Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    debian-12_armhf
  • resource
    debian12-armhf-20240221-en
  • resource tags

    arch:armhfimage:debian12-armhf-20240221-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
  • submitted
    12-07-2024 13:03

General

  • Target

    sora.arm7.elf

  • Size

    53KB

  • MD5

    59a7319860856987828fbc686b6c9bbb

  • SHA1

    a98e3b3af9f90ce1422f5c07e2eca973f1975e46

  • SHA256

    6f1807bd00b271807e104211ee0a49c3d50f651d186cfca8295dab2d28329d8a

  • SHA512

    d86b7ca0aabb86fd262273e0deca0daddcb2cc5bb020ca73162498e130e41ae7e1736b6caea3291f169f6ddbb969ec986733dbcefa058ed34bb0b18af578b08d

  • SSDEEP

    1536:mHG6YXI/x4pNyrLKo8YEBClgw6wrLPeZDIAiXkfDpC:mHG1m4y79Eob6wLP8Dw

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Contacts a large (19721) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 30 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/sora.arm7.elf
    /tmp/sora.arm7.elf
    1⤵
    • Modifies Watchdog functionality
    • Enumerates active TCP sockets
    • Reads system network configuration
    • Reads runtime system information
    PID:712

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/712-1-0x00008000-0x0002bec4-memory.dmp