53fd73f8df2d6d452f79544e0e77b657c8a5986f3492cbfdec58d6a4e2f47185

Analysis

max time kernel
3650s
max time network
160s
platform
linux_armhf
resource
debian9-armhf-en-20211025
submitted
06-12-2021 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sora.arm7
Size

125KB
MD5

615efd8ebfe11f962016505691fa532f
SHA1

f598b05398e90890a67341ef02b804042505c13b
SHA256

53fd73f8df2d6d452f79544e0e77b657c8a5986f3492cbfdec58d6a4e2f47185
SHA512

d826eae3dbf983a0b3cff6681f0d51b5e2e43d87855b9e0d9218c607d88c1c5759fad798fb4ca5c5d85610ddb5d660767ae4c2a0759cb03d1b69b5057159af85

Score

9^/10

Malware Config

Signatures

Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

description ioc

/proc/net/tcp /proc/net/tcp
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

description ioc

/proc/net/tcp /proc/net/tcp

description	ioc
/proc/net/tcp	/proc/net/tcp

description	ioc
/proc/net/tcp	/proc/net/tcp

Reads runtime system information 27 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
/proc/359/fd	/proc/359/fd
/proc/356/exe	/proc/356/exe
/proc/	/proc/
/proc/237/fd	/proc/237/fd
/proc/308/fd	/proc/308/fd
/proc/358/fd	/proc/358/fd
/proc/311/fd	/proc/311/fd
/proc/139/fd	/proc/139/fd
/proc/282/fd	/proc/282/fd
/proc/361/fd	/proc/361/fd
/proc/356/fd	/proc/356/fd
/proc/368/fd	/proc/368/fd
/proc/375{1,1T	/proc/375{1,1T
/proc/359/exe	/proc/359/exe
/proc/216/fd	/proc/216/fd
/proc/234/fd	/proc/234/fd
/proc/235/fd	/proc/235/fd
/proc/238/fd	/proc/238/fd
/proc/280/fd	/proc/280/fd
/proc/314/fd	/proc/314/fd
/proc/362/fd	/proc/362/fd
/proc/367/fd	/proc/367/fd
/proc/164/fd	/proc/164/fd
/proc/1/fd	/proc/1/fd
/proc/284/fd	/proc/284/fd
/proc/289/fd	/proc/289/fd
/proc/313/fd	/proc/313/fd

./sora.arm7
./sora.arm7
1⤵
PID:354

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Network Connections Discovery

T1049

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads