2025-12-17 (WEDNESDAY): MIRAI ACTIVITY (LINUX TRAFFIC)

NOTES:

- I saw in-the-wild scans/probes as recently as 2025-12-03 that used wget to run a bash script from:
  -- 158.94.210[.]88/jaws
  -- The user-agent in the HTTP headers was: Hello, world
- On 2025-12-17, I fired up a Linux VM and ran the script returned from 158.94.210[.]88/jaws
- This blog post contains the associated pcaps and malware from the activity.

ASSOCIATED FILES:

- SHA256 hash: 75eadf63fa491843ff2580532080b3e664b37a7acc44a29fdeda3922bee1b6b8
- File size: 4,816 bytes
- File type: Bourne-Again shell script text executable, ASCII text, with very long lines (349)
- File location: hxxp[:]//158.94.210[.]88/jaws
- File description: bash script to retrieve and run files for Mirai

- SHA256 hash: 5a5be8301b1b61d5ffe08de1b358574f72fad83a739b9e12ae70e93fa6ba5b14
- File size: 96,408 bytes
- File type: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
- File location: hxxp[:]//158.94.210[.]88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips
- File description: Linux executable file for Mirai

- SHA256 hash: 85e6515d887fb0ddf498df540c1a71b10438f722d85b95d613e0cbe37b7c4261
- File size: 97,224 bytes
- File type: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
- File location: hxxp[:]//158.94.210[.]88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl
- File description: Linux executable file for Mirai

- SHA256 hash: 74ee95ea935954d8320594f45a3ed34d956637f399d927d75f080648800106a0
- File size: 66,544 bytes
- File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
- File location: hxxp[:]//158.94.210[.]88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
- File description: Linux executable file for Mirai

POST INFECTION TRAFFIC:

- Various IP addresses over TCP port 23 - Attempted Telnet connections
- Various IP addresses over TCP port 37215 - Attempted TCP connections
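The indicators above (the "Hello, world" user-agent fetching /jaws from the distribution host, the sample hashes, and the outbound Telnet/37215 scanning) can be turned into simple detection logic. The following is an added example, not code or data from this post or its pcaps: it runs three checks over constructed sample log lines embedded in the script. The HTTP and flow log formats are assumed (a simplified `src "METHOD uri" "user-agent"` line and a `src dst dst_port` line), so adapt the two parsers to whatever your proxy, IDS or flow logs actually emit.

```python
"""Detection sketch for the Mirai activity described in this post.

Added example, not from the original post or its pcaps. Checks:
  1. HTTP requests with User-Agent "Hello, world" for 158.94.210[.]88/jaws
     (the download stage seen in the in-the-wild scans).
  2. Any HTTP request to the distribution host (lower confidence).
  3. Hosts attempting TCP connections to port 23 or 37215 against many
     distinct destinations (the post-infection scanning behaviour).
The log line formats below are assumed, not taken from the pcaps.
"""
import hashlib
import re
from collections import defaultdict

# Indicators taken from the post.
DOWNLOAD_HOST = "158.94.210.88"
DOWNLOAD_PATH = "/jaws"
DOWNLOAD_UA = "Hello, world"
SCAN_PORTS = {23, 37215}
KNOWN_SHA256 = {
    "75eadf63fa491843ff2580532080b3e664b37a7acc44a29fdeda3922bee1b6b8",  # jaws script
    "5a5be8301b1b61d5ffe08de1b358574f72fad83a739b9e12ae70e93fa6ba5b14",  # .mips
    "85e6515d887fb0ddf498df540c1a71b10438f722d85b95d613e0cbe37b7c4261",  # .mpsl
    "74ee95ea935954d8320594f45a3ed34d956637f399d927d75f080648800106a0",  # .x86
}

# Constructed sample HTTP log, assumed format: <src_ip> "<method> <uri>" "<user-agent>"
HTTP_LOG = """\
10.0.0.5 "GET http://158.94.210.88/jaws" "Hello, world"
10.0.0.7 "GET http://example.invalid/index.html" "Mozilla/5.0"
10.0.0.9 "GET http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86" "Wget/1.21"
"""

# Constructed sample flow log, assumed format: <src_ip> <dst_ip> <dst_port>
FLOW_LOG = """\
10.0.0.5 203.0.113.10 23
10.0.0.5 203.0.113.11 23
10.0.0.5 203.0.113.12 37215
10.0.0.5 203.0.113.13 23
10.0.0.5 203.0.113.14 37215
10.0.0.7 203.0.113.20 443
10.0.0.9 203.0.113.30 23
"""

HTTP_RE = re.compile(r'^(\S+) "(\S+) (\S+)" "([^"]*)"$')


def _host_and_path(uri):
    """Strip the scheme so 'http://host/path' becomes 'host/path'."""
    return uri.split("://", 1)[-1]


def find_stager_requests(log_text):
    """High-confidence hits: known user-agent AND known host/path together.

    Requiring both means a benign client that happens to send "Hello, world"
    is not flagged on the user-agent alone.
    """
    hits = []
    for line in log_text.splitlines():
        m = HTTP_RE.match(line)
        if not m:
            continue
        src, _method, uri, ua = m.groups()
        if ua == DOWNLOAD_UA and _host_and_path(uri) == DOWNLOAD_HOST + DOWNLOAD_PATH:
            hits.append((src, uri))
    return hits


def find_distribution_host_requests(log_text):
    """Lower-confidence hits: any request whose URI points at the distribution host."""
    srcs = set()
    for line in log_text.splitlines():
        m = HTTP_RE.match(line)
        if m and _host_and_path(m.group(3)).split("/", 1)[0] == DOWNLOAD_HOST:
            srcs.add(m.group(1))
    return srcs


def find_scanning_hosts(log_text, threshold=3):
    """Map src -> number of distinct destinations contacted on a scan port,
    keeping only sources at or above the threshold."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        src, dst, port = parts
        if int(port) in SCAN_PORTS:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def is_known_sample(data):
    """True if the SHA256 of the given bytes matches one of the post's samples."""
    return hashlib.sha256(data).hexdigest() in KNOWN_SHA256


if __name__ == "__main__":
    print("stager requests:", find_stager_requests(HTTP_LOG))
    print("requests to distribution host:", find_distribution_host_requests(HTTP_LOG))
    print("scanning hosts:", find_scanning_hosts(FLOW_LOG))
    print("known sample?", is_known_sample(b"constructed placeholder bytes"))
```

The threshold in `find_scanning_hosts` is deliberately low for the small constructed sample; in production flow data a Mirai-infected host contacts far more than three distinct destinations on TCP 23 and 37215 in a short window, so raise it to fit your baseline and add a time window.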
