$ analyze-threat TrojanDownloader:Linux/Mirai.K!MTB
TrojanDownloader:Linux/Mirai.K!MTB - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: TrojanDownloader:Linux/Mirai.K!MTB
Classification:
Type: TrojanDownloader
Platform: Linux
Family: Mirai
Detection Type: Concrete
  Known malware family with identified signatures
Variant: K
  Specific signature variant within the malware family
Suffix: !MTB
  Conventionally read as a machine learning / behavioral detection; the signature body reproduced below, however, is a static ELF byte-pattern rule
Detection Method: Static byte-pattern match (SIGNATURE_TYPE_ELFHSTR_EXT), not a behavioral rule as the !MTB suffix suggests
Confidence: Very High
False-Positive Risk: Low (two fixed MIPS instruction sequences that must both be present)

Concrete signature match: Trojan Downloader - downloads additional malware; platform Linux, family Mirai

Summary:

This threat is a Linux trojan downloader attributed to the Mirai botnet family. Mirai compromises IoT devices (routers, IP cameras, DVRs) over exposed telnet/SSH using factory-default credentials and uses them for DDoS attacks. The leaked Mirai source ships a small per-architecture downloader stage named dlr, and the sample filename dlr.mipsel together with the little-endian MIPS instruction sequences in the rule below fit that stage, whose only job is to fetch and execute the full bot binary for the device's architecture. The report's own fields are inconsistent and should be read with that in mind: the severity is listed as Medium here but Critical in the rule metadata; the classification calls the detection behavioral while the signature type is SIGNATURE_TYPE_ELFHSTR_EXT, a static byte-pattern match on ELF files; and the VDM strings listed under static detection are Windows PE attributes that cannot occur in a MIPS ELF, which suggests they were associated with this entry by mistake. Treat the YARA rule and the SHA-256 below as the usable indicators.

Severity:
Medium
VDM Static Detection:
The VDM entry lists the following PEHSTR_EXT attributes. They describe Windows PE behaviours (mshta, regsvr32, rundll32, BITS jobs, PowerShell, WH_KEYBOARD hooks) and cannot match a MIPS ELF; they appear to have been attached to this entry in error and should not be used as indicators for this threat. The static logic that actually defines the detection is the ELFHSTR_EXT rule that follows.
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - InvokeV (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - WH_KEYBOARD (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
YARA Rule:
rule TrojanDownloader_Linux_Mirai_K_2147917788_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "TrojanDownloader:Linux/Mirai.K!MTB"
        threat_id = "2147917788"
        type = "TrojanDownloader"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        // MIPS32 little-endian, unoptimised loop: addiu $v0,$sp,0x54; sw/lw a stack slot; addiu $v0,$v1,4; lw $v0,0($v0) (pointer walk over 4-byte entries)
        $x_1_1 = {54 00 a2 27 40 00 a2 af 40 00 a3 8f 00 00 00 00 04 00 62 24 40 00 a2 af 21 10 60 00 00 00 42 8c 00 00 00 00 3c 00 a2 af 40 00 a3 8f 00 00 00 00 04 00 62 24 40 00 a2 af 21 10 60 00 00 00 42 8c}  //weight: 1, accuracy: High
        // MIPS32 little-endian PIC call sequence: args into $a0-$a2 (constant 0x80 as the third arg of the first call), jalr $t9, then lw $gp,0x10($sp); the ?? bytes are wildcards for variable encodings
        $x_1_2 = {21 28 60 02 21 c8 00 02 09 f8 20 03 80 00 06 24 21 30 40 00 10 00 bc 8f 21 20 80 02 07 ?? ?? ?? 21 28 60 02 21 c8 40 02 09 f8 20 03 00 00 00 00 10 00 bc 8f f2 ?? ?? ?? 21 20 20 02}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
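The matching logic of the rule above, re-implemented as an added example for this page (it is not Defender's engine, threatcheck.sh's code, or anything from the Mirai source): it parses the ELF header to confirm a little-endian MIPS target, searches for the two hex patterns with '??' wildcards, applies the filesize and "all of" conditions, and compares the SHA-256 against the hash listed below. All inputs are constructed in the script (a bare ELF header plus the pattern bytes, and an MZ stub carrying the same bytes); EM_MIPS = 8 is the ELF constant for MIPS, and no real sample is embedded.

```python
"""Evaluate the ELFHSTR_EXT rule's conditions against a buffer (added example)."""
import hashlib
import re
import struct

# Values taken from the rule and the IOC section of the report.
MAX_FILESIZE = 20 * 1024 * 1024          # condition: filesize < 20MB
KNOWN_SHA256 = "4a8af19872a460ed85df7e9d13dc5c4344b03cd67fb8c507a18654f4202b3d78"
EM_MIPS = 8                              # ELF e_machine value for MIPS

PATTERNS = {
    # MIPS32 LE: unoptimised pointer walk over 4-byte entries kept on the stack
    "x_1_1": "54 00 a2 27 40 00 a2 af 40 00 a3 8f 00 00 00 00 04 00 62 24 "
             "40 00 a2 af 21 10 60 00 00 00 42 8c 00 00 00 00 3c 00 a2 af "
             "40 00 a3 8f 00 00 00 00 04 00 62 24 40 00 a2 af 21 10 60 00 "
             "00 00 42 8c",
    # MIPS32 LE PIC call sequence: args into $a0-$a2, jalr $t9, lw $gp,0x10($sp)
    "x_1_2": "21 28 60 02 21 c8 00 02 09 f8 20 03 80 00 06 24 21 30 40 00 "
             "10 00 bc 8f 21 20 80 02 07 ?? ?? ?? 21 28 60 02 21 c8 40 02 "
             "09 f8 20 03 00 00 00 00 10 00 bc 8f f2 ?? ?? ?? 21 20 20 02",
}


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a YARA-style hex string ('??' = any byte) into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in PATTERNS.items()}


def parse_elf_header(data: bytes):
    """Return (is_little_endian, e_machine) for an ELF buffer, or None."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    little = data[5] == 1                 # EI_DATA: 1 = ELFDATA2LSB
    _e_type, e_machine = struct.unpack_from(("<" if little else ">") + "HH", data, 16)
    return little, e_machine


def scan(data: bytes) -> dict:
    """Evaluate the rule against a buffer and report every sub-result."""
    result = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_elf": False,
        "mips_le": False,
        "hits": [name for name, rx in COMPILED.items() if rx.search(data)],
        "match": False,
    }
    result["known_sample"] = result["sha256"] == KNOWN_SHA256
    hdr = parse_elf_header(data)
    if hdr is None:
        return result          # ELFHSTR signatures are only evaluated on ELF files
    little, e_machine = hdr
    result["is_elf"] = True
    result["mips_le"] = little and e_machine == EM_MIPS
    # threshold = 2 with two $x strings, i.e. the rule's "all of ($x*)"
    result["match"] = len(data) < MAX_FILESIZE and len(result["hits"]) == len(COMPILED)
    return result


def _hex_pattern_to_bytes(pattern: str, fill: int = 0) -> bytes:
    return bytes(fill if tok == "??" else int(tok, 16) for tok in pattern.split())


def constructed_mips_elf(include=("x_1_1", "x_1_2")) -> bytes:
    """CONSTRUCTED input: bare MIPS32 little-endian ELF header + pattern bytes.
    Not a loadable binary."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, LSB
    header = e_ident + struct.pack("<HHIIIIIHHHHHH", 2, EM_MIPS, 1, 0x400000,
                                   52, 0, 0, 52, 32, 0, 40, 0, 0)
    body = b"\x00" * 64
    for name in include:
        body += _hex_pattern_to_bytes(PATTERNS[name]) + b"\x00" * 16
    return header + body


def constructed_pe_stub() -> bytes:
    """CONSTRUCTED input: an MZ header carrying the same bytes, showing that the
    ELF-scoped rule does not fire on a Windows PE even when the bytes occur."""
    body = b"".join(_hex_pattern_to_bytes(p) for p in PATTERNS.values())
    return b"MZ" + b"\x00" * 62 + body


if __name__ == "__main__":
    for label, blob in (("mips elf", constructed_mips_elf()),
                        ("one pattern", constructed_mips_elf(("x_1_1",))),
                        ("pe stub", constructed_pe_stub())):
        print(label, scan(blob))
```

Running the script prints three results: the constructed MIPS ELF matches both strings and satisfies the rule, the ELF carrying only one string does not (the condition is all of, not any of), and the PE stub gets byte hits but no match because the signature type scopes it to ELF files, which is exactly why the PE-only VDM strings listed earlier cannot belong to this detection.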
Known malware which is associated with this threat:
Filename: dlr.mipsel
SHA-256: 4a8af19872a460ed85df7e9d13dc5c4344b03cd67fb8c507a18654f4202b3d78
Date: 06/12/2025
Remediation Steps:
Isolate the affected device from the network immediately. Hash any suspicious file with SHA-256 and compare it against the indicator above, then scan with an up-to-date security tool and remove the file. Because this is the downloader stage, also look for the second-stage bot it fetched: processes whose backing executable has been deleted from disk (visible through the /proc exe links), unexpected outbound connections, and persistence such as cron jobs, init/rc scripts or modified startup files. Mirai-style bots usually run from memory and are re-infected after a reboot by scanners probing exposed telnet/SSH with factory credentials, so removal alone does not hold: change all credentials, disable or firewall telnet (TCP 23 and 2323) and any unneeded remote management, update the firmware, and reflash from known-good firmware if the device cannot otherwise be trusted.
=== END REPORT ===
Analysis last updated: 06/12/2025