1 Sample Introduction
1.1 Sample Type
This sample is a trojan, similar to Satori which is a Mirai variant.
This sample mainly affects Android devices which opens port 5555 for Android Debug Bridge (ADB).
1.3 Attack Method
Scan port 5555 of other devices and send a shell command;
Launch a UDP flood DDoS attack using the C2 command.
2 Propagation and Infection
This sample is spread by scanning Android devices for port 5555 which is opened for ADB.
3 In-depth Analysis
3.1 File Structure
IDA 7.0 i64
3.2 Network Behaviors
Scan a random target for port 5555.
Connect the remote control end (the sample went live in the same way as Mirai) and launch a UDP flood DDoS attack using the C2 command (crafted in the same way as Mirai).
In the case of no command, the sample sends heartbeat packets of the fixed content (the same as Mirai).
3.3 Anti-analysis Techniques
Deleting itself during running
3.4 Scanning for Port 5555
This sample is quite similar to Storis, a variant of Mirai, as it can spread by exploiting the vulnerability existing in port 5555 opened for ADB (this method is the same as the exploit described in the analysis report released in July 2018). However, the creator declares that it does not belong to Miari, Stori, or Masuta. The sample generates a certain number of IP addresses and scans them for port 5555 before sending a shell command to the devices which opens port 5555.
The shell command downloads and runs three scripts from the specified server for installing malicious code on multiple platforms and forcibly killing the bot client on target devices.
4 Attack Location
The IP address of the C2 server connecting to the sample is 220.127.116.11, located in Italy.
5 IoC Output
5.1 Hardcoded IP and Domain Name