1 Sample Introduction
1.1 Sample Type
This sample is a trojan, similar to Satori which is a Mirai variant.
1.2 Target
This sample mainly affects Android devices that expose port 5555 for Android Debug Bridge (ADB).
1.3 Attack Method
Scan port 5555 of other devices and send a shell command;
Launch a UDP flood DDoS attack using the C2 command.
2 Propagation and Infection
This sample is spread by scanning Android devices for port 5555 which is opened for ADB.
3 In-depth Analysis
3.1 File Structure
File structure viewed in IDA 7.0 (.i64 database); figure not reproduced here.
3.2 Network Behaviors
Scan a random target for port 5555.
Connect to the C2 server (the sample goes online in the same way as Mirai) and launch a UDP flood DDoS attack when instructed by a C2 command (crafted in the same way as Mirai).
When no command is pending, the sample sends heartbeat packets with fixed content (the same as Mirai).
3.3 Anti-analysis Techniques
Packing
Anti-virus settings
Deleting itself during running
3.4 Scanning for Port 5555
This sample is quite similar to Satori, a variant of Mirai, as it can spread by exploiting the exposure of port 5555 opened for ADB (this method is the same as the exploit described in the analysis report released in July 2018). However, the creator declares that it does not belong to Mirai, Satori, or Masuta. The sample generates a certain number of IP addresses and scans them for port 5555 before sending a shell command to the devices that have port 5555 open.
The shell command downloads and runs three scripts from the specified server for installing malicious code on multiple platforms and forcibly killing the bot client on target devices.
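As an added example (not part of the original report), the following Python applies the report's two observable network indicators, mass connection attempts to TCP/5555 from one source and contact with the C2 address listed in the IoC section, to a constructed Zeek-style conn.log excerpt. The log lines, the detection thresholds and the C2 port 6667 are assumptions made for the example, not values taken from the report; the one-off connection from 10.0.0.9 is included to show that a single developer ADB session does not trip the scanner threshold.

```python
from collections import defaultdict

# Indicator taken from the report's IoC section.
C2_IOCS = {"80.211.117.113"}
ADB_PORT = 5555

# Constructed Zeek-style conn.log excerpt (not a real capture). Fields:
# ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  conn_state
# The C2 port 6667 is an assumption; the report does not state the C2 port.
SAMPLE_CONN_LOG = """\
1700000000.10\t10.0.0.7\t41000\t203.0.113.10\t5555\ttcp\tS0
1700000000.20\t10.0.0.7\t41001\t203.0.113.11\t5555\ttcp\tS0
1700000000.30\t10.0.0.7\t41002\t203.0.113.12\t5555\ttcp\tS0
1700000000.40\t10.0.0.7\t41003\t203.0.113.13\t5555\ttcp\tREJ
1700000000.50\t10.0.0.7\t41004\t203.0.113.14\t5555\ttcp\tS0
1700000000.60\t10.0.0.7\t41005\t203.0.113.15\t5555\ttcp\tSF
1700000001.00\t10.0.0.7\t41006\t80.211.117.113\t6667\ttcp\tSF
1700000001.50\t10.0.0.9\t52000\t203.0.113.20\t443\ttcp\tSF
1700000002.00\t10.0.0.9\t52001\t10.0.0.7\t5555\ttcp\tSF
"""


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into dicts; skips blanks and comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto, state = line.split("\t")
        records.append({
            "ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto, "state": state,
        })
    return records


def find_adb_scanners(records, min_targets=5, window=60.0):
    """Return {source_ip: sorted distinct TCP/5555 targets} for every source that
    contacted at least `min_targets` distinct hosts on TCP/5555 within `window`
    seconds. Connection state is ignored on purpose: a scanner mostly produces
    S0/REJ, but the few SF lines are the hosts that were actually reachable."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["resp_p"] == ADB_PORT:
            by_src[r["orig_h"]].append(r)

    scanners = {}
    for src, conns in by_src.items():
        conns.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(conns)):
            # Slide the window so that conns[start:end+1] spans at most `window` s.
            while conns[end]["ts"] - conns[start]["ts"] > window:
                start += 1
            targets = {r["resp_h"] for r in conns[start:end + 1]}
            if len(targets) >= min_targets:
                # Report every 5555 target this source touched, not only the window.
                scanners[src] = sorted({r["resp_h"] for r in conns})
                break
    return scanners


def find_c2_contacts(records, iocs=C2_IOCS):
    """Return sorted (source, destination, port) triples for flows to known C2 IPs."""
    return sorted({(r["orig_h"], r["resp_h"], r["resp_p"])
                   for r in records if r["resp_h"] in iocs})


def run_detections(text=SAMPLE_CONN_LOG):
    records = parse_conn_log(text)
    return {"adb_scanners": find_adb_scanners(records),
            "c2_contacts": find_c2_contacts(records)}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

Both detections point at the same internal host, which is the pattern the report describes: an infected device first scans for other ADB listeners and then talks to the C2; correlating the two findings on one source address is a stronger signal than either alone.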
4 Attack Location
The C2 server the sample connects to has the IP address 80.211.117.113, located in Italy.
5 IoC Output
5.1 Hardcoded IP and Domain Name
80.211.117.11