8a656b7b345137960d2f778951588d8c4f98d0756c951368cd9eaf80525f1638

Analysis

max time kernel
6s
max time network
8s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240226-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
24-04-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sora(1).x86
Size

89KB
MD5

1b8e211fd4ca86563894bfd01a675f8c
SHA1

bf757c67129bda9bb3e47e2d3dccdc543feada97
SHA256

8a656b7b345137960d2f778951588d8c4f98d0756c951368cd9eaf80525f1638
SHA512

3b22a60ef3a9b3c2f1c072bc63a2ea838667e0fbbfc3b8a9c18d2e949172c7485f8c8092b3902ab2b698106df0ec7fdfde1ec7b5c1f8cb8adb032fbdb20aac73
SSDEEP

1536:xiojfDpCp8gCn5o9pnFKP91HKCmrxHYy3SvIvlZ2J+rniSrJAQrE3LF:0ojfDpC8gCnKLFKP91HK7rxnpltr9eQe

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (2318) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

sora(1).x86

description ioc process

File opened for modification /dev/watchdog sora(1).x86
File opened for modification /dev/misc/watchdog sora(1).x86
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

sora(1).x86

description ioc process

File opened for reading /proc/net/tcp sora(1).x86
Changes its process name 1 IoCs

Processes:

sora(1).x86

description pid process

Changes the process name, possibly in an attempt to hide itself 1553 sora(1).x86
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

sora(1).x86

description ioc process

File opened for reading /proc/net/tcp sora(1).x86

description	ioc	process
File opened for modification	/dev/watchdog	sora(1).x86
File opened for modification	/dev/misc/watchdog	sora(1).x86

description	ioc	process
File opened for reading	/proc/net/tcp	sora(1).x86

description	pid	process
Changes the process name, possibly in an attempt to hide itself	1553	sora(1).x86

description	ioc	process
File opened for reading	/proc/net/tcp	sora(1).x86

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

Processes:

sora(1).x86

description	ioc	process
File opened for reading	/proc/484/fd	sora(1).x86
File opened for reading	/proc/489/fd	sora(1).x86
File opened for reading	/proc/491/fd	sora(1).x86
File opened for reading	/proc/509/fd	sora(1).x86
File opened for reading	/proc/461/fd	sora(1).x86
File opened for reading	/proc/467/fd	sora(1).x86
File opened for reading	/proc/474/fd	sora(1).x86
File opened for reading	/proc/421/fd	sora(1).x86
File opened for reading	/proc/503/fd	sora(1).x86
File opened for reading	/proc/562/fd	sora(1).x86
File opened for reading	/proc/1557/exe	sora(1).x86
File opened for reading	/proc/313/fd	sora(1).x86
File opened for reading	/proc/425/fd	sora(1).x86
File opened for reading	/proc/508/fd	sora(1).x86
File opened for reading	/proc/541/fd	sora(1).x86
File opened for reading	/proc/421/exe	sora(1).x86
File opened for reading	/proc/1554/exe	sora(1).x86
File opened for reading	/proc/271/fd	sora(1).x86
File opened for reading	/proc/308/fd	sora(1).x86
File opened for reading	/proc/542/fd	sora(1).x86
File opened for reading	/proc/506/fd	sora(1).x86
File opened for reading	/proc/425/exe	sora(1).x86
File opened for reading	/proc/561/fd	sora(1).x86
File opened for reading	/proc/482/fd	sora(1).x86
File opened for reading	/proc/510/fd	sora(1).x86
File opened for reading	/proc/1/fd	sora(1).x86
File opened for reading	/proc/247/fd	sora(1).x86
File opened for reading	/proc/471/fd	sora(1).x86

/tmp/sora(1).x86
"/tmp/sora(1).x86"
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:1553

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Connections Discovery

T1049

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads