Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240418-en
  • resource tags

    arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
  • submitted
    12-07-2024 13:03

General

  • Target

    sora.mpsl.elf

  • Size

    31KB

  • MD5

    69ce5afe072fa6b0b437c33a51758a57

  • SHA1

    c36fb2f11179a0b5f9ee9621eb33febd36cc5832

  • SHA256

    478834fc5e5ed423c54c2533011f6892e678b25b74843f541543aeeac5460836

  • SHA512

    9def25466f07d8a78a073c87795317b5486cb5debbda02e4291599f60852f445354773cf6893dabbf427c91ca720e52b778dd8409bd520b18afad66e18834888

  • SSDEEP

    768:ZmieP10RD2EnAJ2kgKNnyALwALPsq2sRH3DJKW4:kpPgVnaD2ALkbWzJA

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Contacts a large (20399) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 26 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/sora.mpsl.elf
    /tmp/sora.mpsl.elf
    1⤵
    • Modifies Watchdog functionality
    • Enumerates active TCP sockets
    • Reads system network configuration
    • Reads runtime system information
    PID:712

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/712-1-0x00400000-0x00459a30-memory.dmp