Linux Analysis Report sora.arm

Overview

General Information

Sample Name: sora.arm
Analysis ID: 513630
MD5: 146e69dbf3fa2b51093964f087c9be01
SHA1: 49df0f19985dc9369426d2445560f4346c52e8c3
SHA256: 48d4f466e1ef7e2872a2ad032ca98e8ea161c3fd25f6eda3ef5cf271f23dd557

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: sora.arm Virustotal: Detection: 40%
Source: sora.arm ReversingLabs: Detection: 42%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Snort logs these telnet rules in the server-to-client direction: every alert below is a remote telnet service on port 23 answering an outbound connection from the analysis VM (192.168.2.23), i.e. the sample's own telnet scanning and credential guessing. SID 716 fires when a telnet session is established, SIDs 1251 and 718 when the remote server rejects a login attempt.
Source: Traffic Snort IDS: 716 INFO TELNET access 103.229.83.22:23 -> 192.168.2.23:36304
Source: Traffic Snort IDS: 716 INFO TELNET access 103.229.83.22:23 -> 192.168.2.23:36380
Source: Traffic Snort IDS: 716 INFO TELNET access 93.87.66.50:23 -> 192.168.2.23:37402
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 119.197.138.112:23 -> 192.168.2.23:43192
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 119.197.138.112:23 -> 192.168.2.23:43192
Source: Traffic Snort IDS: 716 INFO TELNET access 103.229.83.22:23 -> 192.168.2.23:36518
Source: Traffic Snort IDS: 716 INFO TELNET access 93.87.66.50:23 -> 192.168.2.23:37572
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 119.197.138.112:23 -> 192.168.2.23:43284
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 119.197.138.112:23 -> 192.168.2.23:43284
Source: Traffic Snort IDS: 716 INFO TELNET access 178.205.72.151:23 -> 192.168.2.23:41976
Source: Traffic Snort IDS: 716 INFO TELNET access 178.205.72.151:23 -> 192.168.2.23:41992
Source: Traffic Snort IDS: 716 INFO TELNET access 178.205.72.151:23 -> 192.168.2.23:42006
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 86.57.176.57:23 -> 192.168.2.23:33232
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 86.57.176.57:23 -> 192.168.2.23:33232
Source: Traffic Snort IDS: 716 INFO TELNET access 178.205.72.151:23 -> 192.168.2.23:42010
Source: Traffic Snort IDS: 716 INFO TELNET access 178.205.72.151:23 -> 192.168.2.23:42016
Source: Traffic Snort IDS: 716 INFO TELNET access 1.221.126.46:23 -> 192.168.2.23:33702
Source: Traffic Snort IDS: 716 INFO TELNET access 178.205.72.151:23 -> 192.168.2.23:42022
Source: Traffic Snort IDS: 716 INFO TELNET access 178.205.72.151:23 -> 192.168.2.23:42026
Source: Traffic Snort IDS: 716 INFO TELNET access 178.205.72.151:23 -> 192.168.2.23:42046
Source: Traffic Snort IDS: 716 INFO TELNET access 178.205.72.151:23 -> 192.168.2.23:42068
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 86.57.176.57:23 -> 192.168.2.23:33292
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 86.57.176.57:23 -> 192.168.2.23:33292
Source: Traffic Snort IDS: 716 INFO TELNET access 178.205.72.151:23 -> 192.168.2.23:42072
Source: Traffic Snort IDS: 716 INFO TELNET access 103.229.83.22:23 -> 192.168.2.23:36720
Source: Traffic Snort IDS: 716 INFO TELNET access 186.7.111.28:23 -> 192.168.2.23:50820
Source: Traffic Snort IDS: 716 INFO TELNET access 93.87.66.50:23 -> 192.168.2.23:37778
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 86.57.176.57:23 -> 192.168.2.23:33380
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 86.57.176.57:23 -> 192.168.2.23:33380
Source: Traffic Snort IDS: 716 INFO TELNET access 186.7.111.28:23 -> 192.168.2.23:50844
Source: Traffic Snort IDS: 716 INFO TELNET access 186.7.111.28:23 -> 192.168.2.23:50864
Source: Traffic Snort IDS: 716 INFO TELNET access 186.7.111.28:23 -> 192.168.2.23:50908
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 86.57.176.57:23 -> 192.168.2.23:33460
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 86.57.176.57:23 -> 192.168.2.23:33460
Source: Traffic Snort IDS: 716 INFO TELNET access 186.7.111.28:23 -> 192.168.2.23:50936
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 14.183.140.61:23 -> 192.168.2.23:38714
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 14.183.140.61:23 -> 192.168.2.23:38714
Source: Traffic Snort IDS: 716 INFO TELNET access 1.221.126.46:23 -> 192.168.2.23:33914
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 119.197.138.112:23 -> 192.168.2.23:43592
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 119.197.138.112:23 -> 192.168.2.23:43592
Source: Traffic Snort IDS: 716 INFO TELNET access 186.7.111.28:23 -> 192.168.2.23:50948
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 86.57.176.57:23 -> 192.168.2.23:33500
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 86.57.176.57:23 -> 192.168.2.23:33500
Source: Traffic Snort IDS: 716 INFO TELNET access 186.7.111.28:23 -> 192.168.2.23:50958
Source: Traffic Snort IDS: 716 INFO TELNET access 103.229.83.22:23 -> 192.168.2.23:36898
Source: Traffic Snort IDS: 716 INFO TELNET access 186.7.111.28:23 -> 192.168.2.23:50968
Source: Traffic Snort IDS: 716 INFO TELNET access 186.7.111.28:23 -> 192.168.2.23:50984
Source: Traffic Snort IDS: 716 INFO TELNET access 93.87.66.50:23 -> 192.168.2.23:37934
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 119.197.138.112:23 -> 192.168.2.23:43624
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 119.197.138.112:23 -> 192.168.2.23:43624
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 86.57.176.57:23 -> 192.168.2.23:33536
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 86.57.176.57:23 -> 192.168.2.23:33536
Source: Traffic Snort IDS: 716 INFO TELNET access 186.7.111.28:23 -> 192.168.2.23:50998
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 86.57.176.57:23 -> 192.168.2.23:33562
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 86.57.176.57:23 -> 192.168.2.23:33562
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 119.197.138.112:23 -> 192.168.2.23:43660
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 119.197.138.112:23 -> 192.168.2.23:43660
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 80.48.99.181:23 -> 192.168.2.23:33798
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 80.48.99.181:23 -> 192.168.2.23:33798
Source: Traffic Snort IDS: 716 INFO TELNET access 189.236.124.23:23 -> 192.168.2.23:46534
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 80.48.99.181:23 -> 192.168.2.23:33814
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 80.48.99.181:23 -> 192.168.2.23:33814
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 80.48.99.181:23 -> 192.168.2.23:33828
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 80.48.99.181:23 -> 192.168.2.23:33828
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 80.48.99.181:23 -> 192.168.2.23:33838
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 80.48.99.181:23 -> 192.168.2.23:33838
Source: Traffic Snort IDS: 716 INFO TELNET access 135.0.170.111:23 -> 192.168.2.23:40546
Source: Traffic Snort IDS: 716 INFO TELNET access 1.221.126.46:23 -> 192.168.2.23:34058
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 86.57.176.57:23 -> 192.168.2.23:33642
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 86.57.176.57:23 -> 192.168.2.23:33642
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 80.249.82.135:23 -> 192.168.2.23:34214
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 80.249.82.135:23 -> 192.168.2.23:34214
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 119.197.138.112:23 -> 192.168.2.23:43754
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 119.197.138.112:23 -> 192.168.2.23:43754
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 14.183.140.61:23 -> 192.168.2.23:38912
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 14.183.140.61:23 -> 192.168.2.23:38912
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 1.226.158.34:23 -> 192.168.2.23:35130
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 1.226.158.34:23 -> 192.168.2.23:35130
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 150.116.19.140:23 -> 192.168.2.23:59630
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 150.116.19.140:23 -> 192.168.2.23:59630
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 150.116.19.140:23 -> 192.168.2.23:59654
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 150.116.19.140:23 -> 192.168.2.23:59654
Source: Traffic Snort IDS: 716 INFO TELNET access 93.87.66.50:23 -> 192.168.2.23:38216
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 150.116.19.140:23 -> 192.168.2.23:59682
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 150.116.19.140:23 -> 192.168.2.23:59682
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 86.57.176.57:23 -> 192.168.2.23:33804
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 86.57.176.57:23 -> 192.168.2.23:33804
Source: Traffic Snort IDS: 716 INFO TELNET access 111.92.52.216:23 -> 192.168.2.23:51392
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 2.180.11.191:23 -> 192.168.2.23:56828
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 2.180.11.191:23 -> 192.168.2.23:56828
Source: Traffic Snort IDS: 716 INFO TELNET access 103.229.83.22:23 -> 192.168.2.23:37104
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 80.249.82.135:23 -> 192.168.2.23:34404
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 80.249.82.135:23 -> 192.168.2.23:34404
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 150.116.19.140:23 -> 192.168.2.23:59782
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 150.116.19.140:23 -> 192.168.2.23:59782
Source: Traffic Snort IDS: 716 INFO TELNET access 59.24.172.254:23 -> 192.168.2.23:58130
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 119.197.138.112:23 -> 192.168.2.23:43976
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 119.197.138.112:23 -> 192.168.2.23:43976
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 2.180.11.191:23 -> 192.168.2.23:56914
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 2.180.11.191:23 -> 192.168.2.23:56914
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 1.226.158.34:23 -> 192.168.2.23:35374
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 1.226.158.34:23 -> 192.168.2.23:35374
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 86.57.176.57:23 -> 192.168.2.23:33962
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 86.57.176.57:23 -> 192.168.2.23:33962
Source: Traffic Snort IDS: 716 INFO TELNET access 199.119.96.111:23 -> 192.168.2.23:39096
Source: Traffic Snort IDS: 716 INFO TELNET access 199.119.96.111:23 -> 192.168.2.23:39100
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 150.116.19.140:23 -> 192.168.2.23:59878
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 150.116.19.140:23 -> 192.168.2.23:59878
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 150.116.19.140:23 -> 192.168.2.23:59888
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 150.116.19.140:23 -> 192.168.2.23:59888
Source: Traffic Snort IDS: 716 INFO TELNET access 199.119.96.111:23 -> 192.168.2.23:39108
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 150.116.19.140:23 -> 192.168.2.23:59898
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 150.116.19.140:23 -> 192.168.2.23:59898
Source: Traffic Snort IDS: 716 INFO TELNET access 199.119.96.111:23 -> 192.168.2.23:39116
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 80.249.82.135:23 -> 192.168.2.23:34544
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 80.249.82.135:23 -> 192.168.2.23:34544
Source: Traffic Snort IDS: 716 INFO TELNET access 199.119.96.111:23 -> 192.168.2.23:39130
Source: Traffic Snort IDS: 716 INFO TELNET access 118.243.126.183:23 -> 192.168.2.23:59328
Source: Traffic Snort IDS: 716 INFO TELNET access 189.236.124.23:23 -> 192.168.2.23:46988
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 150.116.19.140:23 -> 192.168.2.23:59908
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 150.116.19.140:23 -> 192.168.2.23:59908
Source: Traffic Snort IDS: 716 INFO TELNET access 199.119.96.111:23 -> 192.168.2.23:39146
Source: Traffic Snort IDS: 716 INFO TELNET access 199.119.96.111:23 -> 192.168.2.23:39162
Source: Traffic Snort IDS: 716 INFO TELNET access 177.135.70.241:23 -> 192.168.2.23:44312
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Caveat: these three flows are attributed to "global traffic", not to a sample PID, and 91.189.91.0/24 belongs to Canonical's Ubuntu infrastructure, so they are more plausibly the analysis VM's own background traffic than dropper activity by sora.arm. The flow that does stand out is the one on port 1312 below.
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:34478 -> 163.172.46.83:1312
Sample listens on a socket
Source: /tmp/sora.arm (PID: 5247) Socket: 0.0.0.0::0
Source: /tmp/sora.arm (PID: 5247) Socket: 0.0.0.0::53413
Source: /tmp/sora.arm (PID: 5247) Socket: 0.0.0.0::80
Source: /tmp/sora.arm (PID: 5247) Socket: 0.0.0.0::37215
Source: /tmp/sora.arm (PID: 5253) Socket: 0.0.0.0::0
Source: /usr/sbin/sshd (PID: 5288) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5288) Socket: [::]::22
Note: the two sshd entries (PID 5288) are the analysis VM's own SSH daemon, not the sample; only PIDs 5247 and 5253 belong to /tmp/sora.arm. A bind to port 0 means the kernel picked an ephemeral port.
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 163.172.46.83
Source: unknown TCP traffic detected without corresponding DNS query: 169.166.82.178
Source: unknown TCP traffic detected without corresponding DNS query: 123.8.58.178
Source: unknown TCP traffic detected without corresponding DNS query: 16.216.150.79
Source: unknown TCP traffic detected without corresponding DNS query: 252.112.106.176
Source: unknown TCP traffic detected without corresponding DNS query: 68.226.233.101
Source: unknown TCP traffic detected without corresponding DNS query: 219.3.77.23
Source: unknown TCP traffic detected without corresponding DNS query: 193.129.64.255
Source: unknown TCP traffic detected without corresponding DNS query: 247.44.195.92
Source: unknown TCP traffic detected without corresponding DNS query: 177.225.86.161
Source: unknown TCP traffic detected without corresponding DNS query: 68.225.161.186
Source: unknown TCP traffic detected without corresponding DNS query: 101.232.107.246
Source: unknown TCP traffic detected without corresponding DNS query: 73.172.53.117
Source: unknown TCP traffic detected without corresponding DNS query: 9.220.84.188
Source: unknown TCP traffic detected without corresponding DNS query: 94.18.33.66
Source: unknown TCP traffic detected without corresponding DNS query: 166.124.195.201
Source: unknown TCP traffic detected without corresponding DNS query: 185.25.66.112
Source: unknown TCP traffic detected without corresponding DNS query: 194.188.51.58
Source: unknown TCP traffic detected without corresponding DNS query: 245.87.21.8
Source: unknown TCP traffic detected without corresponding DNS query: 41.225.47.121
Source: unknown TCP traffic detected without corresponding DNS query: 185.105.65.99
Source: unknown TCP traffic detected without corresponding DNS query: 114.103.147.183
Source: unknown TCP traffic detected without corresponding DNS query: 180.99.234.15
Source: unknown TCP traffic detected without corresponding DNS query: 24.66.18.87
Source: unknown TCP traffic detected without corresponding DNS query: 152.199.156.181
Source: unknown TCP traffic detected without corresponding DNS query: 27.62.72.1
Source: unknown TCP traffic detected without corresponding DNS query: 219.158.2.248
Source: unknown TCP traffic detected without corresponding DNS query: 68.2.185.193
Source: unknown TCP traffic detected without corresponding DNS query: 172.213.255.232
Source: unknown TCP traffic detected without corresponding DNS query: 162.216.74.111
Source: unknown TCP traffic detected without corresponding DNS query: 201.86.109.154
Source: unknown TCP traffic detected without corresponding DNS query: 168.21.164.132
Source: unknown TCP traffic detected without corresponding DNS query: 83.42.162.26
Source: unknown TCP traffic detected without corresponding DNS query: 190.237.90.198
Source: unknown TCP traffic detected without corresponding DNS query: 78.76.25.56
Source: unknown TCP traffic detected without corresponding DNS query: 163.212.54.85
Source: unknown TCP traffic detected without corresponding DNS query: 217.193.37.150
Source: unknown TCP traffic detected without corresponding DNS query: 174.215.177.48
Source: unknown TCP traffic detected without corresponding DNS query: 165.194.97.182
Source: unknown TCP traffic detected without corresponding DNS query: 59.23.115.131
Source: unknown TCP traffic detected without corresponding DNS query: 101.126.1.117
Source: unknown TCP traffic detected without corresponding DNS query: 1.11.9.43
Source: unknown TCP traffic detected without corresponding DNS query: 42.136.89.103
Source: unknown TCP traffic detected without corresponding DNS query: 74.220.217.162
Source: unknown TCP traffic detected without corresponding DNS query: 165.253.19.253
Source: unknown TCP traffic detected without corresponding DNS query: 254.98.188.76
Source: unknown TCP traffic detected without corresponding DNS query: 89.127.246.33
Source: unknown TCP traffic detected without corresponding DNS query: 91.40.199.85
Source: unknown TCP traffic detected without corresponding DNS query: 18.254.213.184
Source: unknown TCP traffic detected without corresponding DNS query: 62.72.8.218
Source: sora.arm String found in binary or memory: http://upx.sf.net (the UPX packer's banner URL, not a host the sample contacted)
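Triage of the network indicators above, as an added example (not part of the Joe Sandbox report): it parses lines in the report's own format, separates the telnet scanning that the Snort alerts expose (remote port-23 services answering the VM, SID 1251 marking a rejected credential), keeps only outbound flows to ports outside 22/23/80/443, and buckets the "no DNS query" targets with Python's ipaddress module. Four of the listed targets (252.112.106.176, 247.44.195.92, 245.87.21.8, 254.98.188.76) fall in the IETF-reserved 240.0.0.0/4 block; the original Mirai scanner skips first octets of 224 and above, so such targets suggest a modified target generator and are a useful variant fingerprint. The excerpt embedded in the code is a constructed subset of the report's lines; SANDBOX_HOST, COMMON_PORTS and the regular expressions are this example's assumptions.

```python
import ipaddress
import re

# Constructed excerpt: a subset of lines copied from this report's Networking section.
REPORT_EXCERPT = """\
Source: Traffic Snort IDS: 716 INFO TELNET access 103.229.83.22:23 -> 192.168.2.23:36304
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 119.197.138.112:23 -> 192.168.2.23:43192
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 119.197.138.112:23 -> 192.168.2.23:43192
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:34478 -> 163.172.46.83:1312
Source: unknown TCP traffic detected without corresponding DNS query: 163.172.46.83
Source: unknown TCP traffic detected without corresponding DNS query: 252.112.106.176
Source: unknown TCP traffic detected without corresponding DNS query: 68.226.233.101
Source: unknown TCP traffic detected without corresponding DNS query: 247.44.195.92
Source: unknown TCP traffic detected without corresponding DNS query: 9.220.84.188
Source: unknown TCP traffic detected without corresponding DNS query: 245.87.21.8
Source: unknown TCP traffic detected without corresponding DNS query: 254.98.188.76
"""

SANDBOX_HOST = "192.168.2.23"          # the analysis VM as it appears in the report (assumption)
IP_PORT = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
SNORT_RE = re.compile(r"Snort IDS: (\d+) .* " + IP_PORT + r" -> " + IP_PORT + r"$")
FLOW_RE = re.compile(r"TCP traffic: " + IP_PORT + r" -> " + IP_PORT + r"$")
NODNS_RE = re.compile(r"without corresponding DNS query: (\d{1,3}(?:\.\d{1,3}){3})$")
COMMON_PORTS = {22, 23, 80, 443}       # everything else counts as "non-standard" here


def classify_target(ip_str):
    """Bucket a scan target: 240/4 is IETF-reserved, RFC 1918 & co. is private, the rest public.
    Reserved hits matter: the original Mirai scanner never generates first octets >= 224."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_reserved:                  # test first: Python also reports 240/4 as is_private
        return "reserved"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    return "public"


def triage(report_text):
    telnet_peers = set()                # remote hosts that answered the sample's telnet connects
    bad_logins = 0                      # Snort SID 1251: the remote server rejected a credential
    nonstandard = []                    # outbound flows to ports outside COMMON_PORTS
    no_dns = {"reserved": [], "private": [], "public": []}
    for line in report_text.splitlines():
        m = SNORT_RE.search(line)
        if m:
            sid, src, sport, dst, _dport = m.groups()
            # Snort prints server -> client; the VM is the client, so src is the
            # remote telnet service the sample connected to.
            if dst == SANDBOX_HOST and sport == "23":
                telnet_peers.add(src)
                if sid == "1251":
                    bad_logins += 1
            continue
        m = FLOW_RE.search(line)
        if m:
            src, _sport, dst, dport = m.groups()
            if src == SANDBOX_HOST and int(dport) not in COMMON_PORTS:
                nonstandard.append((dst, int(dport)))
            continue
        m = NODNS_RE.search(line)
        if m:
            no_dns[classify_target(m.group(1))].append(m.group(1))
    scanned = set(sum(no_dns.values(), []))
    # A host reached on an odd port *and* without a DNS lookup, while everything else
    # is scan noise, is the C2 candidate worth pivoting on.
    c2_candidates = sorted({dst for dst, _ in nonstandard if dst in scanned})
    return {
        "telnet_peers": sorted(telnet_peers),
        "bad_logins": bad_logins,
        "nonstandard_flows": nonstandard,
        "no_dns": no_dns,
        "c2_candidates": c2_candidates,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(REPORT_EXCERPT), indent=2))
```

Run against the full report the same way: the telnet peers become the list of hosts whose credentials the bot tried, the no-DNS list is the random scan sweep, and 163.172.46.83:1312 is the only flow left once scan noise is removed.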

System Summary:

Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x8000
Sample tries to kill a process (SIGKILL)
Source: /tmp/sora.arm (PID: 5247) SIGKILL sent: pid: 936, result: successful
Source: /tmp/sora.arm (PID: 5253) SIGKILL sent: pid: 936, result: no such process
Both sample processes target the same PID after walking /proc (see Persistence and Installation Behavior); the "no such process" result for 5253 shows that 5247 had already killed 936.
Source: classification engine Classification label: mal68.troj.evad.linARM@0/2@0/0
Source: sora.arm Joe Sandbox Cloud Basic: Detection: clean Score: 0 (a separate lookup; it does not override the behavioural score of 68 above)

Data Obfuscation:

Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
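What the "LOAD without section mappings" finding (System Summary) and the UPX strings above look like when checked by hand, as an added example rather than tooling from the report or from UPX: a small ELF32 parser reads the header, lists the PT_LOAD segments, reports e_shnum == 0 (UPX drops the section header table and leaves only program headers, which is why the analysis sees a single LOAD segment at 0x8000) and checks for both the UPX banner and the "UPX!" l_info magic. Mirai builders frequently patch that magic so that `upx -d` refuses the file; when it is intact, as the strings here suggest, plain `upx -d` is the first thing to try. The ELF image the code builds is a constructed stand-in that mimics the report's layout, not the sample itself; EM_ARM = 40 and the header layout follow the ELF specification.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EM_ARM = 40
PT_LOAD = 1
UPX_MAGIC = b"UPX!"                      # l_magic in UPX's l_info header
UPX_BANNER = b"$Info: This file is packed with the UPX executable packer"


def parse_elf32(data):
    """Return the header fields and program headers of a 32-bit little-endian ELF."""
    if data[:4] != ELF_MAGIC or data[4] != 1 or data[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF")
    # After e_ident[16]: type, machine, version, entry, phoff, shoff, flags,
    # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from("<HHIIIIIHHHHHH", data, 16)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, p_flags, _align = \
            struct.unpack_from("<IIIIIIII", data, off)
        phdrs.append({"type": p_type, "offset": p_offset, "vaddr": p_vaddr,
                      "filesz": p_filesz, "memsz": p_memsz, "flags": p_flags})
    return {"type": e_type, "machine": e_machine, "entry": e_entry,
            "shoff": e_shoff, "shnum": e_shnum, "phdrs": phdrs}


def triage_elf(data):
    hdr = parse_elf32(data)
    loads = [p for p in hdr["phdrs"] if p["type"] == PT_LOAD]
    findings = {
        "arm": hdr["machine"] == EM_ARM,
        "no_section_headers": hdr["shnum"] == 0,      # the report's "LOAD without section mappings"
        "load_segments": [hex(p["vaddr"]) for p in loads],
        "upx_banner": UPX_BANNER in data,
        "upx_magic_intact": UPX_MAGIC in data,        # often patched out by Mirai builders
    }
    # Heuristic: banner present and magic intact => plain `upx -d` should unpack it.
    findings["likely_upx_unpackable"] = findings["upx_banner"] and findings["upx_magic_intact"]
    return findings


def build_sample(strip_magic=False):
    """Construct a minimal ELF32 ARM image that mimics the report's layout: one PT_LOAD at
    0x8000, zero section headers, UPX strings in the body. Test input only, not runnable code."""
    body = b"\x00" * 64 + UPX_BANNER + b" http://upx.sf.net $\n"
    body += b"$Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $\n"
    body += (b"XXXX" if strip_magic else UPX_MAGIC) + b"\x0d\x0c\x00\x00"
    ehsize, phentsize = 52, 32
    filesz = ehsize + phentsize + len(body)
    ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8        # ELFCLASS32, LE, EV_CURRENT, SysV
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, EM_ARM, 1, 0x8000 + ehsize + phentsize,
                               ehsize, 0, 0x5000002, ehsize, phentsize, 1, 40, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_LOAD, 0, 0x8000, 0x8000, filesz, filesz, 5, 0x8000)
    return ehdr + phdr + body


if __name__ == "__main__":
    print(triage_elf(build_sample()))
    print(triage_elf(build_sample(strip_magic=True)))
```

On a real sample call `triage_elf(open(path, "rb").read())`; a result with the banner present but the magic missing is the cue to restore the four bytes before retrying `upx -d`, or to dump the process from memory instead.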

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/491/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/793/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/772/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/796/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/774/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/797/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/777/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/799/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/658/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/912/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/759/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/936/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/918/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/1/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/761/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/785/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/884/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/720/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/721/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/788/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/789/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/800/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/801/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/847/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/904/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/491/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/793/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/772/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/796/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/774/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/797/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/777/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/799/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/658/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/912/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/759/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/936/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/918/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/1/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/761/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/785/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/884/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/720/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/721/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/788/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/789/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/800/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/801/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/847/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/904/fd
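Correlating the /proc walk above with the SIGKILL entries (System Summary) and the socket binds (Networking), as an added example that is not part of the report: each behaviour line is attributed to its PID, and a process is flagged as a process killer when it opens /proc/<pid>/fd for several PIDs and then SIGKILLs one of the PIDs it enumerated. On the excerpt it flags both sample processes, 5247 (kill succeeded) and 5253 (kill failed because 936 was already gone), and not the VM's sshd. The behaviour excerpt is a constructed subset of the report's lines and MIN_ENUMERATED is an assumed threshold.

```python
import re
from collections import defaultdict

# Constructed excerpt: a subset of this report's behaviour lines (socket binds,
# /proc enumeration and SIGKILL entries), each attributed to its PID.
BEHAVIOUR = """\
Source: /tmp/sora.arm (PID: 5247) Socket: 0.0.0.0::53413
Source: /tmp/sora.arm (PID: 5247) Socket: 0.0.0.0::80
Source: /tmp/sora.arm (PID: 5247) Socket: 0.0.0.0::37215
Source: /usr/sbin/sshd (PID: 5288) Socket: 0.0.0.0::22
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/491/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/936/fd
Source: /tmp/sora.arm (PID: 5253) File opened: /proc/1/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/491/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/936/fd
Source: /tmp/sora.arm (PID: 5247) File opened: /proc/1/fd
Source: /tmp/sora.arm (PID: 5247) SIGKILL sent: pid: 936, result: successful
Source: /tmp/sora.arm (PID: 5253) SIGKILL sent: pid: 936, result: no such process
"""

LINE_RE = re.compile(r"^Source: (\S+) \(PID: (\d+)\) (.*)$")
PROC_FD_RE = re.compile(r"File opened: /proc/(\d+)/fd$")
SOCKET_RE = re.compile(r"Socket: (\S+)::(\d+)$")
KILL_RE = re.compile(r"SIGKILL sent: pid: (\d+), result: (.+)$")

MIN_ENUMERATED = 3   # assumed threshold for "walks /proc"; tune it on real logs


def profile(lines):
    """Group events by PID: /proc/<pid>/fd directories opened, ports bound, and
    SIGKILL targets together with the kernel's result string."""
    procs = defaultdict(lambda: {"image": None, "enumerated": set(), "binds": set(), "kills": []})
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        image, pid, event = m.groups()
        p = procs[int(pid)]
        p["image"] = image
        e = PROC_FD_RE.search(event)
        if e:
            p["enumerated"].add(int(e.group(1)))
            continue
        e = SOCKET_RE.search(event)
        if e:
            p["binds"].add(int(e.group(2)))
            continue
        e = KILL_RE.search(event)
        if e:
            p["kills"].append((int(e.group(1)), e.group(2)))
    return procs


def flag_killers(procs):
    """Mirai-style killer pattern: walk /proc/*/fd across many PIDs, then SIGKILL
    a PID taken from that walk. Returns one verdict per flagged PID."""
    verdicts = {}
    for pid, p in procs.items():
        targeted = sorted({t for t, _ in p["kills"] if t in p["enumerated"]})
        if len(p["enumerated"]) >= MIN_ENUMERATED and targeted:
            verdicts[pid] = {
                "image": p["image"],
                "killed": targeted,
                "kill_succeeded": any(r == "successful" for _, r in p["kills"]),
                "binds": sorted(p["binds"]),          # ports this process bound, for pivoting
            }
    return verdicts


if __name__ == "__main__":
    for pid, verdict in sorted(flag_killers(profile(BEHAVIOUR)).items()):
        print(pid, verdict)
```

The same two regular expressions over the full report give the complete list of PIDs each sample process inspected; pid 936 is the only one it acted on, so what 936 was (the report does not say) is the next question for the analyst.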

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/sora.arm (PID: 5245) Queries kernel information via 'uname':
Source: sora.arm, 5245.1.000000009ec5db35.000000003c434230.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/sora.armSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sora.arm
Source: sora.arm, 5245.1.00000000055ddf16.00000000dc5ae8eb.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: sora.arm, 5245.1.000000009ec5db35.000000003c434230.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: sora.arm, 5245.1.00000000055ddf16.00000000dc5ae8eb.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/arm
Caveat: uname is called by plenty of legitimate programs, so on its own it is weak evidence of evasion. The memory strings above (/usr/bin/qemu-arm, /etc/qemu-binfmt/arm and the SUDO_*/PATH environment) come from the qemu-arm user-mode emulator that ran this ARM binary on an x86_64 host; they describe the analysis setup, not sandbox checks built into the sample. They also show that the operator's environment (SUDO_USER, HOME, XAUTHORITY) leaks into such memory dumps.

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP
The only Yara matches listed in this report are on the network capture (dump.pcap), not on the submitted file, which is consistent with the file being UPX-packed: the family-specific content only became visible in traffic.