Analysis

  • max time kernel
    153s
  • max time network
    167s
  • platform
    debian-12_mipsel
  • resource
    debian12-mipsel-20240221-en
  • resource tags

    arch:mipselimage:debian12-mipsel-20240221-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
  • submitted
    01-08-2024 09:28

General

  • Target

    sora.mpsl

  • Size

    29KB

  • MD5

    670b2a83b4d5148a1dccca584290e2f8

  • SHA1

    2a35bd305327adbafa5d005d153722c2622e17fd

  • SHA256

    a45730037d82fb70f3885f4e1e5908a47957a43c58ac5bc5d1552c7c4173f18b

  • SHA512

    cf0f01f2a9c7905ee32207ac7dae23f8c209f41ab054d46e49041c5a6a9aba4294bfc5644e1ae33a00737343dfd30b92532327cc1946405a73c54821391d9882

  • SSDEEP

    384:n8pVWtmRsLYEpB6V8S628FuRUuNJG9whQ3Cfbo6w+K95orjmFWVDbRWGVCz0Nvz:8MYHb62x4ahQ3CfdwLj1FqBW2

Malware Config

Extracted

Family

mirai

Botnet

SORA

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Contacts a large (159078) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Changes its process name 1 IoCs
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 30 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/sora.mpsl
    /tmp/sora.mpsl
    1⤵
    • Modifies Watchdog functionality
    • Enumerates active TCP sockets
    • Changes its process name
    • Reads system network configuration
    • Reads runtime system information
    PID:742

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/742-1-0x00400000-0x00455d70-memory.dmp