mirai | bed099cdf50214613f89144e00edb807760b44dad3cd3641ff0374c490eeebd3

Analysis

max time kernel
149s
max time network
150s
platform
debian-9_armhf
resource
debian9-armhf-20240226-en
resource tags

arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
23-04-2024 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sora.arm.elf
Size

31KB
MD5

a5cad4481a17e94cc218010857554435
SHA1

9a7a6bd0ca4e5a426cdce046ffce363d5c11ff42
SHA256

bed099cdf50214613f89144e00edb807760b44dad3cd3641ff0374c490eeebd3
SHA512

8bdceec0c7ae3c9a17c9967a5bf9f7ceb944b9cd0afb330715d0b57a5a6c4f2e4e4e387a019d1b4522be325bc14e8ce020023ea52046666c93a39ddc0a83273f
SSDEEP

384:uSBehsL5wFgC4Urp3VvZhUzaAfVGbrc2/pkTNW7CQRkPgosmkyCizUs1Hk8hymdR:Fkh3G0p3VhUHqvKT4Fc9pi8s3UozRK

Score

10^/10

mirai sora botnet discovery

Malware Config

Extracted

Family

mirai

Botnet

SORA

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (171459) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

sora.arm.elf

description ioc process

File opened for modification /dev/misc/watchdog sora.arm.elf
File opened for modification /dev/watchdog sora.arm.elf
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

sora.arm.elf

description ioc process

File opened for reading /proc/net/tcp sora.arm.elf
Changes its process name 1 IoCs

Processes:

sora.arm.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself gg0b1ok1if1en1525b 661 sora.arm.elf
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

sora.arm.elf

description ioc process

File opened for reading /proc/net/tcp sora.arm.elf

description	ioc	process
File opened for modification	/dev/misc/watchdog	sora.arm.elf
File opened for modification	/dev/watchdog	sora.arm.elf

description	ioc	process
File opened for reading	/proc/net/tcp	sora.arm.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	gg0b1ok1if1en1525b	661	sora.arm.elf

description	ioc	process
File opened for reading	/proc/net/tcp	sora.arm.elf

Reads runtime system information 16 IoCs

Reads data from /proc virtual filesystem.

Processes:

sora.arm.elf

description	ioc	process
File opened for reading	/proc/662/exe	sora.arm.elf
File opened for reading	/proc/278/fd	sora.arm.elf
File opened for reading	/proc/282/fd	sora.arm.elf
File opened for reading	/proc/297/fd	sora.arm.elf
File opened for reading	/proc/780{1,1T	sora.arm.elf
File opened for reading	/proc/self/exe	sora.arm.elf
File opened for reading	/proc/275/fd	sora.arm.elf
File opened for reading	/proc/280/fd	sora.arm.elf
File opened for reading	/proc/321/fd	sora.arm.elf
File opened for reading	/proc/172/fd	sora.arm.elf
File opened for reading	/proc/1/fd	sora.arm.elf
File opened for reading	/proc/148/fd	sora.arm.elf
File opened for reading	/proc/312/fd	sora.arm.elf
File opened for reading	/proc/665/exe	sora.arm.elf
File opened for reading	/proc/313/fd	sora.arm.elf
File opened for reading	/proc/221/fd	sora.arm.elf

/tmp/sora.arm.elf
/tmp/sora.arm.elf
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:661

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/661-1-0x00008000-0x000267cc-memory.dmp

Download