Edit tour

Linux Analysis Report
sora.sh4.elf

Overview

General Information

Sample name:	sora.sh4.elf
Analysis ID:	1564805
MD5:	ddd7c47a4422d6bd5d4e8c0f7b5176c2
SHA1:	4a4d85fe96503e2471ef85dde9ede9fa1b7936d9
SHA256:	591d03ac5bade653f673e1aaaea02bf4bbdce88734618db775251d53c6e2272f
Tags:	elfMiraiuser-abuse_ch
Infos:

Detection

Mirai

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1564805
Start date and time:	2024-11-28 19:57:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 24s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	sora.sh4.elf
Detection:	MAL
Classification:	mal80.troj.linELF@0/0@2/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100
VT rate limit hit for: sora.sh4.elf

Runtime Messages

Command:	/tmp/sora.sh4.elf
PID:	5534
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Process Tree

system is lnxubuntu20

sora.sh4.elf (PID: 5534, Parent: 5452, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/sora.sh4.elf

sora.sh4.elf New Fork (PID: 5537, Parent: 5534)

sora.sh4.elf New Fork (PID: 5539, Parent: 5534)

sora.sh4.elf New Fork (PID: 5540, Parent: 5534)

sora.sh4.elf New Fork (PID: 5543, Parent: 5540)

sora.sh4.elf New Fork (PID: 5544, Parent: 5540)

sora.sh4.elf New Fork (PID: 5546, Parent: 5540)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
sora.sh4.elf	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
sora.sh4.elf	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
sora.sh4.elf	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0xe4e4:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A

Memory Dumps

Source	Rule	Description	Author	Strings
5539.1.00007f952c37f000.00007f952c38f000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5539.1.00007f952c37f000.00007f952c38f000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5539.1.00007f952c37f000.00007f952c38f000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0xe4e4:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
5534.1.00007f952c37f000.00007f952c38f000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5534.1.00007f952c37f000.00007f952c38f000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5534.1.00007f952c37f000.00007f952c38f000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0xe4e4:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
5544.1.00007f952c37f000.00007f952c38f000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5544.1.00007f952c37f000.00007f952c38f000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5544.1.00007f952c37f000.00007f952c38f000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0xe4e4:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
Process Memory Space: sora.sh4.elf PID: 5539	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
Click to see the 5 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: sora.sh4.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: sora.sh4.elf

ReversingLabs: Detection: 71%

Source: global traffic

TCP traffic: 192.168.2.14:39218 -> 154.216.17.153:1312

Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.153
Source: unknown	TCP traffic detected without corresponding DNS query: 68.0.30.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.161.60.31
Source: unknown	TCP traffic detected without corresponding DNS query: 96.216.112.205
Source: unknown	TCP traffic detected without corresponding DNS query: 90.108.163.28
Source: unknown	TCP traffic detected without corresponding DNS query: 65.193.231.106
Source: unknown	TCP traffic detected without corresponding DNS query: 104.169.44.241
Source: unknown	TCP traffic detected without corresponding DNS query: 81.241.203.77
Source: unknown	TCP traffic detected without corresponding DNS query: 156.164.230.208
Source: unknown	TCP traffic detected without corresponding DNS query: 223.92.176.216
Source: unknown	TCP traffic detected without corresponding DNS query: 16.222.84.60
Source: unknown	TCP traffic detected without corresponding DNS query: 222.29.135.183
Source: unknown	TCP traffic detected without corresponding DNS query: 96.240.150.110
Source: unknown	TCP traffic detected without corresponding DNS query: 64.43.217.83
Source: unknown	TCP traffic detected without corresponding DNS query: 48.25.172.62
Source: unknown	TCP traffic detected without corresponding DNS query: 67.148.101.127
Source: unknown	TCP traffic detected without corresponding DNS query: 165.72.180.5
Source: unknown	TCP traffic detected without corresponding DNS query: 17.28.216.21
Source: unknown	TCP traffic detected without corresponding DNS query: 207.214.59.109
Source: unknown	TCP traffic detected without corresponding DNS query: 165.6.151.125
Source: unknown	TCP traffic detected without corresponding DNS query: 48.3.131.136
Source: unknown	TCP traffic detected without corresponding DNS query: 91.106.254.6
Source: unknown	TCP traffic detected without corresponding DNS query: 216.94.88.120
Source: unknown	TCP traffic detected without corresponding DNS query: 93.180.224.141
Source: unknown	TCP traffic detected without corresponding DNS query: 190.51.67.181
Source: unknown	TCP traffic detected without corresponding DNS query: 106.109.226.150
Source: unknown	TCP traffic detected without corresponding DNS query: 169.156.171.126
Source: unknown	TCP traffic detected without corresponding DNS query: 221.155.201.216
Source: unknown	TCP traffic detected without corresponding DNS query: 78.144.220.53
Source: unknown	TCP traffic detected without corresponding DNS query: 45.185.197.21
Source: unknown	TCP traffic detected without corresponding DNS query: 196.115.98.91
Source: unknown	TCP traffic detected without corresponding DNS query: 106.199.20.87
Source: unknown	TCP traffic detected without corresponding DNS query: 199.66.60.33
Source: unknown	TCP traffic detected without corresponding DNS query: 167.24.26.171
Source: unknown	TCP traffic detected without corresponding DNS query: 73.113.158.151
Source: unknown	TCP traffic detected without corresponding DNS query: 4.243.166.48
Source: unknown	TCP traffic detected without corresponding DNS query: 197.77.60.166
Source: unknown	TCP traffic detected without corresponding DNS query: 168.151.89.91
Source: unknown	TCP traffic detected without corresponding DNS query: 255.36.228.177
Source: unknown	TCP traffic detected without corresponding DNS query: 80.63.94.64
Source: unknown	TCP traffic detected without corresponding DNS query: 106.90.74.188
Source: unknown	TCP traffic detected without corresponding DNS query: 254.245.202.180
Source: unknown	TCP traffic detected without corresponding DNS query: 117.22.20.173
Source: unknown	TCP traffic detected without corresponding DNS query: 101.137.132.149
Source: unknown	TCP traffic detected without corresponding DNS query: 120.214.121.199
Source: unknown	TCP traffic detected without corresponding DNS query: 222.155.94.23
Source: unknown	TCP traffic detected without corresponding DNS query: 65.183.173.74
Source: unknown	TCP traffic detected without corresponding DNS query: 205.222.53.31
Source: unknown	TCP traffic detected without corresponding DNS query: 152.106.28.227
Source: unknown	TCP traffic detected without corresponding DNS query: 74.120.241.65

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

System Summary

Malicious sample detected (through community Yara rule)

Source: sora.sh4.elf, type: SAMPLE	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5539.1.00007f952c37f000.00007f952c38f000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5534.1.00007f952c37f000.00007f952c38f000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5544.1.00007f952c37f000.00007f952c38f000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth

Source: ELF static info symbol of initial sample

.symtab present: no

Source: sora.sh4.elf, type: SAMPLE	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5539.1.00007f952c37f000.00007f952c38f000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5534.1.00007f952c37f000.00007f952c38f000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5544.1.00007f952c37f000.00007f952c38f000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research

Source: classification engine

Classification label: mal80.troj.linELF@0/0@2/0

Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/5661/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3760/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3761/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/2672/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1583/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3244/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3120/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3361/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3759/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3239/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1577/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1610/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/512/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1299/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3235/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/514/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/5537/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/519/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/2946/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/917/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3758/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3134/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1593/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3011/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3094/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/2955/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3406/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1589/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3129/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1588/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3402/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3125/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3246/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3245/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/767/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/800/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/888/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/801/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/769/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/5546/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/803/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/806/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/807/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/928/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/2956/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3662/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3420/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/490/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3142/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1635/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1633/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1599/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3139/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1873/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1630/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3412/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/657/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/658/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/659/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/418/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/419/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1639/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1638/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3398/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1371/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3392/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/780/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/660/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/661/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/782/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1369/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3304/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3425/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/785/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1642/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/940/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/941/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1640/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3147/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3268/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1364/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/548/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1647/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/2991/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1383/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1382/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1381/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/791/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/671/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/794/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1655/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/795/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/674/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1653/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/797/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/2983/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3159/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/678/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1650/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3157/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/679/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/1659/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3319/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/5475/exe
Source: /tmp/sora.sh4.elf (PID: 5543)	File opened: /proc/3178/exe

Source: /tmp/sora.sh4.elf (PID: 5534)

Queries kernel information via 'uname':

Source: sora.sh4.elf, 5534.1.00007ffde66a7000.00007ffde66c8000.rw-.sdmp, sora.sh4.elf, 5539.1.00007ffde66a7000.00007ffde66c8000.rw-.sdmp, sora.sh4.elf, 5544.1.00007ffde66a7000.00007ffde66c8000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: sora.sh4.elf, 5534.1.000055e5fda47000.000055e5fdaaa000.rw-.sdmp, sora.sh4.elf, 5539.1.000055e5fda47000.000055e5fdaaa000.rw-.sdmp, sora.sh4.elf, 5544.1.000055e5fda47000.000055e5fdaaa000.rw-.sdmp	Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: sora.sh4.elf, 5534.1.000055e5fda47000.000055e5fdaaa000.rw-.sdmp, sora.sh4.elf, 5539.1.000055e5fda47000.000055e5fdaaa000.rw-.sdmp, sora.sh4.elf, 5544.1.000055e5fda47000.000055e5fdaaa000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4
Source: sora.sh4.elf, 5534.1.00007ffde66a7000.00007ffde66c8000.rw-.sdmp, sora.sh4.elf, 5539.1.00007ffde66a7000.00007ffde66c8000.rw-.sdmp, sora.sh4.elf, 5544.1.00007ffde66a7000.00007ffde66c8000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/sora.sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sora.sh4.elf

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: sora.sh4.elf, type: SAMPLE
Source: Yara match	File source: 5539.1.00007f952c37f000.00007f952c38f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5534.1.00007f952c37f000.00007f952c38f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5544.1.00007f952c37f000.00007f952c38f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sora.sh4.elf PID: 5539, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: sora.sh4.elf, type: SAMPLE
Source: Yara match	File source: 5539.1.00007f952c37f000.00007f952c38f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5534.1.00007f952c37f000.00007f952c38f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5544.1.00007f952c37f000.00007f952c38f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sora.sh4.elf PID: 5539, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sora.sh4.elf	71%	ReversingLabs	Linux.Trojan.Mirai
sora.sh4.elf	100%	Avira	LINUX/Mirai.bonb

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.24	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
58.202.177.142	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
159.64.241.190	unknown	United States	32982	DOE-HQUS	false
212.52.175.99	unknown	Hungary	28924	INTEGRITY-HU-ASHU	false
63.39.143.10	unknown	United States	3356	LEVEL3US	false
249.14.196.103	unknown	Reserved	unknown	unknown	false
42.192.16.243	unknown	China	4249	LILLY-ASUS	false
5.12.90.139	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	false
98.232.70.184	unknown	United States	7922	COMCAST-7922US	false
105.140.212.239	unknown	Morocco	6713	IAM-ASMA	false
192.207.58.154	unknown	United States	32082	BSC-20041102US	false
31.185.231.183	unknown	United Kingdom	6871	PLUSNETUKInternetServiceProviderGB	false
146.220.114.141	unknown	Luxembourg	204590	SWISS-ASCH	false
80.107.96.109	unknown	Greece	6799	OTENET-GRAthens-GreeceGR	false
110.39.166.129	unknown	Pakistan	38264	WATEEN-IMS-PK-AS-APNationalWiMAXIMSenvironmentPK	false
218.220.155.239	unknown	Japan	9617	ZAQJupiterTelecommunicationsCoLtdJP	false
102.222.82.226	unknown	unknown	36926	CKL1-ASNKE	false
150.1.78.94	unknown	Japan	6400	CompaniaDominicanadeTelefonosSADO	false
67.58.124.128	unknown	United States	14615	ROCK-HILL-TELEPHONEUS	false
88.134.156.126	unknown	Germany	31334	KABELDEUTSCHLAND-ASDE	false
79.218.100.138	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
85.128.200.52	unknown	Poland	15967	NAZWAPL	false
190.23.45.125	unknown	Paraguay	27866	COPACOPY	false
91.130.14.11	unknown	Austria	1257	TELE2EU	false
164.0.143.52	unknown	Kazakhstan	29355	KCELL-ASKZ	false
223.216.154.47	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
145.31.212.219	unknown	Netherlands	42894	MINVENW-RWSMinVenW-RijkswaterstaatBackboneNL	false
4.254.167.35	unknown	United States	3356	LEVEL3US	false
84.143.2.211	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
168.75.155.164	unknown	United States	14135	NAVISITE-EAST-2US	false
197.12.199.97	unknown	Tunisia	37703	ATLAXTN	false
141.44.15.196	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false
149.106.157.56	unknown	United States	19999	UNIONASNUS	false
35.219.213.175	unknown	United States	19527	GOOGLE-2US	false
117.255.236.149	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	false
142.64.238.6	unknown	Canada	5769	VIDEOTRONCA	false
206.222.200.40	unknown	United States	15108	ALLO-COMMUS	false
145.242.154.40	unknown	France	1101	IP-EEND-ASIP-EENDBVNL	false
68.250.134.115	unknown	United States	7018	ATT-INTERNET4US	false
116.162.104.215	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
58.170.22.167	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
241.50.76.188	unknown	Reserved	unknown	unknown	false
172.57.85.118	unknown	United States	21928	T-MOBILE-AS21928US	false
165.237.183.16	unknown	United States	3456	TWC-3456-ITUS	false
251.234.67.51	unknown	Reserved	unknown	unknown	false
243.126.76.164	unknown	Reserved	unknown	unknown	false
35.184.93.84	unknown	United States	15169	GOOGLEUS	false
175.227.77.64	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
91.174.79.10	unknown	France	12322	PROXADFR	false
100.17.25.113	unknown	United States	701	UUNETUS	false
101.14.115.233	unknown	Taiwan; Republic of China (ROC)	24158	TAIWANMOBILE-ASTaiwanMobileCoLtdTW	false
76.241.14.39	unknown	United States	7018	ATT-INTERNET4US	false
118.144.228.44	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
2.187.183.239	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
203.117.119.34	unknown	Singapore	4657	STARHUB-INTERNETStarHubLtdSG	false
104.44.147.151	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
19.167.223.34	unknown	United States	3	MIT-GATEWAYSUS	false
66.29.186.182	unknown	United States	32808	UTAHBROADBAND-AS1US	false
14.4.246.118	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false
151.109.8.118	unknown	United States	1218	NCUBE-BELMONT-ASUS	false
220.162.96.250	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
17.111.180.131	unknown	United States	714	APPLE-ENGINEERINGUS	false
218.9.165.51	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
77.92.31.121	unknown	Cyprus	43356	COMTECH-ASTR	false
77.47.59.205	unknown	Germany	35244	KMS-DE_ASDE	false
44.168.122.170	unknown	United States	20473	AS-CHOOPAUS	false
250.136.198.230	unknown	Reserved	unknown	unknown	false
200.9.212.10	unknown	Argentina	263249	MasterBaseSACL	false
171.234.17.145	unknown	Viet Nam	7552	VIETEL-AS-APViettelGroupVN	false
220.182.67.5	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
146.227.250.160	unknown	United Kingdom	786	JANETJiscServicesLimitedGB	false
148.200.235.46	unknown	Netherlands	33915	TNF-ASNL	false
158.205.145.129	unknown	Japan	4694	IDCFIDCFrontierIncJP	false
46.84.168.31	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
169.192.200.41	unknown	United States	37611	AfrihostZA	false
46.132.103.37	unknown	Finland	1759	TSF-IP-CORETeliaFinlandOyjEU	false
249.162.127.113	unknown	Reserved	unknown	unknown	false
43.160.156.32	unknown	Japan	4249	LILLY-ASUS	false
196.74.72.240	unknown	Morocco	36903	MT-MPLSMA	false
206.50.62.34	unknown	United States	2914	NTT-COMMUNICATIONS-2914US	false
63.90.62.225	unknown	United States	701	UUNETUS	false
76.50.164.153	unknown	United States	18494	CENTURYLINK-LEGACY-EMBARQ-WRBGUS	false
181.157.10.239	unknown	Colombia	26611	COMCELSACO	false
9.108.199.206	unknown	United States	3356	LEVEL3US	false
123.217.96.216	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
45.62.135.63	unknown	United States	31882	ABS-AS1US	false
145.202.2.222	unknown	Netherlands	1101	IP-EEND-ASIP-EENDBVNL	false
119.2.4.202	unknown	China	23724	CHINANET-IDC-BJ-APIDCChinaTelecommunicationsCorporation	false
141.224.226.177	unknown	United States	18454	AUGSBURGUS	false
186.85.150.225	unknown	Colombia	10620	TelmexColombiaSACO	false
154.114.47.243	unknown	South Africa	2018	TENET-1ZA	false
36.144.68.134	unknown	China	56044	CMNET-AS-LIAONINGChinaMobilecommunicationscorporationC	false
111.36.229.194	unknown	China	24444	CMNET-V4SHANDONG-AS-APShandongMobileCommunicationCompany	false
93.48.179.248	unknown	Italy	12874	FASTWEBIT	false
91.229.112.4	unknown	Russian Federation	56957	IX-2-ASRU	false
203.23.142.162	unknown	Australia	9749	GPKNET-AS-AUGPKComputersPtyLtdInternetServiceProvide	false
173.164.129.216	unknown	United States	7922	COMCAST-7922US	false
154.136.21.106	unknown	Egypt	37069	MOBINILEG	false
128.12.130.141	unknown	United States	32	STANFORDUS	false
64.236.200.12	unknown	United States	7029	WINDSTREAMUS	false
70.57.201.106	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.785090824309155
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	sora.sh4.elf
File size:	63'772 bytes
MD5:	ddd7c47a4422d6bd5d4e8c0f7b5176c2
SHA1:	4a4d85fe96503e2471ef85dde9ede9fa1b7936d9
SHA256:	591d03ac5bade653f673e1aaaea02bf4bbdce88734618db775251d53c6e2272f
SHA512:	0c1d639f69b008eafd2625ed818db7dcb6ce341331ae1188821bef4c36a034aa42a7449c17951a9d8c5d6edf68bff88326c9c188d533cf056e6dbacdb03f85ab
SSDEEP:	1536:PaAtVnz1/mUUNztiYmW6ihiYLTofs3wfpWIDNEJ7JC7:P/tVz1eUUfwN0T0f+whWONEJ7J
TLSH:	41539FA5C5ACAE58C71441B8B654CD398723F408A5A76EFBD646C796800BEFCF0187F2
File Content Preview:	.ELF.....................@.4...........4. ...(...............@...@.$...$...............(...(.A.(.A.$...............Q.td............................././"O.n........#.@........#.*@.....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	<unknown>
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4001a0
Flags:	0x9
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	63372
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x30	0x0	0x6	AX	4
.text	PROGBITS	0x4000e0	0xe0	0xe3e0	0x0	0x6	AX	32
.fini	PROGBITS	0x40e4c0	0xe4c0	0x24	0x0	0x6	AX	4
.rodata	PROGBITS	0x40e4e4	0xe4e4	0x1040	0x0	0x2	A	4
.ctors	PROGBITS	0x41f528	0xf528	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x41f530	0xf530	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x41f53c	0xf53c	0x210	0x0	0x3	WA	4
.bss	NOBITS	0x41f74c	0xf74c	0x280	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xf74c	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0xf524	0xf524	6.8204	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0xf528	0x41f528	0x41f528	0x224	0x4a4	2.9997	0x6	RW	0x10000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2024 19:58:08.241862059 CET	39218	1312	192.168.2.14	154.216.17.153
Nov 28, 2024 19:58:08.292613983 CET	29924	23	192.168.2.14	68.0.30.31
Nov 28, 2024 19:58:08.292721987 CET	29924	23	192.168.2.14	87.161.60.31
Nov 28, 2024 19:58:08.292742968 CET	29924	23	192.168.2.14	96.216.112.205
Nov 28, 2024 19:58:08.292761087 CET	29924	23	192.168.2.14	90.108.163.28
Nov 28, 2024 19:58:08.292776108 CET	29924	23	192.168.2.14	65.193.231.106
Nov 28, 2024 19:58:08.292808056 CET	29924	23	192.168.2.14	104.169.44.241
Nov 28, 2024 19:58:08.292819977 CET	29924	23	192.168.2.14	210.129.32.121
Nov 28, 2024 19:58:08.292855024 CET	29924	23	192.168.2.14	81.241.203.77
Nov 28, 2024 19:58:08.292876959 CET	29924	23	192.168.2.14	156.164.230.208
Nov 28, 2024 19:58:08.292891026 CET	29924	23	192.168.2.14	223.92.176.216
Nov 28, 2024 19:58:08.292903900 CET	29924	23	192.168.2.14	16.222.84.60
Nov 28, 2024 19:58:08.292917013 CET	29924	23	192.168.2.14	222.29.135.183
Nov 28, 2024 19:58:08.292922020 CET	29924	23	192.168.2.14	96.240.150.110
Nov 28, 2024 19:58:08.292953968 CET	29924	23	192.168.2.14	64.43.217.83
Nov 28, 2024 19:58:08.292968035 CET	29924	23	192.168.2.14	48.25.172.62
Nov 28, 2024 19:58:08.293322086 CET	29924	23	192.168.2.14	67.148.101.127
Nov 28, 2024 19:58:08.293322086 CET	29924	23	192.168.2.14	165.72.180.5
Nov 28, 2024 19:58:08.293323040 CET	29924	23	192.168.2.14	17.28.216.21
Nov 28, 2024 19:58:08.293323040 CET	29924	23	192.168.2.14	207.214.59.109
Nov 28, 2024 19:58:08.293323994 CET	29924	23	192.168.2.14	165.6.151.125
Nov 28, 2024 19:58:08.293323040 CET	29924	23	192.168.2.14	96.165.210.25
Nov 28, 2024 19:58:08.293324947 CET	29924	23	192.168.2.14	48.3.131.136
Nov 28, 2024 19:58:08.293325901 CET	29924	23	192.168.2.14	91.106.254.6
Nov 28, 2024 19:58:08.293324947 CET	29924	23	192.168.2.14	216.94.88.120
Nov 28, 2024 19:58:08.293325901 CET	29924	23	192.168.2.14	93.180.224.141
Nov 28, 2024 19:58:08.293325901 CET	29924	23	192.168.2.14	190.51.67.181
Nov 28, 2024 19:58:08.293329954 CET	29924	23	192.168.2.14	106.109.226.150
Nov 28, 2024 19:58:08.293345928 CET	29924	23	192.168.2.14	169.156.171.126
Nov 28, 2024 19:58:08.293349028 CET	29924	23	192.168.2.14	221.155.201.216
Nov 28, 2024 19:58:08.293349028 CET	29924	23	192.168.2.14	78.144.220.53
Nov 28, 2024 19:58:08.293350935 CET	29924	23	192.168.2.14	45.185.197.21
Nov 28, 2024 19:58:08.293358088 CET	29924	23	192.168.2.14	196.115.98.91
Nov 28, 2024 19:58:08.293361902 CET	29924	23	192.168.2.14	106.199.20.87
Nov 28, 2024 19:58:08.293363094 CET	29924	23	192.168.2.14	199.66.60.33
Nov 28, 2024 19:58:08.293363094 CET	29924	23	192.168.2.14	167.24.26.171
Nov 28, 2024 19:58:08.293380976 CET	29924	23	192.168.2.14	73.113.158.151
Nov 28, 2024 19:58:08.293387890 CET	29924	23	192.168.2.14	4.243.166.48
Nov 28, 2024 19:58:08.293405056 CET	29924	23	192.168.2.14	197.77.60.166
Nov 28, 2024 19:58:08.293450117 CET	29924	23	192.168.2.14	168.151.89.91
Nov 28, 2024 19:58:08.293462992 CET	29924	23	192.168.2.14	255.36.228.177
Nov 28, 2024 19:58:08.293483019 CET	29924	23	192.168.2.14	80.63.94.64
Nov 28, 2024 19:58:08.293514013 CET	29924	23	192.168.2.14	106.90.74.188
Nov 28, 2024 19:58:08.293534040 CET	29924	23	192.168.2.14	254.245.202.180
Nov 28, 2024 19:58:08.293548107 CET	29924	23	192.168.2.14	117.22.20.173
Nov 28, 2024 19:58:08.293559074 CET	29924	23	192.168.2.14	101.137.132.149
Nov 28, 2024 19:58:08.293597937 CET	29924	23	192.168.2.14	120.214.121.199
Nov 28, 2024 19:58:08.293602943 CET	29924	23	192.168.2.14	222.155.94.23
Nov 28, 2024 19:58:08.293613911 CET	29924	23	192.168.2.14	65.183.173.74
Nov 28, 2024 19:58:08.293652058 CET	29924	23	192.168.2.14	205.222.53.31
Nov 28, 2024 19:58:08.293709040 CET	29924	23	192.168.2.14	152.106.28.227
Nov 28, 2024 19:58:08.293730021 CET	29924	23	192.168.2.14	74.120.241.65
Nov 28, 2024 19:58:08.293756008 CET	29924	23	192.168.2.14	159.195.207.148
Nov 28, 2024 19:58:08.293773890 CET	29924	23	192.168.2.14	217.196.196.182
Nov 28, 2024 19:58:08.293781042 CET	29924	23	192.168.2.14	45.252.78.241
Nov 28, 2024 19:58:08.293796062 CET	29924	23	192.168.2.14	177.140.18.243
Nov 28, 2024 19:58:08.293817997 CET	29924	23	192.168.2.14	173.68.80.214
Nov 28, 2024 19:58:08.293828964 CET	29924	23	192.168.2.14	48.5.48.209
Nov 28, 2024 19:58:08.293839931 CET	29924	23	192.168.2.14	110.51.91.30
Nov 28, 2024 19:58:08.293859959 CET	29924	23	192.168.2.14	64.243.132.250
Nov 28, 2024 19:58:08.293868065 CET	29924	23	192.168.2.14	145.103.125.164
Nov 28, 2024 19:58:08.293896914 CET	29924	23	192.168.2.14	174.145.110.177
Nov 28, 2024 19:58:08.293929100 CET	29924	23	192.168.2.14	240.119.232.136
Nov 28, 2024 19:58:08.293953896 CET	29924	23	192.168.2.14	253.183.170.178
Nov 28, 2024 19:58:08.293968916 CET	29924	23	192.168.2.14	114.114.38.71
Nov 28, 2024 19:58:08.293993950 CET	29924	23	192.168.2.14	153.253.187.59
Nov 28, 2024 19:58:08.294003010 CET	29924	23	192.168.2.14	103.215.133.21
Nov 28, 2024 19:58:08.294017076 CET	29924	23	192.168.2.14	114.183.139.96
Nov 28, 2024 19:58:08.294028044 CET	29924	23	192.168.2.14	253.56.233.30
Nov 28, 2024 19:58:08.294040918 CET	29924	23	192.168.2.14	182.56.180.97
Nov 28, 2024 19:58:08.294053078 CET	29924	23	192.168.2.14	166.225.13.116
Nov 28, 2024 19:58:08.294059038 CET	29924	23	192.168.2.14	201.20.179.33
Nov 28, 2024 19:58:08.294090033 CET	29924	23	192.168.2.14	13.77.128.185
Nov 28, 2024 19:58:08.294101954 CET	29924	23	192.168.2.14	201.223.86.246
Nov 28, 2024 19:58:08.294111013 CET	29924	23	192.168.2.14	220.7.161.51
Nov 28, 2024 19:58:08.294123888 CET	29924	23	192.168.2.14	213.171.213.232
Nov 28, 2024 19:58:08.294137001 CET	29924	23	192.168.2.14	73.118.66.205
Nov 28, 2024 19:58:08.294151068 CET	29924	23	192.168.2.14	124.38.249.204
Nov 28, 2024 19:58:08.294158936 CET	29924	23	192.168.2.14	17.243.114.212
Nov 28, 2024 19:58:08.294197083 CET	29924	23	192.168.2.14	103.237.66.229
Nov 28, 2024 19:58:08.294205904 CET	29924	23	192.168.2.14	248.127.81.194
Nov 28, 2024 19:58:08.294249058 CET	29924	23	192.168.2.14	183.114.169.63
Nov 28, 2024 19:58:08.294261932 CET	29924	23	192.168.2.14	87.163.120.18
Nov 28, 2024 19:58:08.294271946 CET	29924	23	192.168.2.14	133.26.212.87
Nov 28, 2024 19:58:08.294284105 CET	29924	23	192.168.2.14	45.65.10.133
Nov 28, 2024 19:58:08.294327974 CET	29924	23	192.168.2.14	34.3.225.182
Nov 28, 2024 19:58:08.294358015 CET	29924	23	192.168.2.14	216.104.75.188
Nov 28, 2024 19:58:08.294401884 CET	29924	23	192.168.2.14	223.151.99.248
Nov 28, 2024 19:58:08.294420004 CET	29924	23	192.168.2.14	54.4.193.237
Nov 28, 2024 19:58:08.294430971 CET	29924	23	192.168.2.14	173.203.140.48
Nov 28, 2024 19:58:08.294457912 CET	29924	23	192.168.2.14	20.51.107.88
Nov 28, 2024 19:58:08.294471979 CET	29924	23	192.168.2.14	80.220.58.113
Nov 28, 2024 19:58:08.294537067 CET	29924	23	192.168.2.14	164.110.99.176
Nov 28, 2024 19:58:08.294550896 CET	29924	23	192.168.2.14	190.19.119.106
Nov 28, 2024 19:58:08.294560909 CET	29924	23	192.168.2.14	183.48.162.177
Nov 28, 2024 19:58:08.294572115 CET	29924	23	192.168.2.14	90.88.241.89
Nov 28, 2024 19:58:08.294589043 CET	29924	23	192.168.2.14	212.55.208.24
Nov 28, 2024 19:58:08.294610977 CET	29924	23	192.168.2.14	73.184.224.151
Nov 28, 2024 19:58:08.294624090 CET	29924	23	192.168.2.14	61.183.209.65
Nov 28, 2024 19:58:08.294641018 CET	29924	23	192.168.2.14	216.98.196.103

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 28, 2024 20:00:54.252039909 CET	192.168.2.14	8.8.8.8	0xc987	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 20:00:54.252087116 CET	192.168.2.14	8.8.8.8	0x4ebd	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 28, 2024 20:00:55.337229013 CET	8.8.8.8	192.168.2.14	0xc987	No error (0)	daisy.ubuntu.com		162.213.35.24	A (IP address)	IN (0x0001)	false
Nov 28, 2024 20:00:55.337229013 CET	8.8.8.8	192.168.2.14	0xc987	No error (0)	daisy.ubuntu.com		162.213.35.25	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: sora.sh4.elf PID: 5534, Parent PID: 5452

General

Start time (UTC):	18:58:06
Start date (UTC):	28/11/2024
Path:	/tmp/sora.sh4.elf
Arguments:	/tmp/sora.sh4.elf
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: sora.sh4.elf PID: 5537, Parent PID: 5534

General

Start time (UTC):	18:58:07
Start date (UTC):	28/11/2024
Path:	/tmp/sora.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: sora.sh4.elf PID: 5539, Parent PID: 5534

General

Start time (UTC):	18:58:07
Start date (UTC):	28/11/2024
Path:	/tmp/sora.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: sora.sh4.elf PID: 5540, Parent PID: 5534

General

Start time (UTC):	18:58:07
Start date (UTC):	28/11/2024
Path:	/tmp/sora.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: sora.sh4.elf PID: 5543, Parent PID: 5540

General

Start time (UTC):	18:58:07
Start date (UTC):	28/11/2024
Path:	/tmp/sora.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: sora.sh4.elf PID: 5544, Parent PID: 5540

General

Start time (UTC):	18:58:07
Start date (UTC):	28/11/2024
Path:	/tmp/sora.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: sora.sh4.elf PID: 5546, Parent PID: 5540

General

Start time (UTC):	18:58:07
Start date (UTC):	28/11/2024
Path:	/tmp/sora.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report sora.sh4.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: sora.sh4.elf PID: 5534, Parent PID: 5452

General

Analysis Process: sora.sh4.elf PID: 5537, Parent PID: 5534

General

Analysis Process: sora.sh4.elf PID: 5539, Parent PID: 5534

General

Analysis Process: sora.sh4.elf PID: 5540, Parent PID: 5534

General

Analysis Process: sora.sh4.elf PID: 5543, Parent PID: 5540

General

Analysis Process: sora.sh4.elf PID: 5544, Parent PID: 5540

General

Analysis Process: sora.sh4.elf PID: 5546, Parent PID: 5540

General

Linux Analysis Report
sora.sh4.elf