Analysis
-
max time kernel
125s -
max time network
156s -
platform
debian-12_mipsel -
resource
debian12-mipsel-20240221-en -
resource tags
-
submitted
23-11-2024 15:12
General
-
Target
sora.mpsl.elf
-
Size
29KB
-
MD5
03b5fa5f1e96c217bed3a9fca8608cf6
-
SHA1
3cbc19ee9b976229d0eeaa407a9713e8d5a90ce2
-
SHA256
18fa959a348c7d2b631e8a60d857cdf52c519e95a18673df361f38574e9d1f7c
-
SHA512
ae3476787fc87acbe12012e48c2411450b4ac4a34c5aa866e6160a4b5f7ba82bda86b52fca0edac9124182260dee87bdaa7f2b0f0142e6383c06c909c6f64741
-
SSDEEP
384:i8pVWtmRsLYEpB6V8S628FuRUuNJG9whQ3Cfbo6w+K95orjOpJOYr8MCRWGVCz0n:HMYHb62x4ahQ3CfdwLjBOs87Ww
Malware Config
Extracted
mirai
SORA
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Mirai family
-
Contacts a large (135709) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Changes its process name 1 IoCs
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 26 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/sora.mpsl.elf/tmp/sora.mpsl.elf1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information