Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240221-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
  • submitted
    23-04-2024 10:51

General

  • Target

    sora.x86.elf

  • Size

    39KB

  • MD5

    be5a798817330425494809c2f5304d1c

  • SHA1

    0edb3f4395ec9a4c7c3f589e330eadf1b0457425

  • SHA256

    e46e14349d506e50bd7b0c760f86edfadbeb442f293ba6b5f41ddff0cb490caa

  • SHA512

    36f5cd0a076f0df9af7d2349dc8d3bb9269672f77f6e2ce7ca9031236294481a4537aceaf6f8f01c303aa2532a0063abc0fa671e5b54d3cc7d94b8862c3ce220

  • SSDEEP

    768:sgWRsr0BsMXlZu60wyvvt8SFl8Gkfe45ZjMqxLuEjqYHvlJ1dY1:sgWugBs6Qayvv/l8GmrZjMqxL1qYPlpK

Malware Config

Extracted

Family

mirai

Botnet

SORA

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Contacts a large (86119) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Changes its process name 1 IoCs
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/sora.x86.elf
    /tmp/sora.x86.elf
    1⤵
    • Modifies Watchdog functionality
    • Enumerates active TCP sockets
    • Changes its process name
    • Reads system network configuration
    • Reads runtime system information
    PID:1476

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1476-1-0x0000000008048000-0x000000000805cf48-memory.dmp