{
	"id": "eac1466f-7be7-4f7f-b5ed-67598108bf20",
	"created_at": "2026-04-06T00:14:49.947907Z",
	"updated_at": "2026-04-10T13:12:20.603833Z",
	"deleted_at": null,
	"sha1_hash": "54ac6a13988f98197394332ae129216ca6879dad",
	"title": "Warning: Satori, a Mirai Branch Is Spreading in Worm Style on Port 37215 and 52869",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126053,
	"plain_text": "Warning: Satori, a Mirai Branch Is Spreading in Worm Style on Port 37215 and 52869\r\nBy Li Fengpei\r\nPublished: 2017-12-05 · Archived: 2026-04-05 15:26:47 UTC\r\nAuthor: 360 netlab\r\n[Update History]\r\n- At 2017-12-05 18:56:40 UTC, 2 hours after our blog went live, we observed the C2 sending a kill scan command to\r\n- The C2 address 95.211.123.69:7654 is a typo for 95.211.123.69:7645\r\nIn our last blog, we mentioned that there were almost 100k unique scanner IPs from Argentina scanning port 2323 and port 23, and we concluded it was a new Mirai variant. For the last few days, the scanning behavior has gotten more intense, and more countries have started to show up on our ScanMon platform as scan sources. We have been able to dig further into this situation and see a bigger picture, and realized that the 2323|23 scan is only one piece of a bigger puzzle. While we are still doing more in-depth research into this matter, we ran into a new situation today which we think needs immediate attention from the security community, so here is a very brief and rough write-up.\r\nAbout 12 hours ago (2017-12-05 11:57 AM GMT+8), we noticed a new version of Satori (a Mirai variant which we named Satori) starting to propagate very quickly on port 37215 and 52869. This new variant has two significant differences from known Mirai variants:\r\n- The bot itself now does NOT rely on the loader|scanner mechanism to perform remote planting; instead, the bot itself performs the scan activity. This worm-like behavior is quite significant.\r\n- Two new exploits, which work on port 37215 and 52869, have been added; see below for more details. Due to the worm-like behavior, we all should be on the lookout for port 37215 and 52869 scan traffic. (For those who don't have the visibility, feel free to check out our free ScanMon system for port 37215 and 52869, or the ISC port pages for 37215 and 52869.)\r\nThis malware is the newest version of Satori. 
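What the worm-like behavior looks like from the defender's side is a single source fanning out to many distinct hosts on TCP 37215 and 52869, followed by the victim fetching the bot from the loader host and calling the C2. The script below is an added example (not code from the 360 netlab post) that runs that detection logic over a constructed connection log and HTTP log; the log format, the fan-out threshold and the mapping from the bot's mod-3 remainder to a port are assumptions, while the loader host, payload paths and C2 socket are the ones this post lists.

```python
# Added example, not from the 360 netlab post: flag Satori-style worm scanning
# and loader/C2 contact in connection and HTTP logs. A host fanning out to
# many distinct targets on TCP 37215 or 52869 is treated as a likely bot; any
# request to the loader host, or any connection to the working C2, is flagged
# outright. Log format and threshold are assumptions made for this example.
from collections import defaultdict

SATORI_PORTS = {37215, 52869}
LOADER_HOST = '95.211.123.69'           # download host from the post's IoCs
LOADER_PATH_PREFIX = '/fahwrzadws/'     # path prefix of the okiru.* payloads
LOADER_STAGER = '/b'                    # the small stager listed first
C2_ADDR = ('95.211.123.69', 7645)       # the one working C2 named in the post
FANOUT_THRESHOLD = 20                   # distinct dst IPs per source (assumed)


def build_conn_log():
    """Constructed connection log (not captured traffic): 'ts src dst dport proto'."""
    lines = []
    # Infected bot: 30 distinct targets, port chosen by i % 3. The post says the
    # port is picked by a random integer mod 3 but not which remainder maps to
    # which port, so this mapping is an assumption.
    for i in range(30):
        port = 52869 if i % 3 == 0 else 37215
        lines.append(f'1512470000.{i:03d} 203.0.113.7 192.0.2.{i + 1} {port} tcp')
    # Benign admin host: touches three devices on 37215, stays below threshold
    for i in range(3):
        lines.append(f'1512470100.{i:03d} 198.51.100.4 192.0.2.{i + 1} 37215 tcp')
    lines.append('1512470200.000 198.51.100.4 93.184.216.34 443 tcp')
    # Freshly infected device calling the working C2
    lines.append('1512470300.000 192.0.2.9 95.211.123.69 7645 tcp')
    return lines


def build_http_log():
    """Constructed HTTP log (not captured traffic): 'ts src dst host uri'."""
    return [
        '1512470250.000 192.0.2.9 95.211.123.69 95.211.123.69 /fahwrzadws/okiru.mipsel',
        '1512470260.000 198.51.100.4 93.184.216.34 example.com /index.html',
    ]


def parse_conn(lines):
    records = []
    for line in lines:
        ts, src, dst, dport, proto = line.split()
        records.append((float(ts), src, dst, int(dport), proto))
    return records


def parse_http(lines):
    records = []
    for line in lines:
        ts, src, dst, host, uri = line.split()
        records.append((float(ts), src, dst, host, uri))
    return records


def scan_fanout(conn_records):
    """Distinct destination IPs each source touched on the Satori ports."""
    targets = defaultdict(set)
    for _ts, src, dst, dport, proto in conn_records:
        if proto == 'tcp' and dport in SATORI_PORTS:
            targets[src].add(dst)
    return targets


def loader_downloads(http_records):
    """Sources that fetched the stager or an okiru.* payload from the loader host."""
    hits = set()
    for _ts, src, _dst, host, uri in http_records:
        if host == LOADER_HOST and (uri == LOADER_STAGER or uri.startswith(LOADER_PATH_PREFIX)):
            hits.add(src)
    return hits


def c2_contacts(conn_records):
    """Sources that opened a connection to the working C2 socket."""
    return {src for _ts, src, dst, dport, _p in conn_records if (dst, dport) == C2_ADDR}


def assess(conn_lines, http_lines, threshold=FANOUT_THRESHOLD):
    """Map each suspicious source IP to the list of reasons it was flagged."""
    conn = parse_conn(conn_lines)
    http = parse_http(http_lines)
    reasons = defaultdict(list)
    for src, dsts in scan_fanout(conn).items():
        if len(dsts) >= threshold:
            reasons[src].append(f'scanned {len(dsts)} hosts on 37215/52869')
    for src in loader_downloads(http):
        reasons[src].append('fetched payload from loader host')
    for src in c2_contacts(conn):
        reasons[src].append('connected to C2 95.211.123.69:7645')
    return dict(reasons)


if __name__ == '__main__':
    for src, why in sorted(assess(build_conn_log(), build_http_log()).items()):
        print(src, ';', ', '.join(why))
```

The benign host in the constructed log is there to show why a plain port match is not enough: three administrative connections to 37215 look nothing like a bot touching dozens of addresses, so the fan-out count does the work for the scanning stage, while the loader path and C2 socket are exact-match indicators that fire on a single event.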
We have been tracking Satori for months, and have strong evidence that this new wave of attacks can be linked to the previous upticks in port 23 and 2323 scanning traffic. The scanning IP (aka bot) numbers are now climbing straight up. For example, during the last 12 hours we have seen 263,250 different IPs scanning port 37215, and 19,403 IPs scanning port 52869.\r\nhttp://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/\r\nPage 1 of 4\r\nThe Malware Sample and the C2s\r\nWe have collected the following samples from our honeypot (MD5, download URL):\r\ndf9c48e8bc7e7371b4744a2ef8b83ddf hxxp://95.211.123.69/b\r\na7922bce9bb0cf58f305d17ccbc78d98 hxxp://95.211.123.69/fahwrzadws/okiru.mipsel\r\n37b7c9831334de97c762dff7a1ba7b3f hxxp://95.211.123.69/fahwrzadws/okiru.arm7\r\ne1411cc1726afe6fb8d09099c5fb2fa6 hxxp://95.211.123.69/fahwrzadws/okiru.x86\r\ncd4de0ae80a6f11bca8bec7b590e5832 hxxp://95.211.123.69/fahwrzadws/okiru.x86\r\n7de55e697cd7e136dbb82b0713a01710 hxxp://95.211.123.69/fahwrzadws/okiru.mips\r\n797458f9cee3d50e8f651eabc6ba6031 hxxp://95.211.123.69/fahwrzadws/okiru.m68k\r\n353d36ad621e350f6fce7a48e598662b hxxp://95.211.123.69/fahwrzadws/okiru.arm\r\n8db073743319c8fca5d4596a7a8f9931 hxxp://95.211.123.69/fahwrzadws/okiru.sparc\r\n0a8efeb4cb15c5b599e0d4fb9faba37d hxxp://95.211.123.69/fahwrzadws/okiru.powerpc\r\n08d48000a47af6f173eba6bb16265670 hxxp://95.211.123.69/fahwrzadws/okiru.x86_64\r\ne9038f7f9c957a4e1c6fc8489994add4 hxxp://95.211.123.69/fahwrzadws/okiru.superh\r\nSatori borrows code from Mirai with some major changes.\r\nThere are 3 C2s in the sample e1411cc1726afe6fb8d09099c5fb2fa6 we got:\r\n95.211.123.69:7645\r\nnetwork.bigbotpein.com:23\r\ncontrol.almashosting.ru\r\nNote: the only working C2 is 95.211.123.69:7645; the other two, network.bigbotpein.com:23 and control.almashosting.ru, are not actually being used here. They might be there just to trick security researchers into connecting to the wrong C2s. 
(Note again, we also have old samples, as well as some fresh new samples coming in, in which control.almashosting.ru really is being used.)\r\nThe Scanning Activity\r\nAs can be seen from the following picture, the bot will scan port 37215 or 52869 at random, the choice being determined by the remainder of a random integer mod 3.\r\nThe Exploits\r\nDuring the scanning, Satori will utilize two different exploits, one on port 37215 and the other on 52869.\r\n- The one on port 37215 is not fully disclosed yet; our team has been tracking it for the last few days and has gained quite some insight, but we will not discuss it here right now (stay tuned for our update later).\r\n- The one on port 52869 is derived from CVE-2014-8361 (the command injection in the Realtek SDK miniigd UPnP SOAP service).\r\nNot only does Satori penetrate devices with these exploits, it also drives the infected devices to download the bot from the same original download URL. This makes a loop, and causes Satori to spread in a worm manner.\r\nThe Connection to Previous Port 23 and 2323 Scanning Upticks\r\nIn our previous blog, we mentioned an uptick in port 23 and 2323 scanning traffic in Argentina. In the following days, more countries such as Egypt, Tunisia and Colombia were picked up by our monitoring system; as we mentioned at the beginning of this blog post, our investigation reveals that the port scan is only part of the whole picture.\r\nRight now we just want to point out that the 2323|23 attacks and today's Satori attack share some common factors, for example the samples' names and static features, some of the C2 protocols, and the use of the same exploits. 
These make us believe the two are connected.\r\nWe will share more details on our blog later on.\r\nIoC\r\nSamples in This Wave\r\nSatori is evolving as of this writing; we have captured some more samples with different C2s, etc., so here are only some of the IoCs (MD5, download URL).\r\ndf9c48e8bc7e7371b4744a2ef8b83ddf hxxp://95.211.123.69/b\r\na7922bce9bb0cf58f305d17ccbc78d98 hxxp://95.211.123.69/fahwrzadws/okiru.mipsel\r\n37b7c9831334de97c762dff7a1ba7b3f hxxp://95.211.123.69/fahwrzadws/okiru.arm7\r\ne1411cc1726afe6fb8d09099c5fb2fa6 hxxp://95.211.123.69/fahwrzadws/okiru.x86\r\ncd4de0ae80a6f11bca8bec7b590e5832 hxxp://95.211.123.69/fahwrzadws/okiru.x86\r\n7de55e697cd7e136dbb82b0713a01710 hxxp://95.211.123.69/fahwrzadws/okiru.mips\r\n797458f9cee3d50e8f651eabc6ba6031 hxxp://95.211.123.69/fahwrzadws/okiru.m68k\r\n353d36ad621e350f6fce7a48e598662b hxxp://95.211.123.69/fahwrzadws/okiru.arm\r\n8db073743319c8fca5d4596a7a8f9931 hxxp://95.211.123.69/fahwrzadws/okiru.sparc\r\n0a8efeb4cb15c5b599e0d4fb9faba37d hxxp://95.211.123.69/fahwrzadws/okiru.powerpc\r\n08d48000a47af6f173eba6bb16265670 hxxp://95.211.123.69/fahwrzadws/okiru.x86_64\r\ne9038f7f9c957a4e1c6fc8489994add4 hxxp://95.211.123.69/fahwrzadws/okiru.superh\r\nSome Earlier Samples\r\nc63820d8aff3b18b3ee0eaee4e9d26b0 hxxp://172.93.97.219/okiru.mipsel\r\nfd2bd0bf25fc306cc391bdcde1fcaeda hxxp://172.93.97.219/okiru.arm\r\nba98c78a65ebf17615fee9a7ef34b405 hxxp://172.93.97.219/okiru.arm7\r\n8a561bda915c89668e611b0ba72b0429 hxxp://172.93.97.219/okiru.m68k\r\nf8130e86dc0fcdbcfa0d3b2425d3fcbf hxxp://172.93.97.219/okiru.x86\r\n7a38ee6ee15bd89d50161b3061b763ea hxxp://172.93.97.219/okiru.mips\r\n3f401fc6b8a5847376e4d070505bd9fe hxxp://172.93.97.219/cryptonite.mips\r\na69692a2506f2127b23a8c35abe11427 hxxp://165.227.220.202/bins/mips\r\nhxxp://198.7.59.177/fahwrzadws/okiru.mips\r\nhxxp://198.7.59.177/cryptonite.mips\r\nSource: http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/"
	],
	"report_names": [
		"warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en"
	],
	"threat_actors": [],
	"ts_created_at": 1775434489,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54ac6a13988f98197394332ae129216ca6879dad.pdf",
		"text": "https://archive.orkl.eu/54ac6a13988f98197394332ae129216ca6879dad.txt",
		"img": "https://archive.orkl.eu/54ac6a13988f98197394332ae129216ca6879dad.jpg"
	}
}