$ analyze-threat Backdoor:Linux/Mirai!pz
Backdoor:Linux/Mirai!pz - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Linux/Mirai!pz
Classification:
Type: Backdoor
Platform: Linux
Family: Mirai
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !pz (packed or compressed to evade detection)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai

Summary:

Despite its 'Linux/Mirai' name, this threat is a backdoor that primarily targets Windows systems by exploiting Microsoft SQL Server (MSSQL) vulnerabilities. It attempts to execute remote commands, download additional payloads, and establish persistence on the compromised server, effectively giving the attacker control over the machine.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - /ver.txt (PEHSTR_EXT)
 - /update.txt (PEHSTR_EXT)
 - http://%s:8888/ (PEHSTR_EXT)
 - \msinfo.exe (PEHSTR_EXT)
 - /delete /f /tn msinfo (PEHSTR_EXT)
 - //%s:8888/ups.rar (PEHSTR_EXT)
 - //%s:8888/wpd.dat (PEHSTR_EXT)
 - //%s:8888/wpdmd5.txt (PEHSTR_EXT)
 - //down2.b5w91.com:8443 (PEHSTR_EXT)
 - /shell?%s (PEHSTR_EXT)
 - ;exec sp_add_jobserver (PEHSTR_EXT)
 - ;EXEC sp_droplogin (PEHSTR_EXT)
 - ;exec(@a); (PEHSTR_EXT)
 - <sip:carol@chicago.com> (PEHSTR_EXT)
 - @name='bat.exe',@freq_type=4,@active_start_date (PEHSTR_EXT)
 - @shell INT EXEC SP_ (PEHSTR_EXT)
 - [Cracker:MSSQL] Host:%s, blindExec CMD: %s (PEHSTR_EXT)
 - [ExecCode] (PEHSTR_EXT)
 - [ExecCode]AUTHORIZATION [dbo] FROM 0x4D5A (PEHSTR_EXT)
 - \Run','rundll32'; (PEHSTR_EXT)
 - C:\Progra~1\kugou2010&attrib (PEHSTR_EXT)
 - C:\Progra~1\mainsoft&attrib (PEHSTR_EXT)
 - C:\Progra~1\shengda&attrib (PEHSTR_EXT)
 - cmd3:[%s] (PEHSTR_EXT)
 - DROP ASSEMBLY ExecCode (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware which is associated with this threat:
Remediation Steps:
Isolate the affected system immediately. Secure all MSSQL accounts with strong passwords, especially the 'sa' account, and apply the latest security patches. Investigate for and remove any unauthorized SQL jobs, logins, or files dropped by the malware. Block the C2 domains and IPs at the firewall.
=== END REPORT ===
This analysis was last updated on 04/12/2025.