Analysis
- max time kernel: 3s
- max time network: 8s
- platform: debian-12_mipsel
- resource: debian12-mipsel-20240418-en
- resource tags: arch:mipsel image:debian12-mipsel-20240418-en kernel:6.1.0-17-4kc-malta locale:en-us os:debian-12-mipsel system
- submitted: 12-07-2024 16:36
General
- Target: sora.mpsl
- Size: 31KB
- MD5: 69ce5afe072fa6b0b437c33a51758a57
- SHA1: c36fb2f11179a0b5f9ee9621eb33febd36cc5832
- SHA256: 478834fc5e5ed423c54c2533011f6892e678b25b74843f541543aeeac5460836
- SHA512: 9def25466f07d8a78a073c87795317b5486cb5debbda02e4291599f60852f445354773cf6893dabbf427c91ca720e52b778dd8409bd520b18afad66e18834888
- SSDEEP: 768:ZmieP10RD2EnAJ2kgKNnyALwALPsq2sRH3DJKW4:kpPgVnaD2ALkbWzJA
Malware Config (Extracted)
- Family: mirai
- Botnet: MIRAI
Signatures
- Contacts a large (533) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  Processes (description / ioc / process):
    File opened for modification /dev/watchdog (process: sora.mpsl)
    File opened for modification /dev/misc/watchdog (process: sora.mpsl)
- Enumerates active TCP sockets (1 TTPs, 1 IoCs)
  Gets active TCP sockets from /proc virtual filesystem.
  Processes (description / ioc / process):
    File opened for reading /proc/net/tcp (process: sora.mpsl)
- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
  Processes (description / ioc / process):
    File opened for reading /proc/net/tcp (process: sora.mpsl)
- Reads runtime system information (26 IoCs)
  Reads data from /proc virtual filesystem.
  Processes (description / ioc / process):
    File opened for reading /proc/<pid>/fd (process: sora.mpsl) for each pid in: 337, 443, 713, 745, 391, 744, 308, 449, 679, 734, 742, 747, 711, 1, 379, 444, 710, 202, 667, 697, 680, 698, 180, 377, 380, 394
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
- memory/740-1-0x00400000-0x00459a30-memory.dmp