General

  • Target: bins.sh
  • Size: 10KB
  • Sample: 240809-mr8wdstcqg
  • MD5: f064b93641da57ab1b510a06a284bacd
  • SHA1: 77ebf690333960186de349f1ccd1d6ac9df3748a
  • SHA256: 1a8b53d206810f02a59c8a0ce14bd3ff49a31f78802ef24e0a3e63fd4e857b2d
  • SHA512: 02e4910ae45ca7e75053ede74511bcf417a72a1d15fb60c2e44bae30320b0e89dd98d383aefec312b23dca671892d0e1d6991fb45c5d5af0bcf21d84388c0e54
  • SSDEEP: 48:pccGoQSoGFIAw6YQFaak0xrr6TofZKYn6ra/oSY9QJgnmlt6YLupG:+cGoQSoGFhw6ZFaakwrhcsd/+wa4t

Malware Config

Extracted

Credentials

  • Protocol: ftp
  • Host: 154.216.19.139
  • Port: 21
  • Username: anonymous
  • Password: busybox@

Extracted

Credentials

  • Protocol: ftp
  • Host: secure.microsoftconnect.net
  • Port: 21
  • Username: anonymous
  • Password: busybox@

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

mirai

Botnet

MIRAI

C2

secure.microsoftconnect.net

Targets

    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

    • Contacts a large number (21042) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes itself

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system.
