Persirai: New IoT Botnet Targets IP Cameras
Common Information
Type Value
UUID d7d08da5-3369-49c4-a160-f01f47bec8b4
Fingerprint 84916cf1d93361e7
Analysis status DONE
Considered CTI value 2
Text language
Published May 9, 2017, midnight
Added to db Oct. 15, 2024, 9:27 p.m.
Last updated Oct. 16, 2024, 2:30 a.m.
Headline Persirai: New IoT Botnet Targets IP Cameras
Title Persirai: New IoT Botnet Targets IP Cameras
Detected Hints/Tags/Attributes 52/1/23
Attributes
Details Type #Events CTI Value
Details CVE 3
cve-2017-5674
Details Domain 4
ntp.gtpnet.ir
Details Domain 3
wificam.sh
Details Domain 3
ftpupdate.sh
Details Domain 6
ftpupload.sh
Details Domain 4
load.gtpnet.ir
Details File 29
system.ini
Details File 6
picsdesc.xml
Details sha256 2
f736948bb4575c10a3175f0078a2b5d36cce1aa4cd635307d03c826e305a7489
Details sha256 2
e0b5c9f874f260c840766eb23c1f69828545d7820f959c8601c41c024044f02c
Details sha256 2
ff5db7bdb4de17a77bd4a552f50f0e5488281cedc934fc3707833f90484ef66c
Details sha256 2
d00b79a0b47ae38b2d6fbbf994a2075bc70dc88142536f283e8447ed03917e45
Details sha256 2
f974695ae560c6f035e089271ee33a84bebeb940be510ab5066ee958932e310a
Details sha256 2
af4aa29d6e3fce9206b0d21b09b7bc40c3a2128bc5eb02ff239ed2f3549532bb
Details sha256 2
aa443f81cbba72e1692246b5647a9278040400a86afc8e171f54577dc9324f61
Details sha256 2
4a5ff1def77deb11ddecd10f96e4a1de69291f2f879cd83186c6b3fc20bb009a
Details sha256 2
44620a09441305f592fb65d606958611f90e85b62b7ef7149e613d794df3a778
Details sha256 2
a58769740a750a8b265df65a5b143a06972af2e7d82c5040d908e71474cbaf92
Details sha256 2
7d7aaa8c9a36324a2c5e9b0a3440344502f28b90776baa6b8dac7ac88a83aef0
Details sha256 2
4a5d00f91a5bb2b6b89ccdabc6c13eab97ede5848275513ded7dfd5803b1074b
Details IPv4 2
185.62.189.232
Details IPv4 2
95.85.38.103
Details Yara rule 1
// Detects the Persirai IoT botnet payload described on this page (ELF binaries
// targeting IP cameras). A file matches when it is an ELF under 300KB and
// contains either one high-confidence ($x*) string plus one supporting ($s*)
// string, or two supporting strings.
rule Persirai {
	meta:
		description = "Detects Persirai Botnet Malware"
		author = "Tim Yeh"
		reference = "Internal Research"
		date = "2017-04-21"
		// hash1, hash2 and hash4 correspond to sha256 indicators listed in the
		// attribute table above.
		hash1 = "f736948bb4575c10a3175f0078a2b5d36cce1aa4cd635307d03c826e305a7489"
		hash2 = "e0b5c9f874f260c840766eb23c1f69828545d7820f959c8601c41c024044f02c"
		// NOTE(review): hash3 and hash5 are 65 characters long, and hash3 contains
		// a non-hex character ("co"), so neither is a valid SHA-256 as written; they
		// look like transcription errors and do not appear in the indicator table
		// above. Meta values never affect matching, but verify both against the
		// original source before reusing them as indicators.
		hash3 = "35317971e346e5b2a8401b2e66b9e62e371coe9532f816cb313216c3647973c32"
		hash4 = "ff5db7bdb4de17a77bd4a552f50f0e5488281cedc934fc3707833f90484ef66c"
		hash5 = "aec2c39f1dfb75e7b33daceaeda4dbadb8efd9015a9b7e41d595bb28d2cd0180f"
	strings:
		// $x*: family-specific strings (the FTP upload script, watchdog device
		// paths and the ":52869/picsdesc.xml" path, which also appear as
		// indicators on this page).
		$x1 = "ftpupload.sh" ascii fullword
		$x2 = "/dev/misc/watchdog" ascii fullword
		// No modifiers on $x3: it matches as a plain substring anywhere in the file.
		$x3 = "/dev/watchdog"
		$x4 = ":52869/picsdesc.xml" ascii fullword
		// NOTE(review): $x5 looks like a printf conversion-specifier table of the
		// kind found in libc code rather than something unique to this family, so
		// it may be weak evidence on its own; the condition still requires an $s*
		// hit alongside it, but confirm the false-positive rate before deploying.
		$x5 = "npxXoudifFeEgGaACScs" ascii fullword
		// $s*: supporting strings - two camera CGI endpoint names and two literal
		// hex tokens whose meaning is not documented here.
		$s1 = "ftptest.cgi" ascii fullword
		$s2 = "set_ftp.cgi" ascii fullword
		$s3 = "2580e538f3723927f1ea2fdb8d57b99e9cc37ced1" ascii fullword
		$s4 = "023ea8c671c0abf77241886465200cf81b1a2bf5e" ascii fullword
	condition:
		// uint16(0) == 0x457f is the little-endian read of the ELF magic "\x7fELF",
		// restricting the rule to ELF files; the size cap keeps it to small
		// IoT-style binaries.
		uint16(0) == 0x457f and filesize < 300KB and ((1 of ($x*) and 1 of ($s*)) or 2 of ($s*))
}