Analysis of a sample from MalwareBazaar: MalwareBazaar | SHA256 a01d53662d83c31a5b4478bc57fc4fee1ba9d4f6178a94a107c472133adea368 (Mirai)
Stage 1
The initial download is a Linux shell script in cleartext with comments in Chinese. I have added English translations in brackets for each comment. The script connects to a server in order to download 13 binaries, one for each type of processor. Props to the author of the script for doing least privilege and only granting execution privs. It then attempts to run the binary with a command such as ./x86 x86.test?
Static Analysis of arm7
I initially tried the x86 binary, which essentially just had an infinite loop that appeared to do nothing:
The arm7 binary is significantly bigger. Opening it in Ghidra reveals many more functions, along with both plaintext strings and encrypted strings that appear to belong to a table. ARM7 is a processor family that was used in the late 90s, and Mirai is known for trying to take control of such devices to add them to its botnet.
An interesting note is that comments from the compilation of the program from C remain, including the username of the user who built it, landley:
The main function of the application sets up a srv_addr matrix and calls table_init() to store important information. Many of the strings here are obfuscated and/or encrypted. It also calls attack_init(), ioctl_keepalive(), scanner_init() and killer_init(). These functions respectively set up the paths for DoS/flood attacks, prevent the system from hanging, scan for available machines to compromise, and kill services by port.
There are several attack methods listed in the functions pane; attack_init() goes down the list, registering multiple different attack types.
XOR Brute Force in CyberChef found the key for several of the encrypted strings seen in the binary: 37 (CyberChef reports the key in hex, so this is 0x37). We can feed these strings back into CyberChef to recover them. For example, SRQVB[C resolves to default. The scanner class is used to try default credentials in order to compromise further devices. Here is a view of all the options with passwords: default:default, admin:admin, root:vizxv, bin:0000, adm:0000, root:default, root:root, root:admin, root:1001chin, root:D13hh[, root:ZLXX, root:xc3511, root:5up.
You can find an almost decade-old source code dump of Mirai on GitHub, here. While there are some differences, such as how the table is generated, other aspects of the source code are virtually identical to this sample. It shows a check for debuggers, and if one is present, the table is not unlocked.
One string, when XORed back with 37, returns /bin/busybox WICKED. Wicked is a variant of Mirai, typically targeting IoT devices.
Many other notable strings, once XORed, reveal the construction of things such as a POST request. They include server: dos arrest and server: cloudflare-nginx as headers. There are some unusual strings, and one profane string, before the remainder of them become unintelligible or appear to be under another layer of encryption:
Several of these strings can be seen under the original Table.h source code.
There is also a 1337C0D3 key found under the unlock function, which uses it in a series of XOR operations to further decrypt certain addresses.
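The single-byte key of 37 (0x37) found by brute force, the SRQVB[C → default example, and the 1337C0D3 value under the unlock function fit together under the table scheme from the public Mirai source linked above: table.c's toggle_obf() XORs every byte of a table entry with each of the four bytes of a 32-bit key in turn, which collapses to one XOR with k1^k2^k3^k4, and the four bytes of 0x1337C0D3 XOR to exactly 0x37. The script below is an added example, not code from the page or from the Mirai source; it reimplements that scheme in Python, recovers the key from a known-plaintext crib, and runs the 256-key brute force CyberChef performs. That this sample's unlock routine follows the original toggle_obf() exactly is an assumption; the page only says the key is used in a series of XOR operations.

```python
"""
Decode Mirai-style XOR-obfuscated table strings (added example, not the page's code).

Assumptions:
- The obfuscation follows toggle_obf() from the public Mirai table.c: each byte
  is XORed successively with the four bytes of a 32-bit table key.
- The 32-bit key 0x1337C0D3 is the value the page reports under the unlock
  function; its bytes XOR to 0x37, matching the brute-forced single-byte key.
"""
from typing import List, Optional

TABLE_KEY = 0x1337C0D3  # "1337C0D3" as seen in the unlock function (from the page)


def effective_key(table_key: int) -> int:
    """Four successive single-byte XORs collapse to one byte: k1 ^ k2 ^ k3 ^ k4."""
    k1 = table_key & 0xFF
    k2 = (table_key >> 8) & 0xFF
    k3 = (table_key >> 16) & 0xFF
    k4 = (table_key >> 24) & 0xFF
    return k1 ^ k2 ^ k3 ^ k4


def toggle_obf(data: bytes, table_key: int = TABLE_KEY) -> bytes:
    """XOR is its own inverse, so the same call both locks and unlocks an entry."""
    k = effective_key(table_key)
    return bytes(b ^ k for b in data)


def recover_key_with_crib(ciphertext: bytes, crib: bytes) -> Optional[int]:
    """Known-plaintext recovery: every position must agree on one single-byte key."""
    if len(ciphertext) != len(crib):
        return None
    keys = {c ^ p for c, p in zip(ciphertext, crib)}
    return keys.pop() if len(keys) == 1 else None


def printable_candidates(ciphertext: bytes) -> List[int]:
    """What CyberChef's XOR Brute Force does: keep keys giving printable ASCII only."""
    return [k for k in range(256)
            if all(0x20 <= (b ^ k) < 0x7F for b in ciphertext)]


if __name__ == "__main__":
    encoded = b"SRQVB[C"                      # the obfuscated string quoted on the page
    print("effective key: 0x%02x" % effective_key(TABLE_KEY))
    print("decoded:", toggle_obf(encoded).decode())
    print("crib key:  0x%02x" % recover_key_with_crib(encoded, b"default"))
    print("printable candidate keys:", [hex(k) for k in printable_candidates(encoded)])
    # Round-trip the busybox string the page mentions to show lock == unlock.
    busybox = b"/bin/busybox WICKED"
    assert toggle_obf(toggle_obf(busybox)) == busybox
```

For a short string many keys yield printable output, which is why the crib check (or a longer known entry such as the busybox command) is the reliable way to confirm the key before decoding the rest of the table.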
Dynamic Analysis
Using ps -e we can see strange process names. Re-running the binary confirms the name is randomly generated:
During execution, it connects back to the original IP over port 5555. This CNC appears like this if you connect via telnet, and it requests a username and password.
My VM hangs at this stage and is in a constant loop of reaching out to the CNC server on port 5555.
VirusTotal's sandbox shows that after connecting to the CNC server, it proceeds to open over 300 connections to devices via port 23 or 2323.
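The two behaviours observed in the dynamic analysis, a beacon loop to the CNC on port 5555 followed by a fan-out of telnet connections on 23 and 2323, are what a defender would hunt for in flow logs. The script below is an added example, not the author's tooling: it flags source hosts that contact the page's CNC indicator on 5555 and hosts whose distinct telnet destinations exceed a threshold. The log line format and the sample records are constructed for this example, and the fan-out threshold of 20 is an assumed tuning value.

```python
"""
Hunt for Mirai-style CNC beaconing and telnet fan-out in flow records
(added example; the log format and sample data are constructed, not the page's).

Record format assumed here:  <timestamp> <src_ip> -> <dst_ip>:<dst_port> tcp
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

C2_IP = "45.221.96.37"        # IoC from the page (written there as 45.221.96[.]37)
C2_PORT = 5555                # CNC telnet port observed during execution
SCAN_PORTS = {23, 2323}       # ports the sandbox saw the scanner use
FANOUT_THRESHOLD = 20         # assumed tuning value, not from the page

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) tcp$"
)


def build_sample_log() -> List[str]:
    """Constructed flow records: one infected host and one benign host."""
    lines = []
    # Infected host beacons to the CNC on 5555, as the VM did in a loop.
    for i in range(3):
        lines.append(f"2024-01-01T00:00:{i:02d} 10.0.0.5 -> {C2_IP}:{C2_PORT} tcp")
    # It then fans out to telnet on many devices, as the sandbox reported.
    for i in range(25):
        port = 23 if i % 2 == 0 else 2323
        lines.append(f"2024-01-01T00:01:{i:02d} 10.0.0.5 -> 192.0.2.{i + 1}:{port} tcp")
    # Benign host: one SSH session and a single telnet login, which is not a scan.
    lines.append("2024-01-01T00:02:00 10.0.0.9 -> 10.0.0.1:22 tcp")
    lines.append("2024-01-01T00:02:01 10.0.0.9 -> 192.0.2.1:23 tcp")
    return lines


def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (src, dst, port) or None for a record that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], m["dst"], int(m["port"])


def flag_hosts(lines: List[str], fanout_threshold: int = FANOUT_THRESHOLD) -> Dict[str, List[str]]:
    """Map each suspicious source IP to the list of reasons it was flagged."""
    c2_hits: Dict[str, int] = defaultdict(int)
    scan_targets: Dict[str, set] = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, port = parsed
        if dst == C2_IP and port == C2_PORT:
            c2_hits[src] += 1
        if port in SCAN_PORTS:
            scan_targets[src].add(dst)

    findings: Dict[str, List[str]] = {}
    for src in set(c2_hits) | set(scan_targets):
        reasons = []
        if c2_hits[src]:
            reasons.append(f"{c2_hits[src]} connection(s) to CNC {C2_IP}:{C2_PORT}")
        if len(scan_targets[src]) >= fanout_threshold:
            reasons.append(f"telnet fan-out to {len(scan_targets[src])} distinct hosts on 23/2323")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in flag_hosts(build_sample_log()).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

The CNC match is exact on IP and port because the page gives both; the fan-out rule deliberately counts distinct destinations rather than raw connections, so a host repeatedly talking to one telnet device is not mistaken for the scanner.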
Indicators
IP
45.221.96[.]37
URLs
hxxp://45.221.96[.]37/bins
telnet[:]//45.221.96[.]37:5555
SHA256
1eedc607dad9447de65c6cec87a5056061f93c4a9613bd1b2490e516850ebb40 – arm5
2819286d2a3bbd3eaf053b76d8fa793b6b083e644749dcaae8989a1c2c0c7074 – arm
32fbcfdd4e3a032cf3d10c8b32eb395ca3ad286f29d4f355ccfe43c7d1e88e8e – ppc
43f5ff4d7772f1971762b6bb9b07f9a312047137c25af58ec3c357f59a5211eb – arm6
4a36a56a5cb80c758d167025a7d24729ef46a05c7eb7b1b98517f9d330bcc934 – arm7
906b9479702bc85c78b47cfda8458df2de676d2ba44bfdecf9d2567b50ea731e – mpsl
98a4cade937c06972cc9fea3ae709671a184a521663b455916d522d4b5d0b0a0 – m68k
b2e20a0872c5655d8cfdaf04af712dff9b9ce73c26caad5c039280fc738cfd33 – spc
b9782775086aa0d972edb1c8977cbf85ee0787a772ba5600e5e478e98ce36ea7 – mips
bd79770c08676da572634233061f4f821b89cc182853a2e5bc9a0abfd9cd9514 – x86
c6cd8c56a159ac440c807f8576d39a60462d62db9c054bf11e306fb9ebf4ce42 – sh4
f0c5e09caedea9ee5cebf2366a680ad0590cb2024e7afc062d6cdf955eec8105 – arc
MD5
81bdfcae2e518a8e9201cf6bc30c98f3 – arm5
85a550d202cbe94c5bf8ed43e69ea2bb – arm
e3abfa6136b6004687eecee5bed69cbe – ppc
cc9580a4aa490b6609747aa8fc9d1360 – arm6
48e2be001db9a4da901886e00f564d43 – arm7
bd4abf664c56da6754d883fac2d22019 – mpsl
6a761808fd9ef943bc91d8da695b2ea8 – m68k
44be1b5c620f650463152013a174350c – spc
bdc77d8814dc759983a3d76c17614161 – mips
5e76a63da5729d3a5f83f4ccdbe79374 – x86
5abe6eb7b40a7e84a4878c6b04f68b88 – sh4
b00d1adf1347139583c76f5df80dbe76 – arc