Cross-Architecture Mirai Configuration Extractor Utilizing Standalone Ghidra Script
- Supported architectures
- ARM
- MC68000
- MIPS
- PowerPC
- SPARC
- SuperH4
- x86
- x86_64
This work was presented at Botconf2025.
- Slide: https://www.botconf.eu/wp-content/uploads/formidable/2/BOTCONF2025-mirai-toushi-botconf2025.pdf
- Paper: https://cyberjournal.cecyf.fr/index.php/cybin/article/view/56
@article{morishita2025mirai,
title={mirai-toushi: Cross-Architecture Mirai Configuration Extractor Utilizing Standalone Ghidra Script},
author={Morishita, Shun and Kobayashi, Satoshi and Hombu, Eisei},
journal={The Journal on Cybercrime and Digital Investigations},
volume={10},
number={1},
pages={1--11},
year={2025}
}
- Extract XOR-obfuscated data (password list) from the code derived from Mirai's scanner.c
- Extract XOR-obfuscated data (e.g., C2, scan receiver, DoS parameters) from the code derived from Mirai's table.c
- Extract additional data (e.g., C2 in resolv_cnc_addr(), DoS attack functions) from the code derived from Mirai's main.c/attack.c
*** The malware sample must be unpacked before running the Ghidra script
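The XOR scheme behind the scanner.c and table.c extraction, as an added example (this is not mirai-toushi's code and does not reproduce its Ghidra-based extraction logic): the original Mirai source XORs every byte of a string with the four bytes of TABLE_KEY (0xDEADBEEF) in turn, which collapses to a single-byte XOR (0x22), and variants usually change only the key. The sample blobs below are constructed for this example; they decode to the placeholder values shipped in the public Mirai source (root / xc3511 / cnc.changeme.com). The brute-force helper is a heuristic for the case where a variant changed the key and only the blobs are at hand.

```python
"""Decode Mirai-style XOR-obfuscated strings (the scheme of table.c / scanner.c).
Added example; not part of mirai-toushi."""

import string

# TABLE_KEY from the public Mirai source; variants change this value.
DEFAULT_TABLE_KEY = 0xDEADBEEF


def effective_key(table_key: int) -> int:
    """toggle_obf()/deobf() XOR each byte with k1, k2, k3 and k4 in turn,
    which equals a single XOR with k1 ^ k2 ^ k3 ^ k4 (0x22 for 0xDEADBEEF)."""
    k = table_key & 0xFFFFFFFF
    return (k & 0xFF) ^ ((k >> 8) & 0xFF) ^ ((k >> 16) & 0xFF) ^ ((k >> 24) & 0xFF)


def deobf(blob: bytes, table_key: int = DEFAULT_TABLE_KEY) -> str:
    """Decode one obfuscated blob. table.c entries carry an obfuscated NUL
    terminator (0x22 under the default key); scanner.c passwords do not.
    Cutting at the first decoded NUL handles both."""
    key = effective_key(table_key)
    plain = bytes(b ^ key for b in blob)
    return plain.split(b"\x00", 1)[0].decode("latin-1")


# Characters expected in hostnames and credentials; used only for scoring.
_LIKELY = set((string.ascii_lowercase + string.digits + ".").encode())


def guess_effective_key(blobs) -> int:
    """Heuristic for a variant with an unknown TABLE_KEY: try all 256 single-byte
    keys and keep the one whose output looks most like hostnames/credentials.
    Confirm the result against the key recovered from the binary."""
    def score(key: int) -> int:
        total = 0
        for blob in blobs:
            plain = bytes(b ^ key for b in blob)
            if plain.endswith(b"\x00"):
                plain = plain[:-1]  # ignore a decoded table.c terminator
            total += sum(1 for c in plain if c in _LIKELY)
        return total
    return max(range(256), key=score)


# Constructed sample blobs (obfuscated with the default key). They decode to the
# placeholders found in the public source: root, xc3511 and cnc.changeme.com.
SAMPLE_USER = b"\x50\x4D\x4D\x56"
SAMPLE_PASS = b"\x5A\x41\x11\x17\x13\x13"
SAMPLE_CNC = b"\x41\x4C\x41\x0C\x41\x4A\x43\x4C\x45\x47\x4F\x47\x0C\x41\x4D\x4F\x22"


def decode_samples(table_key: int = DEFAULT_TABLE_KEY) -> dict:
    """Decode the constructed samples with the given TABLE_KEY."""
    return {
        "user": deobf(SAMPLE_USER, table_key),
        "pass": deobf(SAMPLE_PASS, table_key),
        "cnc": deobf(SAMPLE_CNC, table_key),
    }


if __name__ == "__main__":
    print(decode_samples())
    print(hex(guess_effective_key([SAMPLE_USER, SAMPLE_PASS, SAMPLE_CNC])))
```

Because the four-byte key collapses to one byte, a custom key recovered from a sample's toggle_obf()/deobf() can be passed as `table_key` directly; the scoring in guess_effective_key() is deliberately narrow (lowercase, digits, dot) so that it prefers real credentials and hostnames over other printable garbage.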
mirai-toushi can be used in two ways, without any additional library or tool:
- Jython interpreter
- Headless analyzer
Jython interpreter
- Open the target malware in the Ghidra GUI
- Start the Ghidra Jython interpreter
  - "Window" menu -> "Jython" (or "Python" before Ghidra 11.2)
- Copy and paste the target Ghidra script into the interpreter
Headless analyzer
- Check your $GHIDRA_INSTALL_DIR
  - On REMnux, the default directory is /opt/ghidra
- Run runner.sh
$ chmod +x runner.sh
$ GHIDRA_INSTALL_DIR=<GHIDRA_INSTALL_DIR> ./runner.sh <ELF_FILE>
- mirai-toushi results are written to the ./output/<SHA256>/ directory by default
- output JSON Schema: ./jsonschema
- output sample: ./sample