/bin/pkill
[pkill -9 b9]
Network
| Country | Destination | Domain | Proto |
| CN | 212.64.67.230:6667 | | tcp |
| HK | 154.92.16.67:6667 | | tcp |
| CN | 212.64.67.230:6667 | | tcp |
| CN | 212.64.67.230:6667 | | tcp |
| HK | 154.92.16.67:6667 | | tcp |
| CN | 212.64.67.230:6667 | | tcp |
| CN | 106.52.68.18:6667 | | tcp |
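Two things in this report are worth pulling out programmatically: the Processes list, which is a competitor-kill loop (the sample runs `sh -c pkill -9 X || busybox pkill -9 X` for each name in a list of architecture-style Mirai payload names and rival bot names), and the Network table, where every attempt goes to TCP/6667, the IANA-registered IRC port, consistent with the Kaiten (IRC bot) detection. Two caveats for anyone writing detections from this page: the "Reads CPU attributes" and "Reads runtime system information" hits are attributed in the Process column to /usr/bin/pkill, i.e. they are the pkill utility enumerating /proc to find matches, not the sample reading system information itself; and pkill treats its argument as an extended regex matched against process names, so `pkill -9 x86` or `pkill -9 arm` kills any process whose name contains that substring. The script below is an added example, not part of the sandbox report or the vendor's tooling: it parses the flattened process tree and the network table (the embedded sample data is a constructed subset of the rows above, in the report's own layout) into a kill list, splits architecture-style names from other bot names, applies a simple competitor-kill heuristic, and summarises unique C2 endpoints. The threshold of 5 distinct targets, the architecture-name regex and the IRC port set are assumptions chosen for illustration.

```python
"""Added example: turn a flattened sandbox process tree and network table
(as in the report above) into indicators. Not part of the original report."""
import re
from collections import Counter

# Constructed sample: a subset of the report's own Processes rows, same layout
# (binary path on one line, bracketed command line on the next).
PROCESS_TREE = """\
./f3088adfb9e90eb440b58382bcf4ea286b5fc726da9695a2f141e1ee5199f22c
[./f3088adfb9e90eb440b58382bcf4ea286b5fc726da9695a2f141e1ee5199f22c]
/bin/sh
[sh -c pkill -9 mirai.* || busybox pkill -9 mirai.*]
/usr/bin/pkill
[pkill -9 mirai.*]
/bin/sh
[sh -c pkill -9 dlr.*mips || busybox pkill -9 dlr.*mips]
/bin/sh
[sh -c pkill -9 mips64 || busybox pkill -9 mips64]
/bin/sh
[sh -c pkill -9 x86 || busybox pkill -9 x86]
/bin/sh
[sh -c pkill -9 arm || busybox pkill -9 arm]
/bin/sh
[sh -c pkill -9 x86_64 || busybox pkill -9 x86_64]
/bin/sh
[sh -c pkill -9 jackmy* || busybox pkill -9 jackmy*]
/bin/sh
[sh -c pkill -9 b1 || busybox pkill -9 b1]
"""

# Constructed sample: Network rows as the report prints them (protocol lands in
# the Domain column and Proto is empty; the last row lacks its trailing pipe).
NETWORK_ROWS = """\
| CN | 212.64.67.230:6667 | tcp | |
| HK | 154.92.16.67:6667 | tcp | |
| CN | 212.64.67.230:6667 | tcp | |
| CN | 106.52.68.18:6667 | tcp |
"""

# The sample's kill idiom: the same name passed to pkill and to busybox pkill.
KILL_IDIOM = re.compile(r"^sh -c pkill -9 (\S+) \|\| busybox pkill -9 \1$")
# Assumption: architecture-style names used for Mirai payloads (illustrative list).
ARCH_NAME = re.compile(
    r"^(x86(_64)?|i[3-6]86|arm(v\d\w*)?|mips(el|64)?|sh[24]\w*|powerpc\w*|m68k|sparc)$")
NET_ROW = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*\|(.*)$")
IRC_PORTS = {6667}  # IANA-registered IRC port; Kaiten is IRC-controlled (assumption: only 6667 checked)


def parse_process_tree(text):
    """Pair each binary path with the bracketed command line that follows it."""
    procs, path = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]") and path is not None:
            procs.append((path, line[1:-1]))
            path = None
        else:
            path = line
    return procs


def kill_targets(procs):
    """Names the sample asks pkill to SIGKILL, in the order they were issued."""
    out = []
    for path, cmd in procs:
        m = KILL_IDIOM.match(cmd) if path == "/bin/sh" else None
        if m:
            out.append(m.group(1))
    return out


def split_targets(targets):
    """Architecture-style names (Mirai payload naming) versus other bot names."""
    arch = [t for t in targets if ARCH_NAME.match(t)]
    other = [t for t in targets if not ARCH_NAME.match(t)]
    return arch, other


def is_competitor_killer(procs, threshold=5):
    """Heuristic (assumed threshold): many distinct pkill -9 targets from one parent."""
    return len(set(kill_targets(procs))) >= threshold


def parse_network(text):
    """Return (country, ip, port, proto); proto is taken from whichever cell holds it."""
    conns = []
    for line in text.splitlines():
        m = NET_ROW.match(line.strip())
        if not m:
            continue
        country, ip, port, rest = m.groups()
        cells = [c.strip() for c in rest.split("|")]
        proto = next((c for c in cells if c in ("tcp", "udp")), "unknown")
        conns.append((country, ip, int(port), proto))
    return conns


def c2_summary(conns):
    """Unique endpoints with connection-attempt counts, flagging the IRC port."""
    counts = Counter((ip, port, proto) for _, ip, port, proto in conns)
    return [{"ip": ip, "port": port, "proto": proto, "attempts": n, "irc_port": port in IRC_PORTS}
            for (ip, port, proto), n in sorted(counts.items())]


if __name__ == "__main__":
    procs = parse_process_tree(PROCESS_TREE)
    targets = kill_targets(procs)
    arch, other = split_targets(targets)
    print("kill list:", targets)
    print("architecture names:", arch, "other bot names:", other)
    print("competitor-kill behaviour:", is_competitor_killer(procs))
    for endpoint in c2_summary(parse_network(NETWORK_ROWS)):
        print(endpoint)
```

Feed `parse_process_tree` and `parse_network` the full Processes and Network sections of a report in this layout and the same functions apply; the parsers tolerate the child `/usr/bin/pkill` and `/bin/busybox` rows and the misplaced protocol cell rather than assuming a clean table.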