Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This threat is a variant of the Mirai botnet, which typically compromises Linux systems for use in DDoS attacks. The presence of numerous Windows-specific code strings suggests the sample may be a hybrid threat or may run within the Windows Subsystem for Linux (WSL), aiming to establish a backdoor and persist on the host.
Relevant strings associated with this threat:
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule Backdoor_Linux_Mirai_DA_2147843278_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.DA!MTB"
        threat_id = "2147843278"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {b0 30 d7 e1 40 00 13 e3 1e 00 00 0a 38 40 87 e2 04 20 a0 e1 08 10 9d e5 05 00 a0 e1 0b c0 99 e7 0f e0 a0 e1 1c ff 2f e1 04 00 a0 e1 08 c0 99 e7 0f e0 a0 e1 1c ff 2f e1 b0 30 d7 e1 0c 20 9d e5 03 30 82 e1 05 3d 23 e2 0d 0d 13 e3 08 00 00 1a 07 00 a0 e1} //weight: 1, accuracy: High
        $x_1_2 = {ac 30 9f e5 18 40 80 e2 04 20 a0 e1 03 10 96 e7 0d 00 a0 e1 9c 30 9f e5 03 c0 96 e7 0f e0 a0 e1 1c ff 2f e1 00 80 e0 e3 04 00 a0 e1 88 30 9f e5 03 c0 96 e7 0f e0 a0 e1 1c ff 2f e1 00 40 97 e5 01 10 a0 e3 74 30 9f e5 0d 00 a0 e1 00 80 87 e5 03 c0 96 e7 0f e0 a0 e1 1c ff 2f e1 0c 00 97 e5} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Isolate the affected system from the network immediately to prevent lateral movement or botnet activity. Run a full, updated antivirus scan to remove all malicious components. If WSL is in use, investigate for signs of compromise and consider resetting the instance. Change all credentials on the system and network devices.