General

  • Target

    thinkphp.sh

  • Size

    2KB

  • Sample

    241217-shbgesskcw

  • MD5

    db3a7457f4154588f7433e2942262840

  • SHA1

    643f9177e1c2e4fb068a738aed39d9f4077a1b40

  • SHA256

    b70f72d434a70753f21c18e3f40d2a36883f06d8875c343102b624057f6d69c7

  • SHA512

    d7fecb9613574057145723589f2f34a5b957791f4b63c8529301e6cd4829a1538b38f4e55900303b73124855b67e6af97dfd57c2008c9f87f620675d40ffd9bd

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

C2

servers.vlrt-gap.com

Extracted

Family

mirai

Botnet

UNSTABLE

Targets

    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

    • Mirai family

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Deletes itself

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.

    • Enumerates active TCP sockets

      Gets active TCP sockets from the /proc virtual filesystem.

    • Writes file to system bin folder

MITRE ATT&CK Enterprise v15