Analysis
- max time kernel: 149s
- max time network: 149s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240418-en
- resource tags: arch:mips, image:debian9-mipsbe-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 12-07-2024 13:03
General
- Target: sora.mips.elf
- Size: 30KB
- MD5: b3c18f1e74d45a65c6b361ee37190ee9
- SHA1: 106796e62e867d8c58229f504f1bc21dfae198fb
- SHA256: a3ceea3616f2476242e165c5be0065505ed61a1ebcf4f41873a7056f73894d57
- SHA512: bbd274f0e17665fd5daf60a386ef74dae4e590f2f372a7338d96f6915aa27bd795a4535dd06eb1976673e85ab8a39d6ad6797ae0443f5bada98923c7e64926e4
- SSDEEP: 768:GHiX0hIAjIBfYwftE+k4TG4u6idlBiBjFEqfW1/sDvJgGlzDpbuR1Jh:GWEIBwwftlPCez1DtVJuP
Malware Config
Extracted
mirai
MIRAI
Signatures
- Contacts a large number (20407) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Modifies Watchdog functionality (1 TTP, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.
  Processes:
  | description | ioc | process |
  | --- | --- | --- |
  | File opened for modification | /dev/misc/watchdog | sora.mips.elf |
  | File opened for modification | /dev/watchdog | sora.mips.elf |
- Enumerates active TCP sockets (1 TTP, 1 IoC)
  Gets active TCP sockets from the /proc virtual filesystem.
  Processes:
  | description | ioc | process |
  | --- | --- | --- |
  | File opened for reading | /proc/net/tcp | sora.mips.elf |
- Reads system network configuration (1 TTP, 1 IoC)
  Uses the contents of the /proc filesystem to enumerate network settings.
  Processes:
  | description | ioc | process |
  | --- | --- | --- |
  | File opened for reading | /proc/net/tcp | sora.mips.elf |
- Reads runtime system information (26 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes:
  | description | ioc | process |
  | --- | --- | --- |
  | File opened for reading | /proc/376/fd | sora.mips.elf |
  | File opened for reading | /proc/659/fd | sora.mips.elf |
  | File opened for reading | /proc/317/fd | sora.mips.elf |
  | File opened for reading | /proc/422/fd | sora.mips.elf |
  | File opened for reading | /proc/673/fd | sora.mips.elf |
  | File opened for reading | /proc/708/fd | sora.mips.elf |
  | File opened for reading | /proc/382/fd | sora.mips.elf |
  | File opened for reading | /proc/722/fd | sora.mips.elf |
  | File opened for reading | /proc/170/fd | sora.mips.elf |
  | File opened for reading | /proc/695/fd | sora.mips.elf |
  | File opened for reading | /proc/727/fd | sora.mips.elf |
  | File opened for reading | /proc/148/fd | sora.mips.elf |
  | File opened for reading | /proc/321/fd | sora.mips.elf |
  | File opened for reading | /proc/709/fd | sora.mips.elf |
  | File opened for reading | /proc/719/fd | sora.mips.elf |
  | File opened for reading | /proc/236/fd | sora.mips.elf |
  | File opened for reading | /proc/721/fd | sora.mips.elf |
  | File opened for reading | /proc/724/fd | sora.mips.elf |
  | File opened for reading | /proc/726/fd | sora.mips.elf |
  | File opened for reading | /proc/1/fd | sora.mips.elf |
  | File opened for reading | /proc/351/fd | sora.mips.elf |
  | File opened for reading | /proc/377/fd | sora.mips.elf |
  | File opened for reading | /proc/661/fd | sora.mips.elf |
  | File opened for reading | /proc/664/fd | sora.mips.elf |
  | File opened for reading | /proc/319/fd | sora.mips.elf |
  | File opened for reading | /proc/320/fd | sora.mips.elf |
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
- memory/717-1-0x00400000-0x00458c70-memory.dmp