Backdoor:Linux/Mirai.BL!xp - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Linux/Mirai.BL!xp
Classification:
Type: Backdoor
Platform: Linux
Family: Mirai
Detection Type: Concrete (known malware family with identified signatures)
Variant: BL (specific signature variant within the malware family)
Suffix: !xp
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access), Linux platform, Mirai family

Summary:

This is a detection for a component of the Mirai botnet, which targets Linux-based systems and IoT devices. The malware spreads by scanning for devices with weak or default credentials; once a device is compromised, it is enlisted in large-scale Distributed Denial of Service (DDoS) attacks.

Severity: Critical
VDM Static Detection: No specific strings found for this threat
YARA Rule:
rule Backdoor_Linux_Mirai_BL_2147819180_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.BL!MTB"
        threat_id = "2147819180"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "dsnctodtoeupeupeup" ascii //weight: 1
        $x_1_2 = "vfmgufnhvgnhwhoiwhoiwhoi" ascii //weight: 1
        $x_1_3 = "1veqhbnf0veqicog1wfricog2xgsjdph2xgsjdph2xgsjdph" ascii //weight: 1
        $x_2_4 = {89 e8 8b 7c 24 50 89 f2 25 ff f7 f7 ff 89 44 24 10 8b 44 24 58 8d 4c 24 0c c7 44 24 18 00 00 00 00 89 7c 24 0c c7 44 24 1c 00 00 00 00 89 44 24 14 89 d8 c7 44 24 20 00 00 00 00}  //weight: 2, accuracy: High
    condition:
        (filesize < 20MB) and
        (
            ((1 of ($x_2_*) and 2 of ($x_1_*))) or
            (all of ($x*))
        )
}
Known malware associated with this threat:
Filename: colonna.ppc
SHA-256: 848833cb1e3273d305cb532934f2582495d3d7814edbc1bd5655bc9e06e333b9
Date: 10/12/2025

Filename: Fantazy.ppc
SHA-256: 65507883ad78ecacbe5a13863e6b26f691d9204a005d088c1d8a07f72bc9e7b6
Date: 09/12/2025

Filename: hoho.ppc
SHA-256: 9647a2928608c9fa2440c589256ca9a4f397dfae3a822c7fa9078017292880b8
Date: 06/12/2025

Filename: ppc
SHA-256: 3a070a266d3c1b231c899bb477d7a70a9e9690ef2f5b582fed59ce97699a4b77
Date: 06/12/2025

Filename: jew.ppc
SHA-256: 9566bcde6b6f6db97aacc9c66336116829c0a7f830da367e66e8ef00a1587d44
Date: 04/12/2025
Remediation Steps:
Isolate the affected device from the network immediately. Re-image the system or perform a factory reset to ensure complete removal. Change all default credentials to strong, unique passwords and apply the latest security patches to prevent reinfection.
=== END REPORT ===
This analysis was last updated on 08/11/2025.