Analysis
- max time kernel: 149s
- max time network: 150s
- platform: debian-9_armhf
- resource: debian9-armhf-20240418-en
- resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 12-07-2024 16:33
General
- Target: sora.arm7
- Size: 53KB
- MD5: 59a7319860856987828fbc686b6c9bbb
- SHA1: a98e3b3af9f90ce1422f5c07e2eca973f1975e46
- SHA256: 6f1807bd00b271807e104211ee0a49c3d50f651d186cfca8295dab2d28329d8a
- SHA512: d86b7ca0aabb86fd262273e0deca0daddcb2cc5bb020ca73162498e130e41ae7e1736b6caea3291f169f6ddbb969ec986733dbcefa058ed34bb0b18af578b08d
- SSDEEP: 1536:mHG6YXI/x4pNyrLKo8YEBClgw6wrLPeZDIAiXkfDpC:mHG1m4y79Eob6wLP8Dw
Malware Config
- Extracted: mirai (family: MIRAI)
Signatures
- Contacts a large (20527) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  Processes:
  description | ioc | process
  File opened for modification | /dev/watchdog | sora.arm7
  File opened for modification | /dev/misc/watchdog | sora.arm7
- Enumerates active TCP sockets (1 TTPs, 1 IoCs)
  Gets active TCP sockets from /proc virtual filesystem.
  Processes:
  description | ioc | process
  File opened for reading | /proc/net/tcp | sora.arm7
- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
  Processes:
  description | ioc | process
  File opened for reading | /proc/net/tcp | sora.arm7
- Reads runtime system information (29 IoCs)
  Reads data from /proc virtual filesystem.
  Processes:
  description | ioc | process
  File opened for reading | /proc/297/fd | sora.arm7
  File opened for reading | /proc/299/fd | sora.arm7
  File opened for reading | /proc/649/fd | sora.arm7
  File opened for reading | /proc/261/fd | sora.arm7
  File opened for reading | /proc/264/fd | sora.arm7
  File opened for reading | /proc/580/fd | sora.arm7
  File opened for reading | /proc/653/fd | sora.arm7
  File opened for reading | /proc/self/exe | sora.arm7
  File opened for reading | /proc/146/fd | sora.arm7
  File opened for reading | /proc/647/fd | sora.arm7
  File opened for reading | /proc/641/fd | sora.arm7
  File opened for reading | /proc/654/fd | sora.arm7
  File opened for reading | /proc/165/fd | sora.arm7
  File opened for reading | /proc/310/fd | sora.arm7
  File opened for reading | /proc/600/fd | sora.arm7
  File opened for reading | /proc/650/fd | sora.arm7
  File opened for reading | /proc/1/fd | sora.arm7
  File opened for reading | /proc/267/fd | sora.arm7
  File opened for reading | /proc/596/fd | sora.arm7
  File opened for reading | /proc/336/fd | sora.arm7
  File opened for reading | /proc/632/fd | sora.arm7
  File opened for reading | /proc/639/fd | sora.arm7
  File opened for reading | /proc/265/fd | sora.arm7
  File opened for reading | /proc/269/fd | sora.arm7
  File opened for reading | /proc/601/fd | sora.arm7
  File opened for reading | /proc/652/fd | sora.arm7
  File opened for reading | /proc/215/fd | sora.arm7
  File opened for reading | /proc/598/fd | sora.arm7
  File opened for reading | /proc/638/fd | sora.arm7
Downloads
- memory/646-1-0x00008000-0x0002bec4-memory.dmp