Linux Analysis Report sora.arm7

Overview

General Information

Sample Name:	sora.arm7
Analysis ID:	518886
MD5:	c0530dfd3766a324673f37c1644de5bc
SHA1:	a45fb3c938ed307ed0f4a550bc17e460a0e5b661
SHA256:	8a6e72fa60a5be3c99b64bdbbf23839949e051dfaf9b975c040fa00c8edde1c6
Tags:	Mirai
Infos:

Detection

Mirai

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Uses known network protocols on non-standard ports

Sample contains only a LOAD segment without any section mappings

Yara signature match

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: sora.arm7	Virustotal: Detection: 41%			Perma Link
Source: sora.arm7	ReversingLabs: Detection: 42%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 716 INFO TELNET access 1.218.245.230:23 -> 192.168.2.23:44004
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.251.57.101:23 -> 192.168.2.23:35992
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35188
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35188
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35198
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35198
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.218.245.230:23 -> 192.168.2.23:44116
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35238
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35238
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35270
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35270
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35320
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.251.57.101:23 -> 192.168.2.23:36172
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35320
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35352
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35352
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 108.39.178.247:23 -> 192.168.2.23:47030
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 108.39.178.247:23 -> 192.168.2.23:47030
Source: Traffic	Snort IDS: 2023434 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv) 192.168.2.23:36114 -> 190.60.19.213:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35386
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.218.245.230:23 -> 192.168.2.23:44304
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35386
Source: Traffic	Snort IDS: 716 INFO TELNET access 81.21.249.100:23 -> 192.168.2.23:56860
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35424
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35424
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35446
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35446
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.251.57.101:23 -> 192.168.2.23:36344
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35502
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35502
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.230.203:23 -> 192.168.2.23:36636
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.230.203:23 -> 192.168.2.23:36636
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.230.203:23 -> 192.168.2.23:36662
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.230.203:23 -> 192.168.2.23:36662
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.218.245.230:23 -> 192.168.2.23:44482
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:45712
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.230.203:23 -> 192.168.2.23:36678
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.230.203:23 -> 192.168.2.23:36678
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 108.39.178.247:23 -> 192.168.2.23:47238
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 108.39.178.247:23 -> 192.168.2.23:47238
Source: Traffic	Snort IDS: 716 INFO TELNET access 81.21.249.100:23 -> 192.168.2.23:57024
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.230.203:23 -> 192.168.2.23:36692
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.230.203:23 -> 192.168.2.23:36692
Source: Traffic	Snort IDS: 2023433 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) 192.168.2.23:41002 -> 87.75.69.53:23
Source: Traffic	Snort IDS: 2023433 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) 192.168.2.23:41004 -> 87.75.69.53:23
Source: Traffic	Snort IDS: 2023434 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv) 192.168.2.23:41034 -> 87.75.69.53:23
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:45806
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.251.57.101:23 -> 192.168.2.23:36536
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:40516 -> 31.199.225.231:23
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 123.175.50.138:23 -> 192.168.2.23:52042
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58340
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.213.32.54:23 -> 192.168.2.23:38002
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58356
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58362
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.127.75.126:23 -> 192.168.2.23:45312
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.127.75.126:23 -> 192.168.2.23:45312
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58372
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:45924
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.218.245.230:23 -> 192.168.2.23:44690
Source: Traffic	Snort IDS: 716 INFO TELNET access 81.21.249.100:23 -> 192.168.2.23:57234
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58388
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 109.186.36.253:23 -> 192.168.2.23:34818
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 109.186.36.253:23 -> 192.168.2.23:34818
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58396
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 108.39.178.247:23 -> 192.168.2.23:47468
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 108.39.178.247:23 -> 192.168.2.23:47468
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58406
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58426
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:36568 -> 190.60.19.213:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58456
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:45996
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.127.75.126:23 -> 192.168.2.23:45374
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.127.75.126:23 -> 192.168.2.23:45374
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58478
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 109.186.36.253:23 -> 192.168.2.23:34886
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 109.186.36.253:23 -> 192.168.2.23:34886
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.251.57.101:23 -> 192.168.2.23:36772
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:46076
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 109.186.36.253:23 -> 192.168.2.23:34966
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 109.186.36.253:23 -> 192.168.2.23:34966
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.127.75.126:23 -> 192.168.2.23:45486
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.127.75.126:23 -> 192.168.2.23:45486
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.213.32.54:23 -> 192.168.2.23:38210
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:46126
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.218.245.230:23 -> 192.168.2.23:44910
Source: Traffic	Snort IDS: 716 INFO TELNET access 81.21.249.100:23 -> 192.168.2.23:57444
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 109.186.36.253:23 -> 192.168.2.23:35036
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 109.186.36.253:23 -> 192.168.2.23:35036
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.127.75.126:23 -> 192.168.2.23:45564
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.127.75.126:23 -> 192.168.2.23:45564
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:46168
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 108.39.178.247:23 -> 192.168.2.23:47722
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 108.39.178.247:23 -> 192.168.2.23:47722
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 109.186.36.253:23 -> 192.168.2.23:35094
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 109.186.36.253:23 -> 192.168.2.23:35094
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:46222
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.251.57.101:23 -> 192.168.2.23:36944
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.127.75.126:23 -> 192.168.2.23:45640
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.127.75.126:23 -> 192.168.2.23:45640
Source: Traffic	Snort IDS: 716 INFO TELNET access 187.8.88.19:23 -> 192.168.2.23:53706
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 120.210.132.132:23 -> 192.168.2.23:39756
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:46288
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 109.186.36.253:23 -> 192.168.2.23:35168
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 109.186.36.253:23 -> 192.168.2.23:35168
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:44362 -> 63.78.213.106:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.213.32.54:23 -> 192.168.2.23:38488
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 120.210.132.132:23 -> 192.168.2.23:39910
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 186.190.238.29:23 -> 192.168.2.23:52178
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 186.190.238.29:23 -> 192.168.2.23:52178
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:46442
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.218.245.230:23 -> 192.168.2.23:45226
Source: Traffic	Snort IDS: 716 INFO TELNET access 81.21.249.100:23 -> 192.168.2.23:57786
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.127.75.126:23 -> 192.168.2.23:45824
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.127.75.126:23 -> 192.168.2.23:45824
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 5.134.192.143:23 -> 192.168.2.23:46000
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 5.134.192.143:23 -> 192.168.2.23:46000
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.228.187.182:23 -> 192.168.2.23:59192
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:44526 -> 63.78.213.106:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 109.186.36.253:23 -> 192.168.2.23:35352
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 109.186.36.253:23 -> 192.168.2.23:35352
Source: Traffic	Snort IDS: 716 INFO TELNET access 91.155.104.45:23 -> 192.168.2.23:44134
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 113.174.140.208:23 -> 192.168.2.23:56482
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 113.174.140.208:23 -> 192.168.2.23:56482
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 186.190.238.29:23 -> 192.168.2.23:52270
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 186.190.238.29:23 -> 192.168.2.23:52270
Source: Traffic	Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 87.60.19.234: -> 192.168.2.23:
Source: Traffic	Snort IDS: 2023433 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) 192.168.2.23:37136 -> 190.60.19.213:23
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 103.192.76.26:23 -> 192.168.2.23:52556
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.228.187.182:23 -> 192.168.2.23:59192
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.136.141.5:23 -> 192.168.2.23:49242
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.228.187.182:23 -> 192.168.2.23:59276
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 186.190.238.29:23 -> 192.168.2.23:52328
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 186.190.238.29:23 -> 192.168.2.23:52328
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 120.210.132.132:23 -> 192.168.2.23:40072
Source: Traffic	Snort IDS: 716 INFO TELNET access 59.124.8.47:23 -> 192.168.2.23:56656
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.228.187.182:23 -> 192.168.2.23:59276
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 109.186.36.253:23 -> 192.168.2.23:35484
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 109.186.36.253:23 -> 192.168.2.23:35484
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.127.75.126:23 -> 192.168.2.23:45998
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.127.75.126:23 -> 192.168.2.23:45998
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.136.141.5:23 -> 192.168.2.23:49386
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 186.190.238.29:23 -> 192.168.2.23:52422
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 186.190.238.29:23 -> 192.168.2.23:52422
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 188.119.49.10:23 -> 192.168.2.23:52888
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 188.119.49.10:23 -> 192.168.2.23:52888
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.228.187.182:23 -> 192.168.2.23:59428

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34110
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34112
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34116
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34118
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34122
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34124
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34126
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34128
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34136
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34140
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58262
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58264
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58270
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58274
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58276
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45940
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58282
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45946
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58286
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45950
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58290
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45954
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58294
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45960
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58300
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45964
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45966
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45976
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45982
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45168
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45170
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45172
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45174
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45184
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45186
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45190
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39914
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45196
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39922
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45208
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39928
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45216
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39936
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39946
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39956
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39962
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39982
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39990
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46936
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46942
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46950
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46952
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46958
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46964
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46978
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46986
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46994

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:33146 -> 128.199.243.41:1312

Sample listens on a socket

Source: /tmp/sora.arm7 (PID: 5242)	Socket: 0.0.0.0::0	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	Socket: 0.0.0.0::0	Jump to behavior
Source: /usr/sbin/sshd (PID: 5274)	Socket: 0.0.0.0::22	Jump to behavior
Source: /usr/sbin/sshd (PID: 5274)	Socket: [::]::22	Jump to behavior

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.243.41
Source: unknown	TCP traffic detected without corresponding DNS query: 222.140.219.5
Source: unknown	TCP traffic detected without corresponding DNS query: 252.214.35.97
Source: unknown	TCP traffic detected without corresponding DNS query: 169.8.20.4
Source: unknown	TCP traffic detected without corresponding DNS query: 155.223.51.109
Source: unknown	TCP traffic detected without corresponding DNS query: 42.131.237.138
Source: unknown	TCP traffic detected without corresponding DNS query: 191.127.186.244
Source: unknown	TCP traffic detected without corresponding DNS query: 122.80.228.224
Source: unknown	TCP traffic detected without corresponding DNS query: 222.33.193.194
Source: unknown	TCP traffic detected without corresponding DNS query: 5.57.145.87
Source: unknown	TCP traffic detected without corresponding DNS query: 157.79.58.251
Source: unknown	TCP traffic detected without corresponding DNS query: 74.143.129.21
Source: unknown	TCP traffic detected without corresponding DNS query: 183.24.19.102
Source: unknown	TCP traffic detected without corresponding DNS query: 14.44.21.76
Source: unknown	TCP traffic detected without corresponding DNS query: 159.149.104.79
Source: unknown	TCP traffic detected without corresponding DNS query: 122.140.92.0
Source: unknown	TCP traffic detected without corresponding DNS query: 62.185.215.67
Source: unknown	TCP traffic detected without corresponding DNS query: 62.41.93.155
Source: unknown	TCP traffic detected without corresponding DNS query: 14.252.253.48
Source: unknown	TCP traffic detected without corresponding DNS query: 154.3.132.22
Source: unknown	TCP traffic detected without corresponding DNS query: 195.90.3.2
Source: unknown	TCP traffic detected without corresponding DNS query: 136.28.48.183
Source: unknown	TCP traffic detected without corresponding DNS query: 251.59.130.41
Source: unknown	TCP traffic detected without corresponding DNS query: 242.94.57.124
Source: unknown	TCP traffic detected without corresponding DNS query: 121.174.8.56
Source: unknown	TCP traffic detected without corresponding DNS query: 37.248.219.83
Source: unknown	TCP traffic detected without corresponding DNS query: 8.117.57.95
Source: unknown	TCP traffic detected without corresponding DNS query: 90.174.206.18
Source: unknown	TCP traffic detected without corresponding DNS query: 74.227.140.102
Source: unknown	TCP traffic detected without corresponding DNS query: 154.129.38.115
Source: unknown	TCP traffic detected without corresponding DNS query: 171.136.251.77
Source: unknown	TCP traffic detected without corresponding DNS query: 157.46.4.171
Source: unknown	TCP traffic detected without corresponding DNS query: 18.62.67.52
Source: unknown	TCP traffic detected without corresponding DNS query: 34.142.97.118
Source: unknown	TCP traffic detected without corresponding DNS query: 38.126.149.110
Source: unknown	TCP traffic detected without corresponding DNS query: 90.180.218.209
Source: unknown	TCP traffic detected without corresponding DNS query: 135.153.100.11
Source: unknown	TCP traffic detected without corresponding DNS query: 27.248.76.68
Source: unknown	TCP traffic detected without corresponding DNS query: 90.243.31.211
Source: unknown	TCP traffic detected without corresponding DNS query: 164.149.118.95
Source: unknown	TCP traffic detected without corresponding DNS query: 75.83.232.229
Source: unknown	TCP traffic detected without corresponding DNS query: 166.19.96.132
Source: unknown	TCP traffic detected without corresponding DNS query: 73.40.54.218
Source: unknown	TCP traffic detected without corresponding DNS query: 42.161.172.203
Source: unknown	TCP traffic detected without corresponding DNS query: 142.161.113.178
Source: unknown	TCP traffic detected without corresponding DNS query: 196.79.170.181
Source: unknown	TCP traffic detected without corresponding DNS query: 27.123.29.201
Source: unknown	TCP traffic detected without corresponding DNS query: 81.249.133.35
Source: unknown	TCP traffic detected without corresponding DNS query: 5.72.70.26
Source: unknown	TCP traffic detected without corresponding DNS query: 69.239.28.185

Source: sora.arm7

String found in binary or memory: http://upx.sf.net

System Summary:

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x8000

Yara signature match

Source: sora.arm7, type: SAMPLE

Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

Sample tries to kill a process (SIGKILL)

Source: /tmp/sora.arm7 (PID: 5242)

SIGKILL sent: pid: 936, result: successful

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.linARM7@0/2@0/0

Source: sora.arm7

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Data Obfuscation:

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system

Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/491/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/793/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/772/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/796/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/774/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/797/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/777/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/799/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/658/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/912/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/759/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/936/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/918/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/1/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/761/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/785/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/884/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/720/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/721/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/788/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/789/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/800/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/801/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/847/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/904/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5261/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5262/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5263/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5264/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5265/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5266/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5267/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5268/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2033/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1582/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2275/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5260/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1612/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1579/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1699/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1335/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1698/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2028/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1334/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1576/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2302/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/3236/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2025/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2146/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/912/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/759/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2307/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/918/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5272/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5273/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1594/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2285/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2281/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5270/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5271/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1349/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1623/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/761/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1622/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/884/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1983/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2038/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1586/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1465/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1344/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1860/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1463/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2156/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/800/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5269/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/801/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1629/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1627/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1900/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/491/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2294/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2050/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5040/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1877/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/772/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1633/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1599/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1632/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1477/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/774/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1476/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1872/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2048/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1475/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2289/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/777/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/658/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1639/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1638/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2208/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2180/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1809/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1494/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1890/fd	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34110
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34112
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34116
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34118
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34122
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34124
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34126
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34128
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34136
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34140
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58262
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58264
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58270
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58274
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58276
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45940
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58282
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45946
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58286
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45950
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58290
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45954
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58294
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45960
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58300
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45964
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45966
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45976
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45982
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45168
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45170
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45172
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45174
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45184
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45186
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45190
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39914
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45196
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39922
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45208
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39928
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45216
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39936
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39946
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39956
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39962
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39982
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39990
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46936
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46942
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46950
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46952
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46958
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46964
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46978
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46986
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46994

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/sora.arm7 (PID: 5240)

Queries kernel information via 'uname':

Jump to behavior

Source: sora.arm7, 5240.1.00000000ec5b085b.0000000030322648.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: sora.arm7, 5240.1.00000000ec5b085b.0000000030322648.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: sora.arm7, 5240.1.0000000057ff4a10.0000000007cc84c3.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: sora.arm7, 5240.1.0000000057ff4a10.0000000007cc84c3.rw-.sdmp	Binary or memory string: Vx86_64/usr/bin/qemu-arm/tmp/sora.arm7SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sora.arm7

Stealing of Sensitive Information:

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
105.180.23.20	unknown	Egypt	37069	MOBINILEG	false
38.5.198.77	unknown	United States	174	COGENT-174US	false
44.244.125.175	unknown	United States	16509	AMAZON-02US	false
108.198.1.171	unknown	United States	7018	ATT-INTERNET4US	false
213.60.85.253	unknown	Spain	12334	Galicia-SpainES	false
38.3.136.25	unknown	United States	174	COGENT-174US	false
250.29.133.144	unknown	Reserved	unknown	unknown	false
157.6.233.117	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
157.145.44.94	unknown	United States	719	ELISA-ASHelsinkiFinlandEU	false
73.198.119.83	unknown	United States	7922	COMCAST-7922US	false
162.65.245.129	unknown	United States	35893	ACPCA	false
152.43.75.176	unknown	United States	33401	CPCCUS	false
68.107.216.54	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
216.61.47.73	unknown	United States	7018	ATT-INTERNET4US	false
196.224.103.15	unknown	Tunisia	37492	ORANGE-TN	false
32.193.220.66	unknown	United States	2686	ATGS-MMD-ASUS	false
197.109.134.94	unknown	South Africa	37168	CELL-CZA	false
81.180.199.188	unknown	Romania	8953	ASN-ORANGE-ROMANIARO	false
147.48.140.172	unknown	United States	2852	CESNET2CZ	false
211.14.115.244	unknown	Japan	9605	DOCOMONTTDOCOMOINCJP	false
147.105.169.59	unknown	United States	22522	ULALAUNCHUS	false
220.232.49.252	unknown	Singapore	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
96.195.125.71	unknown	United States	7922	COMCAST-7922US	false
107.157.7.1	unknown	United States	7065	SONOMAUS	false
154.48.184.42	unknown	United States	203499	WI-NET-SOLIS-ASES	false
244.203.2.250	unknown	Reserved	unknown	unknown	false
253.241.166.61	unknown	Reserved	unknown	unknown	false
125.178.123.148	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false
76.227.191.165	unknown	United States	7018	ATT-INTERNET4US	false
212.9.202.33	unknown	United Kingdom	8942	LondonOfficeGB	false
74.202.235.90	unknown	United States	395313	BRAINTREEUS	false
124.145.224.179	unknown	Japan	9824	JTCL-JP-ASJupiterTelecommunicationCoLtdJP	false
180.249.117.189	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	false
186.246.82.239	unknown	Brazil	7738	TelemarNorteLesteSABR	false
184.192.180.65	unknown	United States	10507	SPCSUS	false
180.145.69.198	unknown	Japan	17511	OPTAGEOPTAGEIncJP	false
171.99.205.149	unknown	Thailand	17552	TRUE-AS-APTrueInternetCoLtdTH	false
111.196.171.136	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
43.74.235.99	unknown	Japan	4249	LILLY-ASUS	false
44.105.65.47	unknown	United States	7377	UCSDUS	false
218.181.74.77	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
53.191.190.220	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
152.241.29.184	unknown	Brazil	26599	TELEFONICABRASILSABR	false
91.186.75.42	unknown	Norway	56828	NORWEGIANHEALTHNETWORKNO	false
109.165.176.243	unknown	Bosnia and Herzegowina	25144	TELEKOM-SRPSKE-ASKraljaPetraIKaradjordjevica61aBA	false
156.0.172.146	unknown	South Africa	328112	Linux-Based-Systems-Design-ASZA	false
93.87.57.249	unknown	Serbia	8400	TELEKOM-ASRS	false
82.25.98.22	unknown	United Kingdom	5089	NTLGB	false
40.178.220.70	unknown	United States	4249	LILLY-ASUS	false
70.34.47.248	unknown	United States	15830	EQUINIX-CONNECT-EMEAGB	false
110.109.134.165	unknown	China	134810	CMNET-JILIN-AS-APChinaMobileGroupJiLincommunicationsco	false
139.0.170.93	unknown	Indonesia	23700	FASTNET-AS-IDLinknet-FastnetASNID	false
35.2.238.241	unknown	United States	36375	UMICH-AS-5US	false
183.109.40.165	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
161.58.199.192	unknown	United States	2914	NTT-COMMUNICATIONS-2914US	false
189.181.107.156	unknown	Mexico	8151	UninetSAdeCVMX	false
248.38.186.19	unknown	Reserved	unknown	unknown	false
136.69.43.77	unknown	United States	60311	ONEFMCH	false
80.155.119.168	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
82.39.27.145	unknown	United Kingdom	5089	NTLGB	false
199.81.85.172	unknown	United States	7726	FITC-ASUS	false
163.109.89.198	unknown	France	17816	CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi	false
90.158.71.173	unknown	Turkey	9021	ISNETTR	false
32.148.111.173	unknown	United States	2686	ATGS-MMD-ASUS	false
84.87.28.28	unknown	Netherlands	1136	KPNKPNNationalEU	false
78.152.92.58	unknown	Austria	35370	AINET-ASAT	false
187.51.205.102	unknown	Brazil	10429	TELEFONICABRASILSABR	false
36.75.177.224	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	false
142.166.65.11	unknown	Canada	855	CANET-ASN-4CA	false
70.210.207.227	unknown	United States	6167	CELLCO-PARTUS	false
18.102.226.164	unknown	United States	3	MIT-GATEWAYSUS	false
75.92.93.242	unknown	United States	7029	WINDSTREAMUS	false
84.73.147.144	unknown	Switzerland	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
60.126.184.178	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
144.44.178.235	unknown	European Union	21286	KPN-CORPORATE-MARKETNL	false
109.115.234.55	unknown	Italy	30722	VODAFONE-IT-ASNIT	false
253.85.73.245	unknown	Reserved	unknown	unknown	false
17.242.50.87	unknown	United States	714	APPLE-ENGINEERINGUS	false
251.59.93.2	unknown	Reserved	unknown	unknown	false
138.226.133.196	unknown	Switzerland	12980	EMEAHostingAutonomousSystemEU	false
247.52.50.28	unknown	Reserved	unknown	unknown	false
40.193.69.189	unknown	United States	4249	LILLY-ASUS	false
109.239.104.154	unknown	United Kingdom	33920	AQLGB	false
112.255.242.110	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
178.244.73.50	unknown	Turkey	16135	TURKCELL-ASTurkcellASTR	false
87.143.226.17	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
84.187.248.166	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
190.79.134.140	unknown	Venezuela	8048	CANTVServiciosVenezuelaVE	false
246.57.16.99	unknown	Reserved	unknown	unknown	false
126.97.154.254	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
48.235.60.188	unknown	United States	2686	ATGS-MMD-ASUS	false
43.143.51.89	unknown	Japan	4249	LILLY-ASUS	false
169.111.169.161	unknown	United States	37611	AfrihostZA	false
167.128.242.202	unknown	United States	25899	LSNETUS	false
110.53.232.225	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
93.47.218.64	unknown	Italy	12874	FASTWEBIT	false
45.205.88.180	unknown	Seychelles	54600	PEGTECHINCUS	false
58.162.208.60	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
247.160.162.94	unknown	Reserved	unknown	unknown	false
162.104.193.5	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false

AV Detection:

Multi AV Scanner detection for submitted file

Source: sora.arm7	Virustotal: Detection: 41%			Perma Link
Source: sora.arm7	ReversingLabs: Detection: 42%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 716 INFO TELNET access 1.218.245.230:23 -> 192.168.2.23:44004
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.251.57.101:23 -> 192.168.2.23:35992
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35188
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35188
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35198
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35198
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.218.245.230:23 -> 192.168.2.23:44116
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35238
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35238
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35270
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35270
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35320
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.251.57.101:23 -> 192.168.2.23:36172
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35320
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35352
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35352
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 108.39.178.247:23 -> 192.168.2.23:47030
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 108.39.178.247:23 -> 192.168.2.23:47030
Source: Traffic	Snort IDS: 2023434 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv) 192.168.2.23:36114 -> 190.60.19.213:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35386
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.218.245.230:23 -> 192.168.2.23:44304
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35386
Source: Traffic	Snort IDS: 716 INFO TELNET access 81.21.249.100:23 -> 192.168.2.23:56860
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35424
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35424
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35446
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35446
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.251.57.101:23 -> 192.168.2.23:36344
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.56.51.195:23 -> 192.168.2.23:35502
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.56.51.195:23 -> 192.168.2.23:35502
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.230.203:23 -> 192.168.2.23:36636
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.230.203:23 -> 192.168.2.23:36636
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.230.203:23 -> 192.168.2.23:36662
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.230.203:23 -> 192.168.2.23:36662
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.218.245.230:23 -> 192.168.2.23:44482
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:45712
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.230.203:23 -> 192.168.2.23:36678
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.230.203:23 -> 192.168.2.23:36678
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 108.39.178.247:23 -> 192.168.2.23:47238
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 108.39.178.247:23 -> 192.168.2.23:47238
Source: Traffic	Snort IDS: 716 INFO TELNET access 81.21.249.100:23 -> 192.168.2.23:57024
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.230.203:23 -> 192.168.2.23:36692
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.230.203:23 -> 192.168.2.23:36692
Source: Traffic	Snort IDS: 2023433 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) 192.168.2.23:41002 -> 87.75.69.53:23
Source: Traffic	Snort IDS: 2023433 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) 192.168.2.23:41004 -> 87.75.69.53:23
Source: Traffic	Snort IDS: 2023434 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv) 192.168.2.23:41034 -> 87.75.69.53:23
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:45806
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.251.57.101:23 -> 192.168.2.23:36536
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:40516 -> 31.199.225.231:23
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 123.175.50.138:23 -> 192.168.2.23:52042
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58340
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.213.32.54:23 -> 192.168.2.23:38002
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58356
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58362
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.127.75.126:23 -> 192.168.2.23:45312
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.127.75.126:23 -> 192.168.2.23:45312
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58372
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:45924
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.218.245.230:23 -> 192.168.2.23:44690
Source: Traffic	Snort IDS: 716 INFO TELNET access 81.21.249.100:23 -> 192.168.2.23:57234
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58388
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 109.186.36.253:23 -> 192.168.2.23:34818
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 109.186.36.253:23 -> 192.168.2.23:34818
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58396
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 108.39.178.247:23 -> 192.168.2.23:47468
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 108.39.178.247:23 -> 192.168.2.23:47468
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58406
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58426
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:36568 -> 190.60.19.213:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58456
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:45996
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.127.75.126:23 -> 192.168.2.23:45374
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.127.75.126:23 -> 192.168.2.23:45374
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.214.19:23 -> 192.168.2.23:58478
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 109.186.36.253:23 -> 192.168.2.23:34886
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 109.186.36.253:23 -> 192.168.2.23:34886
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.251.57.101:23 -> 192.168.2.23:36772
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:46076
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 109.186.36.253:23 -> 192.168.2.23:34966
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 109.186.36.253:23 -> 192.168.2.23:34966
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.127.75.126:23 -> 192.168.2.23:45486
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.127.75.126:23 -> 192.168.2.23:45486
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.213.32.54:23 -> 192.168.2.23:38210
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:46126
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.218.245.230:23 -> 192.168.2.23:44910
Source: Traffic	Snort IDS: 716 INFO TELNET access 81.21.249.100:23 -> 192.168.2.23:57444
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 109.186.36.253:23 -> 192.168.2.23:35036
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 109.186.36.253:23 -> 192.168.2.23:35036
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.127.75.126:23 -> 192.168.2.23:45564
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.127.75.126:23 -> 192.168.2.23:45564
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:46168
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 108.39.178.247:23 -> 192.168.2.23:47722
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 108.39.178.247:23 -> 192.168.2.23:47722
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 109.186.36.253:23 -> 192.168.2.23:35094
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 109.186.36.253:23 -> 192.168.2.23:35094
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:46222
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.251.57.101:23 -> 192.168.2.23:36944
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.127.75.126:23 -> 192.168.2.23:45640
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.127.75.126:23 -> 192.168.2.23:45640
Source: Traffic	Snort IDS: 716 INFO TELNET access 187.8.88.19:23 -> 192.168.2.23:53706
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 120.210.132.132:23 -> 192.168.2.23:39756
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:46288
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 109.186.36.253:23 -> 192.168.2.23:35168
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 109.186.36.253:23 -> 192.168.2.23:35168
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:44362 -> 63.78.213.106:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.213.32.54:23 -> 192.168.2.23:38488
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 120.210.132.132:23 -> 192.168.2.23:39910
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 186.190.238.29:23 -> 192.168.2.23:52178
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 186.190.238.29:23 -> 192.168.2.23:52178
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.254.204.242:23 -> 192.168.2.23:46442
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.218.245.230:23 -> 192.168.2.23:45226
Source: Traffic	Snort IDS: 716 INFO TELNET access 81.21.249.100:23 -> 192.168.2.23:57786
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.127.75.126:23 -> 192.168.2.23:45824
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.127.75.126:23 -> 192.168.2.23:45824
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 5.134.192.143:23 -> 192.168.2.23:46000
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 5.134.192.143:23 -> 192.168.2.23:46000
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.228.187.182:23 -> 192.168.2.23:59192
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:44526 -> 63.78.213.106:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 109.186.36.253:23 -> 192.168.2.23:35352
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 109.186.36.253:23 -> 192.168.2.23:35352
Source: Traffic	Snort IDS: 716 INFO TELNET access 91.155.104.45:23 -> 192.168.2.23:44134
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 113.174.140.208:23 -> 192.168.2.23:56482
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 113.174.140.208:23 -> 192.168.2.23:56482
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 186.190.238.29:23 -> 192.168.2.23:52270
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 186.190.238.29:23 -> 192.168.2.23:52270
Source: Traffic	Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 87.60.19.234: -> 192.168.2.23:
Source: Traffic	Snort IDS: 2023433 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) 192.168.2.23:37136 -> 190.60.19.213:23
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 103.192.76.26:23 -> 192.168.2.23:52556
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.228.187.182:23 -> 192.168.2.23:59192
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.136.141.5:23 -> 192.168.2.23:49242
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.228.187.182:23 -> 192.168.2.23:59276
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 186.190.238.29:23 -> 192.168.2.23:52328
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 186.190.238.29:23 -> 192.168.2.23:52328
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 120.210.132.132:23 -> 192.168.2.23:40072
Source: Traffic	Snort IDS: 716 INFO TELNET access 59.124.8.47:23 -> 192.168.2.23:56656
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.228.187.182:23 -> 192.168.2.23:59276
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 109.186.36.253:23 -> 192.168.2.23:35484
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 109.186.36.253:23 -> 192.168.2.23:35484
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.127.75.126:23 -> 192.168.2.23:45998
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.127.75.126:23 -> 192.168.2.23:45998
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.136.141.5:23 -> 192.168.2.23:49386
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 186.190.238.29:23 -> 192.168.2.23:52422
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 186.190.238.29:23 -> 192.168.2.23:52422
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 188.119.49.10:23 -> 192.168.2.23:52888
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 188.119.49.10:23 -> 192.168.2.23:52888
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.228.187.182:23 -> 192.168.2.23:59428

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34110
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34112
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34116
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34118
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34122
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34124
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34126
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34128
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34136
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34140
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58262
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58264
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58270
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58274
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58276
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45940
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58282
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45946
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58286
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45950
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58290
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45954
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58294
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45960
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58300
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45964
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45966
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45976
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45982
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45168
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45170
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45172
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45174
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45184
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45186
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45190
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39914
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45196
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39922
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45208
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39928
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45216
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39936
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39946
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39956
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39962
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39982
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39990
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46936
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46942
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46950
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46952
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46958
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46964
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46978
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46986
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46994

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:33146 -> 128.199.243.41:1312

Sample listens on a socket

Source: /tmp/sora.arm7 (PID: 5242)	Socket: 0.0.0.0::0	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	Socket: 0.0.0.0::0	Jump to behavior
Source: /usr/sbin/sshd (PID: 5274)	Socket: 0.0.0.0::22	Jump to behavior
Source: /usr/sbin/sshd (PID: 5274)	Socket: [::]::22	Jump to behavior

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.243.41
Source: unknown	TCP traffic detected without corresponding DNS query: 222.140.219.5
Source: unknown	TCP traffic detected without corresponding DNS query: 252.214.35.97
Source: unknown	TCP traffic detected without corresponding DNS query: 169.8.20.4
Source: unknown	TCP traffic detected without corresponding DNS query: 155.223.51.109
Source: unknown	TCP traffic detected without corresponding DNS query: 42.131.237.138
Source: unknown	TCP traffic detected without corresponding DNS query: 191.127.186.244
Source: unknown	TCP traffic detected without corresponding DNS query: 122.80.228.224
Source: unknown	TCP traffic detected without corresponding DNS query: 222.33.193.194
Source: unknown	TCP traffic detected without corresponding DNS query: 5.57.145.87
Source: unknown	TCP traffic detected without corresponding DNS query: 157.79.58.251
Source: unknown	TCP traffic detected without corresponding DNS query: 74.143.129.21
Source: unknown	TCP traffic detected without corresponding DNS query: 183.24.19.102
Source: unknown	TCP traffic detected without corresponding DNS query: 14.44.21.76
Source: unknown	TCP traffic detected without corresponding DNS query: 159.149.104.79
Source: unknown	TCP traffic detected without corresponding DNS query: 122.140.92.0
Source: unknown	TCP traffic detected without corresponding DNS query: 62.185.215.67
Source: unknown	TCP traffic detected without corresponding DNS query: 62.41.93.155
Source: unknown	TCP traffic detected without corresponding DNS query: 14.252.253.48
Source: unknown	TCP traffic detected without corresponding DNS query: 154.3.132.22
Source: unknown	TCP traffic detected without corresponding DNS query: 195.90.3.2
Source: unknown	TCP traffic detected without corresponding DNS query: 136.28.48.183
Source: unknown	TCP traffic detected without corresponding DNS query: 251.59.130.41
Source: unknown	TCP traffic detected without corresponding DNS query: 242.94.57.124
Source: unknown	TCP traffic detected without corresponding DNS query: 121.174.8.56
Source: unknown	TCP traffic detected without corresponding DNS query: 37.248.219.83
Source: unknown	TCP traffic detected without corresponding DNS query: 8.117.57.95
Source: unknown	TCP traffic detected without corresponding DNS query: 90.174.206.18
Source: unknown	TCP traffic detected without corresponding DNS query: 74.227.140.102
Source: unknown	TCP traffic detected without corresponding DNS query: 154.129.38.115
Source: unknown	TCP traffic detected without corresponding DNS query: 171.136.251.77
Source: unknown	TCP traffic detected without corresponding DNS query: 157.46.4.171
Source: unknown	TCP traffic detected without corresponding DNS query: 18.62.67.52
Source: unknown	TCP traffic detected without corresponding DNS query: 34.142.97.118
Source: unknown	TCP traffic detected without corresponding DNS query: 38.126.149.110
Source: unknown	TCP traffic detected without corresponding DNS query: 90.180.218.209
Source: unknown	TCP traffic detected without corresponding DNS query: 135.153.100.11
Source: unknown	TCP traffic detected without corresponding DNS query: 27.248.76.68
Source: unknown	TCP traffic detected without corresponding DNS query: 90.243.31.211
Source: unknown	TCP traffic detected without corresponding DNS query: 164.149.118.95
Source: unknown	TCP traffic detected without corresponding DNS query: 75.83.232.229
Source: unknown	TCP traffic detected without corresponding DNS query: 166.19.96.132
Source: unknown	TCP traffic detected without corresponding DNS query: 73.40.54.218
Source: unknown	TCP traffic detected without corresponding DNS query: 42.161.172.203
Source: unknown	TCP traffic detected without corresponding DNS query: 142.161.113.178
Source: unknown	TCP traffic detected without corresponding DNS query: 196.79.170.181
Source: unknown	TCP traffic detected without corresponding DNS query: 27.123.29.201
Source: unknown	TCP traffic detected without corresponding DNS query: 81.249.133.35
Source: unknown	TCP traffic detected without corresponding DNS query: 5.72.70.26
Source: unknown	TCP traffic detected without corresponding DNS query: 69.239.28.185

Source: sora.arm7

String found in binary or memory: http://upx.sf.net

System Summary:

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x8000

Yara signature match

Source: sora.arm7, type: SAMPLE

Sample tries to kill a process (SIGKILL)

Source: /tmp/sora.arm7 (PID: 5242)

SIGKILL sent: pid: 936, result: successful

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.linARM7@0/2@0/0

Source: sora.arm7

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Data Obfuscation:

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system

Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/491/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/793/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/772/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/796/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/774/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/797/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/777/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/799/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/658/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/912/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/759/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/936/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/918/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/1/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/761/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/785/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/884/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/720/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/721/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/788/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/789/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/800/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/801/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/847/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5242)	File opened: /proc/904/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5261/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5262/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5263/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5264/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5265/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5266/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5267/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5268/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2033/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1582/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2275/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5260/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1612/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1579/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1699/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1335/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1698/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2028/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1334/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1576/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2302/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/3236/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2025/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2146/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/912/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/759/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2307/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/918/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5272/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5273/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1594/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2285/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2281/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5270/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5271/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1349/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1623/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/761/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1622/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/884/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1983/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2038/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1586/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1465/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1344/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1860/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1463/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2156/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/800/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5269/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/801/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1629/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1627/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1900/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/491/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2294/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2050/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/5040/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1877/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/772/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1633/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1599/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1632/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1477/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/774/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1476/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1872/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2048/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1475/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2289/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/777/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/658/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1639/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1638/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2208/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/2180/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1809/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1494/fd	Jump to behavior
Source: /tmp/sora.arm7 (PID: 5248)	File opened: /proc/1890/fd	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34110
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34112
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34116
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34118
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34122
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34124
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34126
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34128
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34136
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34140
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58262
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58264
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58270
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58274
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58276
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45940
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58282
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45946
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58286
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45950
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58290
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45954
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58294
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45960
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58300
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45964
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45966
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45976
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45982
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45168
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45170
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45172
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45174
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45184
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45186
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45190
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39914
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45196
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39922
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45208
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39928
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45216
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39936
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39946
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39956
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39962
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39982
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39990
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46936
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46942
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46950
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46952
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46958
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46964
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46978
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46986
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46994

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/sora.arm7 (PID: 5240)

Queries kernel information via 'uname':

Jump to behavior

Source: sora.arm7, 5240.1.00000000ec5b085b.0000000030322648.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: sora.arm7, 5240.1.00000000ec5b085b.0000000030322648.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: sora.arm7, 5240.1.0000000057ff4a10.0000000007cc84c3.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: sora.arm7, 5240.1.0000000057ff4a10.0000000007cc84c3.rw-.sdmp	Binary or memory string: Vx86_64/usr/bin/qemu-arm/tmp/sora.arm7SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sora.arm7

Stealing of Sensitive Information:

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

ID:	518886
Product:	CloudBasic
Start time:	03:52:22
Start date:	10.11.2021
Sample:	sora.arm7
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	c0530dfd3766a324673f37c1644de5bc
SHA1:	a45fb3c938ed307ed0f4a550bc17e460a0e5b661
SHA256:	8a6e72fa60a5be3c99b64bdbbf23839949e051dfaf9b975c040fa00c8edde1c6
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256
/proc/5274/oom_score_adj	ASCII text	CBF282CC55ED0792C33D10003D1F760A	007DD8BD75468E6B7ABA4285E9B267202C7EAEED	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
/run/sshd.pid	ASCII text	399A14B7B28E9470E1BE6F272272890A	5B82D7F69C166B978FBFC8009876BE4797BAAC8D	7C92CC37DF60EBCCC15A4175839687DD0EC20BD8FA9A730DD1C193473D3A5860

Linux Analysis Report sora.arm7

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Network Map

Contacted Public IPs