Linux Analysis Report sora.mpsl

Overview

General Information

Sample Name: sora.mpsl
Analysis ID: 519593
MD5: 42ac0f5f0fd0d4e42fb7254730e94632
SHA1: 12369aa6f5ffd2e251a1e8924eee602b0ef7b2df
SHA256: 2dfc8c4568d6a3392fcd4d1837e17d3b4c6a412c8b98bdd91ce91a58250afbca
Tags: Mirai

Detection

Mirai
Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample tries to kill many processes (SIGKILL)
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: sora.mpsl Virustotal: Detection: 38%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42040
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42098
Source: Traffic Snort IDS: 716 INFO TELNET access 180.65.13.186:23 -> 192.168.2.23:37412
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42134
Source: Traffic Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50178
Source: Traffic Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 93.167.73.106: -> 192.168.2.23:
Source: Traffic Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50186
Source: Traffic Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:44984
Source: Traffic Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50210
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42174
Source: Traffic Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:44984
Source: Traffic Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50236
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:36980 -> 220.93.151.186:23
Source: Traffic Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45038
Source: Traffic Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50252
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:50252 -> 132.255.123.219:23
Source: Traffic Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50270
Source: Traffic Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45038
Source: Traffic Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50286
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42244
Source: Traffic Snort IDS: 716 INFO TELNET access 180.65.13.186:23 -> 192.168.2.23:37550
Source: Traffic Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45094
Source: Traffic Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50300
Source: Traffic Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45094
Source: Traffic Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50316
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 194.186.52.137:23 -> 192.168.2.23:60396
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42286
Source: Traffic Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50336
Source: Traffic Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45128
Source: Traffic Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45128
Source: Traffic Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45200
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42372
Source: Traffic Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45200
Source: Traffic Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45236
Source: Traffic Snort IDS: 716 INFO TELNET access 118.69.185.59:23 -> 192.168.2.23:59230
Source: Traffic Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45236
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42406
Source: Traffic Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45248
Source: Traffic Snort IDS: 716 INFO TELNET access 180.65.13.186:23 -> 192.168.2.23:37724
Source: Traffic Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45248
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 194.186.52.137:23 -> 192.168.2.23:60618
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42498
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 223.70.241.130:23 -> 192.168.2.23:59070
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 223.70.241.130:23 -> 192.168.2.23:59070
Source: Traffic Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45348
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 194.186.52.137:23 -> 192.168.2.23:60634
Source: Traffic Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45348
Source: Traffic Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45378
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42554
Source: Traffic Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45378
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 223.70.241.130:23 -> 192.168.2.23:59138
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 223.70.241.130:23 -> 192.168.2.23:59138
Source: Traffic Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45420
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 223.70.241.130:23 -> 192.168.2.23:59164
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 223.70.241.130:23 -> 192.168.2.23:59164
Source: Traffic Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45420
Source: Traffic Snort IDS: 716 INFO TELNET access 58.185.117.97:23 -> 192.168.2.23:34506
Source: Traffic Snort IDS: 716 INFO TELNET access 178.45.122.237:23 -> 192.168.2.23:58346
Source: Traffic Snort IDS: 716 INFO TELNET access 180.65.13.186:23 -> 192.168.2.23:37914
Source: Traffic Snort IDS: 492 INFO TELNET login failed 58.185.117.97:23 -> 192.168.2.23:34506
Source: Traffic Snort IDS: 716 INFO TELNET access 178.45.122.237:23 -> 192.168.2.23:58352
Source: Traffic Snort IDS: 716 INFO TELNET access 218.23.111.163:23 -> 192.168.2.23:35742
Source: Traffic Snort IDS: 716 INFO TELNET access 218.23.111.163:23 -> 192.168.2.23:35744
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:35744 -> 218.23.111.163:23
Source: Traffic Snort IDS: 716 INFO TELNET access 58.185.117.97:23 -> 192.168.2.23:34528
Source: Traffic Snort IDS: 716 INFO TELNET access 218.23.111.163:23 -> 192.168.2.23:35750
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 223.70.241.130:23 -> 192.168.2.23:59216
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 223.70.241.130:23 -> 192.168.2.23:59216
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 194.186.52.137:23 -> 192.168.2.23:60752
Source: Traffic Snort IDS: 716 INFO TELNET access 218.23.111.163:23 -> 192.168.2.23:35752
Source: Traffic Snort IDS: 716 INFO TELNET access 178.45.122.237:23 -> 192.168.2.23:58362
Source: Traffic Snort IDS: 716 INFO TELNET access 218.23.111.163:23 -> 192.168.2.23:35760
Source: Traffic Snort IDS: 716 INFO TELNET access 218.23.111.163:23 -> 192.168.2.23:35774
Source: Traffic Snort IDS: 492 INFO TELNET login failed 58.185.117.97:23 -> 192.168.2.23:34528
Source: Traffic Snort IDS: 716 INFO TELNET access 178.45.122.237:23 -> 192.168.2.23:58392
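The Snort list above has only a few shapes. The inbound "TELNET access", "login failed", "Bad Login" and "login incorrect" lines (source port 23, destination an ephemeral port on 192.168.2.23) are the replies of telnet servers that the sample's scanner reached, and the three outbound ET TROJAN 2023448 hits are the sample itself sending the Mirai "ubnt" credential pair. The Python below is an added example for this page, not part of the Joe Sandbox report: it parses lines in the report's own format, separates the two directions relative to the sandbox address, tallies SIDs, and pairs each alert with its telnet session using the peer address plus the sandbox's ephemeral port, which identifies one connection no matter which side Snort attributed the alert to. The nine embedded alerts are copied from the list above; the sandbox address 192.168.2.23 is taken from the report.

```python
import re
from collections import Counter, defaultdict

SANDBOX_IP = "192.168.2.23"  # the analysis VM's address, as it appears in the report

# Nine Snort lines copied from the report (a constructed subset for this example).
SAMPLE_ALERTS = """\
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42040
Source: Traffic Snort IDS: 716 INFO TELNET access 180.65.13.186:23 -> 192.168.2.23:37412
Source: Traffic Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 93.167.73.106: -> 192.168.2.23:
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:36980 -> 220.93.151.186:23
Source: Traffic Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50252
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:50252 -> 132.255.123.219:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 194.186.52.137:23 -> 192.168.2.23:60396
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 223.70.241.130:23 -> 192.168.2.23:59070
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:35744 -> 218.23.111.163:23
"""

# "<sid> <message> <src>:<sport> -> <dst>:<dport>"; the ICMP alert carries empty ports.
ALERT_RE = re.compile(
    r"Snort IDS: (?P<sid>\d+) (?P<msg>.+?) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d*) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d*)$"
)

# SIDs meaning the remote telnet service rejected the credentials just sent.
REJECT_SIDS = {492, 718, 1251}
MIRAI_LOGIN_SID = 2023448


def parse_alerts(text):
    """Parse report-style Snort lines into dicts; direction is relative to the sandbox VM."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["sid"] = int(a["sid"])
        a["sport"] = int(a["sport"]) if a["sport"] else None
        a["dport"] = int(a["dport"]) if a["dport"] else None
        a["outbound"] = a["src"] == SANDBOX_IP
        alerts.append(a)
    return alerts


def summarize(alerts):
    """Tally SIDs and extract the two facts worth reporting: which hosts the bot tried to
    log in to, and which telnet servers answered its scanner."""
    by_sid = Counter(a["sid"] for a in alerts)
    return {
        "by_sid": dict(by_sid),
        "outbound": sum(1 for a in alerts if a["outbound"]),
        "inbound": sum(1 for a in alerts if not a["outbound"]),
        "mirai_targets": sorted({a["dst"] for a in alerts
                                 if a["sid"] == MIRAI_LOGIN_SID and a["outbound"]}),
        "telnet_servers": sorted({a["src"] for a in alerts
                                  if not a["outbound"] and a["sport"] == 23}),
        "rejected_logins": sum(by_sid[s] for s in REJECT_SIDS),
    }


def correlate_sessions(alerts):
    """Group alerts by telnet session, keyed by (peer address, sandbox ephemeral port)."""
    sessions = defaultdict(list)
    for a in alerts:
        if a["sport"] is None:  # ICMP: no TCP session to attach to
            continue
        peer, port = (a["dst"], a["sport"]) if a["outbound"] else (a["src"], a["dport"])
        sessions[(peer, port)].append(a["sid"])
    return dict(sessions)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for key, value in summarize(parsed).items():
        print(f"{key}: {value}")
    for (peer, port), sids in correlate_sessions(parsed).items():
        print(f"session {peer} <-> sandbox:{port}: SIDs {sids}")
```

Run against the full list the session view is the useful output: for 132.255.123.219 on sandbox port 50252 it yields [716, 2023448], i.e. the server's login prompt followed by the bot's ubnt attempt on the same connection, which is the sequence to look for when separating a Mirai scanner from an ordinary telnet client.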
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57698
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57700
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57704
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57706
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57708
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57710
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57712
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57714
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57716
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57718
Note: port 23 is telnet, the same port the Snort TELNET alerts above attribute to the sample's scanner. The "HTTP" label comes from the sandbox's protocol heuristic, not from the port, and is not evidence of a web service on port 23.
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Note: these three flows are attributed to "global traffic", not to the sample's PIDs, and 91.189.91.0/24 is Canonical (Ubuntu) address space. Together with the Ubuntu-style host environment visible in the memory strings further down, they are more plausibly the analysis VM's own background traffic than an expired dropper, and should not be used as payload-host indicators without process attribution.
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:44384 -> 86.126.191.187:1312
Note: this is the only outbound connection in the report that goes neither to port 23 (the telnet scanner) nor to the 80/443 flows listed above, and 86.126.191.187 is also the first entry in the no-DNS list below. A hardcoded IP on a high port is how a Mirai bot reaches its controller, so 86.126.191.187:1312 is the C2 candidate to pivot on.
Sample listens on a socket
Source: /tmp/sora.mpsl (PID: 5242) Socket: 0.0.0.0::22
Source: /tmp/sora.mpsl (PID: 5242) Socket: 0.0.0.0::23
Source: /tmp/sora.mpsl (PID: 5242) Socket: 0.0.0.0::53413
Source: /tmp/sora.mpsl (PID: 5242) Socket: 0.0.0.0::80
Source: /tmp/sora.mpsl (PID: 5242) Socket: 0.0.0.0::52869
Source: /tmp/sora.mpsl (PID: 5242) Socket: 0.0.0.0::37215
Source: /tmp/sora.mpsl (PID: 5248) Socket: 0.0.0.0::0
Source: /tmp/sora.mpsl (PID: 5248) Socket: 0.0.0.0::23
Source: /tmp/sora.mpsl (PID: 5248) Socket: 0.0.0.0::53413
Source: /tmp/sora.mpsl (PID: 5248) Socket: 0.0.0.0::80
Source: /tmp/sora.mpsl (PID: 5248) Socket: 0.0.0.0::52869
Source: /tmp/sora.mpsl (PID: 5248) Socket: 0.0.0.0::37215
Source: /usr/sbin/sshd (PID: 5280) Socket: [::]::22
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 86.126.191.187
Source: unknown TCP traffic detected without corresponding DNS query: 249.160.168.231
Source: unknown TCP traffic detected without corresponding DNS query: 18.180.160.250
Source: unknown TCP traffic detected without corresponding DNS query: 12.64.171.231
Source: unknown TCP traffic detected without corresponding DNS query: 92.121.112.28
Source: unknown TCP traffic detected without corresponding DNS query: 206.117.57.130
Source: unknown TCP traffic detected without corresponding DNS query: 93.243.190.76
Source: unknown TCP traffic detected without corresponding DNS query: 121.108.199.90
Source: unknown TCP traffic detected without corresponding DNS query: 60.27.82.21
Source: unknown TCP traffic detected without corresponding DNS query: 111.7.75.134
Source: unknown TCP traffic detected without corresponding DNS query: 191.84.217.12
Source: unknown TCP traffic detected without corresponding DNS query: 209.45.98.211
Source: unknown TCP traffic detected without corresponding DNS query: 177.209.199.153
Source: unknown TCP traffic detected without corresponding DNS query: 195.27.80.46
Source: unknown TCP traffic detected without corresponding DNS query: 58.251.203.2
Source: unknown TCP traffic detected without corresponding DNS query: 194.158.79.55
Source: unknown TCP traffic detected without corresponding DNS query: 12.160.167.36
Source: unknown TCP traffic detected without corresponding DNS query: 173.60.182.205
Source: unknown TCP traffic detected without corresponding DNS query: 203.174.44.72
Source: unknown TCP traffic detected without corresponding DNS query: 135.1.203.103
Source: unknown TCP traffic detected without corresponding DNS query: 107.81.61.103
Source: unknown TCP traffic detected without corresponding DNS query: 126.38.223.216
Source: unknown TCP traffic detected without corresponding DNS query: 184.151.29.130
Source: unknown TCP traffic detected without corresponding DNS query: 159.240.172.93
Source: unknown TCP traffic detected without corresponding DNS query: 180.124.26.148
Source: unknown TCP traffic detected without corresponding DNS query: 253.4.69.28
Source: unknown TCP traffic detected without corresponding DNS query: 80.162.236.135
Source: unknown TCP traffic detected without corresponding DNS query: 133.222.243.226
Source: unknown TCP traffic detected without corresponding DNS query: 83.154.22.100
Source: unknown TCP traffic detected without corresponding DNS query: 96.98.126.158
Source: unknown TCP traffic detected without corresponding DNS query: 119.75.189.195
Source: unknown TCP traffic detected without corresponding DNS query: 67.150.155.192
Source: unknown TCP traffic detected without corresponding DNS query: 38.13.5.54
Source: unknown TCP traffic detected without corresponding DNS query: 94.247.109.232
Source: unknown TCP traffic detected without corresponding DNS query: 44.222.35.58
Source: unknown TCP traffic detected without corresponding DNS query: 154.243.149.241
Source: unknown TCP traffic detected without corresponding DNS query: 24.164.133.34
Source: unknown TCP traffic detected without corresponding DNS query: 40.193.239.103
Source: unknown TCP traffic detected without corresponding DNS query: 112.92.22.39
Source: unknown TCP traffic detected without corresponding DNS query: 109.145.140.9
Source: unknown TCP traffic detected without corresponding DNS query: 119.168.43.139
Source: unknown TCP traffic detected without corresponding DNS query: 178.156.230.210
Source: unknown TCP traffic detected without corresponding DNS query: 35.219.64.128
Source: unknown TCP traffic detected without corresponding DNS query: 183.232.45.174
Source: unknown TCP traffic detected without corresponding DNS query: 78.58.74.90
Source: unknown TCP traffic detected without corresponding DNS query: 206.162.185.205
Source: unknown TCP traffic detected without corresponding DNS query: 243.255.16.38
Source: unknown TCP traffic detected without corresponding DNS query: 13.144.6.193
Source: unknown TCP traffic detected without corresponding DNS query: 122.80.127.200
Source: unknown TCP traffic detected without corresponding DNS query: 195.139.152.201
Note: none of the destinations in this list was preceded by a DNS query because the sample's scanner targets random public IPv4 addresses rather than hostnames. Three of them (249.160.168.231, 253.4.69.28, 243.255.16.38) lie in the reserved 240.0.0.0/4 block, so this build's random-address generator does not exclude that range.
Source: sora.mpsl String found in binary or memory: http://upx.sf.net

System Summary:

Sample tries to kill many processes (SIGKILL)
Source: /tmp/sora.mpsl (PID: 5242) SIGKILL sent: pid: 936, result: successful
Source: /tmp/sora.mpsl (PID: 5248) SIGKILL sent: pid: 5242, result: successful
Source: /tmp/sora.mpsl (PID: 5248) SIGKILL sent: pid: 720, result: successful
Source: /tmp/sora.mpsl (PID: 5248) SIGKILL sent: pid: 759, result: successful
Source: /tmp/sora.mpsl (PID: 5248) SIGKILL sent: pid: 788, result: successful
Source: /tmp/sora.mpsl (PID: 5248) SIGKILL sent: pid: 800, result: successful
Source: /tmp/sora.mpsl (PID: 5248) SIGKILL sent: pid: 847, result: successful
Source: /tmp/sora.mpsl (PID: 5248) SIGKILL sent: pid: 884, result: successful
Source: /tmp/sora.mpsl (PID: 5248) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/sora.mpsl (PID: 5248) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/sora.mpsl (PID: 5248) SIGKILL sent: pid: 1860, result: successful
Source: /tmp/sora.mpsl (PID: 5248) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/sora.mpsl (PID: 5248) SIGKILL sent: pid: 2096, result: successful
Source: /tmp/sora.mpsl (PID: 5248) SIGKILL sent: pid: 2097, result: successful
Source: /tmp/sora.mpsl (PID: 5248) SIGKILL sent: pid: 2102, result: successful
Source: /tmp/sora.mpsl (PID: 5248) SIGKILL sent: pid: 2180, result: successful
Source: /tmp/sora.mpsl (PID: 5248) SIGKILL sent: pid: 2191, result: successful
Source: /tmp/sora.mpsl (PID: 5248) SIGKILL sent: pid: 2208, result: successful
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x100000
Sample tries to kill a process (SIGKILL)
Source: /tmp/sora.mpsl (PID: 5242, 5248) SIGKILL evidence: identical to the eighteen entries listed under "Sample tries to kill many processes (SIGKILL)" above
Source: classification engine Classification label: mal76.spre.troj.evad.linMPSL@0/2@0/0
Source: sora.mpsl Joe Sandbox Cloud Basic: Detection: clean Score: 0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
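The System Summary's "only a LOAD segment without any section mappings" and the UPX strings above describe one artifact: UPX discards the section header table and leaves only program headers, so section-walking tools (readelf -S, objdump -d) show nothing, while the classification label linMPSL and the .mpsl file suffix both say MIPS little-endian. The Python below is an added example for this page, not code from the report, that checks exactly those properties from the Elf32_Ehdr and Elf32_Phdr fields and scans for the UPX marker strings. Since no sample binary ships with the page, it first constructs a stand-in (ELF32, EM_MIPS, little-endian, one PT_LOAD at 0x100000, e_shoff and e_shnum zero, the two $Info/$Id strings from the report embedded in the body) and then triages it; the stand-in deliberately carries no "UPX!" magic, which is the field many Mirai builds overwrite.

```python
import struct

EM_NAMES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 42: "SuperH", 62: "x86-64", 183: "AArch64"}
PT_LOAD = 1
# The $Info string survives in the packed body; "UPX!" is the l_magic field that
# many Mirai builds overwrite so that a stock `upx -d` refuses to unpack them.
UPX_MARKERS = (b"$Info: This file is packed with the UPX executable packer", b"UPX!")

EHDR32 = "16sHHIIIIIHHHHHH"   # Elf32_Ehdr, 52 bytes
PHDR32 = "8I"                 # Elf32_Phdr, 32 bytes


def build_sample_elf():
    """Constructed stand-in for sora.mpsl (not the real sample): ELF32, EM_MIPS, little-endian,
    one PT_LOAD mapped at 0x100000, no section headers, UPX strings in the body."""
    body = (b"\x00" * 16
            + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\x00"
            + b"$Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $\x00"
            + b"\x00" * 32)
    ehsize, phsize = struct.calcsize("<" + EHDR32), struct.calcsize("<" + PHDR32)
    filesz = ehsize + phsize + len(body)
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack("<" + EHDR32, e_ident,
                       2, 8, 1,                       # ET_EXEC, EM_MIPS, EV_CURRENT
                       0x100000 + ehsize + phsize,    # e_entry just past the headers
                       ehsize, 0, 0,                  # e_phoff, e_shoff = 0, e_flags
                       ehsize, phsize, 1,             # e_ehsize, e_phentsize, e_phnum
                       40, 0, 0)                      # e_shentsize, e_shnum = 0, e_shstrndx
    phdr = struct.pack("<" + PHDR32, PT_LOAD, 0, 0x100000, 0x100000, filesz, filesz, 5, 0x10000)
    return ehdr + phdr + body


def triage_elf(blob):
    """Read the facts the report's signatures rest on straight from the ELF headers."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class != 1:
        raise ValueError("this example handles ELF32 only (Mirai IoT builds are 32-bit)")
    end = "<" if ei_data == 1 else ">"
    (_, e_type, e_machine, _, e_entry, e_phoff, e_shoff, _, _,
     e_phentsize, e_phnum, _, e_shnum, _) = struct.unpack_from(end + EHDR32, blob, 0)
    loads = []
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz, p_memsz, p_flags, _ = struct.unpack_from(
            end + PHDR32, blob, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append({"vaddr": p_vaddr, "offset": p_offset, "filesz": p_filesz,
                          "memsz": p_memsz, "flags": p_flags})
    return {
        "machine": EM_NAMES.get(e_machine, hex(e_machine)),
        "endian": "little" if ei_data == 1 else "big",
        "type": e_type,
        "entry": e_entry,
        "load_segments": loads,
        "has_section_headers": e_shoff != 0 and e_shnum != 0,
        "upx_markers": [m.decode() for m in UPX_MARKERS if m in blob],
    }


def packed_and_stripped(info):
    """The combination the report flags: UPX strings present, section table absent."""
    return bool(info["upx_markers"]) and not info["has_section_headers"]


if __name__ == "__main__":
    info = triage_elf(build_sample_elf())
    for key, value in info.items():
        print(f"{key}: {value}")
    print("packed+stripped:", packed_and_stripped(info))
```

On a real sample this is the check to run before `upx -d`: when the $Info string is present but "UPX!" is not among the markers, the packer header has been tampered with and a stock UPX will report a corrupt file, so unpacking means either repairing the magic or dumping the process image from an emulator instead.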

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system
Source: /tmp/sora.mpsl (PID: 5242) File opened: /proc/<pid>/fd for pid in 491, 793, 772, 796, 774, 797, 777, 799, 658, 912, 759, 936, 918, 1, 761, 785, 884, 720, 721, 788, 789, 800, 801, 847, 904
Source: /tmp/sora.mpsl (PID: 5248) File opened: /proc/<pid>/fd for pid in 5264, 5265, 5266, 5267, 5268, 5272, 5273, 5274, 5275, 5276, 5277, 5278, 5270, 5271
Source: /tmp/sora.mpsl (PID: 5248) File opened: /proc/<pid>/fd (twice each) and /proc/<pid>/exe for pid in 2033, 1582, 1612, 1579, 1699, 1335, 1698, 2028, 1334, 1576, 2025, 2146, 912, 759, 918, 1594, 1349
Source: /tmp/sora.mpsl (PID: 5248) File opened: /proc/<pid>/fd (twice each, no exe) for pid in 2275, 2302, 3236, 2307, 2285, 2281, 1
Source: /tmp/sora.mpsl (PID: 5248) File opened: /proc/<pid>/exe only for pid in 910, 517
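The socket list under Networking (0.0.0.0 on 22, 23, 80, 53413, 52869 and 37215) and the /proc/<pid>/fd and /proc/<pid>/exe opens above are two halves of the same Mirai routine: the bot binds the ports that rival bots and exploit modules would use, and walks /proc to find and SIGKILL whichever process already holds them. The same walk is what a responder runs on a suspect device to answer "what is bound to those ports and which PID owns the socket". The Python below is an added example for this page, not code from the report or from the malware: it parses the /proc/net/tcp text format (hex address:port in host byte order, state 0A for LISTEN, socket inode in the tenth column), filters LISTEN entries against the report's port set, and resolves inodes to PIDs with readlink over /proc/<pid>/fd. The embedded /proc/net/tcp excerpt is constructed for the example; the port set and the 192.168.2.23 -> 91.189.91.43:443 flow come from the report.

```python
import os
import socket
import struct

# Ports the sample bound on 0.0.0.0 according to the "Sample listens on a socket" evidence.
REPORT_BOUND_PORTS = {22, 23, 80, 53413, 52869, 37215}
TCP_LISTEN = "0A"   # value of the st column for a listening socket

# Constructed /proc/net/tcp excerpt (not from the report): listeners on 23 and 37215, a benign
# localhost listener on 631, and an established flow mirroring the report's 91.189.91.43:443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18231 1 0000000000000000 100 0 0 10 0
   1: 00000000:915F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18232 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14410 1 0000000000000000 100 0 0 10 0
   3: 1702A8C0:A754 2B5BBD5B:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 18240 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr):
    """'1702A8C0:A754' -> ('192.168.2.23', 42836). The kernel prints the IPv4 address as a
    32-bit integer in host byte order, so native packing ('=I') restores the wire bytes."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    entries = []
    for line in text.splitlines()[1:]:        # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        entries.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": fields[3],
            "inode": int(fields[9]),
        })
    return entries


def listeners(entries):
    """{port: socket inode} for every LISTEN entry."""
    return {e["local"][1]: e["inode"] for e in entries if e["state"] == TCP_LISTEN}


def suspicious_listeners(text):
    """Ports from the report's set that something on this host has bound."""
    return sorted(p for p in listeners(parse_proc_net_tcp(text)) if p in REPORT_BOUND_PORTS)


def socket_owners(inodes, proc_root="/proc"):
    """Map socket inodes to PIDs by reading the /proc/<pid>/fd/* links: the same walk the
    sample performs (the /proc/<pid>/fd opens above) to find the process holding a port."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:              # process exited, or not ours to read
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in wanted:
                owners[wanted[target]] = int(pid)
    return owners


if __name__ == "__main__":
    text = open("/proc/net/tcp").read() if os.path.exists("/proc/net/tcp") else SAMPLE_PROC_NET_TCP
    bound = listeners(parse_proc_net_tcp(text))
    hits = [p for p in sorted(bound) if p in REPORT_BOUND_PORTS]
    owners = socket_owners({bound[p] for p in hits})
    for p in hits:
        print(f"port {p}: inode {bound[p]} owned by pid {owners.get(bound[p], '?')}")
```

/proc/net/udp has the same column layout if the 53413 listener turns out to be UDP. The address hex is in the kernel's byte order, so parse the file on a host of the same endianness as the device it came from, or swap the bytes first. Once a PID is found, /proc/<pid>/exe is the next thing to read, exactly as the sample does: a surviving bot is typically a short-named binary running from /tmp, as /tmp/sora.mpsl is here.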

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> ten sandbox ports (57698 to 57718); identical to the entries listed under Networking above

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/sora.mpsl (PID: 5240) Queries kernel information via 'uname'
Source: sora.mpsl, 5240.1.000000001907c40d.00000000de767c9a.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: sora.mpsl, 5240.1.00000000d8e57db9.000000003c3a8a7a.rw-.sdmp Binary or memory string: Yx86_64/usr/bin/qemu-mipsel/tmp/sora.mpslSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sora.mpsl
Source: sora.mpsl, 5240.1.000000001907c40d.00000000de767c9a.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: sora.mpsl, 5240.1.00000000d8e57db9.000000003c3a8a7a.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel
Note: the qemu-mipsel and /etc/qemu-binfmt/mipsel strings, and the environment block around them (SUDO_USER, DISPLAY, x86_64), belong to the sandbox, not to the sample: the MIPS binary was run on an x86-64 host through user-mode QEMU registered via binfmt_misc, and these dumps are the emulator's memory. The uname result the sample sees is whatever QEMU synthesizes from the host kernel, so the "possible evasion" label should be read as a generic note rather than evidence of a targeted anti-sandbox check.

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP