Backdoor:Linux/Mirai.CE!xp - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Linux/Mirai.CE!xp
Classification:
 - Type: Backdoor
 - Platform: Linux
 - Family: Mirai
 - Detection Type: Concrete (known malware family with identified signatures)
 - Variant: CE (specific signature variant within the malware family)
 - Suffix: !xp
 - Confidence: Very High
 - False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access) on the Linux platform, family Mirai.

Summary:

Backdoor:Linux/Mirai.CE!xp is a concrete detection for a variant of the Mirai malware family, infamous for compromising Linux-based IoT devices. This threat transforms infected systems into bots for launching large-scale Distributed Denial-of-Service (DDoS) attacks, while also establishing a backdoor for remote control over the compromised Linux system.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - y*|#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
 - y*}#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
 - |#26190899-1602-49e8-8b27-eb1d0a1ce869 (NID)
 - }#26190899-1602-49e8-8b27-eb1d0a1ce869 (NID)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
YARA Rule:
rule Backdoor_Linux_Mirai_CE_2147822367_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.CE!xp"
        threat_id = "2147822367"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "xp: an internal category used to refer to some threats"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "1"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {c0 30 9f e5 00 30 d3 e5 00 00 53 e3 d3 ff ff 0a b0 30 9f e5 00 30 d3 e5 c0}  //weight: 1, accuracy: High
        $x_1_2 = {30 4b e5 14 30 1b e5 23 34 a0 e1 14 30 0b e5 0d 30 5b e5 a3 31 a0 e1 0d 30 4b e5 0d 30 5b e5}  //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (1 of ($x*))
}
Known malware associated with this threat (filename, SHA-256, date added):
 - bot.arm6, bb673fee82ba897cdd610bee644ed823384007cdd4121ab87a1448fcef1bc161, 31/01/2026
 - bot.arm4, 09610940f2b32ad725a8c323dd24f5fbe80cf5df11a6efb4f3ac077da0f0c904, 31/01/2026
 - bot.arm5, 51663e747e9c00087a93fa1b39bcc4b3b2dc81a278f70aeb2fb36c15740a29bf, 31/01/2026
 - bot.arm7, 7ca6c6ba23a348f9a32435f72f63660e5a6f3adebf9d0e752318d562f48994b8, 27/01/2026
Remediation Steps:
Immediately isolate the compromised Linux system from the network. Conduct a thorough forensic analysis and remove the malware, preferably by reimaging the device where feasible. Enforce strong, unique credentials across all Linux and IoT devices, update all system firmware and software to patch known vulnerabilities, and implement network segmentation and egress filtering to block command and control (C2) communication.
=== END REPORT ===
This analysis was last updated on 27/01/2026.