Analysis
-
max time kernel
149s -
max time network
151s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240418-en -
resource tags
arch:mipsel image:debian9-mipsel-20240418-en kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mipsel system -
submitted
12-07-2024 13:03
General
-
Target
sora.mpsl.elf
-
Size
31KB
-
MD5
69ce5afe072fa6b0b437c33a51758a57
-
SHA1
c36fb2f11179a0b5f9ee9621eb33febd36cc5832
-
SHA256
478834fc5e5ed423c54c2533011f6892e678b25b74843f541543aeeac5460836
-
SHA512
9def25466f07d8a78a073c87795317b5486cb5debbda02e4291599f60852f445354773cf6893dabbf427c91ca720e52b778dd8409bd520b18afad66e18834888
-
SSDEEP
768:ZmieP10RD2EnAJ2kgKNnyALwALPsq2sRH3DJKW4:kpPgVnaD2ALkbWzJA
Malware Config
Extracted
mirai
MIRAI
Signatures
-
Contacts a large (20399) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
sora.mpsl.elf
description | ioc | process
File opened for modification | /dev/misc/watchdog | sora.mpsl.elf
File opened for modification | /dev/watchdog | sora.mpsl.elf
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
Processes:
sora.mpsl.elf
description | ioc | process
File opened for reading | /proc/net/tcp | sora.mpsl.elf
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
Processes:
sora.mpsl.elf
description | ioc | process
File opened for reading | /proc/net/tcp | sora.mpsl.elf
-
Reads runtime system information 26 IoCs
Reads data from /proc virtual filesystem.
Downloads
-
memory/712-1-0x00400000-0x00459a30-memory.dmp