Mirai Botnet: New sophisticated Scanner
A new variant of Mirai (whose precursors include Bashlite, Gafgyt, Qbot and Remaiten) is spreading, targeting Internet of Things (IoT) devices such as video cameras and routers. The new ELF Trojan scans for network and IoT devices and tries to compromise them, especially those still protected by default credentials. The samples were served from the IP 199[.]180.134.215.
1. The downloader


2. Samples
- 13b428fa5171c8d90de633257cd41b85 : qvmxvl
- 9f868f1032e47a48c79420a19a3721e4 : atxhua
- 3fc2e827e0ba28e6a175c08b151a7ff1 : fwdfvf
- 01d87ee11755b4808298e96a31dcc50b : vvglma
- 1b6e07bc6562f8c854fe1b54799478a1 : qtmzbn
- a397942f1b2724212cf0c76a7abb04df : nvitpj
- abceffc8f33f8e8a671cd9d11e7e310a : lnkfmx
- cfb3a8d8a6c90e8cdb5b8f2901a86367 : vtyhat
- 137b247b45f573d9076730ee8b1c07b6 : cemtop
- 2fbd924bc690857720168c1ca5431b59 : razdzn
- 42c5f6a5b8428c72bb743bcbecdc0779 : ajoomk
- 04d729ece6c04aee4be88c4ae6055149 : earyzq
FTP:
To download the samples, we can use anonymous FTP. On the server we can see:
- the file ftp1.sh (md5: 532e0d570a3292c66016dda40819eec9)
- ELF creation date: 09/08/18


3. Malware Analysis
3.1. Several different architectures
Running the file command on the samples shows that they are built for several different architectures:

- qvmxvl: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
- atxhua: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, with debug_info, not stripped
- fwdfvf: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, with debug_info, not stripped
- vvglma: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
- qtmzbn: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, with debug_info, not stripped
- nvitpj: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
- lnkfmx: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
- vtyhat: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
- cemtop: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
- razdzn: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
- ajoomk: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped
- earyzq: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
3.2. Strings
The next step is to collect information with the strings command.

Files referenced by the binaries but not found on the server:
- NotTouchMe.sh
- NotBackDoor2.sh

User agents:
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.9a8) Gecko/2007100620 GranParadiso/3.1
Mozilla/5.0 (compatible; U; ABrowse 0.6; Syllable) AppleWebKit/420+ (KHTML, like Gecko)
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.6) Gecko/2009020911
Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; MyIE2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0)
Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/20090327 Galeon/2.0.7
Mozilla/5.0 (PLAYSTATION 3; 3.55)
Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 Lightning/4.0.2
wii libnup/1.0
Mozilla/4.0 (PSP (PlayStation Portable); 2.00)
PSP (PlayStation Portable); 2.00
Bunjalloo/0.7.6(Nintendo DS;U;en)
Doris/1.15 [en] (Symbian)
BlackBerry7520/4.0.0 Profile/MIDP-2.0 Configuration/CLDC-1.1
BlackBerry9700/5.0.0.743 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/100
Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Opera/9.80 (Windows NT 5.1; U;) Presto/2.7.62 Version/11.01
Mozilla/5.0 (X11; Linux x86_64; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.62
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.39 Safari/525.19
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; chromeframe/11.0.696.57)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; uZardWeb/1.0; Server_JP)
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; en-us) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Safari/530.17 Skyfire/2.0
SonyEricssonW800i/R1BD001/SEMC-Browser/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0; FDM; MSIECrawler; Media Center PC 5.0)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20110517 Firefox/5.0 Fennec/5.0
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts)
MOT-V300/0B.09.19R MIB/2.2 Profile/MIDP-2.0 Configuration/CLDC-1.0
Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Mozilla/5.0 (compatible; Teleca Q7; Brew 3.1.5; U; en) 480X800 LGE VX11000
MOT-L7/08.B7.ACR MIB/2.2.1 Profile/MIDP-2.0 Configuration/CLDC-1.1
Logins and passwords:
telnet,root,admin,support,user,Administrator,service,supervisor,guest,admin1,administrator,666666,888888,ubnt,klv1234,Zte521,hi3518,jvbzd,anko,zlxx,7ujMko0vizxv,7ujMko0admin,system,ikwb,dreambox,realtek,00000000,111111,1234,12345,54321,123456,pass,meinsm,tech,fucker,xc3511,vizxv,xmhdipc,default,juantech,password,admin1234,1111,smcadmin,klv123
Removing previously installed malware from /tmp/*, /var/*, /var/run/*, /var/tmp/*
rmips,mipsel,i686,i586,jack*,hack*,arm*tel*b1,wget,orion,lol*,busybox*,badbox*,DFhxdhdf,dvrHelper,FDFDHFC,FEUB,FTUdftui,GHfjfgvj,jhUOH,JIPJIPJj,JIPJuipjh,kmyx86_64,lolmipsel,RYrydry,TwoFace*,UYyuyioy,XDzdfxzf,
busybox,badbox,Mirai*,mirai*,cunty*IoT*
Subnets to scan: besides a generic %d.%d.%d.%d format string, the binary embeds a long hardcoded list of /16 prefixes in the form A.B.%d.%d (the list is omitted here), which tells us the scanner is aimed at specific address ranges rather than the whole Internet.
Scanner:
At this point I was surprised: this malware uses a new scanner, so I tried to collect information about it.
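As an added example (not code from the original post), the following Python script reproduces the strings step of this section and scores a binary against the indicator families found above: default credential pairs, the A.B.%d.%d subnet templates, bot-killer process names, temp-directory globs and the two missing dropper script names. The sample bytes, the scoring threshold and all function names are my own assumptions.

```python
"""Static triage of a suspected Mirai-variant ELF by its embedded strings."""
import re

# Indicator families taken from the strings output and source listings in the post.
CREDENTIAL_PAIRS = {("root", "xc3511"), ("root", "vizxv"), ("admin", "admin"),
                    ("root", "juantech"), ("root", "7ujMko0vizxv"), ("ubnt", "ubnt")}
KILL_NAMES = {"dvrHelper", "busybox", "badbox", "orion", "TwoFace", "jackmymips"}
TEMP_GLOBS = {"/tmp/*", "/var/run/*", "/var/tmp/*", "/root/tmp/*"}
DROPPER_SCRIPTS = {"NotTouchMe.sh", "NotBackDoor2.sh"}
# A /16 prefix with the host octets left as printf placeholders, e.g. 37.11.%d.%d
SUBNET_TEMPLATE = re.compile(r"^\d{1,3}\.\d{1,3}\.%d\.%d$")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings -n 4`: runs of printable ASCII of at least min_len."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes) -> dict:
    """Match the extracted strings against each indicator family and score them."""
    found = set(extract_strings(data))
    # Usernames and passwords are stored as separate C strings, so a pair only
    # counts when both halves are present in the binary.
    creds = sorted(p for p in CREDENTIAL_PAIRS if p[0] in found and p[1] in found)
    subnets = sorted(s for s in found if SUBNET_TEMPLATE.match(s))
    kills = sorted(n for n in KILL_NAMES if n in found)
    temps = sorted(t for t in TEMP_GLOBS if t in found)
    droppers = sorted(d for d in DROPPER_SCRIPTS if d in found)
    # One point per family that fires; three or more families is a strong match
    # (assumed threshold, tune against your own sample set).
    score = sum(1 for fam in (creds, subnets, kills, temps, droppers) if fam)
    return {"credential_pairs": creds, "subnet_templates": subnets,
            "kill_list": kills, "temp_globs": temps, "dropper_scripts": droppers,
            "score": score, "verdict": "mirai-like" if score >= 3 else "inconclusive"}


# Constructed stand-in for the string table of a bot binary (not a real sample).
SAMPLE = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    + b"root\x00xc3511\x00vizxv\x00admin\x00juantech\x00"
    + b"%d.%d.%d.%d\x0037.11.%d.%d\x00188.76.%d.%d\x00"
    + b"dvrHelper\x00busybox\x00/tmp/*\x00/var/run/*\x00NotTouchMe.sh\x00"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage(open(path, "rb").read())`; the generic %d.%d.%d.%d string is deliberately not counted, since only the hardcoded /16 templates are characteristic of this variant.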

3.3. New sophisticated scanner
I used Google to collect information about the scanner and finally found its code.

The scanner's code (client.c) was uploaded to Pastebin on 31/08/2018 (https://pastebin.com/raw/JWKpuKid).

I now analyse the code.
Many functions are used in the code:
- void makeRandomStr(unsigned char *buf, int length)
- void init_rand(uint32_t x)
- void advance_telstate(struct telstate_t* telstate, int new_state)
- void reset_telstate(struct telstate_t* telstate)
- void trim(char *str)
- void makeIPPacket(struct iphdr *iph, uint32_t dest, uint32_t source, uint8_t protocol, int packetSize)
- void BCMscanner()
- void TelnetScanner(int wait_usec, int maxfds)
- void MiraiScanner(int wait_usec, int maxfds)
- void PhoneScanner()
- void HackaShit()
- void MiraiHackaShit()
- void sendSTD(unsigned char *ip, int port, int secs)
- void SendUDP(unsigned char *target, int port, int timeEnd, int packetsize, int pollinterval, int spoofit)
- void SendTCP(unsigned char *target, int port, int timeEnd, unsigned char *flags, int packetsize, int pollinterval, int spoofit)
- void SendHTTP(char *method, char *host, in_port_t port, char *path, int timeEnd, int power)
- void ClearHistory()
- void RandomPythonRange()
- void processCmd(int argc, unsigned char *argv[])
- void UpdateNameSrvs()
- void RemoveTempDirs()

The code can be divided into:
- 4 scanners that brute-force many subnets (telnet + ssh):
  - void BCMscanner()
  - void TelnetScanner(int wait_usec, int maxfds)
  - void MiraiScanner(int wait_usec, int maxfds)
  - void PhoneScanner()
- 4 DDoS modules that send traffic to the victim:
  - void sendSTD(unsigned char *ip, int port, int secs)
  - void SendUDP(unsigned char *target, int port, int timeEnd, int packetsize, int pollinterval, int spoofit)
  - void SendTCP(unsigned char *target, int port, int timeEnd, unsigned char *flags, int packetsize, int pollinterval, int spoofit)
  - void SendHTTP(char *method, char *host, in_port_t port, char *path, int timeEnd, int power)
- 1 module to remove temp directories: void RemoveTempDirs()
- 1 module to clear the shell history: void ClearHistory()
- 1 module to update the network (name server) configuration: void UpdateNameSrvs()
- initConnection() to connect to the C&C server




We can find the default usernames and passwords in the source.
Telnet usernames:
char *Telnet_Usernames[] = {
"telnet\0", //telnet:telnet
"root\0", //root:
"root\0", //root:1234
"admin\0", //admin:admin
"admin\0", //admin:
"admin\0", //admin:password
"user\0", //user:user
};
Telnet passwords:
char *Telnet_Passwords[] = {
"telnet\0", //telnet:telnet
"\0", //root:
"1234\0", //root:1234
"admin\0", //admin:admin
"\0", //admin:
"password\0", //admin:password
"user\0", //user:user
};
Mirai usernames (note that from "klv1234" onward this array holds password strings rather than usernames; the intended pair is given in each line's comment):
char *Mirai_Usernames[] = {
"telnet\0", //mother:fucker
"root\0", //root:xc3511
"root\0", //root:vizxv
"root\0", //root:admin
"admin\0", //admin:admin
"root\0", //root:888888
"root\0", //root:xmhdipc
"root\0", //root:default
"root\0", //root:juantech
"root\0", //root:123456
"root\0", //root:54321
"support\0", //support:support
"root\0", //root:(none)
"admin\0", //admin:password
"root\0", //root:root
"root\0", //root:12345
"user\0", //user:user
"admin\0", //admin:(none)
"root\0", //root:pass
"admin\0", //admin:admin1234
"root\0", //root:1111
"admin\0", //admin:smcadmin
"admin\0", //admin:1111
"root\0", //root:666666
"root\0", //root:password
"root\0", //root:1234
"root\0", //root:klv123
"Administrator\0", //Administrator:admin
"service\0", //service:service
"supervisor\0", //supervisor:supervisor
"guest\0", //guest:guest
"guest\0", //guest:12345
"guest\0", //guest:12345
"admin1\0", //admin1:password
"administrator\0", //administrator:1234
"666666\0", //666666:666666
"888888\0", //888888:888888
"ubnt\0", //ubnt:ubnt
"klv1234\0", //root:klv1234
"Zte521\0", //root:Zte521
"hi3518\0", //root:hi3518
"jvbzd\0", //root:jvbzd
"anko\0", //root:anko
"zlxx\0", //root:zlxx
"7ujMko0vizxv\0", //root:7ujMko0vizxv
"7ujMko0admin\0", //root:7ujMko0admin
"system\0", //root:system
"ikwb\0", //root:ikwb
"dreambox\0", //root:dreambox
"user\0", //root:user
"realtek\0", //root:realtek
"00000000\0", //root:00000000
"1111111\0", //admin:1111111
"1234\0", //admin:1234
"12345\0", //admin:12345
"54321\0", //admin:54321
"123456\0", //admin:123456
"7ujMko0admin\0", //admin:7ujMko0admin
"1234\0", //admin:1234
"pass\0", //admin:pass
"meinsm\0", //admin:meinsm
"tech\0", //tech:tech
"fucker\0", //mother:fucker
};
Mirai passwords:
char *Mirai_Passwords[] = {
"telnet\0", //mother:fucker
"xc3511\0", //root:xc3511
"vizxv\0", //root:vizxv
"admin\0", //root:admin
"admin\0", //admin:admin
"888888\0", //root:888888
"xmhdipc\0", //root:xmhdipc
"default\0", //root:default
"juantech\0", //root:juantech
"123456\0", //root:123456
"54321\0", //root:54321
"support\0", //support:support
"\0", //root:(none)
"password\0", //admin:password
"root\0", //root:root
"12345\0", //root:12345
"user\0", //user:user
"\0", //admin:(none)
"pass\0", //root:pass
"admin1234\0", //admin:admin1234
"1111\0", //root:1111
"smcadmin\0", //admin:smcadmin
"1111\0", //admin:1111
"666666\0", //root:666666
"password\0", //root:password
"1234\0", //root:1234
"klv123\0", //root:klv123
"admin\0", //Administrator:admin
"service\0", //service:service
"supervisor\0", //supervisor:supervisor
"guest\0", //guest:guest
"12345\0", //guest:12345
"12345\0", //guest:12345
"password\0", //admin1:password
"1234\0", //administrator:1234
"666666\0", //666666:666666
"888888\0", //888888:888888
"ubnt\0", //ubnt:ubnt
"klv1234\0", //root:klv1234
"Zte521\0", //root:Zte521
"hi3518\0", //root:hi3518
"jvbzd\0", //root:jvbzd
"anko\0", //root:anko
"zlxx\0", //root:zlxx
"7ujMko0vizxv\0", //root:7ujMko0vizxv
"7ujMko0admin\0", //root:7ujMko0admin
"system\0", //root:system
"ikwb\0", //root:ikwb
"dreambox\0", //root:dreambox
"user\0", //root:user
"realtek\0", //root:realtek
"00000000\0", //root:00000000
"1111111\0", //admin:1111111
"1234\0", //admin:1234
"12345\0", //admin:12345
"54321\0", //admin:54321
"123456\0", //admin:123456
"7ujMko0admin\0", //admin:7ujMko0admin
"1234\0", //admin:1234
"pass\0", //admin:pass
"meinsm\0", //admin:meinsm
"tech\0", //tech:tech
"fucker\0", //mother:fucker
};
SSH usernames:
char *SSH_Usernames[] = {
"root\0", //root:root
"admin\0", //admin:admin
"root\0", //root:admin
"admin\0", //admin:1234
"ubnt\0", //ubnt:ubnt
"user\0", //user:user
"ususario\0", //usuario:ususario
"telnet\0", //telnet:telnet
"support\0", //support:support
};
SSH passwords:
char *SSH_Passwords[] = {
"root\0", //root:root
"admin\0", //admin:admin
"admin\0", //root:admin
"1234\0", //admin:1234
"ubnt\0", //ubnt:ubnt
"user\0", //user:user
"ususario\0", //usuario:ususario
"telnet\0", //telnet:telnet
"support\0", //support:support
};
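As an added example (not from the post or the scanner source), here is a Python detector that turns the Telnet_*, Mirai_* and SSH_* arrays above into a defender's check: it reads telnet login records and flags sources that cycle through the scanner's credential pairs, reporting which pair eventually succeeded. The log line format, the source addresses and the thresholds are constructed assumptions.

```python
"""Flag telnet login sources that walk the Mirai scanner's credential dictionary."""
import re
from collections import defaultdict

# Pairs rebuilt from the comments on the Mirai_Usernames/Mirai_Passwords arrays
# (a subset; the empty password is the "(none)" entry).
MIRAI_PAIRS = {("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
               ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
               ("root", "default"), ("root", "juantech"), ("root", "123456"),
               ("root", "54321"), ("support", "support"), ("root", ""),
               ("admin", "password"), ("root", "root"), ("root", "12345"),
               ("user", "user"), ("admin", ""), ("root", "pass"),
               ("admin", "admin1234"), ("root", "1111"), ("admin", "smcadmin")}

# Assumed one-attempt-per-line format; adapt the regex to your daemon's logging.
LINE = re.compile(r"^(?P<ts>\S+) telnetd src=(?P<src>[\d.]+) "
                  r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>\w+)$")


def parse(log_text: str) -> list:
    """Return one dict per parseable login attempt, ignoring unrelated lines."""
    return [m.groupdict() for m in map(LINE.match, log_text.splitlines()) if m]


def flag_sources(log_text: str, min_attempts: int = 3, min_ratio: float = 0.6) -> dict:
    """Map flagged source IP -> summary of attempts, dictionary hits and successes."""
    per_src = defaultdict(lambda: {"attempts": 0, "dictionary_hits": 0, "success": []})
    for ev in parse(log_text):
        s = per_src[ev["src"]]
        s["attempts"] += 1
        if (ev["user"], ev["pw"]) in MIRAI_PAIRS:
            s["dictionary_hits"] += 1
        if ev["res"] == "ok":
            # A success after dictionary attempts is the compromise event to act on.
            s["success"].append((ev["user"], ev["pw"]))
    flagged = {}
    for src, s in per_src.items():
        ratio = s["dictionary_hits"] / s["attempts"]
        if s["attempts"] >= min_attempts and ratio >= min_ratio:
            flagged[src] = {**s, "ratio": round(ratio, 2)}
    return flagged


# Constructed log excerpt (documentation addresses, not real traffic).
SAMPLE_LOG = """\
2018-09-08T10:12:01Z telnetd src=203.0.113.7 user=root pass=xc3511 result=fail
2018-09-08T10:12:02Z telnetd src=203.0.113.7 user=root pass=vizxv result=fail
2018-09-08T10:12:03Z telnetd src=203.0.113.7 user=root pass= result=fail
2018-09-08T10:12:04Z telnetd src=203.0.113.7 user=admin pass=admin result=fail
2018-09-08T10:12:05Z telnetd src=203.0.113.7 user=root pass=juantech result=ok
2018-09-08T10:15:30Z telnetd src=198.51.100.4 user=alice pass=Tr0ub4dor result=fail
2018-09-08T10:15:41Z telnetd src=198.51.100.4 user=alice pass=correcthorse result=ok
"""

if __name__ == "__main__":
    for src, summary in flag_sources(SAMPLE_LOG).items():
        print(src, summary)
```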
We can also find the bot killer binaries list (Bot_Killer_Binarys), the process names the bot kills to remove competing malware:
char *Bot_Killer_Binarys[] = {
"amsjkfbns",
"mips",
"xdf.mips",
"xdf.*",
"xdf*",
"xdf.mipsel",
"xdf.x86_64",
"xdf.arm7",
"xdf.ppc",
"xdf.sh4",
"mipsel",
"sh4",
"x86",
"i686",
"ppc",
"i586",
"jack*",
"hack*",
"arm*",
"tel*",
"b1",
"b2",
"b3",
"b4",
"b5",
"b6",
"b7",
"b8",
"b9",
"wget",
"orion",
"lol*",
"busybox*",
"badbox*",
"DFhxdhdf",
"dvrHelper",
"FDFDHFC",
"FEUB",
"FTUdftui",
"GHfjfgvj",
"jhUOH",
"JIPJIPJj",
"JIPJuipjh",
"kmyx86_64",
"lolmipsel",
"mips",
"mipsel",
"RYrydry",
"TwoFace*",
"UYyuyioy",
"x86_64",
"XDzdfxzf",
"xx*",
"sh",
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15",
"16",
"17",
"18",
"19",
"20",
"busybox",
"badbox",
"Mirai*",
"mirai*",
"cunty*",
"IoT*",
"mips",
"mips64",
"mipsel",
"sh2eb",
"sh2elf",
"sh4",
"x86",
"arm",
"armv5",
"armv4tl",
"armv4",
"armv6",
"i686",
"powerpc",
"powerpc440fp",
"i586",
"m68k",
"sparc",
"x86_64",
"jackmymips",
"jackmymips64",
"jackmymipsel",
"jackmysh2eb",
"jackmysh2elf",
"jackmysh4",
"jackmyx86",
"jackmyarmv5",
"jackmyarmv4tl",
"jackmyarmv4",
"jackmyarmv6",
"jackmyi686",
"jackmypowerpc",
"jackmypowerpc440fp",
"jackmyi586",
"jackmym68k",
"jackmysparc",
"jackmyx86_64",
"hackmymips",
"hackmymips64",
"hackmymipsel",
"hackmysh2eb",
"hackmysh2elf",
"hackmysh4",
"hackmyx86",
"hackmyarmv5",
"hackmyarmv4tl",
"hackmyarmv4",
"hackmyarmv6",
"hackmyi686",
"hackmypowerpc",
"hackmypowerpc440fp",
"hackmyi586",
"hackmym68k",
"hackmysparc",
"hackmyx86_64",
"b1",
"b2",
"b3",
"b4",
"b5",
"b6",
"b7",
"b8",
"b9",
"b10",
"b11",
"b12",
"b13",
"b14",
"b15",
"b16",
"b17",
"b18",
"b19",
"b20",
"busyboxterrorist",
"DFhxdhdf",
"dvrHelper",
"FDFDHFC",
"FEUB",
"FTUdftui",
"GHfjfgvj",
"jhUOH",
"JIPJIPJj",
"JIPJuipjh",
"kmymips",
"kmymips64",
"kmymipsel",
"kmysh2eb",
"kmysh2elf",
"kmysh4",
"kmyx86",
"kmyarmv5",
"kmyarmv4tl",
"kmyarmv4",
"kmyarmv6",
"kmyi686",
"kmypowerpc",
"kmypowerpc440fp",
"kmyi586",
"kmym68k",
"kmysparc",
"kmyx86_64",
"lolmips",
"lolmips64",
"lolmipsel",
"lolsh2eb",
"lolsh2elf",
"lolsh4",
"lolx86",
"lolarmv5",
"lolarmv4tl",
"lolarmv4",
"lolarmv6",
"loli686",
"mirai.linux",
"mirai.mips",
"mirai*",
"lolpowerpc",
"lolpowerpc440fp",
"loli586",
"lolm68k",
"lolsparc",
"RYrydry",
"telmips",
"telmips64",
"telmipsel",
"telsh2eb",
"telsh2elf",
"telsh4",
"telx86",
"telarmv5",
"telarmv4tl",
"telarmv4",
"telarmv6",
"teli686",
"telpowerpc",
"telpowerpc440fp",
"teli586",
"telm68k",
"telsparc",
"telx86_64",
"TwoFacemips",
"TwoFacemips64",
"TwoFacemipsel",
"TwoFacesh2eb",
"TwoFacesh2elf",
"TwoFacesh4",
"TwoFacex86",
"TwoFacearmv5",
"TwoFacearmv4tl",
"TwoFacearmv4",
"TwoFacearmv6",
"TwoFacei686",
"TwoFacepowerpc",
"TwoFacepowerpc440fp",
"TwoFacei586",
"TwoFacem68k",
"TwoFacesparc",
"TwoFacex86_64",
"UYyuyioy",
"XDzdfxzf",
"xxb1",
"xxb2",
"xxb3",
"xxb4",
"xxb5",
"xxb6",
"xxb7",
"xxb8",
"xxb9",
"xxb10",
"xxb11",
"xxb12",
"xxb13",
"xxb14",
"xxb15",
"xxb16",
"xxb17",
"xxb18",
"xxb19",
"xxb20",
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15",
"16",
"17",
"18",
"19",
"20",
"bb",
"busybotnet",
"pppd",
"pppoe",
"wput",
"B1",
"B2",
"B3",
"B4",
"B5",
"B6",
"B7",
"B8",
"B9",
"B10",
"B11",
"B12",
"B13",
"B14",
"B15",
"B16",
"B17",
"B18",
"B20",
"DVR",
"*mirai",
"*.mirai",
"cunty*",
"IoT*",
"mips64",
"sh4",
"arm",
"armv5",
"armv4tl",
"armv4",
"armv6",
"powerpc",
"powerpc440fp",
"pc",
"m68k",
"sparc",
"mirai.mips",
"orion.mips",
"okiru.mips",
"nightcore.mips",
"ar",
"lsp.modz",
"mipsxd",
"die.mips",
"dupessh",
"*mips",
"*.mips",
"pps",
"sh4*",
"wget*",
"ssh*",
"vulcan",
"jennifer*",
"okiru*",
"vulcana",
"vulcanb",
"vulcand",
"vulcane",
"vulcanx",
"vulcany",
"vulcanz",
"vulcang",
"apache2",
"telnetd"
};
We can also find the list of temp directories that RemoveTempDirs() wipes:
char *Temp_Directorys[] = {"/tmp/*", "/root/tmp/*", "/temp/*", "/var/*", "/var/run/*", "/var/tmp/*", (char*) 0};
4. Confirming my hypothesis
To confirm my hypothesis, I used IDA Pro on the samples and found the same routines and data:
- BCMScan and its network range

- PhoneScan and another network range

- SSHscanner and another network range

- hackerScan and another network range

- void ClearHistory()

- void initConnection()

- SSH usernames

- void updateNameServer()

- void RemoveTempDirs()

- Mirai passwords

- Mirai usernames

- Telnet usernames and passwords

Code sources
After a few hours, I found the code of the new Mirai on Pastebin (https://pastebin.com/4Z5MkjyX):


- client: https://pastebin.com/raw/JWKpuKid
- server: https://pastebin.com/raw/yugYA1nD
- https://pastebin.com/raw/yugYA1n

Finally, I think this malware was developed by Scarface.


IoC:
- a45799ca012830ba03aec105b3ea1d49 : bins.sh
- 532e0d570a3292c66016dda40819eec9 : ftp1.sh
- the twelve sample hashes listed in section 2 (qvmxvl to earyzq)
- http://199[.]180.134.215/
- ftp://199[.]180.134.215/
Conclusion
The lack of security mechanisms built into the devices themselves increases the size of the botnet. We recommend changing the default usernames and passwords.