Play interactive tour

Edit tour

Linux Analysis Report sora.x86

Overview

General Information

Sample Name:	sora.x86
Analysis ID:	513641
MD5:	ec0785f99de2a1ea900d48a9bb26bf1c
SHA1:	bdabfc4ef8c6e050ba2a88927ac9429bd71813c9
SHA256:	30ad105f506c59e85005c99f64fcfc577c2a51caf131bc9f57e5172a404654d3
Tags:	Mirai
Infos:
Most interesting Screenshot:

Detection

Mirai

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Uses known network protocols on non-standard ports

Sample tries to kill many processes (SIGKILL)

Sample contains only a LOAD segment without any section mappings

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	513641
Start date:	02.11.2021
Start time:	12:12:50
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	sora.x86
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal76.spre.troj.evad.linX86@0/6@0/0
Warnings:	Show All Report size exceeded maximum capacity and may have missing network information. TCP Packets have been reduced to 100

Process Tree

system is lnxubuntu20

sora.x86 (PID: 5233, Parent: 5111, MD5: ec0785f99de2a1ea900d48a9bb26bf1c) Arguments: /tmp/sora.x86

sora.x86 New Fork (PID: 5234, Parent: 5233)

sora.x86 New Fork (PID: 5389, Parent: 5234)

sora.x86 New Fork (PID: 5390, Parent: 5234)

sora.x86 New Fork (PID: 5391, Parent: 5390)

sora.x86 New Fork (PID: 5401, Parent: 5391)

sora.x86 New Fork (PID: 5402, Parent: 5391)

sora.x86 New Fork (PID: 5392, Parent: 5390)

sora.x86 New Fork (PID: 5393, Parent: 5390)

sora.x86 New Fork (PID: 5235, Parent: 5233)

sora.x86 New Fork (PID: 5236, Parent: 5233)

sora.x86 New Fork (PID: 5237, Parent: 5236)

sora.x86 New Fork (PID: 5381, Parent: 5237)

sora.x86 New Fork (PID: 5382, Parent: 5237)

sora.x86 New Fork (PID: 5238, Parent: 5236)

sora.x86 New Fork (PID: 5239, Parent: 5236)

systemd New Fork (PID: 5266, Parent: 1)

sshd (PID: 5266, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t

systemd New Fork (PID: 5267, Parent: 1)

sshd (PID: 5267, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D

systemd New Fork (PID: 5375, Parent: 1)

sshd (PID: 5375, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t

systemd New Fork (PID: 5376, Parent: 1)

sshd (PID: 5376, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D

systemd New Fork (PID: 5379, Parent: 1)

sshd (PID: 5379, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t

systemd New Fork (PID: 5380, Parent: 1)

sshd (PID: 5380, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D

cleanup

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: sora.x86	Virustotal: Detection: 37%			Perma Link
Source: sora.x86	ReversingLabs: Detection: 46%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.125.30.65:23 -> 192.168.2.23:44938
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.125.30.65:23 -> 192.168.2.23:44938
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.6.202.2:23 -> 192.168.2.23:44300
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.188.97.1:23 -> 192.168.2.23:51970
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.125.30.65:23 -> 192.168.2.23:44962
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.125.30.65:23 -> 192.168.2.23:44962
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 61.6.202.2:23 -> 192.168.2.23:44300
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 61.6.202.2:23 -> 192.168.2.23:44300
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.6.202.2:23 -> 192.168.2.23:44324
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 201.48.115.182:23 -> 192.168.2.23:44878
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 61.6.202.2:23 -> 192.168.2.23:44324
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 61.6.202.2:23 -> 192.168.2.23:44324
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.125.30.65:23 -> 192.168.2.23:45014
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.125.30.65:23 -> 192.168.2.23:45014
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 201.48.115.182:23 -> 192.168.2.23:44900
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.6.202.2:23 -> 192.168.2.23:44388
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.125.30.65:23 -> 192.168.2.23:45066
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.125.30.65:23 -> 192.168.2.23:45066
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 61.6.202.2:23 -> 192.168.2.23:44388
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 61.6.202.2:23 -> 192.168.2.23:44388
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 201.48.115.182:23 -> 192.168.2.23:44962
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 201.48.115.182:23 -> 192.168.2.23:44972
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.6.202.2:23 -> 192.168.2.23:44436
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.125.30.65:23 -> 192.168.2.23:45110
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.125.30.65:23 -> 192.168.2.23:45110
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 61.6.202.2:23 -> 192.168.2.23:44436
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 61.6.202.2:23 -> 192.168.2.23:44436
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 201.48.115.182:23 -> 192.168.2.23:45012
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 203.69.198.65:23 -> 192.168.2.23:40434
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 203.69.198.65:23 -> 192.168.2.23:40434
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.125.30.65:23 -> 192.168.2.23:45154
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.125.30.65:23 -> 192.168.2.23:45154
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.6.202.2:23 -> 192.168.2.23:44504
Source: Traffic	Snort IDS: 2023449 ET TROJAN Possible Linux.Mirai Login Attempt (vizxv) 192.168.2.23:56484 -> 115.79.214.35:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 61.6.202.2:23 -> 192.168.2.23:44504
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 61.6.202.2:23 -> 192.168.2.23:44504
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 201.48.115.182:23 -> 192.168.2.23:45076
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.125.30.65:23 -> 192.168.2.23:45214
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.125.30.65:23 -> 192.168.2.23:45214
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.6.202.2:23 -> 192.168.2.23:44552
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 61.6.202.2:23 -> 192.168.2.23:44552
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 61.6.202.2:23 -> 192.168.2.23:44552
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.125.30.65:23 -> 192.168.2.23:45236
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.125.30.65:23 -> 192.168.2.23:45236
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 201.48.115.182:23 -> 192.168.2.23:45098
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.6.202.2:23 -> 192.168.2.23:44570
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.125.30.65:23 -> 192.168.2.23:45248
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.125.30.65:23 -> 192.168.2.23:45248
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 61.6.202.2:23 -> 192.168.2.23:44570
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 61.6.202.2:23 -> 192.168.2.23:44570
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 201.48.115.182:23 -> 192.168.2.23:45140
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 203.69.198.65:23 -> 192.168.2.23:40576
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 203.69.198.65:23 -> 192.168.2.23:40576
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.125.30.65:23 -> 192.168.2.23:45314
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.125.30.65:23 -> 192.168.2.23:45314
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.6.202.2:23 -> 192.168.2.23:44644
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 201.48.115.182:23 -> 192.168.2.23:45194
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 61.6.202.2:23 -> 192.168.2.23:44644
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 61.6.202.2:23 -> 192.168.2.23:44644
Source: Traffic	Snort IDS: 716 INFO TELNET access 96.72.253.42:23 -> 192.168.2.23:60738
Source: Traffic	Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 188.149.129.13: -> 192.168.2.23:
Source: Traffic	Snort IDS: 716 INFO TELNET access 190.15.104.241:23 -> 192.168.2.23:41706
Source: Traffic	Snort IDS: 716 INFO TELNET access 96.72.253.42:23 -> 192.168.2.23:60754
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.6.202.2:23 -> 192.168.2.23:44702
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:44702 -> 61.6.202.2:23
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 201.48.115.182:23 -> 192.168.2.23:45246
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 61.6.202.2:23 -> 192.168.2.23:44702
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 61.6.202.2:23 -> 192.168.2.23:44702
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.6.202.2:23 -> 192.168.2.23:44736
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 61.6.202.2:23 -> 192.168.2.23:44736
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 61.6.202.2:23 -> 192.168.2.23:44736
Source: Traffic	Snort IDS: 716 INFO TELNET access 45.90.2.90:23 -> 192.168.2.23:41522
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 203.69.198.65:23 -> 192.168.2.23:40732
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 203.69.198.65:23 -> 192.168.2.23:40732
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.12.104:23 -> 192.168.2.23:37576
Source: Traffic	Snort IDS: 716 INFO TELNET access 96.72.253.42:23 -> 192.168.2.23:60826
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.12.104:23 -> 192.168.2.23:37590
Source: Traffic	Snort IDS: 716 INFO TELNET access 190.15.104.241:23 -> 192.168.2.23:41842
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.12.104:23 -> 192.168.2.23:37632
Source: Traffic	Snort IDS: 716 INFO TELNET access 96.72.253.42:23 -> 192.168.2.23:60882
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.12.104:23 -> 192.168.2.23:37644
Source: Traffic	Snort IDS: 716 INFO TELNET access 210.179.251.177:23 -> 192.168.2.23:48122
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.12.104:23 -> 192.168.2.23:37682
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 210.179.251.177:23 -> 192.168.2.23:48122
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 210.179.251.177:23 -> 192.168.2.23:48122
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.12.104:23 -> 192.168.2.23:37754
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.12.104:23 -> 192.168.2.23:37778
Source: Traffic	Snort IDS: 716 INFO TELNET access 210.179.251.177:23 -> 192.168.2.23:48238
Source: Traffic	Snort IDS: 2023449 ET TROJAN Possible Linux.Mirai Login Attempt (vizxv) 192.168.2.23:54254 -> 115.75.98.226:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 45.90.2.90:23 -> 192.168.2.23:41762
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.12.104:23 -> 192.168.2.23:37796
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 210.179.251.177:23 -> 192.168.2.23:48238
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 210.179.251.177:23 -> 192.168.2.23:48238
Source: Traffic	Snort IDS: 716 INFO TELNET access 96.72.253.42:23 -> 192.168.2.23:32864
Source: Traffic	Snort IDS: 2023443 ET TROJAN Possible Linux.Mirai Login Attempt (klv123) 192.168.2.23:54296 -> 115.75.98.226:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.12.104:23 -> 192.168.2.23:37828
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.12.104:23 -> 192.168.2.23:37868
Source: Traffic	Snort IDS: 716 INFO TELNET access 103.173.6.15:23 -> 192.168.2.23:38582
Source: Traffic	Snort IDS: 716 INFO TELNET access 210.179.251.177:23 -> 192.168.2.23:48360
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 203.69.198.65:23 -> 192.168.2.23:41052
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 203.69.198.65:23 -> 192.168.2.23:41052
Source: Traffic	Snort IDS: 716 INFO TELNET access 190.15.104.241:23 -> 192.168.2.23:42132
Source: Traffic	Snort IDS: 716 INFO TELNET access 96.72.253.42:23 -> 192.168.2.23:32926
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 103.173.6.15:23 -> 192.168.2.23:38582
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 210.179.251.177:23 -> 192.168.2.23:48360
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 210.179.251.177:23 -> 192.168.2.23:48360
Source: Traffic	Snort IDS: 716 INFO TELNET access 103.173.6.15:23 -> 192.168.2.23:38676
Source: Traffic	Snort IDS: 716 INFO TELNET access 185.135.198.105:23 -> 192.168.2.23:34132
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 103.173.6.15:23 -> 192.168.2.23:38676
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 77.45.127.194:23 -> 192.168.2.23:40282
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 209.204.38.131:23 -> 192.168.2.23:55792
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 209.204.38.131:23 -> 192.168.2.23:55792
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.163.149.204:23 -> 192.168.2.23:40580
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.163.149.204:23 -> 192.168.2.23:40580
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 187.111.16.218:23 -> 192.168.2.23:34532
Source: Traffic	Snort IDS: 716 INFO TELNET access 210.179.251.177:23 -> 192.168.2.23:48548
Source: Traffic	Snort IDS: 716 INFO TELNET access 103.173.6.15:23 -> 192.168.2.23:38778
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 209.204.38.131:23 -> 192.168.2.23:55856
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 209.204.38.131:23 -> 192.168.2.23:55856

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45482
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45488
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45494
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45498
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45504
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45508
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45518
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45526
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45530
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45536
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43404
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43406
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43408
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43410
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43412
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43414
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43418
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43422
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43424
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43426
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55094
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55102
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55106
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55114
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55118
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55122
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55146
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55148
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55150
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55156
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41668
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41672
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41678
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41680
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41684
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41692
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41696
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41698
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41702
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41706

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: global traffic

TCP traffic: 192.168.2.23:34478 -> 163.172.46.83:1312

Source: /usr/sbin/sshd (PID: 5267)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5267)	Socket: [::]::22
Source: /usr/sbin/sshd (PID: 5376)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5376)	Socket: [::]::22
Source: /usr/sbin/sshd (PID: 5380)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5380)	Socket: [::]::22

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 123.20.222.138
Source: unknown	TCP traffic detected without corresponding DNS query: 123.20.222.138
Source: unknown	TCP traffic detected without corresponding DNS query: 163.172.46.83
Source: unknown	TCP traffic detected without corresponding DNS query: 70.49.139.233
Source: unknown	TCP traffic detected without corresponding DNS query: 196.166.26.104
Source: unknown	TCP traffic detected without corresponding DNS query: 122.65.3.23
Source: unknown	TCP traffic detected without corresponding DNS query: 77.120.124.218
Source: unknown	TCP traffic detected without corresponding DNS query: 109.18.116.104
Source: unknown	TCP traffic detected without corresponding DNS query: 178.90.74.234
Source: unknown	TCP traffic detected without corresponding DNS query: 255.211.112.251
Source: unknown	TCP traffic detected without corresponding DNS query: 196.108.178.104
Source: unknown	TCP traffic detected without corresponding DNS query: 70.27.86.7
Source: unknown	TCP traffic detected without corresponding DNS query: 166.200.189.165
Source: unknown	TCP traffic detected without corresponding DNS query: 34.45.213.74
Source: unknown	TCP traffic detected without corresponding DNS query: 190.104.213.78
Source: unknown	TCP traffic detected without corresponding DNS query: 186.192.119.191
Source: unknown	TCP traffic detected without corresponding DNS query: 216.65.150.238
Source: unknown	TCP traffic detected without corresponding DNS query: 66.20.55.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.54.23.112
Source: unknown	TCP traffic detected without corresponding DNS query: 217.183.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 109.237.181.38
Source: unknown	TCP traffic detected without corresponding DNS query: 120.45.89.132
Source: unknown	TCP traffic detected without corresponding DNS query: 74.89.62.223
Source: unknown	TCP traffic detected without corresponding DNS query: 42.85.124.163
Source: unknown	TCP traffic detected without corresponding DNS query: 61.178.239.116
Source: unknown	TCP traffic detected without corresponding DNS query: 119.138.78.19
Source: unknown	TCP traffic detected without corresponding DNS query: 188.251.191.78
Source: unknown	TCP traffic detected without corresponding DNS query: 90.181.154.80
Source: unknown	TCP traffic detected without corresponding DNS query: 85.248.240.253
Source: unknown	TCP traffic detected without corresponding DNS query: 47.64.65.248
Source: unknown	TCP traffic detected without corresponding DNS query: 186.203.134.244
Source: unknown	TCP traffic detected without corresponding DNS query: 18.71.145.7
Source: unknown	TCP traffic detected without corresponding DNS query: 198.90.101.205
Source: unknown	TCP traffic detected without corresponding DNS query: 39.13.189.102
Source: unknown	TCP traffic detected without corresponding DNS query: 81.156.104.106
Source: unknown	TCP traffic detected without corresponding DNS query: 72.251.170.133
Source: unknown	TCP traffic detected without corresponding DNS query: 97.220.49.43
Source: unknown	TCP traffic detected without corresponding DNS query: 97.30.4.220
Source: unknown	TCP traffic detected without corresponding DNS query: 139.165.213.203
Source: unknown	TCP traffic detected without corresponding DNS query: 143.254.233.95
Source: unknown	TCP traffic detected without corresponding DNS query: 43.63.71.126
Source: unknown	TCP traffic detected without corresponding DNS query: 118.48.121.185
Source: unknown	TCP traffic detected without corresponding DNS query: 19.246.213.214
Source: unknown	TCP traffic detected without corresponding DNS query: 252.164.253.193
Source: unknown	TCP traffic detected without corresponding DNS query: 196.180.24.33
Source: unknown	TCP traffic detected without corresponding DNS query: 196.127.24.93
Source: unknown	TCP traffic detected without corresponding DNS query: 242.78.232.15
Source: unknown	TCP traffic detected without corresponding DNS query: 241.30.175.224
Source: unknown	TCP traffic detected without corresponding DNS query: 9.13.238.161
Source: unknown	TCP traffic detected without corresponding DNS query: 88.230.124.172

Source: sora.x86

String found in binary or memory: http://upx.sf.net

System Summary:

Sample tries to kill many processes (SIGKILL)

Show sources

Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 788, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 847, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2096, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2097, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2102, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2180, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2191, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2208, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2275, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2281, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2285, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2289, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2294, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 5267, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 5376, result: successful
Source: /tmp/sora.x86 (PID: 5237)	SIGKILL sent: pid: 936, result: successful

Source: LOAD without section mappings

Program segment: 0xc01000

Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 788, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 847, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2096, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2097, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2102, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2180, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2191, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2208, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2275, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2281, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2285, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2289, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 2294, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 5267, result: successful
Source: /tmp/sora.x86 (PID: 5234)	SIGKILL sent: pid: 5376, result: successful
Source: /tmp/sora.x86 (PID: 5237)	SIGKILL sent: pid: 936, result: successful

Source: classification engine

Classification label: mal76.spre.troj.evad.linX86@0/6@0/0

Source: sora.x86

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Data Obfuscation:

Sample is packed with UPX

Show sources

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/5267/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1582/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1582/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2033/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2033/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2275/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/3088/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1612/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1612/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1579/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1579/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1699/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1699/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1335/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1698/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1698/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2028/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2028/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1334/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1334/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1576/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1576/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2302/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2302/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/3236/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/3236/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2025/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2025/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2146/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2146/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/910/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/912/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/912/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/5139/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/517/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/759/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/759/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2307/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2307/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/918/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/918/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/5032/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/5153/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/4461/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1594/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1594/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2285/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2281/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1349/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1349/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1623/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1623/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/761/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/761/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1622/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1622/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/884/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1983/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1983/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2038/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2038/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1344/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1344/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1465/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1465/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1586/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1586/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1860/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1463/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1463/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2156/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2156/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/800/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/800/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/4455/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/5148/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/801/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/801/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/4456/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/4457/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1629/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1629/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/4458/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1627/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1627/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1900/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1900/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/5200/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/5200/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/3021/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/491/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/491/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2294/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2050/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/2050/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1877/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1877/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/772/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/772/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1633/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1633/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1599/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1599/fd
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1632/exe
Source: /tmp/sora.x86 (PID: 5234)	File opened: /proc/1632/fd

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45482
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45488
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45494
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45498
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45504
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45508
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45518
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45526
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45530
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45536
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43404
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43406
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43408
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43410
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43412
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43414
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43418
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43422
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43424
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43426
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55094
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55102
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55106
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55114
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55118
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55122
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55146
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55148
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55150
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55156
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41668
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41672
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41678
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41680
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41684
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41692
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41696
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41698
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41702
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41706

Stealing of Sensitive Information:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Obfuscated Files or Information1	OS Credential Dumping1	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sora.x86	38%	Virustotal		Browse
sora.x86	47%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	sora.x86	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
165.14.150.75	unknown	Japan	18271	EVONETSojitzSystemsCorporationJP	false
2.98.202.30	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	false
1.241.64.41	unknown	Korea Republic of	38408	GOEAY-AS-KRGYEONGGIPROVINCIALANYANGOFFICEOFEDUCATION	false
126.27.223.237	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
167.244.146.157	unknown	United States	13325	STOMIUS	false
148.49.170.205	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
37.177.86.214	unknown	Italy	30722	VODAFONE-IT-ASNIT	false
59.166.102.220	unknown	Japan	9824	JTCL-JP-ASJupiterTelecommunicationCoLtdJP	false
44.7.130.188	unknown	United States	7377	UCSDUS	false
113.54.159.201	unknown	China	24355	CNGI-CD-IX-AS-APCERNET2IXatUniversityofElectronicScie	false
146.15.235.153	unknown	United States	1467	DNIC-ASBLK-01467-01468US	false
166.203.133.216	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
251.188.124.239	unknown	Reserved	unknown	unknown	false
210.85.191.211	unknown	Taiwan; Republic of China (ROC)	7482	APOL-ASAsiaPacificOn-lineServiceIncTW	false
204.62.73.110	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
114.239.158.155	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
41.14.214.51	unknown	South Africa	29975	VODACOM-ZA	false
113.124.222.249	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
210.110.95.218	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
162.30.206.148	unknown	United States	46483	RGHSUS	false
177.70.141.190	unknown	Brazil	266555	ISPNETTELECOMUNICACOESLTDA-EPPBR	false
219.240.106.33	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
172.215.195.50	unknown	United States	18747	IFX18747US	false
201.240.238.10	unknown	Peru	6147	TelefonicadelPeruSAAPE	false
31.67.116.133	unknown	United Kingdom	12576	EELtdGB	false
71.111.121.46	unknown	United States	701	UUNETUS	false
88.248.29.110	unknown	Turkey	9121	TTNETTR	false
38.93.85.255	unknown	United States	174	COGENT-174US	false
41.115.200.72	unknown	South Africa	16637	MTNNS-ASZA	false
4.54.18.94	unknown	United States	3356	LEVEL3US	false
16.85.71.175	unknown	United States	unknown	unknown	false
74.33.14.3	unknown	United States	7011	FRONTIER-AND-CITIZENSUS	false
218.21.160.20	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
147.175.253.12	unknown	Slovakia (SLOVAK Republic)	2607	SANETSlovakAcademicNetworkSK	false
159.114.114.114	unknown	United Kingdom	32982	DOE-HQUS	false
18.68.25.132	unknown	United States	3	MIT-GATEWAYSUS	false
133.80.8.221	unknown	Japan	55904	KOGAKUIN-ASKOGAKUINUniversityJP	false
118.14.181.61	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
119.59.136.138	unknown	China	17816	CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi	false
24.150.2.237	unknown	Canada	7992	COGECOWAVECA	false
103.190.121.18	unknown	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	false
126.109.127.55	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
66.210.247.106	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
152.113.180.158	unknown	United States	4193	WA-STATE-GOVUS	false
121.81.167.8	unknown	Japan	17511	OPTAGEOPTAGEIncJP	false
12.10.152.124	unknown	United States	7018	ATT-INTERNET4US	false
217.4.22.110	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
44.100.131.207	unknown	United States	7377	UCSDUS	false
14.98.128.139	unknown	India	45820	TTSL-MEISISPTataTeleservicesISPASIN	false
20.95.97.146	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
1.109.50.131	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
68.15.246.54	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
59.121.20.32	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
34.26.63.252	unknown	United States	2686	ATGS-MMD-ASUS	false
92.203.254.252	unknown	Japan	2527	SO-NETSo-netEntertainmentCorporationJP	false
97.110.251.226	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
203.175.188.145	unknown	Korea Republic of	9693	KFTCCA-ASKFTCKR	false
65.29.134.160	unknown	United States	10796	TWC-10796-MIDWESTUS	false
1.253.209.220	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
72.187.61.178	unknown	United States	33363	BHN-33363US	false
221.232.6.12	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
200.103.220.0	unknown	Brazil	8167	BrasilTelecomSA-FilialDistritoFederalBR	false
86.14.157.185	unknown	United Kingdom	5089	NTLGB	false
248.243.251.91	unknown	Reserved	unknown	unknown	false
213.29.127.118	unknown	Czech Republic	5588	GTSCEGTSCentralEuropeAntelGermanyCZ	false
247.120.54.225	unknown	Reserved	unknown	unknown	false
101.163.182.162	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
191.234.39.21	unknown	Brazil	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
152.160.245.116	unknown	United States	54163	AHOSTINGUS	false
220.158.204.12	unknown	Bangladesh	134712	PIPEXNETWORK-BDPipexNetworkBD	false
192.198.234.232	unknown	United States	53468	FWLUS	false
73.94.134.111	unknown	United States	7922	COMCAST-7922US	false
251.234.221.195	unknown	Reserved	unknown	unknown	false
102.174.105.188	unknown	Tunisia	37693	TUNISIANATN	false
252.43.179.218	unknown	Reserved	unknown	unknown	false
13.233.103.202	unknown	United States	16509	AMAZON-02US	false
46.142.137.7	unknown	Germany	8881	VERSATELDE	false
90.134.166.190	unknown	Sweden	1257	TELE2EU	false
110.167.231.74	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
92.26.2.148	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	false
179.227.126.169	unknown	Brazil	26599	TELEFONICABRASILSABR	false
103.57.64.14	unknown	unknown	134179	RWN-AS-APRealWorldNetworksPtyLtdAU	false
94.16.9.82	unknown	Germany	42360	SSP-EUROPEpoweredbyANXDE	false
27.160.78.186	unknown	Korea Republic of	9644	SKTELECOM-NET-ASSKTelecomKR	false
200.226.149.233	unknown	Brazil	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
16.97.163.5	unknown	United States	unknown	unknown	false
42.198.166.181	unknown	China	7497	CSTNET-AS-APComputerNetworkInformationCenterCN	false
71.112.18.152	unknown	United States	701	UUNETUS	false
112.219.5.116	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	false
59.28.140.225	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
158.198.246.29	unknown	Japan	17511	OPTAGEOPTAGEIncJP	false
254.122.33.192	unknown	Reserved	unknown	unknown	false
87.180.143.9	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
45.49.77.34	unknown	United States	20001	TWC-20001-PACWESTUS	false
153.49.4.136	unknown	United States	1226	CTA-42-AS1226US	false
98.39.201.51	unknown	United States	7922	COMCAST-7922US	false
110.203.9.8	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
146.20.63.85	unknown	United States	27357	RACKSPACEUS	false
96.59.177.46	unknown	United States	33363	BHN-33363US	false
70.84.162.139	unknown	United States	36351	SOFTLAYERUS	false

Runtime Messages

Command:	/tmp/sora.x86
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
EVONETSojitzSystemsCorporationJP	sora.arm7	Get hash	malicious	Browse	165.14.149.81
	4syAQhYxm8	Get hash	malicious	Browse	165.14.198.42
	sora.arm7	Get hash	malicious	Browse	165.14.73.241
	sora.arm7	Get hash	malicious	Browse	165.14.198.31
	qJvDfzBXbs	Get hash	malicious	Browse	165.14.137.77
	wnwO8B1Wuy	Get hash	malicious	Browse	165.14.198.25
	AJK7j832D2	Get hash	malicious	Browse	165.14.150.39
	GMgREghUds	Get hash	malicious	Browse	165.14.160.111
	tMA66IeqHu	Get hash	malicious	Browse	165.14.168.212
	Vs7Vm7J1TR	Get hash	malicious	Browse	165.14.198.59
	ppc_unpacked	Get hash	malicious	Browse	165.14.174.79
OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	wt5i2fAcF0	Get hash	malicious	Browse	78.145.16.154
	8PRjJeUifB	Get hash	malicious	Browse	92.18.133.105
	Ko84iLip1u	Get hash	malicious	Browse	92.3.236.146
	S8G5z3pdHw	Get hash	malicious	Browse	92.24.64.128
	mP1pg0ryFA	Get hash	malicious	Browse	2.100.134.151
	032k4JmR0U	Get hash	malicious	Browse	92.13.106.251
	x86	Get hash	malicious	Browse	2.97.101.112
	T0uznhDXKw	Get hash	malicious	Browse	92.29.90.175
	ev1JsPbdMA	Get hash	malicious	Browse	92.24.16.217
	apep.arm	Get hash	malicious	Browse	92.7.19.93
	apep.x86	Get hash	malicious	Browse	92.16.44.106
	Ceji2MdFHD	Get hash	malicious	Browse	2.98.204.126
	Z7QqCH0bak	Get hash	malicious	Browse	92.14.197.224
	zouBbQwUTb	Get hash	malicious	Browse	92.24.15.58
	jJ6GK5qbZt	Get hash	malicious	Browse	92.26.100.228
	LCgNoeCOl6	Get hash	malicious	Browse	92.18.133.136
	x86_64	Get hash	malicious	Browse	2.98.162.217
	apep.x86	Get hash	malicious	Browse	92.24.40.60
	yOtRXukeq9	Get hash	malicious	Browse	92.21.79.215
	b3astmode.x86	Get hash	malicious	Browse	78.146.187.95
GOEAY-AS-KRGYEONGGIPROVINCIALANYANGOFFICEOFEDUCATION	ivImhRZqGa	Get hash	malicious	Browse	1.241.39.53
	dAhGa49Lql	Get hash	malicious	Browse	1.241.41.126
	qINZ8rxy9S	Get hash	malicious	Browse	61.77.19.135
	22kfSzInJi	Get hash	malicious	Browse	1.241.39.66
	O1qCIp2iQS	Get hash	malicious	Browse	1.241.64.50
	l6zn4I2gR0	Get hash	malicious	Browse	1.241.64.38
	WdyAWwF87e	Get hash	malicious	Browse	1.241.64.43

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/proc/5267/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	high, very likely benign file
Preview:	-1000.

/proc/5376/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	high, very likely benign file
Preview:	-1000.

/proc/5380/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	high, very likely benign file
Preview:	-1000.

/run/sshd.pid Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:DdVv:BVv
MD5:	2522E7CF829C2CEFC020B7B06A1C99C7
SHA1:	980DD56DC2FBFF129C6F3055C60599D46546A0B0
SHA-256:	E6CFA4E1AB3F5790C61A85FC6494DE44BB8D493753E3E3C31771A9C9AA7D1FB4
SHA-512:	DA266D5D96070400172644D2650ACF3EC3F52F48C1558C519E0A218A93B457B569B11917DD92C8B05144A79080BC53E1040576B0DC4E8D47B0AE4E0508CEA3E3
Malicious:	false
Reputation:	low
Preview:	5380.

Static File Info

General
File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
Entropy (8bit):	7.8717761813776965
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	sora.x86
File size:	24728
MD5:	ec0785f99de2a1ea900d48a9bb26bf1c
SHA1:	bdabfc4ef8c6e050ba2a88927ac9429bd71813c9
SHA256:	30ad105f506c59e85005c99f64fcfc577c2a51caf131bc9f57e5172a404654d3
SHA512:	4a3d6fba5292e86f1471b2d411954e950688522b891e6d827fd89aa621a087e953b544dd268aaacc9913807e036154568fb06115741ca71c85f8acb9d8e68cb1
SSDEEP:	384:M8DKKQOcRpmYLdn6RBOFRFt5rUFX1DiSIlCo3AnupCFNqnrrd1NEZgO8UXWozPLu:R/QOC0Yhn6ROHWFlAcwNEFCnNBxcsce
File Content Preview:	.ELF.....................g..4...........4. ...(......................_..._...................W...W..................Q.td...............................tUPX!....................Z........?d..ELF.......d.......4.,..4. (.......k.-.#.`...........?..P......d..l

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0xc067a0
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0xc01000	0xc01000	0x5f9b	0x5f9b	4.5556	0x5	R E	0x1000
LOAD	0x700	0x8055700	0x8055700	0x0	0x0	0.0000	0x6	RW	0x1000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2021 12:13:38.527992010 CET	23	46374	123.20.222.138	192.168.2.23
Nov 2, 2021 12:13:38.528105021 CET	46374	23	192.168.2.23	123.20.222.138
Nov 2, 2021 12:13:38.528399944 CET	23	46374	123.20.222.138	192.168.2.23
Nov 2, 2021 12:13:38.528467894 CET	46374	23	192.168.2.23	123.20.222.138
Nov 2, 2021 12:13:38.743113041 CET	34478	1312	192.168.2.23	163.172.46.83
Nov 2, 2021 12:13:38.743393898 CET	51809	23	192.168.2.23	70.49.139.233
Nov 2, 2021 12:13:38.743393898 CET	51809	23	192.168.2.23	196.166.26.104
Nov 2, 2021 12:13:38.743428946 CET	51809	23	192.168.2.23	122.65.3.23
Nov 2, 2021 12:13:38.743431091 CET	51809	23	192.168.2.23	77.120.124.218
Nov 2, 2021 12:13:38.743433952 CET	51809	23	192.168.2.23	109.18.116.104
Nov 2, 2021 12:13:38.743441105 CET	51809	23	192.168.2.23	178.90.74.234
Nov 2, 2021 12:13:38.743442059 CET	51809	23	192.168.2.23	255.211.112.251
Nov 2, 2021 12:13:38.743446112 CET	51809	23	192.168.2.23	196.108.178.104
Nov 2, 2021 12:13:38.743462086 CET	51809	23	192.168.2.23	70.27.86.7
Nov 2, 2021 12:13:38.743467093 CET	51809	23	192.168.2.23	166.200.189.165
Nov 2, 2021 12:13:38.743474007 CET	51809	23	192.168.2.23	34.45.213.74
Nov 2, 2021 12:13:38.743474960 CET	51809	23	192.168.2.23	190.104.213.78
Nov 2, 2021 12:13:38.743490934 CET	51809	23	192.168.2.23	186.192.119.191
Nov 2, 2021 12:13:38.743493080 CET	51809	23	192.168.2.23	216.65.150.238
Nov 2, 2021 12:13:38.743499041 CET	51809	23	192.168.2.23	66.20.55.108
Nov 2, 2021 12:13:38.743498087 CET	51809	23	192.168.2.23	173.54.23.112
Nov 2, 2021 12:13:38.743503094 CET	51809	23	192.168.2.23	217.183.53.18
Nov 2, 2021 12:13:38.743519068 CET	51809	23	192.168.2.23	109.237.181.38
Nov 2, 2021 12:13:38.743519068 CET	51809	23	192.168.2.23	120.45.89.132
Nov 2, 2021 12:13:38.743529081 CET	51809	23	192.168.2.23	74.89.62.223
Nov 2, 2021 12:13:38.743532896 CET	51809	23	192.168.2.23	42.85.124.163
Nov 2, 2021 12:13:38.743532896 CET	51809	23	192.168.2.23	61.178.239.116
Nov 2, 2021 12:13:38.743550062 CET	51809	23	192.168.2.23	119.138.78.19
Nov 2, 2021 12:13:38.743567944 CET	51809	23	192.168.2.23	188.251.191.78
Nov 2, 2021 12:13:38.743575096 CET	51809	23	192.168.2.23	90.181.154.80
Nov 2, 2021 12:13:38.743607998 CET	51809	23	192.168.2.23	12.44.110.127
Nov 2, 2021 12:13:38.743618011 CET	51809	23	192.168.2.23	85.248.240.253
Nov 2, 2021 12:13:38.743623972 CET	51809	23	192.168.2.23	47.64.65.248
Nov 2, 2021 12:13:38.743633986 CET	51809	23	192.168.2.23	186.203.134.244
Nov 2, 2021 12:13:38.743647099 CET	51809	23	192.168.2.23	90.204.10.215
Nov 2, 2021 12:13:38.743650913 CET	51809	23	192.168.2.23	18.71.145.7
Nov 2, 2021 12:13:38.743660927 CET	51809	23	192.168.2.23	198.90.101.205
Nov 2, 2021 12:13:38.743664026 CET	51809	23	192.168.2.23	39.13.189.102
Nov 2, 2021 12:13:38.743670940 CET	51809	23	192.168.2.23	81.156.104.106
Nov 2, 2021 12:13:38.743678093 CET	51809	23	192.168.2.23	72.251.170.133
Nov 2, 2021 12:13:38.743680000 CET	51809	23	192.168.2.23	97.220.49.43
Nov 2, 2021 12:13:38.743691921 CET	51809	23	192.168.2.23	97.30.4.220
Nov 2, 2021 12:13:38.743732929 CET	51809	23	192.168.2.23	139.165.213.203
Nov 2, 2021 12:13:38.743741035 CET	51809	23	192.168.2.23	143.254.233.95
Nov 2, 2021 12:13:38.743745089 CET	51809	23	192.168.2.23	43.63.71.126
Nov 2, 2021 12:13:38.743757010 CET	51809	23	192.168.2.23	118.48.121.185
Nov 2, 2021 12:13:38.743757963 CET	51809	23	192.168.2.23	19.246.213.214
Nov 2, 2021 12:13:38.743762970 CET	51809	23	192.168.2.23	252.164.253.193
Nov 2, 2021 12:13:38.743769884 CET	51809	23	192.168.2.23	196.180.24.33
Nov 2, 2021 12:13:38.743772984 CET	51809	23	192.168.2.23	196.127.24.93
Nov 2, 2021 12:13:38.743813038 CET	51809	23	192.168.2.23	242.78.232.15
Nov 2, 2021 12:13:38.743817091 CET	51809	23	192.168.2.23	241.30.175.224
Nov 2, 2021 12:13:38.743818998 CET	51809	23	192.168.2.23	9.13.238.161
Nov 2, 2021 12:13:38.743824959 CET	51809	23	192.168.2.23	88.230.124.172
Nov 2, 2021 12:13:38.743833065 CET	51809	23	192.168.2.23	149.240.70.137
Nov 2, 2021 12:13:38.743845940 CET	51809	23	192.168.2.23	84.191.205.231
Nov 2, 2021 12:13:38.743855953 CET	51809	23	192.168.2.23	173.175.96.1
Nov 2, 2021 12:13:38.743856907 CET	51809	23	192.168.2.23	97.164.130.117
Nov 2, 2021 12:13:38.743858099 CET	51809	23	192.168.2.23	253.122.119.128
Nov 2, 2021 12:13:38.743868113 CET	51809	23	192.168.2.23	195.249.208.210
Nov 2, 2021 12:13:38.743875027 CET	51809	23	192.168.2.23	5.115.180.43
Nov 2, 2021 12:13:38.743877888 CET	51809	23	192.168.2.23	83.220.127.91
Nov 2, 2021 12:13:38.743880987 CET	51809	23	192.168.2.23	27.93.135.105
Nov 2, 2021 12:13:38.743884087 CET	51809	23	192.168.2.23	4.0.182.242
Nov 2, 2021 12:13:38.743887901 CET	51809	23	192.168.2.23	117.45.24.185
Nov 2, 2021 12:13:38.743891001 CET	51809	23	192.168.2.23	193.75.198.21
Nov 2, 2021 12:13:38.743892908 CET	51809	23	192.168.2.23	184.235.239.121
Nov 2, 2021 12:13:38.743896008 CET	51809	23	192.168.2.23	213.223.255.10
Nov 2, 2021 12:13:38.743899107 CET	51809	23	192.168.2.23	217.95.163.61
Nov 2, 2021 12:13:38.743904114 CET	51809	23	192.168.2.23	179.221.11.23
Nov 2, 2021 12:13:38.743910074 CET	51809	23	192.168.2.23	60.71.247.235
Nov 2, 2021 12:13:38.743911982 CET	51809	23	192.168.2.23	166.136.190.228
Nov 2, 2021 12:13:38.743920088 CET	51809	23	192.168.2.23	177.210.216.239
Nov 2, 2021 12:13:38.743920088 CET	51809	23	192.168.2.23	175.67.105.84
Nov 2, 2021 12:13:38.743921995 CET	51809	23	192.168.2.23	133.95.126.247
Nov 2, 2021 12:13:38.743925095 CET	51809	23	192.168.2.23	124.119.197.37
Nov 2, 2021 12:13:38.743932009 CET	51809	23	192.168.2.23	205.238.144.135
Nov 2, 2021 12:13:38.743932962 CET	51809	23	192.168.2.23	203.178.98.79
Nov 2, 2021 12:13:38.743935108 CET	51809	23	192.168.2.23	98.231.204.159
Nov 2, 2021 12:13:38.743947029 CET	51809	23	192.168.2.23	253.48.227.3
Nov 2, 2021 12:13:38.743949890 CET	51809	23	192.168.2.23	178.31.84.75
Nov 2, 2021 12:13:38.743958950 CET	51809	23	192.168.2.23	185.235.224.66
Nov 2, 2021 12:13:38.743972063 CET	51809	23	192.168.2.23	190.97.239.14
Nov 2, 2021 12:13:38.743988037 CET	51809	23	192.168.2.23	57.118.130.36
Nov 2, 2021 12:13:38.744004965 CET	51809	23	192.168.2.23	191.158.116.59
Nov 2, 2021 12:13:38.744014978 CET	51809	23	192.168.2.23	64.4.98.203
Nov 2, 2021 12:13:38.744019985 CET	51809	23	192.168.2.23	38.65.100.29
Nov 2, 2021 12:13:38.744052887 CET	51809	23	192.168.2.23	200.195.171.119
Nov 2, 2021 12:13:38.744056940 CET	51809	23	192.168.2.23	122.56.215.118
Nov 2, 2021 12:13:38.744066954 CET	51809	23	192.168.2.23	107.44.177.76
Nov 2, 2021 12:13:38.744067907 CET	51809	23	192.168.2.23	190.133.128.217
Nov 2, 2021 12:13:38.744100094 CET	51809	23	192.168.2.23	187.42.11.148
Nov 2, 2021 12:13:38.744107962 CET	51809	23	192.168.2.23	191.174.177.183
Nov 2, 2021 12:13:38.744123936 CET	51809	23	192.168.2.23	124.130.191.207
Nov 2, 2021 12:13:38.744124889 CET	51809	23	192.168.2.23	146.252.6.205
Nov 2, 2021 12:13:38.744133949 CET	51809	23	192.168.2.23	169.209.185.153
Nov 2, 2021 12:13:38.744138002 CET	51809	23	192.168.2.23	166.42.102.233
Nov 2, 2021 12:13:38.744138002 CET	51809	23	192.168.2.23	43.156.98.201
Nov 2, 2021 12:13:38.744148970 CET	51809	23	192.168.2.23	246.32.186.79
Nov 2, 2021 12:13:38.744155884 CET	51809	23	192.168.2.23	2.98.196.39

System Behavior

Analysis Process: sora.x86 PID: 5233 Parent PID: 5111

General

Start time:	12:13:38
Start date:	02/11/2021
Path:	/tmp/sora.x86
Arguments:	/tmp/sora.x86
File size:	24728 bytes
MD5 hash:	ec0785f99de2a1ea900d48a9bb26bf1c

Analysis Process: sora.x86 PID: 5234 Parent PID: 5233

General

Start time:	12:13:38
Start date:	02/11/2021
Path:	/tmp/sora.x86
Arguments:	n/a
File size:	24728 bytes
MD5 hash:	ec0785f99de2a1ea900d48a9bb26bf1c

Analysis Process: sora.x86 PID: 5389 Parent PID: 5234

General

Start time:	12:16:46
Start date:	02/11/2021
Path:	/tmp/sora.x86
Arguments:	n/a
File size:	24728 bytes
MD5 hash:	ec0785f99de2a1ea900d48a9bb26bf1c

Analysis Process: sora.x86 PID: 5390 Parent PID: 5234

General

Start time:	12:16:46
Start date:	02/11/2021
Path:	/tmp/sora.x86
Arguments:	n/a
File size:	24728 bytes
MD5 hash:	ec0785f99de2a1ea900d48a9bb26bf1c

Analysis Process: sora.x86 PID: 5391 Parent PID: 5390

General

Start time:	12:16:46
Start date:	02/11/2021
Path:	/tmp/sora.x86
Arguments:	n/a
File size:	24728 bytes
MD5 hash:	ec0785f99de2a1ea900d48a9bb26bf1c

Analysis Process: sora.x86 PID: 5401 Parent PID: 5391

General

Start time:	12:16:51
Start date:	02/11/2021
Path:	/tmp/sora.x86
Arguments:	n/a
File size:	24728 bytes
MD5 hash:	ec0785f99de2a1ea900d48a9bb26bf1c

Analysis Process: sora.x86 PID: 5402 Parent PID: 5391

General

Start time:	12:16:51
Start date:	02/11/2021
Path:	/tmp/sora.x86
Arguments:	n/a
File size:	24728 bytes
MD5 hash:	ec0785f99de2a1ea900d48a9bb26bf1c

Analysis Process: sora.x86 PID: 5392 Parent PID: 5390

General

Start time:	12:16:46
Start date:	02/11/2021
Path:	/tmp/sora.x86
Arguments:	n/a
File size:	24728 bytes
MD5 hash:	ec0785f99de2a1ea900d48a9bb26bf1c

Analysis Process: sora.x86 PID: 5393 Parent PID: 5390

General

Start time:	12:16:46
Start date:	02/11/2021
Path:	/tmp/sora.x86
Arguments:	n/a
File size:	24728 bytes
MD5 hash:	ec0785f99de2a1ea900d48a9bb26bf1c

Analysis Process: sora.x86 PID: 5235 Parent PID: 5233

General

Start time:	12:13:38
Start date:	02/11/2021
Path:	/tmp/sora.x86
Arguments:	n/a
File size:	24728 bytes
MD5 hash:	ec0785f99de2a1ea900d48a9bb26bf1c

Analysis Process: sora.x86 PID: 5236 Parent PID: 5233

General

Start time:	12:13:38
Start date:	02/11/2021
Path:	/tmp/sora.x86
Arguments:	n/a
File size:	24728 bytes
MD5 hash:	ec0785f99de2a1ea900d48a9bb26bf1c

Analysis Process: sora.x86 PID: 5237 Parent PID: 5236

General

Start time:	12:13:38
Start date:	02/11/2021
Path:	/tmp/sora.x86
Arguments:	n/a
File size:	24728 bytes
MD5 hash:	ec0785f99de2a1ea900d48a9bb26bf1c

Analysis Process: sora.x86 PID: 5381 Parent PID: 5237

General

Start time:	12:16:33
Start date:	02/11/2021
Path:	/tmp/sora.x86
Arguments:	n/a
File size:	24728 bytes
MD5 hash:	ec0785f99de2a1ea900d48a9bb26bf1c

Analysis Process: sora.x86 PID: 5382 Parent PID: 5237

General

Start time:	12:16:33
Start date:	02/11/2021
Path:	/tmp/sora.x86
Arguments:	n/a
File size:	24728 bytes
MD5 hash:	ec0785f99de2a1ea900d48a9bb26bf1c

Analysis Process: sora.x86 PID: 5238 Parent PID: 5236

General

Start time:	12:13:38
Start date:	02/11/2021
Path:	/tmp/sora.x86
Arguments:	n/a
File size:	24728 bytes
MD5 hash:	ec0785f99de2a1ea900d48a9bb26bf1c

Analysis Process: sora.x86 PID: 5239 Parent PID: 5236

General

Start time:	12:13:38
Start date:	02/11/2021
Path:	/tmp/sora.x86
Arguments:	n/a
File size:	24728 bytes
MD5 hash:	ec0785f99de2a1ea900d48a9bb26bf1c

Analysis Process: systemd PID: 5266 Parent PID: 1

General

Start time:	12:13:49
Start date:	02/11/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5266 Parent PID: 1

General

Start time:	12:13:49
Start date:	02/11/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -t
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5267 Parent PID: 1

General

Start time:	12:13:50
Start date:	02/11/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5267 Parent PID: 1

General

Start time:	12:13:50
Start date:	02/11/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5375 Parent PID: 1

General

Start time:	12:16:26
Start date:	02/11/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5375 Parent PID: 1

General

Start time:	12:16:26
Start date:	02/11/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -t
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5376 Parent PID: 1

General

Start time:	12:16:27
Start date:	02/11/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5376 Parent PID: 1

General

Start time:	12:16:27
Start date:	02/11/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5379 Parent PID: 1

General

Start time:	12:16:29
Start date:	02/11/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5379 Parent PID: 1

General

Start time:	12:16:29
Start date:	02/11/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -t
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5380 Parent PID: 1

General

Start time:	12:16:29
Start date:	02/11/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5380 Parent PID: 1

General

Start time:	12:16:29
Start date:	02/11/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report sora.x86

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

PCAP (Network Traffic)

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: sora.x86 PID: 5233 Parent PID: 5111

General

Analysis Process: sora.x86 PID: 5234 Parent PID: 5233

General

Analysis Process: sora.x86 PID: 5389 Parent PID: 5234

General

Analysis Process: sora.x86 PID: 5390 Parent PID: 5234

General

Analysis Process: sora.x86 PID: 5391 Parent PID: 5390

General

Analysis Process: sora.x86 PID: 5401 Parent PID: 5391

General

Analysis Process: sora.x86 PID: 5402 Parent PID: 5391

General

Analysis Process: sora.x86 PID: 5392 Parent PID: 5390

General

Analysis Process: sora.x86 PID: 5393 Parent PID: 5390

General

Analysis Process: sora.x86 PID: 5235 Parent PID: 5233

General

Analysis Process: sora.x86 PID: 5236 Parent PID: 5233