mirai | 345251267d03985a91e62e48fdb2364d6c00b83ef813311fefd1201a059d4367 | Triage

Submit
Reports

Overview

overview

Static

static

7

sora.x86.elf

ubuntu-18.04-amd64

Sharing

General

Target

sora.x86.elf
Size

24KB
Sample

230429-3vl4ssee5x
MD5

edf426722e9cf1d9b5102115d2aab441
SHA1

34db128b5efb586b4c19c5c009f54f9796c9a949
SHA256

345251267d03985a91e62e48fdb2364d6c00b83ef813311fefd1201a059d4367
SHA512

b51867f3b1108ce71c65756442d70f5aac6f8c53fd7eab72b36bc904173234251d4c26d37a89c1a10f6c322a34019eaf05246017a48fdc4e7ff4659bb0b1a3fd
SSDEEP

384:MCDKKQOcRpmYLdn6RBOFRFt5rUF81uiSSlCo3AnupVFNqnrrd1NEZgO8UXWozPLS:P/QOC0Yhn6ROHWF09cwNPFCnNBxceocR

Score

10^/10

mirai sora botnet discovery linux upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

sora.x86.elf

Resource

ubuntu1804-amd64-en-20211208

mirai sora botnet discovery

ubuntu-18.04-amd64

8 signatures

150 seconds

Malware Config

Extracted

Family

mirai

Botnet

SORA

Targets

- Target
  
  sora.x86.elf
- Size
  
  24KB
- MD5
  
  edf426722e9cf1d9b5102115d2aab441
- SHA1
  
  34db128b5efb586b4c19c5c009f54f9796c9a949
- SHA256
  
  345251267d03985a91e62e48fdb2364d6c00b83ef813311fefd1201a059d4367
- SHA512
  
  b51867f3b1108ce71c65756442d70f5aac6f8c53fd7eab72b36bc904173234251d4c26d37a89c1a10f6c322a34019eaf05246017a48fdc4e7ff4659bb0b1a3fd
- SSDEEP
  
  384:MCDKKQOcRpmYLdn6RBOFRFt5rUF81uiSSlCo3AnupVFNqnrrd1NEZgO8UXWozPLS:P/QOC0Yhn6ROHWF09cwNPFCnNBxceocR
Score

10^/10

mirai sora botnet discovery
- Mirai
  Mirai is a prevalent Linux malware infecting exposed network devices.
  botnet mirai
- Contacts a large (173361) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies the Watchdog daemon
  Malware like Mirai modify the Watchdog to prevent it restarting an infected system.
- Changes its process name
- Enumerates active TCP sockets
  Gets active TCP sockets from /proc virtual filesystem.
- Reads system network configuration
  Uses contents of /proc filesystem to enumerate network settings.
- Reads runtime system information
  Reads data from /proc virtual filesystem.
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

Credential Access

Discovery

Network Service Scanning

System Network Connections Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

miraisorabotnetdiscovery

© 2018-2024

Terms | Privacy