Analysis
max time kernel: 153s
max time network: 154s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20221111-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20221111-en, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 07-05-2023 10:15
General
Target: sora.x86.elf
Size: 27KB
MD5: b97bad82a026e34f3ad136af64dbac19
SHA1: 0fe3fff5671d5f7c78051e5c1a4feacb21fec16e
SHA256: 71e33db6119899d5f54b11f22bae9355559e073ede780c41e46c15dba607607f
SHA512: 9f21f40967fa31d04cdfe9dded0768d8a9070992c2b3c4be0ec5d7f4daedba7ff60e6c874f85b6f36597b76ec2dff77ad23d2876ab902c9173da8acb921ad922
SSDEEP: 768:u5+Kcrb9VDJee2KTgdTHOBcK5ZCAy71iC:hlrb9veKTg9QB5V8L
Malware Config
Extracted
Family: mirai
Botnet: SORA
Signatures

Contacts a large (160679) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services. Roughly 160,000 distinct destinations inside a 154 s network window is consistent with Mirai's stateless SYN scanner rather than with ordinary client traffic.

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Modifies the Watchdog daemon (1 TTP)
Malware like Mirai modifies the watchdog to prevent it from restarting an infected system: the leaked Mirai source opens /dev/watchdog (or /dev/misc/watchdog) and issues the WDIOC_SETOPTIONS ioctl with WDIOS_DISABLECARD, so a device that hangs or is starved by the scanner is not rebooted into a clean, uninfected state.
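The following is an added example, not code from the report or from the sample. It recomputes the ioctl request number that the leaked Mirai source hard-codes as 0x80045704, and shows the check a tracer (strace, ptrace or a seccomp-notify supervisor) would apply to an observed ioctl(2) call to decide whether it is the watchdog-disable request. Nothing in it opens /dev/watchdog; the path, request and argument values passed to `is_watchdog_disable` are the things a tracer would collect, and the `wdioc_setoptions_by_hand` arithmetic is the standard Linux _IOR encoding.

```c
/* Added example (not from the report or the Mirai sample): identify the
 * Mirai-style watchdog-disable ioctl from values a tracer observes. */
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/ioctl.h>
#include <linux/watchdog.h>
#endif

/* Fallbacks so the file also compiles where linux/watchdog.h is absent. */
#ifndef WDIOC_SETOPTIONS
#define WDIOC_SETOPTIONS 0x80045704UL
#endif
#ifndef WDIOS_DISABLECARD
#define WDIOS_DISABLECARD 0x0001
#endif

/* Recompute the request number by hand so the magic 0x80045704 seen in
 * Mirai's main.c can be verified: WDIOC_SETOPTIONS is _IOR('W', 4, int).
 *   dir  = _IOC_READ (2)   -> bits 30..31
 *   size = sizeof(int) (4) -> bits 16..29
 *   type = 'W' (0x57)      -> bits 8..15
 *   nr   = 4               -> bits 0..7                                  */
static unsigned long wdioc_setoptions_by_hand(void)
{
    return (2UL << 30) | ((unsigned long)sizeof(int) << 16) | ('W' << 8) | 4;
}

/* Device paths the leaked Mirai source tries, in order. */
static const char *const watchdog_paths[] = {
    "/dev/watchdog", "/dev/misc/watchdog", NULL
};

static int is_watchdog_path(const char *path)
{
    for (int i = 0; watchdog_paths[i]; i++)
        if (strcmp(path, watchdog_paths[i]) == 0)
            return 1;
    return 0;
}

/* Classify one observed ioctl: returns 1 when it is the "disable the card"
 * request on a watchdog device, 0 otherwise. `path` is what the traced fd
 * refers to (e.g. readlink of /proc/PID/fd/N), `req` the request number and
 * `arg` the int the caller passed by pointer (Mirai passes 1). */
static int is_watchdog_disable(const char *path, unsigned long req, int arg)
{
    return is_watchdog_path(path)
        && req == (unsigned long)WDIOC_SETOPTIONS
        && (arg & WDIOS_DISABLECARD) != 0;
}

int main(void)
{
    printf("WDIOC_SETOPTIONS = 0x%lx (recomputed: 0x%lx)\n",
           (unsigned long)WDIOC_SETOPTIONS, wdioc_setoptions_by_hand());
    /* The call as Mirai makes it, seen through a tracer: flagged. */
    printf("ioctl(/dev/watchdog, 0x80045704, &1) flagged: %d\n",
           is_watchdog_disable("/dev/watchdog", 0x80045704UL, 1));
    /* A routine keepalive (WDIOC_KEEPALIVE = 0x80045705) is not. */
    printf("ioctl(/dev/watchdog, 0x80045705, ...) flagged: %d\n",
           is_watchdog_disable("/dev/watchdog", 0x80045705UL, 0));
    return 0;
}
```

On a live system the cheapest signal is the open itself: Mirai opens the device read-write, so an auditd watch such as `auditctl -w /dev/watchdog -p w -k watchdog_tamper` records the access along with the offending pid and exe; legitimate watchdog daemons also open the device, so the rule is a lead for triage rather than a verdict on its own.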
Changes its process name (1 IoC)
Processes:
  description: Changes the process name, possibly in an attempt to hide itself
  pid: 592
  process: sora.x86.elf
Enumerates active TCP sockets (1 TTP, 1 IoC)
Gets active TCP sockets from the /proc virtual filesystem.
Processes:
  File opened for reading: /proc/net/tcp

Unexpected DNS network traffic destination (2 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
Processes:
  Destination IP: 38.84.24.12
  Destination IP: 38.84.24.12
Mirai's built-in resolver sends its queries directly to a server address compiled into the bot instead of using the host's configured resolvers, which is the usual reason this signature fires on Mirai samples; the report does not show the queried name, so it cannot be read from here.

Reads system network configuration (1 TTP, 1 IoC)
Uses contents of the /proc filesystem to enumerate network settings.
Processes:
  File opened for reading: /proc/net/tcp

Reads runtime system information (28 IoCs)
Reads data from the /proc virtual filesystem.
Processes:
  File opened for reading: /proc/595/fd
  File opened for reading: /proc/598/fd
  File opened for reading: /proc/335/fd
  File opened for reading: /proc/333/fd
  File opened for reading: /proc/340/fd
  File opened for reading: /proc/341/fd
  File opened for reading: /proc/357/fd
  File opened for reading: /proc/427/fd
  File opened for reading: /proc/428/fd
  File opened for reading: /proc/596/exe
  File opened for reading: /proc/295/fd
  File opened for reading: /proc/593/exe
  File opened for reading: /proc/253/fd
  File opened for reading: /proc/294/fd
  File opened for reading: /proc/587/fd
  File opened for reading: /proc/593/fd
  File opened for reading: /proc/1/fd
  File opened for reading: /proc/454/fd
  File opened for reading: /proc/596/fd
  File opened for reading: /proc/599/fd
  File opened for reading: /proc/233/fd
  File opened for reading: /proc/607{1,1T
  File opened for reading: /proc/364/fd
  File opened for reading: /proc/371/fd
  File opened for reading: /proc/453/fd
  File opened for reading: /proc/349/fd
  File opened for reading: /proc/348/fd
  File opened for reading: /proc/566/fd
The /proc/net/tcp read and the sweep of every /proc/<pid>/fd directory belong to one routine: Mirai's killer takes the socket inode of listeners on ports 23, 22 and 80 from /proc/net/tcp, finds the process whose fd links to socket:[inode], and kills it so it can own those ports itself. The /proc/<pid>/exe reads are the same routine inspecting other processes' executables for competing bots.
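Added example, not from the report or the sample, covering the /proc/net/tcp read and the /proc/<pid>/fd sweep flagged above. It parses the kernel's /proc/net/tcp line format (hex address:port pairs, hex state, decimal inode), keeps LISTEN sockets on the ports Mirai's killer targets, and resolves each socket inode to its owning pid by walking /proc/<pid>/fd and matching the socket:[inode] link target, which is exactly the access pattern the sandbox recorded. Run as-is it also answers "who owns this listener" during live response. The /proc/net/tcp text embedded below is constructed for the example, not captured from the sandbox, so on the machine running it the inode lookups return -1.

```c
/* Added example (not from the report or the Mirai sample): map listening
 * sockets on Mirai's target ports to owning pids via /proc, the way the
 * bot's killer routine does. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <dirent.h>
#include <unistd.h>

#define TCP_LISTEN 0x0A

struct tcp_entry { unsigned port; unsigned st; unsigned long inode; };

/* Parse one data line of /proc/net/tcp into e; returns 1 on success, 0 for
 * the header or a malformed line. Field order: sl local rem st tx:rx
 * tr:when retrnsmt uid timeout inode ... (addresses/ports/state are hex). */
static int parse_tcp_line(const char *line, struct tcp_entry *e)
{
    unsigned laddr, raddr, rport;
    unsigned long tx, rx, tr, when, retr, uid, timeout;
    int sl;
    int n = sscanf(line, " %d: %x:%x %x:%x %x %lx:%lx %lx:%lx %lx %lu %lu %lu",
                   &sl, &laddr, &e->port, &raddr, &rport, &e->st,
                   &tx, &rx, &tr, &when, &retr, &uid, &timeout, &e->inode);
    return n == 14;
}

/* Local ports the leaked Mirai killer goes after: telnet, ssh, http. */
static const unsigned mirai_kill_ports[] = { 23, 22, 80 };

static int is_mirai_target_port(unsigned port)
{
    for (size_t i = 0; i < sizeof mirai_kill_ports / sizeof *mirai_kill_ports; i++)
        if (mirai_kill_ports[i] == port) return 1;
    return 0;
}

/* Constructed sample of /proc/net/tcp (not from the sandbox run): a telnet
 * listener, an established ssh session, and an http listener. */
static const char *sample_net_tcp =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18123 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:0016 0100007F:C2A4 01 00000000:00000000 00:00000000 00000000  1000        0 18300 1 0000000000000000 20 4 30 10 -1\n"
    "   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18455 1 0000000000000000 100 0 0 10 0\n";

/* Collect LISTEN sockets on target ports from a /proc/net/tcp text into
 * out[] (at most max entries); returns the number found. */
static size_t find_target_listeners(const char *text, struct tcp_entry *out, size_t max)
{
    size_t n = 0;
    for (const char *p = text; *p && n < max; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        struct tcp_entry e;
        if (parse_tcp_line(line, &e) && e.st == TCP_LISTEN && is_mirai_target_port(e.port))
            out[n++] = e;
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

/* Walk /proc/<pid>/fd of every process looking for a link to socket:[inode];
 * this loop is what produces the "/proc/<pid>/fd" reads in the report.
 * Returns the pid, or -1 if no readable process owns that socket. */
static int pid_owning_inode(unsigned long inode)
{
    char want[64];
    snprintf(want, sizeof want, "socket:[%lu]", inode);
    DIR *proc = opendir("/proc");
    if (!proc) return -1;
    int found = -1;
    struct dirent *d;
    while (found < 0 && (d = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)d->d_name[0])) continue;
        char fdpath[300];
        snprintf(fdpath, sizeof fdpath, "/proc/%s/fd", d->d_name);
        DIR *fds = opendir(fdpath);
        if (!fds) continue;             /* not ours to read, or it exited */
        struct dirent *f;
        while ((f = readdir(fds)) != NULL) {
            char link[600], target[64];
            if (f->d_name[0] == '.') continue;
            snprintf(link, sizeof link, "%s/%s", fdpath, f->d_name);
            ssize_t r = readlink(link, target, sizeof target - 1);
            if (r < 0) continue;
            target[r] = '\0';
            if (strcmp(target, want) == 0) { found = atoi(d->d_name); break; }
        }
        closedir(fds);
    }
    closedir(proc);
    return found;
}

int main(void)
{
    struct tcp_entry hits[16];
    size_t n = find_target_listeners(sample_net_tcp, hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("port %u inode %lu -> pid %d\n", hits[i].port, hits[i].inode,
               pid_owning_inode(hits[i].inode));
    return 0;
}
```

Replacing `sample_net_tcp` with the contents of the real /proc/net/tcp turns this into the live check; sockets owned by other users' processes resolve only when run as root, which is also why the sandbox shows the bot sweeping pids it could not have inspected from an unprivileged account.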
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/592-1-0x0000000008048000-0x0000000008057e80-memory.dmp (process 592, mapping 0x08048000-0x08057e80; 0x08048000 is the conventional load address of a non-PIE 32-bit x86 ELF, matching the x86 target name)