felixrayyen-alt/Mirai-Botnet-Static-Analysis

GitHub: felixrayyen-alt/Mirai-Botnet-Static-Analysis

Stars: 0 | Forks: 0

# Mirai-Botnet-Static-Analysis

Static Analysis and Reverse Engineering of Mirai Malware ELF 32-bit binary.

# 🦠 Mirai Botnet - Malware Static Analysis

This repository contains a comprehensive **Static Analysis** and **Reverse Engineering** report of the notorious **Mirai Malware** (ELF 32-bit binary). This project was conducted as part of the Reverse Engineering Midterm Exam at Universitas Amikom Yogyakarta.

## 📌 Executive Summary

Mirai is a self-propagating botnet malware designed to infect Linux-based Internet of Things (IoT) devices. It targets vulnerable smart devices and recruits them into a botnet used to launch massive Distributed Denial of Service (DDoS) attacks. This analysis focuses on uncovering the binary structure, embedded strings, network dependencies, and internal tactical functions without executing the malware (Static Analysis).

## 🔍 Technical Specifications (Basic Information)

Based on the static analysis tools, the target binary has the following specifications:

* **File Name:** `mirai.elf`
* **File Size:** 184 Kilobytes
* **File Type:** ELF 32-bit LSB executable, Intel 80386 (x86), version 1 (SYSV)
* **Linking:** Statically linked
* **Symbols:** Not stripped (debugging information available)
* **MD5 Hash:** `f5db0e21d290bf7b2d23959a530f2e3e`
* **SHA-256 Hash:** `d03dab10036fc5967786b13a2f5ef4d71f330eda1a575e0b6f62ae38c96361b1`

## 🛠️ Tools Used

* **Ghidra (v11.x):** For binary decompilation, Control Flow Graph analysis, and defined strings extraction.
* **Linux CLI Utilities:** `file`, `readelf`, `md5sum`, `sha256sum`, and `strings`.

## 💡 Key Findings & Methodology

### 1. Header Analysis

The analysis confirmed a valid Linux executable header structure. Ghidra identified the **Magic Bytes** string `ds "ELF"` at the base memory address, confirming the file as a valid executable format for Unix/Linux systems.

### 2. String Extraction & Capabilities

Using Ghidra's *Defined Strings* and Linux CLI utilities, 486 string locations were discovered. Critical strings extracted include:

* References to the `/proc/` file system directory (`/proc/%d/maps`, `/proc/%d/exe`) used for intensive process enumeration.
* Embedded Command and Control (C2) server IP address: **`176.65.139.79`**.
* Indicators of internal modules such as `[attack]_Starting...` and `[killer]_starting...`.

### 3. Decompiled Logic & Behavior

Because the binary is not stripped, its original symbol names are visible, and Ghidra's decompiler was used to reverse-engineer two core functions:

* **Killer Function (`killer_mirai_exists`):** Automatically scans the `/proc/` directory to discover and forcefully terminate (`kill -9`) competing malware processes based on file name heuristics, so that the malware fully monopolizes the device's resources.
* **Attack Function (`udp_gen_worker`):** Uses **Raw Sockets** to construct spoofed UDP packets (IP spoofing), transmitted at high volume via multithreading to conduct highly disruptive Distributed Denial of Service (DDoS) attacks.

## 📂 Repository Contents

* `MIRAI_ANALYSIS_REVERSE_ENGINEERING.pdf` - Full academic analysis report (in Indonesian).
* `/screenshots/` - Technical screenshots from Ghidra and Terminal operations.

## ⚠️ Disclaimer

This analysis is strictly for educational, academic research, and cybersecurity awareness purposes. **No malicious binaries or live exploits are shared within this repository.**
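The Header Analysis and String Extraction steps above (checking the ELF magic bytes and identity fields, hashing the file, pulling printable strings and flagging `/proc/` paths, module markers and hard-coded IPv4 addresses) can be automated as a static triage script that never executes the sample. The following is an added example written for this README; it is not code from the repository or from the report. It operates on a constructed, synthetic byte string that only imitates an ELF32 header plus a few strings in the same style as those the report lists (the IPv4 address `203.0.113.7` is a documentation-range placeholder, not the C2 address from the analysis), so it runs offline; point `triage()` at real bytes read from a quarantined sample to use it for actual work.

```python
"""Static triage of an ELF sample: header fields, hashes, strings, indicators.

Added example for this README, not part of the original repository.
Runs entirely on the bytes passed in; nothing is executed.
"""
import hashlib
import re
import struct
from typing import Dict, List, Tuple

# Constructed sample: a 52-byte ELF32 header (little-endian, EXEC, EM_386)
# followed by a handful of embedded strings in the style of the report's findings.
SAMPLE_ELF = (
    b"\x7fELF"                      # e_ident magic
    + b"\x01"                       # EI_CLASS  = 1 (32-bit)
    + b"\x01"                       # EI_DATA   = 1 (little-endian, "LSB")
    + b"\x01"                       # EI_VERSION
    + b"\x00"                       # EI_OSABI  = 0 (System V)
    + b"\x00" * 8                   # EI_ABIVERSION + padding
    + struct.pack("<HHI", 2, 3, 1)  # e_type=EXEC, e_machine=EM_386, e_version
    + struct.pack("<IIIIHHHHHH", 0x08048000, 52, 0, 0, 52, 32, 0, 0, 0, 0)
    + b"\x00/proc/%d/maps\x00/proc/%d/exe\x00"
    + b"[killer]_starting...\x00[attack]_Starting...\x00"
    + b"203.0.113.7\x00ab\x00"      # placeholder IPv4 (TEST-NET-3) and a too-short string
)

ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_DATA = {1: "LSB (little-endian)", 2: "MSB (big-endian)"}
ELF_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
# e_machine values for the architectures IoT botnet builds are commonly compiled for.
ELF_MACHINE = {2: "SPARC", 3: "Intel 80386", 8: "MIPS", 20: "PowerPC",
               40: "ARM", 42: "SuperH", 62: "x86-64"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MODULE_RE = re.compile(r"^\[(\w+)\]")


def parse_elf_header(data: bytes) -> Dict[str, str]:
    """Validate the magic bytes and decode the identity fields of an ELF header."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file: magic bytes missing")
    ei_class, ei_data, ei_osabi = data[4], data[5], data[7]
    endian = {1: "<", 2: ">"}.get(ei_data)
    if endian is None:
        raise ValueError("invalid EI_DATA byte: %r" % ei_data)
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": ELF_CLASS.get(ei_class, "unknown(%d)" % ei_class),
        "data": ELF_DATA[ei_data],
        "osabi": "SYSV" if ei_osabi == 0 else "osabi(%d)" % ei_osabi,
        "type": ELF_TYPE.get(e_type, "unknown(%d)" % e_type),
        "machine": ELF_MACHINE.get(e_machine, "unknown(%d)" % e_machine),
    }


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-256 of the whole file, as md5sum/sha256sum would print them."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes (the default of strings(1))."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def flag_indicators(strings: List[str]) -> List[Tuple[str, str]]:
    """Tag strings that match the indicator classes described in the report."""
    findings = []
    for s in strings:
        m = IPV4_RE.search(s)
        if m and all(int(octet) <= 255 for octet in m.group().split(".")):
            findings.append(("hardcoded-ipv4", s))
        if s.startswith("/proc/"):
            findings.append(("proc-enumeration", s))
        m = MODULE_RE.match(s)
        if m:
            findings.append(("module-marker:" + m.group(1).lower(), s))
    return findings


def triage(data: bytes) -> dict:
    """Full static triage: header, hashes, string count and flagged indicators."""
    strings = extract_strings(data)
    return {"header": parse_elf_header(data), "hashes": file_hashes(data),
            "string_count": len(strings), "indicators": flag_indicators(strings)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ELF).items():
        print(key, "=>", value)
```

The indicator classes are deliberately the ones the report names, so the output maps directly onto sections 1 and 2 of the findings; a 184 KB statically linked binary yields hundreds of strings, which is why the script returns the flagged subset rather than the whole list.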