mirai | 71e33db6119899d5f54b11f22bae9355559e073ede780c41e46c15dba607607f | Triage

Submit
Reports

Overview

overview

Static

static

7

sora.x86.elf

ubuntu-18.04-amd64

Sharing

General

Target

sora.x86.elf
Size

27KB
Sample

230507-l9765sec68
MD5

b97bad82a026e34f3ad136af64dbac19
SHA1

0fe3fff5671d5f7c78051e5c1a4feacb21fec16e
SHA256

71e33db6119899d5f54b11f22bae9355559e073ede780c41e46c15dba607607f
SHA512

9f21f40967fa31d04cdfe9dded0768d8a9070992c2b3c4be0ec5d7f4daedba7ff60e6c874f85b6f36597b76ec2dff77ad23d2876ab902c9173da8acb921ad922
SSDEEP

768:u5+Kcrb9VDJee2KTgdTHOBcK5ZCAy71iC:hlrb9veKTg9QB5V8L

Score

10^/10

mirai sora botnet discovery linux upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

sora.x86.elf

Resource

ubuntu1804-amd64-20221111-en

mirai sora botnet discovery

ubuntu-18.04-amd64

9 signatures

150 seconds

Malware Config

Extracted

Family

mirai

Botnet

SORA

Targets

- Target
  
  sora.x86.elf
- Size
  
  27KB
- MD5
  
  b97bad82a026e34f3ad136af64dbac19
- SHA1
  
  0fe3fff5671d5f7c78051e5c1a4feacb21fec16e
- SHA256
  
  71e33db6119899d5f54b11f22bae9355559e073ede780c41e46c15dba607607f
- SHA512
  
  9f21f40967fa31d04cdfe9dded0768d8a9070992c2b3c4be0ec5d7f4daedba7ff60e6c874f85b6f36597b76ec2dff77ad23d2876ab902c9173da8acb921ad922
- SSDEEP
  
  768:u5+Kcrb9VDJee2KTgdTHOBcK5ZCAy71iC:hlrb9veKTg9QB5V8L
Score

10^/10

mirai sora botnet discovery
- Mirai
  Mirai is a prevalent Linux malware infecting exposed network devices.
  botnet mirai
- Contacts a large (160679) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies the Watchdog daemon
  Malware like Mirai modify the Watchdog to prevent it restarting an infected system.
- Changes its process name
- Enumerates active TCP sockets
  Gets active TCP sockets from /proc virtual filesystem.
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Reads system network configuration
  Uses contents of /proc filesystem to enumerate network settings.
- Reads runtime system information
  Reads data from /proc virtual filesystem.
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

Credential Access

Discovery

Network Service Scanning

System Network Connections Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

miraisorabotnetdiscovery

© 2018-2024

Terms | Privacy