Like most of the other analysis reports posted on the MalwareMustDie blog, this post started from a friend's request to take a look at a certain malicious Linux executable binary that was having a low (or no) detection, and at that time the binary hadn't been categorized into a correct threat ID. There are a lot of botnets aiming at multiple architectures of Linux-based internet of things devices, and this story is just one of them, but I haven't seen one coded like this before.

This time I decided to write the report along with my style on how to reverse engineer this sample, which is compiled for the MIPS processor architecture.

So I was sent this MIPS 32-bit binary:

cloudbot-mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

According to its detection report for the hash on VirusTotal it is supposed to be a "Mirai-like" or Mirai variant malware (thanks to the good people for uploading the sample to VirusTotal). But the fact after my analysis is saying differently: these are not Mirai, Remaiten, GafGyt (Qbot/Torlus base), Hajime, Luabots, nor China series DDoS binaries or Kaiten (or STD-like). This sample is just one of a series of badness; my honeypots, OSINT and given information were leading me to 26 types of samples that are meant to pwn a series of internet of things (IoT) devices running on Linux OS, and this MIPS-32 ELF binary I received is just one of the flock. It is a newly coded Linux malware picking up several ideas and code from other known malware, including Mirai.

Below is the additional list of the compiled binaries meant to run on several non-Intel CPUs running Linux operating systems; they can affect network devices like routers, bridges, switches, and the other small internet of things devices that we may already use on a daily basis:

riscv64.cloudbot: 64-bit LSB UCB RISC-V, version 1 (SYSV), dynamically linked
nios2.cloudbot: 32-bit LSB Altera Nios II, version 1 (SYSV), dynamically linked
m68k-68xxx.cloudbot: 32-bit MSB Motorola m68k, 68020, version 1 (SYSV), statically linked

This type of binary seems to have started appearing on the internet in early August 2019. If you see the filenames you can guess that some of those binaries are meant to aim at specific IoT/router platforms and not only at the several randomly cross-compiled architectures that happen to be supported.
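The architecture, endianness and linking information in the file(1) lines above all come from a few fixed fields of the ELF header and its program headers, which is what makes multi-architecture triage of a sample set like this mechanical. The script below is an added example and is not code from the MalwareMustDie post: it parses those fields (EI_CLASS, EI_DATA, EI_OSABI, e_type, e_machine, and the presence of a PT_INTERP or PT_DYNAMIC program header) and prints a file(1)-style line for each image. The four sample images are constructed in the script itself (synthetic headers with no code, reusing the filenames from the post) so it runs offline; the `build_elf`, `describe_elf` and `file_like_line` names are my own.

```python
import struct

# ELF constants from the ELF specification (subset covering the IoT samples above).
ELF_MAGIC = b"\x7fELF"
EM_NAMES = {2: "SPARC", 3: "Intel 80386", 4: "Motorola m68k", 8: "MIPS",
            20: "PowerPC", 40: "ARM", 42: "Renesas SH", 62: "x86-64",
            113: "Altera Nios II", 243: "UCB RISC-V"}
ET_NAMES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
PT_DYNAMIC, PT_INTERP = 2, 3


def describe_elf(data):
    """Return a dict describing an ELF image; raise ValueError if it is not ELF."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data, ei_osabi = data[4], data[5], data[7]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("bad EI_CLASS/EI_DATA")
    end = "<" if ei_data == 1 else ">"          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 1:                            # ELFCLASS32: 32-bit offsets
        fmt, ph_fmt, ph_size = end + "HHIIIIIHHHHHH", end + "IIIIIIII", 32
    else:                                        # ELFCLASS64: 64-bit offsets
        fmt, ph_fmt, ph_size = end + "HHIQQQIHHHHHH", end + "IIQQQQQQ", 56
    hdr = struct.unpack_from(fmt, data, 16)
    e_type, e_machine, e_phoff = hdr[0], hdr[1], hdr[4]
    e_phentsize, e_phnum = hdr[8], hdr[9]
    # Walk the program headers: PT_INTERP or PT_DYNAMIC means the dynamic
    # loader is involved, which is what file(1) reports as "dynamically linked".
    dynamic = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + ph_size > len(data):
            break                                # truncated sample: stop reading
        if struct.unpack_from(ph_fmt, data, off)[0] in (PT_DYNAMIC, PT_INTERP):
            dynamic = True
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "LSB" if ei_data == 1 else "MSB",
        "osabi": "SYSV" if ei_osabi == 0 else "osabi=%d" % ei_osabi,
        "type": ET_NAMES.get(e_type, "type=%d" % e_type),
        "machine": EM_NAMES.get(e_machine, "e_machine=%d" % e_machine),
        "linking": "dynamically linked" if dynamic else "statically linked",
    }


def file_like_line(name, data):
    """Format one triage line in the style of file(1)."""
    d = describe_elf(data)
    return "%s: ELF %d-bit %s %s, %s, version 1 (%s), %s" % (
        name, d["bits"], d["endian"], d["type"], d["machine"], d["osabi"], d["linking"])


def build_elf(bits, endian, machine, dynamic):
    """Construct a minimal synthetic ELF: header plus program headers, no code."""
    end = "<" if endian == "LSB" else ">"
    e_ident = (ELF_MAGIC
               + bytes([1 if bits == 32 else 2, 1 if endian == "LSB" else 2, 1, 0, 0])
               + b"\0" * 7)
    ph_types = [1, PT_INTERP] if dynamic else [1]      # PT_LOAD, optionally PT_INTERP
    if bits == 32:
        ehsize, phentsize, shentsize = 52, 32, 40
        hdr_fmt, ph_fmt = end + "HHIIIIIHHHHHH", end + "IIIIIIII"
    else:
        ehsize, phentsize, shentsize = 64, 56, 64
        hdr_fmt, ph_fmt = end + "HHIQQQIHHHHHH", end + "IIQQQQQQ"
    # e_type=ET_EXEC, e_version=1, e_entry=0, e_phoff right after the header.
    hdr = struct.pack(hdr_fmt, 2, machine, 1, 0, ehsize, 0, 0,
                      ehsize, phentsize, len(ph_types), shentsize, 0, 0)
    phs = b"".join(struct.pack(ph_fmt, t, 0, 0, 0, 0, 0, 0, 0) for t in ph_types)
    return e_ident + hdr + phs


# Constructed sample set, modelled on the file(1) output in the post.
SAMPLES = {
    "cloudbot-mips": build_elf(32, "MSB", 8, False),
    "riscv64.cloudbot": build_elf(64, "LSB", 243, True),
    "nios2.cloudbot": build_elf(32, "LSB", 113, True),
    "m68k-68xxx.cloudbot": build_elf(32, "MSB", 4, False),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        print(file_like_line(name, image))
```

Because the parser only trusts lengths it has checked against the buffer, it is safe to point at a directory of untrusted samples; a truncated or non-ELF file yields a ValueError or a "statically linked" verdict rather than an exception from reading past the end.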