Analysis
- max time kernel: 14162s
- max time network: 159s
- platform: linux_armhf
- resource: debian9-armhf-en-20211208
- submitted: 21-05-2022 14:51
Static task: static1
Behavioral task: behavioral1
- Sample: sora.arm7-20220521-1450
- Resource: debian9-armhf-en-20211208
General
- Target: sora.arm7-20220521-1450
- Size: 54KB
- MD5: 75df391413d0b7402e62f2de2f680ac6
- SHA1: 7b1043277c17f98d886f4c8177a5b619d280672e
- SHA256: 606391046b0214181557b134a557519eefb897052d19f4035ab0c032eaad59a0
- SHA512: ae2aed3f5d581178f5a537e94cb19f15b9bb1e00a3c6c08534be4e0065694be75cb4ac04acd0758c6df70e4d7f02894cf55f348cd8778da3c45247e31c9eb88d
Malware Config
Signatures
- Contacts a large (19710) number of remote hosts [1 TTPs]
  This may indicate a network scan to discover remotely running services.
- Creates a large number of network flows [1 TTPs]
  This may indicate a network scan to discover remotely running services.
- Modifies the Watchdog daemon [1 TTPs]
  Malware such as Mirai disables the watchdog so that it cannot reboot, and thereby clean, an infected device.
- Enumerates active TCP sockets [1 TTPs, 1 IoCs]
  Reads the active TCP socket table from the /proc virtual filesystem (normally /proc/net/tcp).
- Reads system network configuration [1 TTPs, 1 IoCs]
  Uses the contents of the /proc filesystem to enumerate network settings.
- Reads runtime system information [25 IoCs]
  Reads data from the /proc virtual filesystem (the /proc/<pid>/fd listings recorded below).
Processes:
sora.arm7-20220521-1450
description | ioc
/proc/347/fd | /proc/347/fd
/proc/352/fd | /proc/352/fd
/proc/354/fd | /proc/354/fd
/proc/356/fd | /proc/356/fd
/proc/164/fd | /proc/164/fd
/proc/230/fd | /proc/230/fd
/proc/301/fd | /proc/301/fd
/proc/304/fd | /proc/304/fd
/proc/233/fd | /proc/233/fd
/proc/306/fd | /proc/306/fd
/proc/349/fd | /proc/349/fd
/proc/351/fd | /proc/351/fd
/proc/ | /proc/
/proc/131/fd | /proc/131/fd
/proc/225/fd | /proc/225/fd
/proc/228/fd | /proc/228/fd
/proc/276/fd | /proc/276/fd
/proc/285/fd | /proc/285/fd
/proc/355/fd | /proc/355/fd
/proc/275/fd | /proc/275/fd
/proc/307/fd | /proc/307/fd
/proc/self/exe | /proc/self/exe
sora.arm7-20220521-1450
description | ioc
/proc/1/fd | /proc/1/fd
/proc/207/fd | /proc/207/fd
/proc/271/fd | /proc/271/fd
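The three /proc signatures above (active TCP sockets, network configuration, and the long run of /proc/<pid>/fd reads) describe one well-known routine: read /proc/net/tcp to find the socket inodes listening on a port, then walk every /proc/<pid>/fd directory and readlink each descriptor until one resolves to socket:[INODE], which names the owning process. That is the port-killer in Mirai's published source (killer.c); that this sample's reads serve exactly that purpose is an assumption, since the report records only the paths. The Python below is an added analysis reconstruction, not code from the report or from the sample. The /proc/net/tcp text and the fd symlink map are constructed; read_fd_links() is the live equivalent of the constructed map, and the little-endian address decoding matches the armhf sandbox platform.

```python
import os
import re
import socket
import struct

TCP_LISTEN = 0x0A  # socket state code as printed in /proc/net/tcp
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


def parse_proc_net_tcp(text, little_endian=True):
    """Parse the text of /proc/net/tcp into a list of socket records.

    The kernel prints the IPv4 address as a host-endian 32-bit hex word
    (on armhf, little-endian, 0100007F is 127.0.0.1); the port is plain hex.
    """
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        ip_hex, port_hex = fields[1].split(":")
        packed = struct.pack("<I" if little_endian else ">I", int(ip_hex, 16))
        rows.append({
            "ip": socket.inet_ntoa(packed),
            "port": int(port_hex, 16),
            "state": int(fields[3], 16),
            "inode": int(fields[9]),
        })
    return rows


def listening_inodes(rows, port):
    """Inodes of sockets in LISTEN state bound to `port`."""
    return {r["inode"] for r in rows if r["state"] == TCP_LISTEN and r["port"] == port}


def pids_holding_inodes(inodes, fd_links):
    """Map PIDs to the wanted socket inodes they hold open.

    fd_links is {pid: [readlink targets of /proc/<pid>/fd/*]}; a socket
    descriptor resolves to the string 'socket:[INODE]'.
    """
    found = {}
    for pid, targets in fd_links.items():
        for target in targets:
            m = SOCKET_LINK.fullmatch(target)
            if m and int(m.group(1)) in inodes:
                found.setdefault(pid, set()).add(int(m.group(1)))
    return found


def read_fd_links(proc="/proc"):
    """Live equivalent of the constructed fd map: walk /proc/<pid>/fd on this host.

    This directory walk is what the report records as /proc/<pid>/fd reads.
    """
    links = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        try:
            links[int(name)] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, or not ours to inspect
            continue
    return links


def pids_listening_on(port, net_tcp_text, fd_links):
    """End to end: which PIDs own a LISTEN socket on `port`."""
    rows = parse_proc_net_tcp(net_tcp_text)
    return pids_holding_inodes(listening_inodes(rows, port), fd_links)


# Constructed sample data (not taken from the report): a telnet and an ssh
# listener plus one established telnet connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 00000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 00000000 100 0 0 10 0
   2: 0100007F:0017 0100007F:9E4A 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 00000000 20 4 30 10 -1
"""
SAMPLE_FD_LINKS = {  # PIDs are arbitrary; 164 plays a telnet daemon, 207 an ssh daemon
    1: ["/dev/null", "/dev/null", "/dev/null"],
    164: ["/dev/null", "socket:[12345]", "socket:[12347]"],
    207: ["/dev/null", "socket:[12346]"],
}

if __name__ == "__main__":
    print(pids_listening_on(23, SAMPLE_PROC_NET_TCP, SAMPLE_FD_LINKS))  # {164: {12345}}
```

On a live box the same call is pids_listening_on(23, open("/proc/net/tcp").read(), read_fd_links()); the malware's version ends by sending SIGKILL to each returned PID, which is the step this reconstruction deliberately omits.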
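For the "Modifies the Watchdog daemon" signature, the published Mirai source opens /dev/watchdog (or /dev/misc/watchdog) and issues ioctl(fd, WDIOC_SETOPTIONS, &opt) with opt = WDIOS_DISABLECARD, which shows up in a raw trace as request number 0x80045704. The report does not show this sample's actual call, so that it uses the same ioctl is an assumption. The Python below is an added example, not the sandbox's detection logic: it decodes an ioctl request number into the asm-generic fields that arm uses, rebuilds WDIOC_SETOPTIONS from linux/watchdog.h, and scans a constructed stream of syscall events, tracking which descriptors point at a watchdog node, to flag the disable.

```python
# asm-generic ioctl number layout, which arm uses: nr | type | size | dir
_IOC_NRBITS, _IOC_TYPEBITS, _IOC_SIZEBITS = 8, 8, 14
_IOC_TYPESHIFT = _IOC_NRBITS                      # 8
_IOC_SIZESHIFT = _IOC_TYPESHIFT + _IOC_TYPEBITS   # 16
_IOC_DIRSHIFT = _IOC_SIZESHIFT + _IOC_SIZEBITS    # 30
_IOC_NONE, _IOC_WRITE, _IOC_READ = 0, 1, 2
DIR_NAMES = {_IOC_NONE: "NONE", _IOC_WRITE: "W", _IOC_READ: "R", _IOC_WRITE | _IOC_READ: "RW"}


def ioc(direction, type_char, nr, size):
    """Python equivalent of the kernel's _IOC() macro."""
    return (direction << _IOC_DIRSHIFT) | (ord(type_char) << _IOC_TYPESHIFT) | (size << _IOC_SIZESHIFT) | nr


# From linux/watchdog.h: WDIOC_SETOPTIONS = _IOR('W', 4, int); option bits below.
WDIOC_SETOPTIONS = ioc(_IOC_READ, "W", 4, 4)
WDIOS_DISABLECARD = 0x0001
WDIOS_ENABLECARD = 0x0002
WATCHDOG_NODES = ("/dev/watchdog", "/dev/watchdog0", "/dev/misc/watchdog")


def decode_ioctl(request):
    """Split an ioctl request number into its four fields."""
    return {
        "dir": DIR_NAMES[(request >> _IOC_DIRSHIFT) & 0x3],
        "type": chr((request >> _IOC_TYPESHIFT) & 0xFF),
        "nr": request & 0xFF,
        "size": (request >> _IOC_SIZESHIFT) & 0x3FFF,
    }


def is_watchdog_disable(request, option_value):
    """True for WDIOC_SETOPTIONS with the DISABLECARD bit set in the int argument."""
    return request == WDIOC_SETOPTIONS and (option_value & WDIOS_DISABLECARD) != 0


def find_watchdog_disables(events):
    """Scan parsed syscall events and return (node, decoded request) for each disable.

    Events are constructed dicts shaped like a parsed trace: open/openat carry the
    path and returned fd, ioctl carries fd, request and the pointed-to int value.
    Descriptor numbers are reused, so the map is updated on every open and close.
    """
    wd_fds = {}
    hits = []
    for ev in events:
        if ev["call"] in ("open", "openat") and ev["ret"] >= 0:
            if ev["path"] in WATCHDOG_NODES:
                wd_fds[ev["ret"]] = ev["path"]
            else:
                wd_fds.pop(ev["ret"], None)  # fd number now refers to something else
        elif ev["call"] == "close":
            wd_fds.pop(ev["fd"], None)
        elif ev["call"] == "ioctl" and ev["fd"] in wd_fds:
            if is_watchdog_disable(ev["request"], ev["arg"]):
                hits.append((wd_fds[ev["fd"]], decode_ioctl(ev["request"])))
    return hits


# Constructed event stream (not from the report); mirrors the sequence in
# Mirai's public main.c, followed by an unrelated reuse of the same fd number.
SAMPLE_EVENTS = [
    {"call": "openat", "path": "/dev/watchdog", "ret": 3},
    {"call": "ioctl", "fd": 3, "request": 0x80045704, "arg": 1},
    {"call": "close", "fd": 3},
    {"call": "openat", "path": "/etc/passwd", "ret": 3},
    {"call": "ioctl", "fd": 3, "request": 0x80045704, "arg": 1},  # not a watchdog fd
]

if __name__ == "__main__":
    print(find_watchdog_disables(SAMPLE_EVENTS))
```

Feeding this the sample's own trace requires parsing strace or sandbox output into the event dicts shown; the decoder also makes a bare 0x80045704 in a trace readable as _IOR('W', 4, int) without looking it up.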