![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/11\/img_5bf66213b3348.png\")
<\/p>\nThis sample is a trojan, similar to Satori which is a Mirai variant.<\/p>\n
This sample mainly affects Android devices which opens port 5555 for Android Debug Bridge (ADB).<\/p>\n
Scan port 5555 of other devices and send a shell command;<\/p>\n
Launch a UDP flood DDoS attack using the C2 command.<\/p>\n
This sample is spread by scanning Android devices for port 5555 which is opened for ADB.<\/p>\n
IDA 7.0 i64<\/p>\n
Scan a random target for port 5555.<\/p>\n
Connect the remote control end (the sample went live in the same way as Mirai) and launch a UDP flood DDoS attack using the C2 command (crafted in the same way as Mirai).<\/p>\n
In the case of no command, the sample sends heartbeat packets of the fixed content (the same as Mirai).<\/p>\n
Packing<\/p>\n
Anti-virus settings<\/p>\n
Deleting itself during running<\/p>\n
This sample is quite similar to Storis, a variant of Mirai, as it can spread by exploiting the vulnerability existing in port 5555 opened for ADB (this method is the same as the exploit described in the analysis report released in July 2018). However, the creator declares that it does not belong to Miari, Stori, or Masuta. The sample generates a certain number of IP addresses and scans them for port 5555 before sending a shell command to the devices which opens port 5555.<\/p>\n
<\/p>\n
The shell command downloads and runs three scripts from the specified server for installing malicious code on multiple platforms and forcibly killing the bot client on target devices.<\/p>\n
The IP address of the C2 server connecting to the sample is 80.211.117.113, located in Italy.<\/p>\n
80.211.117.11<\/p>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
1 Sample Introduction 1.1 Sample Type This sample is a trojan, similar to Satori which is a Mirai variant.<\/p>\n","protected":false},"author":1,"featured_media":1909,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","footnotes":""},"categories":[17,20],"tags":[],"class_list":["post-7685","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vulnerability-analysis","category-uncategorized"],"acf":[],"yoast_head":"\n