Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Mirai

72
Global rank
20 infographic chevron month
Month rank
27 infographic chevron week
Week rank
0
IOCs

Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining.

Botnet
Type
USA
Origin
1 September, 2016
First seen
17 March, 2025
Last seen

How to analyze Mirai with ANY.RUN

Type
USA
Origin
1 September, 2016
First seen
17 March, 2025
Last seen

IOCs

IP addresses
119.123.76.233
182.247.149.144
181.5.249.167
181.225.149.247
123.11.37.128
182.246.57.58
201.238.0.244
118.36.113.109
196.185.119.41
59.178.67.110
177.188.94.100
181.225.148.219
59.94.100.185
123.175.54.196
1.70.99.13
111.92.10.204
1.48.38.194
88.238.25.110
59.178.0.251
112.86.153.79
Domains
server1988.ignorelist.com
errorcoders.com
bot.ddosing.online
hoaxcalls.pw
vstress.pw
panel.devilsden.net
internetpolice.tk
rischyo.cf
neverwinwlaq.xyz
xabolfpzbz.ukrainianhorseriding.com
rippr.cc
dotheneedfull.xyz
3732g6dg.ws
fksdjfaksj321bots.mybiadboats.xyz
1216khw.kro.kr
networkmapping.xyz
u-suck-my-dick.xyz
ililililililililil.hopto.org
panel.miraibotnet.eu
tyx35qmt7pni4pdg.onion
Last Seen at

Recent blog posts

post image
New Pre-Installed Dev Tools for Deep Sandbox...
watchers 459
comments 0
post image
AI Safety: Key Threats and Solutions 
watchers 547
comments 0
post image
5 Common Evasion Techniques in Malware 
watchers 746
comments 0

What is Mirai malware?

Mirai is a botnet that has been targeting Internet of Things (IoT) devices since September 2016. It initially gained notoriety with denial-of-service attacks on several high-profile targets, including Krebs on Security, a blog run by the notable cybersecurity expert and journalist Brian Krebs. The botnet exploited the lack of security in IoT devices in the form of weak passwords, using them to generate massive traffic to overwhelm the target services.

The original developers, three college students from the United States, made the Mirai malware source code public in 2017 in an attempt to demonstrate their willingness to abandon criminal activity. However, this led to the creation of numerous variants of the malware, such as Hajime and Sylveon, as well as an influx of new threat actors employing these in their attacks.

Since then, the botnet has been experiencing a continuous evolution, gaining additional capabilities and exploiting new vulnerabilities found in different devices. It has been employed in numerous campaigns, by 2022 becoming one the largest botnets. According to some estimates, the Mirai malware has been used to infect over half a million IoT products.

Mirai's rise and scale can be attributed to a combination of factors. These include efficient spreading based on Internet-wide scanning and the widespread use of insecure default passwords in IoT products.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Mirai malware technical details

On the basic level, Mirai uses brute forcing to infect new devices. Here are the four stages that define its typical operation:

  • It begins by scanning the internet for vulnerable IoT devices by sending TCP probes to IPv4 addresses.
  • Once it identifies a potential victim, it attempts to log in using a list of popular credentials.
  • Upon successful login, the malware uses its loader module to download and execute a malicious program on the device. Once a device is infected, it becomes part of the botnet and begins scanning the internet for other vulnerable devices to infect.
  • Mirai then engages the infected devices to launch DDoS attacks.

The malware usually communicates with the command-and-control (C2) over the TCP protocol. Yet, there are also TLS-capable variants.

After establishing its presence on a device, Mirai kills any processes associated with the activity of other botnets, such as Gafgyt, that might have infected it prior.

Over the past years, Mirai variants have been able to infect thousands of devices by abusing various vulnerabilities. For instance, in 2020, one Mirai variant took advantage of a security flaw (CVE-2020-9054) in Zyxel NAS devices, which allowed the malware to employ special characters to inject malicious commands and take control of devices.

Another vulnerability used by Mirai, which was identified in Comtrend VR-3033 routers in 2020, was CVE-2020-10173. It enabled attackers to compromise the network managed by the router by injecting malicious commands into its authentication process.

In 2022, Mirai was observed to explore the Spring4Shell vulnerability (CVE-2022-22965) by uploading its executable to target devices’ '/tmp' folder and leveraging the 'chmod' command to launch it.

Many variants of Mirai implement modified UPX packing to complicate the analysis process of their executables and make them more lightweight.

One of the latest variants of Mirai, NoaBot, which was first spotted in 2024, leverages SSH login brute forcing capabilities. Instead of launching DDoS attacks, it turns infected devices into crypto-mining machines.

Mirai execution process

Let’s take a look at how a typical Mirai malware attack unfolds by submitting a sample of this malware to the ANY.RUN sandbox.

Mirai infects the Ubuntu system typically through exposed and vulnerable Telnet or SSH ports. Once access is gained, Mirai downloads its binary from a C2server or through a peer-to-peer network onto the infected system.

To ensure persistence, Mirai may attempt to disable security software, delete competing malware, and create copies of itself in various system directories. It may also modify system startup scripts or use cron jobs to ensure it is executed on system reboot.

The infected system starts scanning the internet for other vulnerable devices by randomly generating IP addresses and attempting to log in using the same list of default credentials, infecting more devices.

The infected device establishes a connection with a C2 server to receive instructions from the botnet operator. These instructions can include launching DDoS attacks, downloading additional payloads, or updating.

It's important to note that the exact execution chain can vary depending on the variant of Mirai and the specific configuration of the infected system.

Mirai Suricata rule in ANY.RUN Suricata rule used for detecting Mirai in ANY.RUN

Mirai malware distribution methods

Unlike most malware families, such as Remcos and NjRAT, Mirai is not distributed via phishing emails or other common attack vectors. Instead, since it is a botnet, Mirai relies on self-propagation. This allows the botnet to grow rapidly and become more powerful, enabling it to launch larger and more devastating attacks.

Conclusion

To protect against Mirai and its variants, it is important to ensure that all IoT devices are secured with strong, unique passwords and that any known vulnerabilities are patched as soon as possible. To conduct Mirai malware analysis to see how the latest variants operate, use the ANY.RUN sandbox.

By executing Mirai in a controlled environment, you can observe its behavior and network activity without risking infection of your own infrastructure. This will enable you to identify the vulnerabilities employed by the malware, as well as expose its C2 servers.

Sign up for ANY.RUN now – it’s free!

HAVE A LOOK AT

Cobalt Strike screenshot
Cobalt Strike
cobaltstrike
Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
Emmenhtal screenshot
Emmenhtal
emmenhtal
First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.
Read More