Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    debian-12_mipsel
  • resource
    debian12-mipsel-20240221-en
  • resource tags

    arch:mipselimage:debian12-mipsel-20240221-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
  • submitted
    30-04-2024 07:48

General

  • Target

    sora.mpsl.elf

  • Size

    29KB

  • MD5

    725d881fd8101182d02cbf02c5ffc855

  • SHA1

    aa512662f69dbe1204e02ff02c91a84d5f16b7c1

  • SHA256

    e09c90f23193be2a7916a2f11a428c6a0aceab1c3722fca2404320456e97498c

  • SHA512

    92d12582ace75378c59dc450119dda5d6d6f066c230328617c39950f9d0fe82a825ef9f75b1ff7a982b918c0262c8b4d063f2754f3d7f7a1be64426a3daac6c0

  • SSDEEP

    384:Q8pVWtmRsLYEpB6V8S628FuRUuNJG9whQ3Cfbo6w+K95orjpF1RWGVCz0Nv8:FMYHb62x4ahQ3CfdwLjYdWl

Malware Config

Extracted

Family

mirai

Botnet

SORA

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Contacts a large (172292) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Changes its process name 1 IoCs
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 26 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/sora.mpsl.elf
    /tmp/sora.mpsl.elf
    1⤵
    • Modifies Watchdog functionality
    • Enumerates active TCP sockets
    • Changes its process name
    • Reads system network configuration
    • Reads runtime system information
    PID:726

Network

MITRE ATT&CK Matrix ATT&CK v13

Defense Evasion

Impair Defenses

1
T1562

Discovery

Network Service Discovery

2
T1046

System Network Connections Discovery

1
T1049

System Network Configuration Discovery

1
T1016

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/726-1-0x00400000-0x00455d70-memory.dmp