{
	"id": "98902cd1-87c1-4ba3-a33b-72882ae8742d",
	"created_at": "2026-04-06T00:08:32.573583Z",
	"updated_at": "2026-04-10T13:12:20.869521Z",
	"deleted_at": null,
	"sha1_hash": "6c703ae135c251fe4c121ad90150008c9464e36e",
	"title": "New Mirai Variant Targets Zyxel Network-Attached Storage Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 557481,
	"plain_text": "New Mirai Variant Targets Zyxel Network-Attached Storage Devices\r\nBy Ken Hsu, Zhibin Zhang, Ruchna Nigam\r\nPublished: 2020-03-19 · Archived: 2026-04-05 18:13:39 UTC\r\nExecutive Summary\r\nAs soon as the proof-of-concept (PoC) for CVE-2020-9054 was made publicly available last month, this vulnerability was\r\npromptly abused to infect vulnerable versions of Zyxel network-attached storage (NAS) devices with a new Mirai variant -\r\nMukashi.\r\nMukashi brute forces the logins using different combinations of default credentials, while informing its command and\r\ncontrol (C2) server of the successful login attempts. Multiple, if not all, Zyxel NAS products running firmware versions up\r\nto 5.21 are vulnerable to this pre-authentication command injection vulnerability. The vendor advisory is also available.\r\nYou can test to see if a Zyxel NAS device is vulnerable here.\r\nThis vulnerability has a critical rating (i.e CVSS v3.1 score of 9.8) due to its trivial-to-exploit nature. It’s not surprising that\r\nthe threat actors weaponize this vulnerability and start wreaking havoc in the Internet of Things (IoT) realm. It was initially\r\ndiscovered via the sale of its exploit code as a 0-day i.e. while it was still unreported to the vendor. This initial discovery\r\nalso mentioned “the exploit is now being used by a group of bad guys who are seeking to fold the exploit into Emotet”.\r\nThis blog includes a walkthrough of the entire killchain, including images and IoCs.\r\nVulnerability Analysis\r\nThe executable weblogin.cgi doesn’t properly sanitize the username parameter during authentication. The attacker can use a\r\nsingle quote ‘ to close the string and a semicolon ; to concat arbitrary commands to achieve command injection. 
Since\r\nweblogin.cgi accepts both HTTP GET and POST requests, the attacker can embed the malicious payload in one of these\r\nHTTP requests and gain code execution.\r\nExploit in the Wild\r\nThe first incident happened at 19:07 (UTC) on March 12, 2020 and was caught on our Next-Generation Firewall. As shown\r\nin Figures 1 and 2 below, this threat actor attempted to download a shell script to the tmp directory, execute the downloaded\r\nscript, and remove the evidence on a vulnerable device.\r\nFigure 1. Exploit request spotted in the wild\r\nUpon execution, the zi script downloads Mirai bot binaries for different architectures, runs the downloaded binaries, and removes the\r\nbinaries. None of these binaries were available on VirusTotal at the time of discovery; 4 out of 8 are in VirusTotal at the time\r\nof writing.\r\nhttps://unit42.paloaltonetworks.com/new-mirai-variant-mukashi/\r\nPage 1 of 13\n\nFigure 2. Shell script that downloads and launches the bots\r\nNew Mirai Variant - Mukashi\r\nMukashi is a bot that scans TCP port 23 of random hosts, brute forces the logins using different combinations of default\r\ncredentials, and reports the successful login attempt to its C2 server. Like other Mirai variants, Mukashi is also capable of\r\nreceiving C2 commands and launching DDoS attacks.\r\nWhen it’s executed, Mukashi prints the message “Protecting your device from further infections.” to the console. The\r\nmalware then proceeds to change its process name to dvrhelper, suggesting Mukashi may inherit certain traits from its\r\npredecessor.\r\nPrior to carrying out its intended operation, Mukashi binds to TCP port 23448 in order to ensure only a single instance is\r\nrunning on the infected system.\r\nThe malware decodes a couple of strings on the fly during its initialization. These decoded strings, as shown in the following\r\ntable, include credentials as well as C2 commands. 
Unlike its predecessors, which use conventional XOR encryption, Mukashi\r\nuses a custom routine to encrypt these commands and credentials. A decryption script is provided in the\r\nappendix.\r\n/cmdline .udprand .udpbypass .udphex user tsgoingon\r\n/proc/ .udpplain .tcpbypass default daemon zlxx.\r\n/status .http .tcp admin juantech Zte521\r\n/maps /exe killallbots root 123456 hunt5759\r\n/proc/self/cmdline None ./ guest solokey samsung\r\nself POST killer dvr2580222 xc3511 vizxv\r\nping GET scanner support 12345\r\n.udp / world guest xmhdipc\r\nTable 1. Decoded credentials and commands\r\nWhen the malware performs credential brute-force attacks, Mukashi uses well-known default passwords like t0talc0ntr0l4!\r\nand taZz@23495859, in addition to the credentials that it decoded before the scanning phase. Figure 3, below,\r\nshows the initiation traffic captured when Mukashi was scanning random hosts, and Figure 4 shows the malware’s\r\nattempt to brute-force authentication.\r\nFigure 3. Scanning TCP port 23 of random hosts\r\nFigure 4. Brute forcing\r\nUpon a successful login attempt, Mukashi reports the working combination of the credentials to its C2 server\r\n45[.]84[.]196[.]75 on TCP port 34834.\r\nThe message has the following format: \u003chost ip addr\u003e:23 \u003cusername\u003e:\u003cpassword\u003e. The following figure shows an\r\nexample of such a message.\r\nFigure 5. Reporting successful login attempt\r\nOnce the malware is up and initialized, it sends a beacon back to its C2 server 45[.]84[.]196[.]75 listening on TCP port 4864,\r\nnotifying its C2 server that it’s ready for commands. An example of the beacon is shown in Figure 6 below. The beacon has\r\nthe following format: \u003cname\u003e.\u003cinput argument\u003e. 
The \u003cname\u003e substring depends on the return value of a socket creation; if\r\nthe socket is successfully created, then \u003cname\u003e is root, else it’s default. The \u003cinput argument\u003e substring is the input\r\nargument passed to the binary when it’s being executed. If no input argument is provided, the beacon string would be None.\r\nFigure 6. C2 beacon from the x86 bot\r\nMirai’s and its variants’ DDoS attack mechanics (e.g., UDP, TCP, UDP bypass, and TCP bypass) have already been analyzed\r\nin depth, and Mukashi’s DDoS capabilities are no different from these variants. The presence of DDoS defense bypass\r\nconfirms our speculation from earlier that Mukashi includes certain capabilities from the dvrhelper variant -- Mukashi also\r\npossesses the anti-DDoS-defense capabilities. The following table shows the C2 commands that Mukashi supports.\r\nPING scanner .udpplain .tcp\r\nkillallbots .udp .udpbypass .tcpbypass\r\nkiller .udprand .udphex .http\r\nTable 2. C2 commands\r\nThe attack_parsing() function is responsible for processing C2 command strings that Mukashi receives from its C2 server. In\r\naddition to the type of command and target address, the C2 command strings include relevant information like SYN flag,\r\nACK flag, URG flag, PSH flag, RST flag, time field, destination port value, and length value that Mukashi needs to construct\r\nthe packet header. If the destination port value is not available, Mukashi chooses a random port. And if the length of the packet\r\nis not specified, Mukashi uses the default value 1458.\r\nEven though there are numerous Mukashi binaries compiled for different architectures, they are pretty much the same\r\ncapabilities-wise -- except that the x86 version doesn’t have the cleaner() function that allows it to kill processes by process\r\ncommand line, specific strings, and permissions. 
The following figures show how the x86 version is different from the arm7\r\nversion.\r\nFigure 7. main routine (arm7)\r\nFigure 8. main routine (x86)\r\nConclusion and Mitigation\r\nUpdating the firmware is highly recommended to keep the attackers at bay. The latest version of the firmware is available\r\nfor download. Complex login passwords are also advised to prevent brute forcing.\r\nPalo Alto Networks customers are protected from the vulnerability by the following products and services:\r\nNext-Generation Firewalls with a threat prevention license can block the attacks with best practice via threat\r\nprevention signature 57806.\r\nWildFire can stop the malware with static signature detections.\r\nIoCs\r\nFile (Sha256)\r\nNetwork\r\n45[.]84[.]196[.]75:34834 (Report Successful Login Attempt)\r\n45[.]84[.]196[.]75:4864 (Command and Control)\r\n0[.]0[.]0[.]0:23448 (Singleton)\r\nPrevious activity\r\nThe table below includes hashes for samples of the same variant, hosted at the same IP; however, we are missing evidence of\r\nwhether they were distributed by exploitation of CVE-2020-9054 or not.\r\nAppendix\r\nIDAPython 6.x-7.3 Script\r\nimport ida_kernwin\r\nfrom idc import *\r\nfrom idautils import *\r\nfrom idaapi import *\r\n\r\ndef decode_str(encoded_str):\r\n    # Reverse the per-character subtraction encoding.\r\n    if len(encoded_str) == 0:\r\n        return \"\"\r\n    buf = list(encoded_str)\r\n    # The first character carries an extra offset of 2.\r\n    buf[0] = chr(ord(buf[0]) - 2)\r\n    slen = len(encoded_str)\r\n    # Integer division (//) keeps the offsets usable as indexes.\r\n    v1 = slen // 2\r\n    if v1 \u003e 0:\r\n        for i in range(v1, slen):\r\n            buf[i] = chr(ord(buf[i]) - 1)\r\n    v2 = slen // 4\r\n    if v2 \u003e 0:\r\n        for j in range(v2, slen):\r\n            buf[j] = chr(ord(buf[j]) - 1)\r\n    for k in range(0, slen):\r\n        buf[k] = chr(ord(buf[k]) - 1)\r\n    # The cut-off index depends on the length of the encoded string.\r\n    if slen \u003e 24:\r\n        if slen \u003e 99:\r\n            v3 = slen // 5 - 3\r\n        else:\r\n            v3 = slen // 5 - 1\r\n    else:\r\n        v3 = slen // 5\r\n    # NUL out everything from the cut-off index onward.\r\n    for l in range(v3, slen):\r\n        buf[l] = chr(0)\r\n    return \"\".join(buf)\r\n\r\ndef main():\r\n    # Walk every cross-reference to 0x080482A0, the address this script uses for the decoding routine.\r\n    for addr in XrefsTo(0x080482A0, flags=0):\r\n        print(\"[*] addr.frm: {0}\".format(hex(addr.frm)))\r\n        prev_addr = PrevHead(addr.frm)\r\n        # The instruction before the call supplies the address of the encoded string.\r\n        if GetMnem(prev_addr) == \"push\":\r\n            str_addr = GetOperandValue(prev_addr, 0)\r\n        elif GetMnem(prev_addr) == \"mov\":\r\n            str_addr = GetOperandValue(prev_addr, 1)\r\n        else:\r\n            # Neither push nor mov: no string address to read, skip this reference.\r\n            continue\r\n        print(\"\\tstr_addr: {0}\".format(hex(str_addr)))\r\n        encoded_str = GetString(str_addr)\r\n        if not encoded_str:\r\n            # No string literal at that address.\r\n            continue\r\n        print(\"\\tencoded_str: {0}\".format(encoded_str))\r\n        decoded_str = decode_str(encoded_str)\r\n        print(\"\\tdecoded_str: {0}\".format(decoded_str))\r\n\r\nif __name__ == '__main__':\r\n    main()\r\nIDAPython 7.4 Script\r\nfrom idautils import XrefsTo\r\nfrom idc import prev_head, get_operand_value, get_strlit_contents\r\n\r\ndef decrypt_string(enc_str):\r\n    # Under Python 3 the string literal arrives as bytes; map each byte to one character.\r\n    if not isinstance(enc_str, str):\r\n        enc_str = enc_str.decode('latin-1')\r\n    strlen = len(enc_str)\r\n    # The first character carries an extra offset of 2.\r\n    s = chr(ord(enc_str[0]) - 2) + enc_str[1:]\r\n    v1 = strlen // 2\r\n    if v1 \u003e 0:\r\n        s = s[0:v1] + ''.join([chr(ord(x) - 1) for x in s[v1:]])\r\n    v2 = strlen // 4\r\n    if v2 \u003e 0:\r\n        s = s[0:v2] + ''.join([chr(ord(x) - 1) for x in s[v2:]])\r\n    s = ''.join([chr(ord(x) - 1) for x in s])\r\n    if strlen \u003e 24:\r\n        if strlen \u003e 99:\r\n            v9 = strlen // 5 - 3\r\n        else:\r\n            v9 = strlen // 5 - 1\r\n    else:\r\n        v9 = strlen // 5\r\n    # Place the NUL terminator at index v9.\r\n    s = s[:v9] + chr(0) + s[v9 + 1:]\r\n    return s\r\n\r\ndef main():\r\n    strrefs = []\r\n    # Collect the operand of the instruction preceding each reference to 0x080482a0.\r\n    for addr in XrefsTo(0x080482a0, flags=0):\r\n        prev_ins = prev_head(addr.frm)\r\n        ref = get_operand_value(prev_ins, 1)\r\n        if ref \u003e 0:\r\n            strrefs.append(ref)\r\n    for ref in strrefs:\r\n        enc_str = get_strlit_contents(ref)\r\n        if not enc_str:\r\n            # No string literal at that address.\r\n            continue\r\n        print(\"Encrypted string: %s\" % enc_str)\r\n        dec_str = decrypt_string(enc_str)\r\n        print(\"Decrypted string: %s\" % dec_str)\r\n\r\nif __name__ == '__main__':\r\n    main()\r\nSource: https://unit42.paloaltonetworks.com/new-mirai-variant-mukashi/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/new-mirai-variant-mukashi/"
	],
	"report_names": [
		"new-mirai-variant-mukashi"
	],
	"threat_actors": [],
	"ts_created_at": 1775434112,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c703ae135c251fe4c121ad90150008c9464e36e.pdf",
		"text": "https://archive.orkl.eu/6c703ae135c251fe4c121ad90150008c9464e36e.txt",
		"img": "https://archive.orkl.eu/6c703ae135c251fe4c121ad90150008c9464e36e.jpg"
	}
}