Malware Analysis Report

2024-11-13 13:12

Sample ID 240802-xhgewswalr
Target sora.arm7.elf
SHA256 ddb07ed1f41dc60aa79794e3840d90403a519f6809062d09996295413f9ab80d
Tags
upx mirai sora botnet
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ddb07ed1f41dc60aa79794e3840d90403a519f6809062d09996295413f9ab80d

Threat Level: Known bad

The file sora.arm7.elf was found to be: Known bad.

Malicious Activity Summary

upx mirai sora botnet

Mirai

UPX packed file

Changes its process name

Reads runtime system information

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-02 18:51

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-02 18:51

Reported

2024-08-02 18:53

Platform

debian12-armhf-20240221-en

Max time kernel

1s

Max time network

138s

Command Line

[/tmp/sora.arm7.elf]

Signatures

Mirai

botnet mirai

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself h2hmc0jnkkpbjn1ofc1 /tmp/sora.arm7.elf N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/exe /tmp/sora.arm7.elf N/A

Processes

/tmp/sora.arm7.elf

[/tmp/sora.arm7.elf]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian12-armhf-20240221-en-12 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-12 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-12 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-12 udp

Files

memory/712-1-0x00008000-0x00029794-memory.dmp