Overview

overview

10

Static

static

7

sora.x86.elf

ubuntu-18.04-amd64

10

Analysis

  • max time kernel
    153s
  • max time network
    154s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20221111-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    07-05-2023 10:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sora.x86.elf

  • Size

    27KB

  • MD5

    b97bad82a026e34f3ad136af64dbac19

  • SHA1

    0fe3fff5671d5f7c78051e5c1a4feacb21fec16e

  • SHA256

    71e33db6119899d5f54b11f22bae9355559e073ede780c41e46c15dba607607f

  • SHA512

    9f21f40967fa31d04cdfe9dded0768d8a9070992c2b3c4be0ec5d7f4daedba7ff60e6c874f85b6f36597b76ec2dff77ad23d2876ab902c9173da8acb921ad922

  • SSDEEP

    768:u5+Kcrb9VDJee2KTgdTHOBcK5ZCAy71iC:hlrb9veKTg9QB5V8L

Score
10/10
miraisorabotnetdiscovery

Malware Config

Extracted

Family

mirai

Botnet

SORA

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Contacts a large (160679) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Modifies the Watchdog daemon 1 TTPs

    Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

  • Changes its process name 1 IoCs
  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 28 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/sora.x86.elf
    /tmp/sora.x86.elf
    1⤵
    • Changes its process name
    PID:592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1
T1562

Credential Access

Discovery

Network Service Scanning

2
T1046

System Network Connections Discovery

1
T1049

System Network Configuration Discovery

1
T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/592-1-0x0000000008048000-0x0000000008057e80-memory.dmp
    Download