Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240418-en
  • resource tags

    arch:mips, image:debian9-mipsbe-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
  • submitted
    12-07-2024 13:03

General

  • Target

    sora.mips.elf

  • Size

    30KB

  • MD5

    b3c18f1e74d45a65c6b361ee37190ee9

  • SHA1

    106796e62e867d8c58229f504f1bc21dfae198fb

  • SHA256

    a3ceea3616f2476242e165c5be0065505ed61a1ebcf4f41873a7056f73894d57

  • SHA512

    bbd274f0e17665fd5daf60a386ef74dae4e590f2f372a7338d96f6915aa27bd795a4535dd06eb1976673e85ab8a39d6ad6797ae0443f5bada98923c7e64926e4

  • SSDEEP

    768:GHiX0hIAjIBfYwftE+k4TG4u6idlBiBjFEqfW1/sDvJgGlzDpbuR1Jh:GWEIBwwftlPCez1DtVJuP

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Contacts a large number (20407) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 26 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/sora.mips.elf
    /tmp/sora.mips.elf
    • Modifies Watchdog functionality
    • Enumerates active TCP sockets
    • Reads system network configuration
    • Reads runtime system information
    PID:717

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/717-1-0x00400000-0x00458c70-memory.dmp