user@threatcheck.sh ~ threat-analysis
$ analyze-threat Backdoor:Linux/Mirai.EF!MTB
Backdoor:Linux/Mirai.EF!MTB - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Linux/Mirai.EF!MTB
Classification:
Type: Backdoor
Platform: Linux
Family: Mirai
Detection Type: Concrete (known malware family with identified signatures)
Variant: EF (specific signature variant within the malware family)
Suffix: !MTB (detected via machine learning and behavioral analysis)
Detection Method: Behavioral
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access), platform Linux, family Mirai.
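The classification above is the Microsoft Defender naming convention Type:Platform/Family.Variant!Suffix split into its fields. As an added example, not code from threatcheck.sh or from Microsoft, the following Python parser performs that split; the regular expression and the field names are this editor's assumptions about the convention, and the extra names it is exercised with are constructed:

```python
import re

# Microsoft Defender threat-name convention: Type:Platform/Family[.Variant][!Suffix]
# The regular expression is an assumption about that convention, not code from
# threatcheck.sh or Microsoft.
NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+):"              # Backdoor, Trojan, ...
    r"(?P<platform>[A-Za-z0-9_]+)/"       # Linux, Win32, ...
    r"(?P<family>[A-Za-z0-9_]+)"          # Mirai
    r"(?:\.(?P<variant>[A-Za-z0-9_]+))?"  # .EF   (optional)
    r"(?:!(?P<suffix>[A-Za-z0-9_.]+))?$"  # !MTB  (optional)
)


def parse_threat_name(name: str) -> dict:
    """Split a Defender-style name into its fields; missing optional fields are None."""
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Microsoft-style threat name: {name!r}")
    return m.groupdict()


if __name__ == "__main__":
    # The name from this page, plus a constructed family-only name for comparison.
    for n in ("Backdoor:Linux/Mirai.EF!MTB", "Backdoor:Linux/Mirai"):
        print(n, "->", parse_threat_name(n))
```

The variant letters and the suffix are the fields that change between signatures of one family, so a tracker that keys on Type/Platform/Family alone will group this detection with every other Mirai signature.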

Summary:

This threat is a Linux backdoor from the Mirai botnet family, which primarily targets IoT and other networked devices. It spreads by scanning for exposed services (classically Telnet) and logging in with default or weak credentials. Once a device is compromised, it joins the botnet and is used in large-scale Distributed Denial-of-Service (DDoS) attacks.

Severity: Medium
VDM Static Detection: No specific strings found for this threat
YARA Rule:
rule Backdoor_Linux_Mirai_EF_2147897547_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.EF!MTB"
        threat_id = "2147897547"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "3"
        strings_accuracy = "High"
    strings:
        // HTTP-style path string embedded in the binary
        $x_1_1 = "/anko-app/" ascii //weight: 1
        // DNS label encoding of "services._dns-sd._udp.local", the mDNS
        // service-enumeration name: 07 "_dns-sd", 04 "_udp", 05 "local"
        $x_1_2 = {73 65 72 76 69 63 65 73 07 5f 64 6e 73 2d 73 64 04 5f 75 64 70 05 6c 6f 63 61 6c}  //weight: 1, accuracy: High
        // SSDP search target of the DIAL protocol (smart TV / media device discovery)
        $x_1_3 = "urn:dial-multiscreen-org:service:dial:1" ascii //weight: 1
    condition:
        // threshold 3 with three weight-1 strings == all of them must be present
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware which is associated with this threat (filename, SHA-256, date):
bot.mpsl  14060b4f4a579859e01bb149145e3377665ff7dd1ab16bf01227be95249af38c  06/12/2025
bot.ppc   5969670d9632e1e3b734623b7e929c2009a6440e74689f1efe095402c9fa469b  06/12/2025
bot.mips  6cea73b8c0fede36f6d0dc61d8416ebdce29ade0a358e9061fa88328f174f1e1  06/12/2025
mips      b695eed485955436ac3ac4835a3985d5872782221514796036a9e9163664bda1  03/12/2025
arm       708722783217cdba34f377d1af37d72671683563eda9cade928862d76a5b5a11  03/12/2025
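To see what the rule actually keys on, here is an added Python reimplementation of its condition; this is this editor's code, not threatcheck.sh's or Microsoft's. It decodes the hex string, which is DNS label encoding of the mDNS service-enumeration name services._dns-sd._udp.local, applies the three-string / 20MB condition to two constructed byte buffers (an ELF magic with the strings embedded, not real samples), and looks a buffer up in the SHA-256 list above, which shows why the string rule catches a recompiled variant that the hash list does not:

```python
import hashlib

MAX_FILESIZE = 20 * 1024 * 1024   # YARA's "20MB" is 20 * 2**20 bytes
THRESHOLD = 3                     # meta threshold; equals "all of ($x*)" for 3 strings

# The rule's three strings (bytes.fromhex ignores the spaces).
PATTERNS = {
    "x_1_1": b"/anko-app/",
    "x_1_2": bytes.fromhex(
        "73 65 72 76 69 63 65 73 07 5f 64 6e 73 2d 73 64 04 5f 75 64 70 05 6c 6f 63 61 6c"
    ),
    "x_1_3": b"urn:dial-multiscreen-org:service:dial:1",
}

# SHA-256 -> filename, copied from the "Known malware" list on this page.
KNOWN_SHA256 = {
    "14060b4f4a579859e01bb149145e3377665ff7dd1ab16bf01227be95249af38c": "bot.mpsl",
    "5969670d9632e1e3b734623b7e929c2009a6440e74689f1efe095402c9fa469b": "bot.ppc",
    "6cea73b8c0fede36f6d0dc61d8416ebdce29ade0a358e9061fa88328f174f1e1": "bot.mips",
    "b695eed485955436ac3ac4835a3985d5872782221514796036a9e9163664bda1": "mips",
    "708722783217cdba34f377d1af37d72671683563eda9cade928862d76a5b5a11": "arm",
}


def decode_dns_labels(data: bytes) -> str:
    """Decode DNS/mDNS wire-format labels (a length byte, then that many bytes).

    The rule's pattern starts inside a label ("services": its length byte and the
    leading "_" lie before the pattern), so the bytes up to the first length byte
    are taken as a partial label."""
    labels, i = [], 0
    while i < len(data) and data[i] >= 0x20:   # printable: still inside the partial label
        i += 1
    if i:
        labels.append(data[:i].decode("ascii"))
    while i < len(data):
        n = data[i]
        labels.append(data[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


def matches_rule(sample: bytes) -> dict:
    """Apply the rule's condition: filesize < 20MB and all three strings present.
    Returns the per-string hits, the summed weight and the verdict."""
    hits = {name: pat in sample for name, pat in PATTERNS.items()}
    weight = sum(hits.values())                 # every string carries weight 1
    return {
        "hits": hits,
        "weight": weight,
        "match": len(sample) < MAX_FILESIZE and weight >= THRESHOLD,
    }


def known_sample(sample: bytes):
    """Return the filename from the page's hash list if the bytes are a listed sample, else None."""
    return KNOWN_SHA256.get(hashlib.sha256(sample).hexdigest())


# Constructed test buffers, not real Mirai samples: an ELF magic plus padding with
# the rule's strings embedded the way they would sit in a binary's data section.
SAMPLE_POSITIVE = (
    b"\x7fELF" + b"\x00" * 60
    + b"GET /anko-app/ HTTP/1.1\r\n\x00"
    + b"\x09_services\x07_dns-sd\x04_udp\x05local\x00"      # contains x_1_2
    + b"M-SEARCH * HTTP/1.1\r\nST: urn:dial-multiscreen-org:service:dial:1\r\n\x00"
)
SAMPLE_NEGATIVE = b"\x7fELF" + b"\x00" * 60 + b"/anko-app/\x00/bin/busybox\x00"

if __name__ == "__main__":
    print("x_1_2 decodes to:", decode_dns_labels(PATTERNS["x_1_2"]))
    for label, buf in (("positive", SAMPLE_POSITIVE), ("negative", SAMPLE_NEGATIVE)):
        print(label, matches_rule(buf), "known hash:", known_sample(buf))
```

The constructed positive buffer satisfies the rule but matches none of the listed hashes, which is the usual gap between a string signature and an IOC list: the former survives a rebuild for another architecture (note the mpsl/ppc/mips/arm names above), the latter does not. The 20MB bound is also worth remembering when triaging: a sample padded past it is simply not evaluated by this rule.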
Remediation Steps:
1. Immediately isolate the infected device from the network to prevent further spread or participation in DDoS attacks.
2. Perform a factory reset or re-image the device to remove the infection.
3. Change all default passwords to strong, unique credentials and update the device's firmware to the latest version.
Complete step 3 before reconnecting the device: Mirai-family bots scan continuously, and a freshly reset device exposed with its default credentials is typically reinfected within minutes.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 17/11/2025.