Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    debian-12_mipsel
  • resource
    debian12-mipsel-20240221-en
  • resource tags

    arch:mipselimage:debian12-mipsel-20240221-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
  • submitted
    03-08-2024 05:18

General

  • Target

    sora.mpsl.elf

  • Size

    29KB

  • MD5

    2619068bef850cc390f66b4275f38cea

  • SHA1

    e6ff6579ada47dc4edb544c9fd752b3a17f5bc93

  • SHA256

    a2cd2d709c2df6336aac1653365b48315577ebb0e2673a29b83b190a107e7375

  • SHA512

    09edd5553244727fd4c3a0db9fd118ff0e7d6e59f77d9879292eb535dfdbff910bf331434dced9daf1e736572e6089a9a962b49831247de0e06e724a17578aa8

  • SSDEEP

    768:C1uUtLrVDsAp6tLkFqok//xDMfRihJb8WUx:CbDs06t4fYpwYhAx

Malware Config

Extracted

Family

mirai

Botnet

SORA

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Contacts a large (49480) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Changes its process name 1 IoCs
  • Reads runtime system information 18 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/sora.mpsl.elf
    /tmp/sora.mpsl.elf
    1⤵
    • Modifies Watchdog functionality
    • Changes its process name
    • Reads runtime system information
    PID:740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/740-1-0x00400000-0x00455b00-memory.dmp