Deep Dive — ebceb9dbc06f
SHA-256: ebceb9dbc06f796c199744d45c3e81654dbf6f928ab844c6b5af59d39e45ff26
Family: Mirai variant (ARMv5LE dropper, nova.armv5l)
First seen: 2026-05-27 (MalwareBazaar, reporter BlinkzSec, tagged Mirai)
C2 domain: nova.podril1ak2.online
C2 IP: 176.65.149.142
ELF: 32-bit LSB, ARM, version 1, statically linked, stripped — no embedded debug symbols.
Build / RE
Toolchain
Compiled for ARMv5LE with a GCC-based cross toolchain. The binary is fully statically linked (-static or equivalent) and stripped: there is no .dynamic section, no .symtab, and no string table beyond the cleartext strings in .rodata. It is a conventional fixed-address executable, not a PIE: code sits in the low 0x8000 region that is the default link address for ARM Linux executables (the dispatcher at FUN_000083a4 is just above it), which is the usual layout for firmware on IoT routers, IP cameras, and ARM-based NAS devices.
Packing / Obfuscation
No packer or encrypted payload detected.^[strings.txt:1] The binary is compiled straight to ELF with no UPX, no custom stub, and no overlay compression. All strings are cleartext in .rodata.
Anti-analysis
Minimal. The binary performs no debugger detection, VM checks, or anti-disassembly tricks; stripping and static linking are its only obfuscation. With no dynamic symbol table or PLT to name imports, and syscalls made through raw software_interrupt(0x9000...) wrappers (the legacy ARM OABI swi encoding, in which the syscall number is added to the 0x900000 immediate, so the number can be recovered by subtracting that base), library-call identification is harder, but Ghidra resolves most of them as internal wrappers.
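A quick way to verify the toolchain claims above on any ARM sample is to read the ELF header and program headers directly rather than trusting file(1) output: e_type tells PIE (ET_DYN) from fixed-address (ET_EXEC), and the absence of PT_DYNAMIC and PT_INTERP segments confirms static linking. The following Python script is an added example for this report, not code from the sample or from any tool the report cites. It ships with a constructed ELF32 LSB ARM image (not the real binary) that mimics the layout described here and carries the .rodata strings this report cites, so it runs offline; pass a file path to run it on a real sample instead.

```python
import struct
import sys

# ELF constants (values from the ELF specification / elf.h).
ET_EXEC, ET_DYN = 2, 3
EM_ARM = 0x28
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
E_TYPE_NAMES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}

# Cleartext strings this report cites from the sample's .rodata.
WATCH_STRINGS = [
    b"/usr/sbin/dropbear",
    b"/tmp/.dropbear_upd.XXXXXX",
    b"/var/run/.dropbear.lock",
    b"/tmp/.dropbear.lock",
    b"POST /api/upload HTTP/1.1",
]


def triage_elf32(data: bytes) -> dict:
    """Read the ELF32 header and program headers and report the facts the
    Toolchain section asserts: endianness, machine, PIE vs fixed-address,
    static vs dynamic linking, plus which watched strings are present."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1:
        raise ValueError("only ELF32 is handled here")
    end = "<" if data[5] == 1 else ">"
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize
    # e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    (e_type, e_machine, _, e_entry, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = struct.unpack(end + "HHIIIIIHHHHHH", data[16:52])
    ptypes = [struct.unpack(end + "I", data[e_phoff + i * e_phentsize:][:4])[0]
              for i in range(e_phnum)]
    return {
        "little_endian": data[5] == 1,
        "machine": "ARM" if e_machine == EM_ARM else hex(e_machine),
        "e_type": E_TYPE_NAMES.get(e_type, hex(e_type)),
        # A PIE is linked as ET_DYN; a conventional fixed-address binary is ET_EXEC.
        "pie": e_type == ET_DYN,
        # No PT_DYNAMIC and no PT_INTERP segment means statically linked.
        "static": PT_DYNAMIC not in ptypes and PT_INTERP not in ptypes,
        "entry": e_entry,
        "strings": [s.decode() for s in WATCH_STRINGS if s in data],
    }


def build_sample_elf(e_type: int = ET_EXEC, dynamic: bool = False) -> bytes:
    """Constructed ELF32 LSB ARM image for testing (NOT the real sample): an
    ELF header, one PT_LOAD at the usual ARM Linux base, an optional PT_DYNAMIC,
    and a fake .rodata blob holding the watched strings."""
    phdrs = [(PT_LOAD, 0, 0x8000, 0x8000, 0x1000, 0x1000, 5, 0x10000)]
    if dynamic:
        phdrs.append((PT_DYNAMIC, 0x800, 0x8800, 0x8800, 0x40, 0x40, 6, 4))
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8   # ELF32, LSB, version 1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, EM_ARM, 1, 0x8190,
                               52, 0, 0x5000200, 52, 32, len(phdrs), 40, 0, 0)
    body = b"".join(struct.pack("<IIIIIIII", *p) for p in phdrs)
    return ehdr + body + b"\0".join(WATCH_STRINGS) + b"\0"


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for key, value in triage_elf32(blob).items():
        print(f"{key:14} {value}")
```

On a real Mirai ARM build the expected output is machine ARM, ET_EXEC, pie False, static True, with the Dropbear paths and the POST template in the strings list; a PIE or dynamically linked hit is a sign the sample is not the build described here.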
Dropbear payload staging
The binary references Dropbear paths with a clear installer/update pattern:
- /usr/sbin/dropbear^[strings.txt:28]
- /tmp/.dropbear_upd.XXXXXX^[strings.txt:22]
- /var/run/.dropbear.lock^[strings.txt:26]
- /tmp/.dropbear.lock^[strings.txt:27]
Function FUN_000083a4 (the switch-based command dispatcher) reads the numeric mode from DAT_00030b64 and branches to task-specific functions. Mode 0xd in particular spawns 24 threads via FUN_000150dc, each running FUN_0000871c (the upload worker) with a per-thread state object configured from &DAT_0002c7d8.^[ghidra:FUN_000083a4] The XXXXXX suffix on the temp path is the mkstemp(3) template form, consistent with writing a new file in /tmp before moving it into place over /usr/sbin/dropbear.
Notable functions
| Address | Role |
|---|---|
| FUN_000083a4 | Main command dispatcher (switch (mode)): maps numeric modes to worker functions and spawns thread pools for modes 0xb–0xd.^[ghidra:FUN_000083a4] |
| FUN_0000871c | HTTP POST uploader. Builds the request POST /api/upload HTTP/1.1\r\nHost: %s\r\nUser-Agent: Mozilla/5.0\r\nContent-Type: application/octet-stream\r\nContent-Length: 1000000000\r\n\r\n, opens a TCP socket, sends the header, then loops reading the response with a 2-second delay.^[ghidra:FUN_0000871c] |
| FUN_0000c058 | Raw-socket DoS worker (suspected). Opens an AF_INET raw socket (socket(2,3,6): AF_INET, SOCK_RAW, IPPROTO_TCP), builds IP and transport headers, and sends crafted traffic in a tight loop. With IP_HDRINCL the kernel still supplies the link-layer framing, so no Ethernet header can be injected through this socket.^[ghidra:FUN_0000c058] |
| FUN_00009030 | TCP SYN flood / packet worker. Opens SOCK_RAW, sets IP_HDRINCL, randomises source fields, and floods the target IP/port.^[ghidra:FUN_00009030] |
Deploy / ATT&CK
TTPs mapped
| Technique | ID | Evidence |
|---|---|---|
| Application Layer Protocol: Web Protocols | T1071.001 | FUN_0000871c talks to the C2 host over HTTP/1.1 with a browser-like User-Agent; the dispatcher selects it and the flood workers by numeric mode, with modes 0xb–0xd spawning thread pools.^[ghidra:FUN_000083a4]^[ghidra:FUN_0000871c] |
| Exploit Public-Facing Application | T1190 | Not observed in this sample. Mirai historically brute-forces and exploits IoT services; this statically linked payload is consistent with a bot deployed after such access (family-level inference only). |
| Ingress Tool Transfer | T1105 | The /tmp/.dropbear_upd.XXXXXX staging path alongside /usr/sbin/dropbear suggests a self-update or secondary download staged through a temp file before being moved into place. The HTTP uploader in FUN_0000871c is outbound and is covered under T1041.^[strings.txt:22]^[strings.txt:28] |
| Exfiltration Over C2 Channel | T1041 | HTTP POST with Content-Type: application/octet-stream and the hardcoded Content-Length: 1000000000 implies bulk upload, though the same fixed header with no body is also how a slow-POST HTTP flood holds connections open, so this reading is provisional.^[ghidra:FUN_0000871c] |
| Network Denial of Service | T1498 | FUN_0000c058 and FUN_00009030 craft raw IP packets and flood targets, the classic Mirai DDoS modules.^[ghidra:FUN_0000c058]^[ghidra:FUN_00009030] |
| Endpoint Denial of Service | T1499 | Up to 24 threads per mode hammer a single target, each sending large volumes of traffic or holding HTTP connections open.^[ghidra:FUN_000083a4] |
Persistence
None observed in this binary itself. Mirai variants typically reside in /tmp/ or RAM and rely on reboot reinfection or cron jobs planted by the dropper chain. The .dropbear.lock files suggest a rudimentary singleton / anti-reexecution mechanism, not true persistence.^[strings.txt:26]^[strings.txt:27]
C2 protocol
- Protocol: HTTP/1.1 over TCP
- Method: POST /api/upload HTTP/1.1
- Host: injected via a printf-style format string (Host: %s), with %s resolved from &DAT_0002c7d8. The C2 domain is expected there, but with no successful dynamic run this is a static inference, not a runtime confirmation.^[ghidra:FUN_0000871c]
- User-Agent: Mozilla/5.0^[strings.txt:4]
- Content-Length: hardcoded 1000000000 (likely a placeholder or maximum-size hint).^[strings.txt:6]
Caveat: the same template fits a slow-POST (R.U.D.Y.-style) HTTP flood as well as an uploader. A fixed 1 GB Content-Length with no body sent after the header, from 24 threads that then sit reading the response on a 2-second loop, is the classic way to pin a target's connection slots. If the value written to &DAT_0002c7d8 turns out to be a victim host rather than the C2, mode 0xd is a DDoS module and the T1041 mapping should be dropped.
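As an added detection example (not code from the sample and not a tool this report cites), the following Python matches a reconstructed HTTP request head against the template above. The two sample requests are constructed here, not captured traffic; the C2 domain named above is filled into Host: only to show the shape of a hit, and the benign contrast uses a made-up example host. A match requires the POST /api/upload path plus at least two more template traits, so the generic Mozilla/5.0 User-Agent never fires alone; the slow-POST check (huge advertised Content-Length, near-empty body, thresholds being assumptions) is reported separately because it matters whichever reading of FUN_0000871c is right.

```python
from typing import Optional

# Traits lifted from the request template decompiled in FUN_0000871c.
SIG_PATH = "/api/upload"
SIG_UA = "Mozilla/5.0"            # exact match; real browsers send a much longer UA
SIG_CTYPE = "application/octet-stream"
SIG_CLEN = 1_000_000_000          # the hardcoded Content-Length


def parse_request_head(raw: bytes) -> Optional[dict]:
    """Split an HTTP/1.1 request into request line, lower-cased header map and
    the body bytes that arrived with the head. Returns None if malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return None
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": parts[0].decode("latin-1"), "path": parts[1].decode("latin-1"),
            "headers": headers, "body_len": len(body)}


def score_uploader(raw: bytes) -> dict:
    """Score one request against the uploader template. 'hits' lists the matching
    traits; 'match' needs the POST /api/upload path plus at least two more traits,
    so the generic Mozilla/5.0 User-Agent can never fire on its own. 'slow_post'
    flags a huge advertised Content-Length with almost no body: the shape of a
    slow-POST (R.U.D.Y.-style) connection-holding request, whatever the path."""
    req = parse_request_head(raw)
    if req is None:
        return {"match": False, "hits": [], "slow_post": False}
    h = req["headers"]
    hits = []
    if req["method"] == "POST" and req["path"] == SIG_PATH:
        hits.append("path")
    if h.get("user-agent") == SIG_UA:
        hits.append("ua")
    if h.get("content-type") == SIG_CTYPE:
        hits.append("ctype")
    try:
        clen = int(h.get("content-length", "-1"))
    except ValueError:
        clen = -1
    if clen == SIG_CLEN:
        hits.append("clen")
    # Thresholds below are assumptions for illustration, not values from the report.
    slow_post = clen >= 100_000_000 and req["body_len"] < 4096
    return {"match": "path" in hits and len(hits) >= 3, "hits": hits, "slow_post": slow_post}


# Constructed sample requests (not captured traffic). The first is the decompiled
# template with the report's C2 domain filled into Host:; the second is a benign
# browser upload to the same path, for contrast.
BOT_REQUEST = (b"POST /api/upload HTTP/1.1\r\nHost: nova.podril1ak2.online\r\n"
               b"User-Agent: Mozilla/5.0\r\nContent-Type: application/octet-stream\r\n"
               b"Content-Length: 1000000000\r\n\r\n")
BENIGN_REQUEST = (b"POST /api/upload HTTP/1.1\r\nHost: files.example.net\r\n"
                  b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0\r\n"
                  b"Content-Type: multipart/form-data; boundary=xyz\r\n"
                  b"Content-Length: 2048\r\n\r\n" + b"A" * 2048)

if __name__ == "__main__":
    for label, req in (("bot", BOT_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, score_uploader(req))
```

The same trait set translates directly into a network rule: anchor on the request path and the exact User-Agent string together, and alert separately on any POST whose Content-Length is orders of magnitude above the bytes actually delivered.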
DDoS modules
Two raw-socket workers (FUN_0000c058, FUN_00009030) build IP and transport headers themselves on AF_INET SOCK_RAW sockets with IP_HDRINCL set, randomising source fields (source IP, TTL, flags) and recomputing checksums per packet. An AF_INET raw socket cannot carry a hand-built Ethernet header; the kernel supplies the link-layer framing, so the spoofing is confined to the IP layer and above. This aligns with Mirai's documented TCP/UDP flood and GRE attack modules.
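Because the flood workers spoof source addresses on an IP_HDRINCL raw socket, an infected device gives itself away at the LAN egress: packets leave with source addresses outside the local prefix (exactly what BCP 38 egress filtering drops), and SYN-only bursts toward one destination arrive from many distinct "sources". The following Python is an added example, not the sample's code and not a tool named in this report; it runs both checks over constructed flow records (TEST-NET and private addresses, not real traffic), with thresholds that are illustrative assumptions.

```python
import ipaddress
import random
from collections import defaultdict

# TCP flag bits as laid out in the header.
SYN, ACK = 0x02, 0x10


def spoofed_sources(records, lan_prefix: str) -> list:
    """Return the records whose source address lies outside the local prefix.
    A bot writing per-packet random source IPs on an IP_HDRINCL raw socket
    produces exactly this at the LAN egress; BCP 38 egress filtering drops it."""
    net = ipaddress.ip_network(lan_prefix)
    return [r for r in records if ipaddress.ip_address(r[1]) not in net]


def syn_flood_targets(records, window_s=1.0, syn_threshold=100, min_distinct_src=50) -> list:
    """Bucket SYN-only packets per (dst, dport, time window) and report buckets
    that exceed the SYN count with many distinct sources. Thresholds are
    illustrative assumptions, not values from the report."""
    buckets = defaultdict(list)
    for ts, src, dst, dport, flags in records:
        if flags & SYN and not flags & ACK:
            buckets[(dst, dport, int(ts // window_s))].append(src)
    alerts = []
    for (dst, dport, bucket), srcs in sorted(buckets.items()):
        distinct = len(set(srcs))
        if len(srcs) >= syn_threshold and distinct >= min_distinct_src:
            alerts.append({"dst": dst, "dport": dport, "window": bucket,
                           "syns": len(srcs), "distinct_src": distinct})
    return alerts


def make_constructed_records(seed: int = 1) -> list:
    """Constructed flow records (timestamp, src, dst, dport, flags), not real
    traffic: ten benign SYNs from a LAN host, then 500 SYNs in one second from
    random 10.0.0.0/8 'sources' toward one TEST-NET target, the shape the
    SYN flood worker would emit."""
    rng = random.Random(seed)
    recs = [(0.1 * i, "192.168.1.23", "198.51.100.10", 443, SYN) for i in range(10)]
    for i in range(500):
        src = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(1, 255))
        recs.append((1.0 + i / 500, src, "203.0.113.7", 80, SYN))
    return recs


if __name__ == "__main__":
    recs = make_constructed_records()
    print("spoofed egress packets:", len(spoofed_sources(recs, "192.168.1.0/24")))
    for alert in syn_flood_targets(recs):
        print("SYN flood:", alert)
```

The egress check is the cheaper and more robust of the two: it needs no rate thresholds, and a single packet leaving the LAN with a foreign source address is already enough to name the infected device.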
Attribution
Tagged Mirai by MalwareBazaar reporter BlinkzSec. Build pattern (ARM32, stripped, static, raw-socket DoS + HTTP C2 uploader) is textbook Mirai. The nova.podril1ak2.online domain is not a known historic Mirai C2; it may be a spin-off or reseller panel.
Confidence: high
Dynamic Analysis
CAPE sandbox task #8 (linux-ubuntu-22-01) failed after 8 seconds. No runtime behavioural IOCs are available, and all TTPs above are inferred from static decompilation.^[dynamic-analysis.md:1] A statically linked ARMv5 ELF will not execute on an x86-64 guest without user-mode emulation (for example qemu-arm-static registered through binfmt_misc), so if that profile is an x86-64 VM the failure is expected and says nothing about the sample; rerun on an ARM-capable profile or under qemu before reading the lack of runtime data as anti-analysis.
IOCs
| Indicator | Type |
|---|---|
| ebceb9dbc06f796c199744d45c3e81654dbf6f928ab844c6b5af59d39e45ff26 | SHA-256 of the sample |
| 176.65.149.142 | IPv4 C2 |
| nova.podril1ak2.online | Domain C2 |
| POST /api/upload HTTP/1.1 | HTTP request signature |
| /tmp/.dropbear_upd.XXXXXX | Temporary update staging path |
| /var/run/.dropbear.lock | Singleton lock file |
| /tmp/.dropbear.lock | Singleton lock file |
| /usr/sbin/dropbear | Dropbear masquerade / overwrite target (a legitimate path on many devices: alert on modification, not on presence) |
| Mozilla/5.0 | HTTP User-Agent in uploader (exact match only; too generic to block on alone, combine with the /api/upload path) |
Report written 2026-05-27. Static only; dynamic analysis unavailable (CAPE failure).