Linux Analysis Report sora.mips

Overview

General Information

Sample Name: sora.mips
Analysis ID: 513591
MD5: f541ee6ca94d92d5c8da35fce228bb46
SHA1: 46100ebb28ef32d9895277b26db0705cdb4a5729
SHA256: 119853ec87c7bc15674fa8beaf375979d963c5fd763d08a32ef555041e053d04

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample tries to kill many processes (SIGKILL)
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: sora.mips Virustotal: Detection: 52%
Source: sora.mips ReversingLabs: Detection: 55%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 492 INFO TELNET login failed 177.0.18.97:23 -> 192.168.2.23:38638
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.156.14.197:23 -> 192.168.2.23:36356
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.156.14.197:23 -> 192.168.2.23:36356
Source: Traffic Snort IDS: 492 INFO TELNET login failed 177.0.18.97:23 -> 192.168.2.23:38670
Source: Traffic Snort IDS: 492 INFO TELNET login failed 78.109.52.50:23 -> 192.168.2.23:57802
Source: Traffic Snort IDS: 492 INFO TELNET login failed 78.109.52.50:23 -> 192.168.2.23:57804
Source: Traffic Snort IDS: 492 INFO TELNET login failed 78.109.52.50:23 -> 192.168.2.23:57808
Source: Traffic Snort IDS: 492 INFO TELNET login failed 78.109.52.50:23 -> 192.168.2.23:57810
Source: Traffic Snort IDS: 492 INFO TELNET login failed 78.109.52.50:23 -> 192.168.2.23:57814
Source: Traffic Snort IDS: 492 INFO TELNET login failed 177.0.18.97:23 -> 192.168.2.23:38692
Source: Traffic Snort IDS: 492 INFO TELNET login failed 78.109.52.50:23 -> 192.168.2.23:57820
Source: Traffic Snort IDS: 492 INFO TELNET login failed 78.109.52.50:23 -> 192.168.2.23:57822
Source: Traffic Snort IDS: 492 INFO TELNET login failed 78.109.52.50:23 -> 192.168.2.23:57826
Source: Traffic Snort IDS: 492 INFO TELNET login failed 78.109.52.50:23 -> 192.168.2.23:57830
Source: Traffic Snort IDS: 492 INFO TELNET login failed 78.109.52.50:23 -> 192.168.2.23:57840
Source: Traffic Snort IDS: 492 INFO TELNET login failed 177.0.18.97:23 -> 192.168.2.23:38716
Source: Traffic Snort IDS: 492 INFO TELNET login failed 177.0.18.97:23 -> 192.168.2.23:38724
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.156.14.197:23 -> 192.168.2.23:36442
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.156.14.197:23 -> 192.168.2.23:36442
Source: Traffic Snort IDS: 492 INFO TELNET login failed 124.253.26.49:23 -> 192.168.2.23:45454
Source: Traffic Snort IDS: 492 INFO TELNET login failed 177.0.18.97:23 -> 192.168.2.23:38754
Source: Traffic Snort IDS: 492 INFO TELNET login failed 66.83.255.25:23 -> 192.168.2.23:34618
Source: Traffic Snort IDS: 492 INFO TELNET login failed 177.0.18.97:23 -> 192.168.2.23:38764
Source: Traffic Snort IDS: 492 INFO TELNET login failed 78.108.27.246:23 -> 192.168.2.23:34832
Source: Traffic Snort IDS: 492 INFO TELNET login failed 177.0.18.97:23 -> 192.168.2.23:38820
Source: Traffic Snort IDS: 492 INFO TELNET login failed 177.0.18.97:23 -> 192.168.2.23:38838
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.156.14.197:23 -> 192.168.2.23:36554
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.156.14.197:23 -> 192.168.2.23:36554
Source: Traffic Snort IDS: 492 INFO TELNET login failed 177.0.18.97:23 -> 192.168.2.23:38870
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 208.69.187.191:23 -> 192.168.2.23:36352
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 208.69.187.191:23 -> 192.168.2.23:36352
Source: Traffic Snort IDS: 716 INFO TELNET access 211.247.70.50:23 -> 192.168.2.23:44494
Source: Traffic Snort IDS: 492 INFO TELNET login failed 66.83.255.25:23 -> 192.168.2.23:34752
Source: Traffic Snort IDS: 716 INFO TELNET access 190.193.255.54:23 -> 192.168.2.23:35734
Source: Traffic Snort IDS: 716 INFO TELNET access 41.33.70.89:23 -> 192.168.2.23:52610
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 190.193.255.54:23 -> 192.168.2.23:35734
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 190.193.255.54:23 -> 192.168.2.23:35734
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:44354 -> 186.7.99.184:23
Source: Traffic Snort IDS: 716 INFO TELNET access 190.193.255.54:23 -> 192.168.2.23:35800
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 190.193.255.54:23 -> 192.168.2.23:35800
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 190.193.255.54:23 -> 192.168.2.23:35800
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:39692 -> 20.151.141.34:1312
Sample listens on a socket
Source: /tmp/sora.mips (PID: 5237) Socket: 0.0.0.0::0
Source: /tmp/sora.mips (PID: 5237) Socket: 0.0.0.0::23
Source: /tmp/sora.mips (PID: 5237) Socket: 0.0.0.0::53413
Source: /tmp/sora.mips (PID: 5237) Socket: 0.0.0.0::80
Source: /tmp/sora.mips (PID: 5237) Socket: 0.0.0.0::52869
Source: /tmp/sora.mips (PID: 5237) Socket: 0.0.0.0::37215
Source: /tmp/sora.mips (PID: 5243) Socket: 0.0.0.0::22
Source: /tmp/sora.mips (PID: 5243) Socket: 0.0.0.0::23
Source: /tmp/sora.mips (PID: 5243) Socket: 0.0.0.0::53413
Source: /tmp/sora.mips (PID: 5243) Socket: 0.0.0.0::80
Source: /tmp/sora.mips (PID: 5243) Socket: 0.0.0.0::52869
Source: /tmp/sora.mips (PID: 5243) Socket: 0.0.0.0::37215
Source: /usr/sbin/sshd (PID: 5276) Socket: [::]::22
Source: /usr/sbin/sshd (PID: 5387) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5387) Socket: [::]::22
Source: /usr/sbin/sshd (PID: 5391) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5391) Socket: [::]::22
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary:

Sample tries to kill many processes (SIGKILL)
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 936, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 5243, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 720, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 759, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 788, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 800, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 847, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 884, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 2096, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 2097, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 2102, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 2180, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 2191, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 2208, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 2275, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 2281, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 2285, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 2289, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 2294, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 5239, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 5247, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 5276, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 5387, result: successful
Source: /tmp/sora.mips (PID: 5237) SIGKILL sent: pid: 5237, result: unknown
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: classification engine Classification label: mal68.spre.troj.linMIPS@0/6@0/0
Source: sora.mips Joe Sandbox Cloud Basic: Detection: clean Score: 0

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/sora.mips (PID: 5235) Queries kernel information via 'uname'
Source: sora.mips, 5237.1.00000000395f2dd2.000000003aa705ab.rw-.sdmp Binary or memory string: U1/usr/bin/vmtoolsdips/r10!/proc/2123/fd/70!/proc/1582/fd/103
Source: sora.mips, 5235.1.00000000351202ca.00000000395f2dd2.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mips
Source: sora.mips, 5235.1.00000000351202ca.00000000395f2dd2.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: sora.mips, 5237.1.00000000395f2dd2.000000003aa705ab.rw-.sdmp Binary or memory string: /usr/bin/vmtoolsd
Source: sora.mips, 5237.1.00000000395f2dd2.000000003aa705ab.rw-.sdmp Binary or memory string: Uu-binfmt/mips/0!/proc/1642/fd/2!/proc/1900/fd/7/mips/pr1/proc/2079/fd/5/mips/0!/proc/1642/fd/3!/proc/1900/fd/6/mips/pr1/usr/bin/qemu-mipsps/0!/proc/1642/fd/4!/proc/1900/fd/5/mips/pr1/proc/2079/fd/6/mips/0!/proc/1642/fd/5!/proc/1900/fd/4/mips/pr1p
Source: sora.mips, 5235.1.0000000066980c05.000000007dcdc10d.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
Source: sora.mips, 5235.1.0000000066980c05.000000007dcdc10d.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/sora.mipsSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sora.mips

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP