Mirai botnet: New sophisticated Scanner

Haythem Elmir


A new variant of “Mirai” targeting Internet of Things (IoT) devices such as video cameras and routers is spreading. The new ELF Trojan scans for network and IoT devices and tries to compromise them, especially those still protected only by default credentials. The samples were served from the IP 199[.]180.134.215.

1. The downloader

http://199[.]180.134.215/bins.sh (md5: a45799ca012830ba03aec105b3ea1d49)

2. Samples

  • 13b428fa5171c8d90de633257cd41b85 : qvmxvl
  • 9f868f1032e47a48c79420a19a3721e4 : atxhua
  • 3fc2e827e0ba28e6a175c08b151a7ff1 : fwdfvf
  • 01d87ee11755b4808298e96a31dcc50b : vvglma
  • 1b6e07bc6562f8c854fe1b54799478a1 : qtmzbn
  • a397942f1b2724212cf0c76a7abb04df : nvitpj
  • abceffc8f33f8e8a671cd9d11e7e310a : lnkfmx
  • cfb3a8d8a6c90e8cdb5b8f2901a86367 : vtyhat
  • 137b247b45f573d9076730ee8b1c07b6 : cemtop
  • 2fbd924bc690857720168c1ca5431b59 : razdzn
  • 42c5f6a5b8428c72bb743bcbecdc0779 : ajoomk
  • 04d729ece6c04aee4be88c4ae6055149 : earyzq

FTP:

The samples can also be downloaded from the same host over anonymous FTP. Listing the directory shows:

  • File ftp1.sh (md5: 532e0d570a3292c66016dda40819eec9)
  • Creation date of the ELF files: 09/08/18

ftp://199[.]180.134.215/
ftp://199[.]180.134.215/ftp.sh

3. Malware Analysis

3.1. Multiple architectures

Running the `file` command on the samples shows that they are built for several different architectures. All twelve are statically linked and not stripped, which is typical of cross-compiled Mirai builds for embedded targets and means symbol names survive for later analysis:

  • qvmxvl: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
  • atxhua: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, with debug_info, not stripped
  • fwdfvf: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, with debug_info, not stripped
  • vvglma: ELF 64-bit LSB executable, x86–64, version 1 (SYSV), statically linked, not stripped
  • qtmzbn: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, with debug_info, not stripped
  • nvitpj: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
  • lnkfmx: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
  • vtyhat: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
  • cemtop: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
  • razdzn: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
  • ajoomk: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped
  • earyzq: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
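The sample list in section 2 and the `file` output above are the two checks a responder repeats on every new drop. The script below is an added example, not code from the original article or from the malware: it matches MD5s against the published list and reads class, endianness and `e_machine` directly from the first 20 bytes of each file, so it reproduces the `file` verdict even on a minimal box without libmagic. The function names (`ioc_lookup`, `elf_arch`, `triage`, `write_demo_header`) are the example's own, and the ELF header it generates for the demo is constructed (a bare header with no code), not a real sample.

```shell
#!/bin/sh
# Offline triage helper for the Mirai samples listed above (added example,
# not the article's code). It reproduces two checks from the write-up:
#   1. MD5 lookup against the published IOC list
#   2. ELF class / endianness / machine straight from the header, matching
#      what `file` reports ("ELF 32-bit MSB executable, MIPS, ...")

# MD5 -> sample name, exactly as published in section 2
MIRAI_MD5S="
13b428fa5171c8d90de633257cd41b85 qvmxvl
9f868f1032e47a48c79420a19a3721e4 atxhua
3fc2e827e0ba28e6a175c08b151a7ff1 fwdfvf
01d87ee11755b4808298e96a31dcc50b vvglma
1b6e07bc6562f8c854fe1b54799478a1 qtmzbn
a397942f1b2724212cf0c76a7abb04df nvitpj
abceffc8f33f8e8a671cd9d11e7e310a lnkfmx
cfb3a8d8a6c90e8cdb5b8f2901a86367 vtyhat
137b247b45f573d9076730ee8b1c07b6 cemtop
2fbd924bc690857720168c1ca5431b59 razdzn
42c5f6a5b8428c72bb743bcbecdc0779 ajoomk
04d729ece6c04aee4be88c4ae6055149 earyzq
"

# ioc_lookup MD5 -> prints the sample name, or "unknown" (case-insensitive)
ioc_lookup() {
    name=$(printf '%s\n' "$MIRAI_MD5S" | awk -v h="$1" 'tolower($1)==tolower(h){print $2}')
    printf '%s\n' "${name:-unknown}"
}

# byte_at FILE OFFSET -> decimal value of the byte at OFFSET
byte_at() {
    od -An -tu1 -j "$2" -N 1 "$1" | tr -d ' '
}

# elf_arch FILE -> "ELF <32|64>-bit <LSB|MSB> <machine>", or "not ELF"
# e_ident[4] = class, e_ident[5] = data encoding, e_machine at offset 18
# (same offset for ELF32 and ELF64, read in the file's own byte order)
elf_arch() {
    f=$1
    [ "$(wc -c < "$f" | tr -d ' ')" -ge 20 ] || { echo "not ELF"; return 1; }
    [ "$(byte_at "$f" 0)" = 127 ] && [ "$(byte_at "$f" 1)" = 69 ] &&
    [ "$(byte_at "$f" 2)" = 76 ]  && [ "$(byte_at "$f" 3)" = 70 ] || { echo "not ELF"; return 1; }
    case $(byte_at "$f" 4) in 1) class=32-bit ;; 2) class=64-bit ;; *) echo "not ELF"; return 1 ;; esac
    b18=$(byte_at "$f" 18); b19=$(byte_at "$f" 19)
    case $(byte_at "$f" 5) in
        1) data=LSB; machine=$((b18 + 256 * b19)) ;;
        2) data=MSB; machine=$((b18 * 256 + b19)) ;;
        *) echo "not ELF"; return 1 ;;
    esac
    # e_machine values for the architectures seen in this campaign
    case $machine in
        2)  m="SPARC" ;;         3)  m="Intel 80386" ;;
        4)  m="Motorola m68k" ;; 8)  m="MIPS" ;;
        20) m="PowerPC" ;;       40) m="ARM" ;;
        42) m="Renesas SH" ;;    62) m="x86-64" ;;
        *)  m="e_machine $machine" ;;
    esac
    echo "ELF $class $data $m"
}

# triage FILE -> "<md5> <ioc name> <arch summary>" on one line
triage() {
    sum=$(md5sum < "$1" | cut -c1-32)
    echo "$sum $(ioc_lookup "$sum") $(elf_arch "$1")"
}

# write_demo_header FILE CLASS DATA MACHINE: emit a constructed 20-byte ELF
# header (magic, class, data, version 1, padding, e_type=2, e_machine).
# Demonstration input only; it contains no code and will not execute.
write_demo_header() {
    f=$1; class=$2; data=$3; machine=$4
    hi=$((machine / 256)); lo=$((machine % 256))
    if [ "$data" = 1 ]; then m1=$lo; m2=$hi; else m1=$hi; m2=$lo; fi
    fmt=$(printf '\\177ELF\\%03o\\%03o\\001\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\002\\%03o\\%03o' \
          "$class" "$data" "$m1" "$m2")
    printf "$fmt" > "$f"
}

# Stand-alone demo on a constructed 32-bit MSB MIPS header (what `file`
# reported for earyzq). Against a real drop: for s in ./samples/*; do triage "$s"; done
demo=$(mktemp)
write_demo_header "$demo" 1 2 8
triage "$demo"
rm -f "$demo"
```

Run it from the directory holding the downloaded samples to get one line per file with its MD5, the name it matches in the IOC list (or `unknown` for a new build) and its target architecture. A mismatch between the architecture and the name is worth a second look, since the Mirai droppers name binaries arbitrarily and a re-packed campaign often keeps old names on new builds.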

3.2. Strings

The next step is to collect information with the `strings` command. Because the binaries are not stripped, the output includes function and symbol names as well as the embedded URLs, credentials and file names.

Files referenced by the samples but not found on the server:

  • NotTouchMe.sh
  • NotBackDoor2.sh
