mirai | e09c90f23193be2a7916a2f11a428c6a0aceab1c3722fca2404320456e97498c

Analysis

max time kernel
150s
max time network
153s
platform
debian-12_mipsel
resource
debian12-mipsel-20240221-en
resource tags

arch:mipselimage:debian12-mipsel-20240221-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
submitted
30-04-2024 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sora.mpsl.elf
Size

29KB
MD5

725d881fd8101182d02cbf02c5ffc855
SHA1

aa512662f69dbe1204e02ff02c91a84d5f16b7c1
SHA256

e09c90f23193be2a7916a2f11a428c6a0aceab1c3722fca2404320456e97498c
SHA512

92d12582ace75378c59dc450119dda5d6d6f066c230328617c39950f9d0fe82a825ef9f75b1ff7a982b918c0262c8b4d063f2754f3d7f7a1be64426a3daac6c0
SSDEEP

384:Q8pVWtmRsLYEpB6V8S628FuRUuNJG9whQ3Cfbo6w+K95orjpF1RWGVCz0Nv8:FMYHb62x4ahQ3CfdwLjYdWl

Score

10^/10

mirai sora botnet discovery

Malware Config

Extracted

Family

mirai

Botnet

SORA

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (172292) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

sora.mpsl.elf

description ioc process

File opened for modification /dev/misc/watchdog sora.mpsl.elf
File opened for modification /dev/watchdog sora.mpsl.elf
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 80.82.64.98
Destination IP 80.82.64.98
Destination IP 80.82.64.98
Destination IP 80.82.64.98
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

sora.mpsl.elf

description ioc process

File opened for reading /proc/net/tcp sora.mpsl.elf
Changes its process name 1 IoCs

Processes:

sora.mpsl.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself 4cg5e01g1jnh452pkop 726 sora.mpsl.elf
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

sora.mpsl.elf

description ioc process

File opened for reading /proc/net/tcp sora.mpsl.elf

description	ioc	process
File opened for modification	/dev/misc/watchdog	sora.mpsl.elf
File opened for modification	/dev/watchdog	sora.mpsl.elf

description	ioc
Destination IP	80.82.64.98
Destination IP	80.82.64.98
Destination IP	80.82.64.98
Destination IP	80.82.64.98

description	ioc	process
File opened for reading	/proc/net/tcp	sora.mpsl.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	4cg5e01g1jnh452pkop	726	sora.mpsl.elf

description	ioc	process
File opened for reading	/proc/net/tcp	sora.mpsl.elf

Reads runtime system information 26 IoCs

Reads data from /proc virtual filesystem.

Processes:

sora.mpsl.elf

description	ioc	process
File opened for reading	/proc/734/fd	sora.mpsl.elf
File opened for reading	/proc/796{1,1T	sora.mpsl.elf
File opened for reading	/proc/728/exe	sora.mpsl.elf
File opened for reading	/proc/180/fd	sora.mpsl.elf
File opened for reading	/proc/333/fd	sora.mpsl.elf
File opened for reading	/proc/728/fd	sora.mpsl.elf
File opened for reading	/proc/392/fd	sora.mpsl.elf
File opened for reading	/proc/436/fd	sora.mpsl.elf
File opened for reading	/proc/730/fd	sora.mpsl.elf
File opened for reading	/proc/737/fd	sora.mpsl.elf
File opened for reading	/proc/1/fd	sora.mpsl.elf
File opened for reading	/proc/355/fd	sora.mpsl.elf
File opened for reading	/proc/732/fd	sora.mpsl.elf
File opened for reading	/proc/203/fd	sora.mpsl.elf
File opened for reading	/proc/379/fd	sora.mpsl.elf
File opened for reading	/proc/388/fd	sora.mpsl.elf
File opened for reading	/proc/700/fd	sora.mpsl.elf
File opened for reading	/proc/680/fd	sora.mpsl.elf
File opened for reading	/proc/732/exe	sora.mpsl.elf
File opened for reading	/proc/681/fd	sora.mpsl.elf
File opened for reading	/proc/697/fd	sora.mpsl.elf
File opened for reading	/proc/711/fd	sora.mpsl.elf
File opened for reading	/proc/380/fd	sora.mpsl.elf
File opened for reading	/proc/403/fd	sora.mpsl.elf
File opened for reading	/proc/404/fd	sora.mpsl.elf
File opened for reading	/proc/668/fd	sora.mpsl.elf

/tmp/sora.mpsl.elf
/tmp/sora.mpsl.elf
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:726

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Connections Discovery

T1049

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/726-1-0x00400000-0x00455d70-memory.dmp

Download