Overview

overview

10

Static

static

1

a.sh

ubuntu-18.04-amd64

10

a.sh

debian-9-armhf

9

a.sh

debian-9-mips

10

a.sh

debian-9-mipsel

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a.sh

  • Size

    2KB

  • Sample

    230428-tseghafb34

  • MD5

    96356ee0827a85636db9ca1346673617

  • SHA1

    eb0af33f1788f935b5c74f3bdb6151b336388851

  • SHA256

    6ce6a09cc43b05563309bfee1e3aa77240e87ff28fc0340736eee93f4acd7ba2

  • SHA512

    bb4efc748ba2439487b6d2a92a9639210e437ef41791bd10aadb6566d0c9b0db7ad5674548e50c1a169bd78de069bed22f96236f109e54fe09b89c7cff0a6c88

Score
10/10
miraisorabotnetdiscoverylinuxupx

Malware Config

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

SORA

Targets

    • Target

      a.sh

    • Size

      2KB

    • MD5

      96356ee0827a85636db9ca1346673617

    • SHA1

      eb0af33f1788f935b5c74f3bdb6151b336388851

    • SHA256

      6ce6a09cc43b05563309bfee1e3aa77240e87ff28fc0340736eee93f4acd7ba2

    • SHA512

      bb4efc748ba2439487b6d2a92a9639210e437ef41791bd10aadb6566d0c9b0db7ad5674548e50c1a169bd78de069bed22f96236f109e54fe09b89c7cff0a6c88

    Score
    10/10
    miraisorabotnetdiscoveryupx

    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

      botnetmirai

    • Contacts a large (196247) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Contacts a large (198421) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Contacts a large (199728) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Contacts a large (2687) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Modifies the Watchdog daemon

      Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

    • Changes its process name

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Reads system network configuration

      Uses contents of /proc filesystem to enumerate network settings.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1
T1562

Credential Access

Discovery

Network Service Scanning

5
T1046

System Network Connections Discovery

1
T1049

System Network Configuration Discovery

1
T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks