Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
Backdoor:Linux/Mirai!rfn is a variant of the Mirai botnet malware. Although running on a Linux system, this variant is equipped with capabilities to scan for and exploit vulnerable Microsoft SQL (MSSQL) servers, enabling it to spread to Windows environments and add them to the botnet.
Relevant strings associated with this threat:
- /ver.txt (PEHSTR_EXT)
- /update.txt (PEHSTR_EXT)
- http://%s:8888/ (PEHSTR_EXT)
- \msinfo.exe (PEHSTR_EXT)
- /delete /f /tn msinfo (PEHSTR_EXT)
- //%s:8888/ups.rar (PEHSTR_EXT)
- //%s:8888/wpd.dat (PEHSTR_EXT)
- //%s:8888/wpdmd5.txt (PEHSTR_EXT)
- //down2.b5w91.com:8443 (PEHSTR_EXT)
- /shell?%s (PEHSTR_EXT)
- ;exec sp_add_jobserver (PEHSTR_EXT)
- ;EXEC sp_droplogin (PEHSTR_EXT)
- ;exec(@a); (PEHSTR_EXT)
- <sip:carol@chicago.com> (PEHSTR_EXT)
- @name='bat.exe',@freq_type=4,@active_start_date (PEHSTR_EXT)
- @shell INT EXEC SP_ (PEHSTR_EXT)
- [Cracker:MSSQL] Host:%s, blindExec CMD: %s (PEHSTR_EXT)
- [ExecCode] (PEHSTR_EXT)
- [ExecCode]AUTHORIZATION [dbo] FROM 0x4D5A (PEHSTR_EXT)
- \Run','rundll32'; (PEHSTR_EXT)
- C:\Progra~1\kugou2010&attrib (PEHSTR_EXT)
- C:\Progra~1\mainsoft&attrib (PEHSTR_EXT)
- C:\Progra~1\shengda&attrib (PEHSTR_EXT)
- cmd3:[%s] (PEHSTR_EXT)
- DROP ASSEMBLY ExecCode (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Immediately isolate the compromised Linux host to prevent further scanning and lateral movement. Investigate network logs for outbound connections to MSSQL servers (port 1433). Scan and patch all MSSQL servers for vulnerabilities, ensure strong 'sa' passwords, and block the identified command-and-control domains at the network perimeter.