Mirai IOC Report

3 min readMar 3, 2023

--

IoC: hxxp://121.37.5[.]54/x/2sh, hxxp://121.37.5[.]54/x/1sh, hxxp://121.37.5[.]54/x/3sh

The IP (121.37.5[.]54) has been reported a total of 2 times from 2 different sources. It was initially reported on AbuseIPDB of abusive behaviors during the previous week and is probably currently actively involved in abusive operations such as hacking and hosting malware.

Following additional analysis, the IP address was linked to a Mirai Botnet published in a Russian blog article on February 22, 2023. More info on the blog post can be found here.

Further investigation revealed two files that were both recent and identical to the IoC in question.

When the first URL (hxxp://121.37.5[.]54/x/1sh) was accessed, a series of wget statements were observed that download files from a server at IP address 121.37.5[.]54. After that, the downloaded files are made executable, and some are run in the background.

It’s worth noting that both URLs have instructions to download the same executable files (ELF), which are given below. Tsunami Malware has been tied to these elf files.

Tsunami is a harmful Linux backdoor that allows remote access to compromised machines.

I ran the elf executable file (tty0) in a sandbox, and once unpacked, you can see a list of strings obtained from the file here. This includes UPX Packer and other unidentified strings. There were no strings addressing program functionality or indicators associated with suspicious binaries, filenames, IPs, attack instructions, registry keys, or URLs other than UPX.

Malicious behaviors such as the following were observed:

Network Traffic

195.20.125[.]38:8080 (TCP)

203.141.149[.]20:8080 (TCP)

66.178.182[.]1:8080 (TCP)

140.112.12[.]20:8080 (TCP)

140.112.13[.]244:8080 (TCP)

103.3.46[.]2:8080 (TCP)

195.70.197[.]29:8080 (TCP)

195.133.232[.]91:8080 (TCP)

Related Indicators of Compromise (IOCs)

IP addresses:
121.37.5[.]54
195.20.125[.]38
203.141.149[.]20
66.178.182[.]1
140.112.12[.]20
140.112.13[.]244
103.3.46[.]2
195.70.197[.]29
195.133.232[.]91
URLs/Domain names:
hxxp://121.37.5[.]54
hxxp://121.37.5[.]54/x/2sh
hxxp://121.37.5[.]54/x/1sh
hxxp://121.37.5[.]54/x/3sh
hxxp://121.37.5[.]54/x/irq2
hxxp://121.37.5[.]54/x/irq1
hxxp://121.37.5[.]54/x/tty3
hxxp://121.37.5[.]54/x/tty0
hxxp://121.37.5[.]54/x/irq0
hxxp://121.37.5[.]54/x/pty
hxxp://121.37.5[.]54/x/tty5
hxxp://121.37.5[.]54/x/tty4
hxxp://121.37.5[.]54/x/tty6
hxxp://121.37.5[.]54/x/tty2
Hashes:
ccb9300816fa32803c25bd1090954c49
e5463383f03592aafafbc34780482444cc6ab721
9a402397a0e5f56682a1afa1ef97c22767dbdc1d0c164496986c78cd1627406d
3884d8f692bdbb965985aec1fe6836c6
cbb2a9e6710d3065f83c560c9035b78b02880d24
9f07137bc6e4d7e58ea0fe22285599fd56d62f61141a2a745e2d6583c332c9a8
a51c33ee97c3df3dcf6cb3a67e2deadd
36058df865909ca4d56fe1738e61e61fb73e67b1
5befe5c9e0ca212361cd8f5a7490bcd358d721f2dd8644d70b0f81bbc3e3e307
4828b6dfe2f542f5763109c015a1fc57
08b0e90b15ef106b1a67273788ab42763b728e0a
af736d0466d0c88fe66666676ca09462fddedbbe8befe49dd2dc691053c293c6
9a053da89eecf62e3f7a8990b2b16f34
c7f3ce035931d2537b8ca0839fc8716864085ca8
b0a894c5e5020bd64df8e50e7bff04fd62cafc0a13b88281cbf148e133b25a8a
4a2cd14d592008ddcbeec2a7d8668be6
8433fc2b79ec52ef39ff4bba80f6d6993447b4a6
b16f46e2364607aa8bf031a28e9645827748b1742a46963ffd66d7d8a4fc3483
658e189217ec38fae85c1381ba1f8036
6a7cd8eacdfbf40a77bd15a0b795e70ac39f2c1f
53cdde158630cd2dce5fe7fbfe29a93ba496738e8a307a167f19c71ee1ccfa88
43ebe4bdb882ca5dd68ea96ba96cbd5f
184d2d9b092b19b18a5705a4ecc9964e43140afa
5499a3643fdb945722bdb8ab531b348b0ca8d08cbfdf2b056880a40117254a97
01f9782702eadfa4c9ea67918ca3bb00
5c9771e167dd7fc3e1250b8e851904f1daa063e7
8b9bfe8d5d32d7218059fcd24660a15a177a4ee75670cc1af86b357d59903cc7

References

Recommendations

Block the IP addresses and URLs/domains listed in the IOCs at the network perimeter.
Add hash values to block list.

Malware Analysis

Cybercure

Written by Cybercure

cybercure.ai Cyber Intelligence briefing

Help
Status
About
Careers
Press
Blog
Privacy
Terms
Text to speech
Teams