mirai | ff5ccbd30f6a7cbb2c71a277aef05f6e20bdbf60325a08e3a6761ab2a2e0d4f9

Analysis

max time kernel
153s
max time network
154s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22/08/2023, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sora.x86.elf
Size

27KB
MD5

be13acfb700e1898bc5184675626c111
SHA1

4e98639ae98ec464f78b091478194eacca706fcc
SHA256

ff5ccbd30f6a7cbb2c71a277aef05f6e20bdbf60325a08e3a6761ab2a2e0d4f9
SHA512

b5a564e7556ae699216cd2a7fca4840d97ca4186261e792ba89627bd7548278410933448869c16145ea0d2aa71a6e2cd1b1f96de527b9134c05acb3cddc790f9
SSDEEP

384:Ms59WXUx5+bkbRaliVErjrL9VD9jPwrSaf5bwIB5/8x2BYFydHY0sNDZvzbSNHcq:t5+Kcrb9VDJef5Q2PdHuzb8HoEPbMp4N

Score

10^/10

mirai sora botnet discovery

Malware Config

Extracted

Family

mirai

Botnet

SORA

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (172593) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	596	sora.x86.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc
File opened for reading	/proc/net/tcp

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/tcp

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

description	ioc
File opened for reading	/proc/383/fd
File opened for reading	/proc/597/fd
File opened for reading	/proc/602/fd
File opened for reading	/proc/261/fd
File opened for reading	/proc/350/fd
File opened for reading	/proc/358/fd
File opened for reading	/proc/382/fd
File opened for reading	/proc/591/fd
File opened for reading	/proc/613{1,1T
File opened for reading	/proc/1/fd
File opened for reading	/proc/250/fd
File opened for reading	/proc/333/fd
File opened for reading	/proc/352/fd
File opened for reading	/proc/460/fd
File opened for reading	/proc/366/fd
File opened for reading	/proc/599/fd
File opened for reading	/proc/600/exe
File opened for reading	/proc/424/fd
File opened for reading	/proc/603/fd
File opened for reading	/proc/331/fd
File opened for reading	/proc/357/fd
File opened for reading	/proc/389/fd
File opened for reading	/proc/422/fd
File opened for reading	/proc/600/fd
File opened for reading	/proc/355/fd
File opened for reading	/proc/565/fd
File opened for reading	/proc/597/exe
File opened for reading	/proc/262/fd

/tmp/sora.x86.elf
/tmp/sora.x86.elf
1⤵
- Changes its process name
PID:596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads