9c704a6c70fadaa3c4ffab229ba33ad7972d768b1921b8e56f9822e37ab7290c

Analysis

max time kernel
148s
max time network
151s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
11-11-2024 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sora.arm.elf
Size

93KB
MD5

e47573062e489340397c18805d309bcf
SHA1

c2890e1bd462a1d84b0037fab56b0e292829039f
SHA256

9c704a6c70fadaa3c4ffab229ba33ad7972d768b1921b8e56f9822e37ab7290c
SHA512

2f5c24af915ab8ce043417c856542042b53448729941869a5d4961817bee464b52dadfd39e999fe60aa9c4b936b98cf3f8dad1b4421aecaa4647535e4068bb28
SSDEEP

1536:RRjV0dCycygvZeRT2qeurZY0Mki7rwEhWH56oKdm10k9zgXYw0v6D56:zjVyKuru07i7rPC5LH0w6S656

Score

9^/10

defense_evasion discovery

Malware Config

Signatures

Contacts a large (49056) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
defense_evasion

Impair Defenses
T1562

Processes:

sora.arm.elf

description ioc process

File opened for modification /dev/watchdog sora.arm.elf
File opened for modification /dev/misc/watchdog sora.arm.elf
Enumerates running processes
Discovers information about currently running processes on the system
Changes its process name 1 IoCs

Processes:

sora.arm.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself 35k2pndbk005jbg5k5o 646 sora.arm.elf

description	ioc	process
File opened for modification	/dev/watchdog	sora.arm.elf
File opened for modification	/dev/misc/watchdog	sora.arm.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	35k2pndbk005jbg5k5o	646	sora.arm.elf

Reads runtime system information 29 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

sora.arm.elf

description	ioc	process
File opened for reading	/proc/647/exe	sora.arm.elf
File opened for reading	/proc/650/exe	sora.arm.elf
File opened for reading	/proc/601/exe	sora.arm.elf
File opened for reading	/proc/781/exe	sora.arm.elf
File opened for reading	/proc/785/exe	sora.arm.elf
File opened for reading	/proc/752/exe	sora.arm.elf
File opened for reading	/proc/758/exe	sora.arm.elf
File opened for reading	/proc/779/exe	sora.arm.elf
File opened for reading	/proc/580/exe	sora.arm.elf
File opened for reading	/proc/654/exe	sora.arm.elf
File opened for reading	/proc/775/exe	sora.arm.elf
File opened for reading	/proc/769/exe	sora.arm.elf
File opened for reading	/proc/777/exe	sora.arm.elf
File opened for reading	/proc/638/exe	sora.arm.elf
File opened for reading	/proc/644/exe	sora.arm.elf
File opened for reading	/proc/645/exe	sora.arm.elf
File opened for reading	/proc/712/exe	sora.arm.elf
File opened for reading	/proc/598/exe	sora.arm.elf
File opened for reading	/proc/643/exe	sora.arm.elf
File opened for reading	/proc/760/exe	sora.arm.elf
File opened for reading	/proc/767/exe	sora.arm.elf
File opened for reading	/proc/783/exe	sora.arm.elf
File opened for reading	/proc/595/exe	sora.arm.elf
File opened for reading	/proc/765/exe	sora.arm.elf
File opened for reading	/proc/771/exe	sora.arm.elf
File opened for reading	/proc/600/exe	sora.arm.elf
File opened for reading	/proc/680/exe	sora.arm.elf
File opened for reading	/proc/716/exe	sora.arm.elf
File opened for reading	/proc/773/exe	sora.arm.elf

/tmp/sora.arm.elf
/tmp/sora.arm.elf
1⤵
- Modifies Watchdog functionality
- Changes its process name
- Reads runtime system information
PID:646

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads