Analysis
- max time kernel: 150s
- max time network: 159s
- platform: debian-12_armhf
- resource: debian12-armhf-20240221-en
- resource tags: arch:armhf, image:debian12-armhf-20240221-en, kernel:6.1.0-17-armmp-lpae, locale:en-us, os:debian-12-armhf, system
- submitted: 12-07-2024 13:03
General
- Target: sora.arm7.elf
- Size: 53KB
- MD5: 59a7319860856987828fbc686b6c9bbb
- SHA1: a98e3b3af9f90ce1422f5c07e2eca973f1975e46
- SHA256: 6f1807bd00b271807e104211ee0a49c3d50f651d186cfca8295dab2d28329d8a
- SHA512: d86b7ca0aabb86fd262273e0deca0daddcb2cc5bb020ca73162498e130e41ae7e1736b6caea3291f169f6ddbb969ec986733dbcefa058ed34bb0b18af578b08d
- SSDEEP: 1536:mHG6YXI/x4pNyrLKo8YEBClgw6wrLPeZDIAiXkfDpC:mHG1m4y79Eob6wLP8Dw
Malware Config
Extracted
mirai
MIRAI
Signatures
-
Contacts a large (19721) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.
Processes:
sora.arm7.elf
description                  | ioc                 | process
File opened for modification | /dev/watchdog       | sora.arm7.elf
File opened for modification | /dev/misc/watchdog  | sora.arm7.elf
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
Processes:
sora.arm7.elf
description             | ioc           | process
File opened for reading | /proc/net/tcp | sora.arm7.elf
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
Processes:
sora.arm7.elf
description             | ioc           | process
File opened for reading | /proc/net/tcp | sora.arm7.elf
-
Reads runtime system information 30 IoCs
Reads data from /proc virtual filesystem.
Processes:
sora.arm7.elf
description             | ioc            | process
File opened for reading | /proc/222/fd   | sora.arm7.elf
File opened for reading | /proc/573/fd   | sora.arm7.elf
File opened for reading | /proc/721/fd   | sora.arm7.elf
File opened for reading | /proc/187/fd   | sora.arm7.elf
File opened for reading | /proc/318/fd   | sora.arm7.elf
File opened for reading | /proc/355/fd   | sora.arm7.elf
File opened for reading | /proc/714/fd   | sora.arm7.elf
File opened for reading | /proc/716/fd   | sora.arm7.elf
File opened for reading | /proc/720/fd   | sora.arm7.elf
File opened for reading | /proc/666/fd   | sora.arm7.elf
File opened for reading | /proc/341/fd   | sora.arm7.elf
File opened for reading | /proc/1/fd     | sora.arm7.elf
File opened for reading | /proc/317/fd   | sora.arm7.elf
File opened for reading | /proc/324/fd   | sora.arm7.elf
File opened for reading | /proc/440/fd   | sora.arm7.elf
File opened for reading | /proc/688/fd   | sora.arm7.elf
File opened for reading | /proc/690/fd   | sora.arm7.elf
File opened for reading | /proc/250/fd   | sora.arm7.elf
File opened for reading | /proc/309/fd   | sora.arm7.elf
File opened for reading | /proc/339/fd   | sora.arm7.elf
File opened for reading | /proc/344/fd   | sora.arm7.elf
File opened for reading | /proc/441/fd   | sora.arm7.elf
File opened for reading | /proc/686/fd   | sora.arm7.elf
File opened for reading | /proc/718/fd   | sora.arm7.elf
File opened for reading | /proc/self/exe | sora.arm7.elf
File opened for reading | /proc/326/fd   | sora.arm7.elf
File opened for reading | /proc/560/fd   | sora.arm7.elf
File opened for reading | /proc/685/fd   | sora.arm7.elf
File opened for reading | /proc/713/fd   | sora.arm7.elf
File opened for reading | /proc/717/fd   | sora.arm7.elf
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
-
memory/712-1-0x00008000-0x0002bec4-memory.dmp