Play interactive tour

Edit tour

Linux Analysis Report sora.mpsl

Overview

General Information

Sample Name:	sora.mpsl
Analysis ID:	519593
MD5:	42ac0f5f0fd0d4e42fb7254730e94632
SHA1:	12369aa6f5ffd2e251a1e8924eee602b0ef7b2df
SHA256:	2dfc8c4568d6a3392fcd4d1837e17d3b4c6a412c8b98bdd91ce91a58250afbca
Tags:	Mirai
Infos:
Most interesting Screenshot:

Detection

Mirai

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Uses known network protocols on non-standard ports

Sample tries to kill many processes (SIGKILL)

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	519593
Start date:	10.11.2021
Start time:	22:57:03
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 29s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	sora.mpsl
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal76.spre.troj.evad.linMPSL@0/2@0/0
Warnings:	Show All Report size exceeded maximum capacity and may have missing network information. TCP Packets have been reduced to 100

Process Tree

system is lnxubuntu20

sora.mpsl (PID: 5240, Parent: 5118, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/sora.mpsl

sora.mpsl New Fork (PID: 5242, Parent: 5240)

sora.mpsl New Fork (PID: 5243, Parent: 5240)

sora.mpsl New Fork (PID: 5244, Parent: 5240)

sora.mpsl New Fork (PID: 5248, Parent: 5244)

sora.mpsl New Fork (PID: 5249, Parent: 5244)

sora.mpsl New Fork (PID: 5251, Parent: 5244)

systemd New Fork (PID: 5279, Parent: 1)

sshd (PID: 5279, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t

systemd New Fork (PID: 5280, Parent: 1)

sshd (PID: 5280, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D

cleanup

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: sora.mpsl

Virustotal: Detection: 38%

Perma Link

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42040
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42098
Source: Traffic	Snort IDS: 716 INFO TELNET access 180.65.13.186:23 -> 192.168.2.23:37412
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42134
Source: Traffic	Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50178
Source: Traffic	Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 93.167.73.106: -> 192.168.2.23:
Source: Traffic	Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50186
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:44984
Source: Traffic	Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50210
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42174
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:44984
Source: Traffic	Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50236
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:36980 -> 220.93.151.186:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45038
Source: Traffic	Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50252
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:50252 -> 132.255.123.219:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50270
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45038
Source: Traffic	Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50286
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42244
Source: Traffic	Snort IDS: 716 INFO TELNET access 180.65.13.186:23 -> 192.168.2.23:37550
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45094
Source: Traffic	Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50300
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45094
Source: Traffic	Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50316
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 194.186.52.137:23 -> 192.168.2.23:60396
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42286
Source: Traffic	Snort IDS: 716 INFO TELNET access 132.255.123.219:23 -> 192.168.2.23:50336
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45128
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45128
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45200
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42372
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45200
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45236
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.69.185.59:23 -> 192.168.2.23:59230
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45236
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42406
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45248
Source: Traffic	Snort IDS: 716 INFO TELNET access 180.65.13.186:23 -> 192.168.2.23:37724
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45248
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 194.186.52.137:23 -> 192.168.2.23:60618
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42498
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 223.70.241.130:23 -> 192.168.2.23:59070
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 223.70.241.130:23 -> 192.168.2.23:59070
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45348
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 194.186.52.137:23 -> 192.168.2.23:60634
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45348
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45378
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.175.221.90:23 -> 192.168.2.23:42554
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45378
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 223.70.241.130:23 -> 192.168.2.23:59138
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 223.70.241.130:23 -> 192.168.2.23:59138
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.201.143.166:23 -> 192.168.2.23:45420
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 223.70.241.130:23 -> 192.168.2.23:59164
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 223.70.241.130:23 -> 192.168.2.23:59164
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.201.143.166:23 -> 192.168.2.23:45420
Source: Traffic	Snort IDS: 716 INFO TELNET access 58.185.117.97:23 -> 192.168.2.23:34506
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.45.122.237:23 -> 192.168.2.23:58346
Source: Traffic	Snort IDS: 716 INFO TELNET access 180.65.13.186:23 -> 192.168.2.23:37914
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 58.185.117.97:23 -> 192.168.2.23:34506
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.45.122.237:23 -> 192.168.2.23:58352
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.23.111.163:23 -> 192.168.2.23:35742
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.23.111.163:23 -> 192.168.2.23:35744
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:35744 -> 218.23.111.163:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 58.185.117.97:23 -> 192.168.2.23:34528
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.23.111.163:23 -> 192.168.2.23:35750
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 223.70.241.130:23 -> 192.168.2.23:59216
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 223.70.241.130:23 -> 192.168.2.23:59216
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 194.186.52.137:23 -> 192.168.2.23:60752
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.23.111.163:23 -> 192.168.2.23:35752
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.45.122.237:23 -> 192.168.2.23:58362
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.23.111.163:23 -> 192.168.2.23:35760
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.23.111.163:23 -> 192.168.2.23:35774
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 58.185.117.97:23 -> 192.168.2.23:34528
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.45.122.237:23 -> 192.168.2.23:58392

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57698
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57700
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57704
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57706
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57708
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57710
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57712
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57714
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57716
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57718

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:44384 -> 86.126.191.187:1312

Source: /tmp/sora.mpsl (PID: 5242)	Socket: 0.0.0.0::22
Source: /tmp/sora.mpsl (PID: 5242)	Socket: 0.0.0.0::23
Source: /tmp/sora.mpsl (PID: 5242)	Socket: 0.0.0.0::53413
Source: /tmp/sora.mpsl (PID: 5242)	Socket: 0.0.0.0::80
Source: /tmp/sora.mpsl (PID: 5242)	Socket: 0.0.0.0::52869
Source: /tmp/sora.mpsl (PID: 5242)	Socket: 0.0.0.0::37215
Source: /tmp/sora.mpsl (PID: 5248)	Socket: 0.0.0.0::0
Source: /tmp/sora.mpsl (PID: 5248)	Socket: 0.0.0.0::23
Source: /tmp/sora.mpsl (PID: 5248)	Socket: 0.0.0.0::53413
Source: /tmp/sora.mpsl (PID: 5248)	Socket: 0.0.0.0::80
Source: /tmp/sora.mpsl (PID: 5248)	Socket: 0.0.0.0::52869
Source: /tmp/sora.mpsl (PID: 5248)	Socket: 0.0.0.0::37215
Source: /usr/sbin/sshd (PID: 5280)	Socket: [::]::22

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 86.126.191.187
Source: unknown	TCP traffic detected without corresponding DNS query: 249.160.168.231
Source: unknown	TCP traffic detected without corresponding DNS query: 18.180.160.250
Source: unknown	TCP traffic detected without corresponding DNS query: 12.64.171.231
Source: unknown	TCP traffic detected without corresponding DNS query: 92.121.112.28
Source: unknown	TCP traffic detected without corresponding DNS query: 206.117.57.130
Source: unknown	TCP traffic detected without corresponding DNS query: 93.243.190.76
Source: unknown	TCP traffic detected without corresponding DNS query: 121.108.199.90
Source: unknown	TCP traffic detected without corresponding DNS query: 60.27.82.21
Source: unknown	TCP traffic detected without corresponding DNS query: 111.7.75.134
Source: unknown	TCP traffic detected without corresponding DNS query: 191.84.217.12
Source: unknown	TCP traffic detected without corresponding DNS query: 209.45.98.211
Source: unknown	TCP traffic detected without corresponding DNS query: 177.209.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 195.27.80.46
Source: unknown	TCP traffic detected without corresponding DNS query: 58.251.203.2
Source: unknown	TCP traffic detected without corresponding DNS query: 194.158.79.55
Source: unknown	TCP traffic detected without corresponding DNS query: 12.160.167.36
Source: unknown	TCP traffic detected without corresponding DNS query: 173.60.182.205
Source: unknown	TCP traffic detected without corresponding DNS query: 203.174.44.72
Source: unknown	TCP traffic detected without corresponding DNS query: 135.1.203.103
Source: unknown	TCP traffic detected without corresponding DNS query: 107.81.61.103
Source: unknown	TCP traffic detected without corresponding DNS query: 126.38.223.216
Source: unknown	TCP traffic detected without corresponding DNS query: 184.151.29.130
Source: unknown	TCP traffic detected without corresponding DNS query: 159.240.172.93
Source: unknown	TCP traffic detected without corresponding DNS query: 180.124.26.148
Source: unknown	TCP traffic detected without corresponding DNS query: 253.4.69.28
Source: unknown	TCP traffic detected without corresponding DNS query: 80.162.236.135
Source: unknown	TCP traffic detected without corresponding DNS query: 133.222.243.226
Source: unknown	TCP traffic detected without corresponding DNS query: 83.154.22.100
Source: unknown	TCP traffic detected without corresponding DNS query: 96.98.126.158
Source: unknown	TCP traffic detected without corresponding DNS query: 119.75.189.195
Source: unknown	TCP traffic detected without corresponding DNS query: 67.150.155.192
Source: unknown	TCP traffic detected without corresponding DNS query: 38.13.5.54
Source: unknown	TCP traffic detected without corresponding DNS query: 94.247.109.232
Source: unknown	TCP traffic detected without corresponding DNS query: 44.222.35.58
Source: unknown	TCP traffic detected without corresponding DNS query: 154.243.149.241
Source: unknown	TCP traffic detected without corresponding DNS query: 24.164.133.34
Source: unknown	TCP traffic detected without corresponding DNS query: 40.193.239.103
Source: unknown	TCP traffic detected without corresponding DNS query: 112.92.22.39
Source: unknown	TCP traffic detected without corresponding DNS query: 109.145.140.9
Source: unknown	TCP traffic detected without corresponding DNS query: 119.168.43.139
Source: unknown	TCP traffic detected without corresponding DNS query: 178.156.230.210
Source: unknown	TCP traffic detected without corresponding DNS query: 35.219.64.128
Source: unknown	TCP traffic detected without corresponding DNS query: 183.232.45.174
Source: unknown	TCP traffic detected without corresponding DNS query: 78.58.74.90
Source: unknown	TCP traffic detected without corresponding DNS query: 206.162.185.205
Source: unknown	TCP traffic detected without corresponding DNS query: 243.255.16.38
Source: unknown	TCP traffic detected without corresponding DNS query: 13.144.6.193
Source: unknown	TCP traffic detected without corresponding DNS query: 122.80.127.200
Source: unknown	TCP traffic detected without corresponding DNS query: 195.139.152.201

Source: sora.mpsl

String found in binary or memory: http://upx.sf.net

System Summary:

Sample tries to kill many processes (SIGKILL)

Show sources

Source: /tmp/sora.mpsl (PID: 5242)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 5242, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 788, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 847, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 1860, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 2096, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 2097, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 2102, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 2180, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 2191, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 2208, result: successful

Source: LOAD without section mappings

Program segment: 0x100000

Source: /tmp/sora.mpsl (PID: 5242)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 5242, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 788, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 847, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 1860, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 2096, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 2097, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 2102, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 2180, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 2191, result: successful
Source: /tmp/sora.mpsl (PID: 5248)	SIGKILL sent: pid: 2208, result: successful

Source: classification engine

Classification label: mal76.spre.troj.evad.linMPSL@0/2@0/0

Source: sora.mpsl

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Data Obfuscation:

Sample is packed with UPX

Show sources

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/491/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/793/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/772/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/796/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/774/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/797/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/777/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/799/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/658/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/912/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/759/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/936/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/918/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/1/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/761/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/785/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/884/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/720/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/721/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/788/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/789/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/800/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/801/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/847/fd
Source: /tmp/sora.mpsl (PID: 5242)	File opened: /proc/904/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/5264/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/5265/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/5266/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/5267/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/5268/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2033/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2033/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2033/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1582/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1582/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1582/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2275/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2275/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1612/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1612/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1612/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1579/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1579/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1579/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1699/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1699/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1699/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1335/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1335/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1335/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1698/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1698/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1698/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2028/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2028/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2028/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1334/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1334/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1334/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1576/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1576/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1576/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2302/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2302/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/3236/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/3236/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2025/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2025/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2025/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2146/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2146/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2146/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/910/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/912/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/912/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/912/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/759/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/759/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/759/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/517/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2307/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2307/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/918/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/918/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/918/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/5272/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/5273/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/5274/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/5275/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/5276/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/5277/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/5278/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1594/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1594/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1594/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2285/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2285/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2281/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/2281/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/5270/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/5271/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1349/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1349/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1349/exe
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1/fd
Source: /tmp/sora.mpsl (PID: 5248)	File opened: /proc/1/fd

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57698
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57700
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57704
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57706
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57708
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57710
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57712
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57714
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57716
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57718

Source: /tmp/sora.mpsl (PID: 5240)

Queries kernel information via 'uname':

Source: sora.mpsl, 5240.1.000000001907c40d.00000000de767c9a.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: sora.mpsl, 5240.1.00000000d8e57db9.000000003c3a8a7a.rw-.sdmp	Binary or memory string: Yx86_64/usr/bin/qemu-mipsel/tmp/sora.mpslSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sora.mpsl
Source: sora.mpsl, 5240.1.000000001907c40d.00000000de767c9a.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: sora.mpsl, 5240.1.00000000d8e57db9.000000003c3a8a7a.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Obfuscated Files or Information1	OS Credential Dumping1	Security Software Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sora.mpsl	39%	Virustotal		Browse

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	sora.mpsl	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
148.57.98.39	unknown	United States	10753	LVLT-10753US	false
36.63.232.128	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
178.166.17.66	unknown	Portugal	12353	VODAFONE-PTVodafonePortugalPT	false
94.42.249.28	unknown	Poland	5588	GTSCEGTSCentralEuropeAntelGermanyCZ	false
121.215.93.53	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
240.46.153.198	unknown	Reserved	unknown	unknown	false
202.126.161.125	unknown	Hong Kong	4637	ASN-TELSTRA-GLOBALTelstraGlobalHK	false
111.0.17.150	unknown	China	56041	CMNET-ZHEJIANG-APChinaMobilecommunicationscorporationC	false
108.152.25.20	unknown	United States	16509	AMAZON-02US	false
141.205.80.8	unknown	United States	797	AMERITECH-ASUS	false
98.99.70.119	unknown	United States	62566	STARBUCKSUS	false
156.100.80.142	unknown	United States	393504	XNSTGCA	false
123.231.123.165	unknown	Sri Lanka	18001	DIALOG-ASDialogAxiataPLCLK	false
35.29.173.243	unknown	United States	36375	UMICH-AS-5US	false
108.17.85.21	unknown	United States	701	UUNETUS	false
222.226.56.23	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
94.62.51.199	unknown	Portugal	12353	VODAFONE-PTVodafonePortugalPT	false
148.129.11.201	unknown	United States	7764	CENSUSBUREAUUS	false
60.156.131.216	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
14.172.125.75	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
66.170.46.96	unknown	United States	16698	BRIGHTNETUS	false
121.98.221.38	unknown	New Zealand	9790	VOCUSGROUPNZVocusGroupNZ	false
44.80.188.194	unknown	United States	7377	UCSDUS	false
78.74.7.68	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	false
85.220.9.229	unknown	Iceland	6677	ICENET-AS1IS	false
79.149.221.198	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
116.31.232.129	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
209.92.8.169	unknown	United States	7029	WINDSTREAMUS	false
88.196.160.49	unknown	Estonia	3249	ESTPAKEE	false
165.104.225.187	unknown	United States	26305	ASN-SSMUS	false
204.120.93.14	unknown	United States	1239	SPRINTLINKUS	false
112.93.141.60	unknown	China	17816	CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi	false
94.191.99.99	unknown	China	45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	false
94.63.199.231	unknown	Portugal	12353	VODAFONE-PTVodafonePortugalPT	false
54.103.47.111	unknown	United States	16509	AMAZON-02US	false
160.38.70.93	unknown	United Kingdom	3450	UTKUS	false
68.54.35.217	unknown	United States	7922	COMCAST-7922US	false
202.65.72.220	unknown	Australia	38195	SUPERLOOP-AS-APSuperloopAU	false
1.45.25.239	unknown	China	45083	CHEERYZONEBeijingCheeryZoneScitechCoLtdCN	false
166.64.126.168	unknown	Australia	58681	NSWPOLSERV-AS-APNewSouthWalesPoliceAU	false
12.92.121.112	unknown	United States	7018	ATT-INTERNET4US	false
112.125.161.208	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
39.176.217.227	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
218.119.166.110	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
109.126.60.17	unknown	Russian Federation	42038	VLADLINK-ASRU	false
14.44.138.222	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
104.230.253.69	unknown	United States	10796	TWC-10796-MIDWESTUS	false
177.87.59.184	unknown	Brazil	262648	BRAVATELECOMUNICACOESPONTESELACERDALTDA-EPPBR	false
217.22.110.113	unknown	Spain	15711	IBERDROLABilbaoES	false
47.87.41.39	unknown	United States	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
65.66.253.159	unknown	United States	7018	ATT-INTERNET4US	false
112.96.183.188	unknown	China	17622	CNCGROUP-GZChinaUnicomGuangzhounetworkCN	false
102.136.132.185	unknown	Cote D'ivoire	36974	AFNET-ASCI	false
255.117.137.5	unknown	Reserved	unknown	unknown	false
242.184.151.122	unknown	Reserved	unknown	unknown	false
74.252.191.113	unknown	United States	6389	BELLSOUTH-NET-BLKUS	false
188.95.165.168	unknown	Saudi Arabia	34397	CYBERIA-RUHCyberiaRiyadhAutonomousSystemSA	false
191.237.129.95	unknown	Brazil	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
146.234.19.249	unknown	Germany	43857	FRAPORTDE	false
9.211.168.137	unknown	United States	3356	LEVEL3US	false
66.242.157.205	unknown	United States	13649	ASN-VINSUS	false
252.201.180.233	unknown	Reserved	unknown	unknown	false
146.153.203.105	unknown	United States	197938	TRAVIANGAMESDE	false
149.119.110.167	unknown	United States	11872	SYRACUSE-UNIVERSITYUS	false
85.138.67.230	unknown	Portugal	2860	NOS_COMUNICACOESPT	false
191.80.153.165	unknown	Argentina	22927	TelefonicadeArgentinaAR	false
116.204.165.44	unknown	Pakistan	23607	LEONET-AS-APLeoNetPvtLtdPK	false
5.101.107.41	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	false
221.83.33.106	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
24.71.77.191	unknown	Canada	6327	SHAWCA	false
193.252.45.35	unknown	France	3215	FranceTelecom-OrangeFR	false
32.93.232.170	unknown	United States	2686	ATGS-MMD-ASUS	false
243.100.129.203	unknown	Reserved	unknown	unknown	false
57.24.98.110	unknown	Belgium	2686	ATGS-MMD-ASUS	false
117.159.243.74	unknown	China	24445	CMNET-V4HENAN-AS-APHenanMobileCommunicationsCoLtdCN	false
247.209.69.255	unknown	Reserved	unknown	unknown	false
160.247.147.135	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
93.126.14.252	unknown	Iran (ISLAMIC Republic Of)	44375	AISDPIR	false
190.95.251.255	unknown	Ecuador	27947	TelconetSAEC	false
62.222.102.220	unknown	Ireland	8918	CARRIER1-ASIE	false
178.161.16.206	unknown	Kuwait	42961	GPRS-ASZAINKW	false
89.246.41.40	unknown	Germany	8881	VERSATELDE	false
78.122.64.184	unknown	France	8228	CEGETEL-ASFR	false
23.68.48.214	unknown	United States	7922	COMCAST-7922US	false
65.133.167.221	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
164.137.70.99	unknown	United Kingdom	3303	SWISSCOMSwisscomSwitzerlandLtdCH	false
253.163.201.162	unknown	Reserved	unknown	unknown	false
101.79.180.5	unknown	Korea Republic of	38661	HCLC-AS-KRpurplestonesKR	false
208.98.29.101	unknown	United States	46844	ST-BGPUS	false
254.148.39.84	unknown	Reserved	unknown	unknown	false
198.164.10.40	unknown	Canada	395431	IGTCANSOLCA	false
183.183.7.155	unknown	Japan	45684	MIRAINETKyoceraCommunicationSystemsCoLtdJP	false
146.12.254.26	unknown	United States	197938	TRAVIANGAMESDE	false
199.45.249.232	unknown	United States	16618	FUC-AS-16618US	false
35.145.114.33	unknown	United States	394141	ROCKET-FIBERUS	false
63.154.17.178	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
118.117.199.51	unknown	China	139220	CHINANET-SICHUAN-CHUANXI-IDCSichuanChuanxnIDCCN	false
223.179.12.206	unknown	India	45609	BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService	false
204.25.184.75	unknown	United States	13325	STOMIUS	false
158.30.134.23	unknown	United States	1504	DNIC-AS-01504US	false

Runtime Messages

Command:	/tmp/sora.mpsl
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CHINANET-BACKBONENo31Jin-rongStreetCN	l0vNaPgd6f	Get hash	malicious	Browse	106.82.51.213
	8fVDxGRR8S	Get hash	malicious	Browse	121.234.206.186
	s36oh8I6I0	Get hash	malicious	Browse	59.48.199.216
	3ObdCtruss	Get hash	malicious	Browse	117.77.54.225
	uRQVqbl0sQ	Get hash	malicious	Browse	125.123.119.138
	63BjZ1IcIh	Get hash	malicious	Browse	1.193.195.217
	trynagetmybinsufucker98575.arm7	Get hash	malicious	Browse	183.151.71.1
	m-p.s-l.Sakura	Get hash	malicious	Browse	125.89.54.95
	QXFOZ3Cshc	Get hash	malicious	Browse	222.168.38.12
	sora.x86	Get hash	malicious	Browse	113.77.117.207
	sora.arm7	Get hash	malicious	Browse	182.98.40.207
	sora.arm	Get hash	malicious	Browse	182.244.34.68
	lDawzTbABc	Get hash	malicious	Browse	1.71.43.54
	DVHEnaPp2d	Get hash	malicious	Browse	119.126.143.146
	HwcNrhNfZg	Get hash	malicious	Browse	27.185.59.72
	X5bKvoLX1E	Get hash	malicious	Browse	42.203.201.215
	e9e6i5D2gK	Get hash	malicious	Browse	115.217.129.91
	19kG57P043	Get hash	malicious	Browse	123.175.36.144
	Smlp3eBtOI	Get hash	malicious	Browse	118.122.17.150
	eGH4d5FDoU	Get hash	malicious	Browse	27.28.94.97
LVLT-10753US	Kod7jprn7K.exe	Get hash	malicious	Browse	193.56.146.64
	44508.5578762732.dat.dll	Get hash	malicious	Browse	193.56.146.60
	setup_x86_x64_install.exe	Get hash	malicious	Browse	193.56.146.36
	2LG87UfOTH.exe	Get hash	malicious	Browse	193.56.146.64
	0A223AA68AF0C2AF0BAABDA61D82748629078720A017E.exe	Get hash	malicious	Browse	193.56.146.36
	951049989EB772C71EC4FA9F0685AB45CAE755CA5D34C.exe	Get hash	malicious	Browse	193.56.146.36
	C9DE02209482359466292BE7BC0464FC65037698B38C1.exe	Get hash	malicious	Browse	193.56.146.36
	setup_installer.exe	Get hash	malicious	Browse	193.56.146.36
	CB7D321954760DE22CCBF59ECE43D94E503350B18203D.exe	Get hash	malicious	Browse	193.56.146.36
	D1F610AF3C46FFF6C857BE0136C696604EB8E7466B4A7.exe	Get hash	malicious	Browse	193.56.146.36
	F1F6AEEE9A42004E68765A83E9CBD51BC878A0AFD7C80.exe	Get hash	malicious	Browse	193.56.146.36
	4Lkdxnkt9M.exe	Get hash	malicious	Browse	193.56.146.64
	22275B7C5A57111ACA919F6BBFAE171E5E99F5EF777D1.exe	Get hash	malicious	Browse	193.56.146.36
	4AE186F9A645695962B47F37C8B8E64C4D45F2B2A12AE.exe	Get hash	malicious	Browse	193.56.146.36
	O4eFetVyO4.exe	Get hash	malicious	Browse	193.56.146.36
	6PjJy5iOgU.exe	Get hash	malicious	Browse	193.56.146.36
	2FA81F4A4C64E5595C5D538062B4E8435E10FCCD9F81B.exe	Get hash	malicious	Browse	193.56.146.36
	t2E05q13ox.exe	Get hash	malicious	Browse	193.56.146.64
	I3O28Z5uqy.exe	Get hash	malicious	Browse	193.56.146.64
	Hf34l6qunJ.exe	Get hash	malicious	Browse	193.56.146.64

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/proc/5280/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	high, very likely benign file
Preview:	-1000.

/run/sshd.pid Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:C/:C/
MD5:	0FB51AB07BECFCF5B764E59B0957E47B
SHA1:	07616041CD80AD91C6AA10FF67BFEBA563B7C869
SHA-256:	FB1A28528DCFF52E97348E800604313D3E228AAA6AE947D7204F6C1512A5DEC2
SHA-512:	25A69A478FB7B9E63A3748FCE192E292B14EF021A0ACBACAAAE672B7FCC04C41957EFC2177DF13CEB84B7A33D577913477A57CAAD949B49EA0A06C8B00789C0C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	5280.

Static File Info

General
File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	7.879578898375912
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	sora.mpsl
File size:	27236
MD5:	42ac0f5f0fd0d4e42fb7254730e94632
SHA1:	12369aa6f5ffd2e251a1e8924eee602b0ef7b2df
SHA256:	2dfc8c4568d6a3392fcd4d1837e17d3b4c6a412c8b98bdd91ce91a58250afbca
SHA512:	76e5a2ba9a9576f3bedb6d2fcbef73e6b042471f5c8f537c99e1b43726ef32182eef1b69c29cd960b0ce1cb41f7fb8e0e10aecb27b7d3dcbe3a39367ccf58ae0
SSDEEP:	768:w9CUFskb2JgIs/E2+OocrfJiHNjfmQ2q7IoqdBhUWx:GCrJgHiOJrfwmQrctpj
File Content Preview:	.ELF.....................V..4...........4. ...(.....................=i..=i....................E...E....................tUPX!`.......T...T.......T..........?.E.h;....#......b.L#4E..,,....M..D{c....j;.D .A....~.....hE.:.O........L..N.7g..\....R.............

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x105600
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0x693d	0x693d	4.2069	0x5	R E	0x10000
LOAD	0x18c0	0x4518c0	0x4518c0	0x0	0x0	0.0000	0x6	RW	0x10000

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 10, 2021 22:57:48.125638008 CET	44384	1312	192.168.2.23	86.126.191.187
Nov 10, 2021 22:57:48.164361000 CET	33513	23	192.168.2.23	249.160.168.231
Nov 10, 2021 22:57:48.164433956 CET	33513	23	192.168.2.23	18.180.160.250
Nov 10, 2021 22:57:48.164437056 CET	33513	23	192.168.2.23	12.64.171.231
Nov 10, 2021 22:57:48.164460897 CET	33513	23	192.168.2.23	92.121.112.28
Nov 10, 2021 22:57:48.164472103 CET	33513	23	192.168.2.23	206.117.57.130
Nov 10, 2021 22:57:48.164536953 CET	33513	23	192.168.2.23	93.243.190.76
Nov 10, 2021 22:57:48.164541960 CET	33513	23	192.168.2.23	121.108.199.90
Nov 10, 2021 22:57:48.164551973 CET	33513	23	192.168.2.23	60.27.82.21
Nov 10, 2021 22:57:48.164563894 CET	33513	23	192.168.2.23	111.7.75.134
Nov 10, 2021 22:57:48.164604902 CET	33513	23	192.168.2.23	191.84.217.12
Nov 10, 2021 22:57:48.164613008 CET	33513	23	192.168.2.23	209.45.98.211
Nov 10, 2021 22:57:48.164628029 CET	33513	23	192.168.2.23	177.209.199.153
Nov 10, 2021 22:57:48.164633036 CET	33513	23	192.168.2.23	195.27.80.46
Nov 10, 2021 22:57:48.164638042 CET	33513	23	192.168.2.23	58.251.203.2
Nov 10, 2021 22:57:48.164643049 CET	33513	23	192.168.2.23	194.158.79.55
Nov 10, 2021 22:57:48.164645910 CET	33513	23	192.168.2.23	12.160.167.36
Nov 10, 2021 22:57:48.164654970 CET	33513	23	192.168.2.23	173.60.182.205
Nov 10, 2021 22:57:48.164686918 CET	33513	23	192.168.2.23	203.174.44.72
Nov 10, 2021 22:57:48.164688110 CET	33513	23	192.168.2.23	135.1.203.103
Nov 10, 2021 22:57:48.164696932 CET	33513	23	192.168.2.23	107.81.61.103
Nov 10, 2021 22:57:48.164705038 CET	33513	23	192.168.2.23	126.38.223.216
Nov 10, 2021 22:57:48.164719105 CET	33513	23	192.168.2.23	184.151.29.130
Nov 10, 2021 22:57:48.164727926 CET	33513	23	192.168.2.23	159.240.172.93
Nov 10, 2021 22:57:48.164727926 CET	33513	23	192.168.2.23	180.124.26.148
Nov 10, 2021 22:57:48.164748907 CET	33513	23	192.168.2.23	253.4.69.28
Nov 10, 2021 22:57:48.164766073 CET	33513	23	192.168.2.23	80.162.236.135
Nov 10, 2021 22:57:48.164836884 CET	33513	23	192.168.2.23	133.222.243.226
Nov 10, 2021 22:57:48.164838076 CET	33513	23	192.168.2.23	83.154.22.100
Nov 10, 2021 22:57:48.164841890 CET	33513	23	192.168.2.23	96.98.126.158
Nov 10, 2021 22:57:48.164859056 CET	33513	23	192.168.2.23	119.75.189.195
Nov 10, 2021 22:57:48.164864063 CET	33513	23	192.168.2.23	67.150.155.192
Nov 10, 2021 22:57:48.164868116 CET	33513	23	192.168.2.23	38.13.5.54
Nov 10, 2021 22:57:48.164870977 CET	33513	23	192.168.2.23	94.247.109.232
Nov 10, 2021 22:57:48.164877892 CET	33513	23	192.168.2.23	44.222.35.58
Nov 10, 2021 22:57:48.164885044 CET	33513	23	192.168.2.23	154.243.149.241
Nov 10, 2021 22:57:48.164887905 CET	33513	23	192.168.2.23	24.164.133.34
Nov 10, 2021 22:57:48.164891958 CET	33513	23	192.168.2.23	40.193.239.103
Nov 10, 2021 22:57:48.164891005 CET	33513	23	192.168.2.23	112.92.22.39
Nov 10, 2021 22:57:48.164899111 CET	33513	23	192.168.2.23	109.145.140.9
Nov 10, 2021 22:57:48.164900064 CET	33513	23	192.168.2.23	119.168.43.139
Nov 10, 2021 22:57:48.164905071 CET	33513	23	192.168.2.23	178.156.230.210
Nov 10, 2021 22:57:48.164910078 CET	33513	23	192.168.2.23	35.219.64.128
Nov 10, 2021 22:57:48.164911985 CET	33513	23	192.168.2.23	183.232.45.174
Nov 10, 2021 22:57:48.164925098 CET	33513	23	192.168.2.23	78.58.74.90
Nov 10, 2021 22:57:48.164927959 CET	33513	23	192.168.2.23	206.162.185.205
Nov 10, 2021 22:57:48.164948940 CET	33513	23	192.168.2.23	243.255.16.38
Nov 10, 2021 22:57:48.164951086 CET	33513	23	192.168.2.23	13.144.6.193
Nov 10, 2021 22:57:48.164963007 CET	33513	23	192.168.2.23	122.80.127.200
Nov 10, 2021 22:57:48.164962053 CET	33513	23	192.168.2.23	195.139.152.201
Nov 10, 2021 22:57:48.164974928 CET	33513	23	192.168.2.23	148.42.189.150
Nov 10, 2021 22:57:48.164974928 CET	33513	23	192.168.2.23	139.225.46.28
Nov 10, 2021 22:57:48.164975882 CET	33513	23	192.168.2.23	218.11.101.179
Nov 10, 2021 22:57:48.164983034 CET	33513	23	192.168.2.23	244.92.160.177
Nov 10, 2021 22:57:48.165016890 CET	33513	23	192.168.2.23	158.124.4.205
Nov 10, 2021 22:57:48.165035963 CET	33513	23	192.168.2.23	82.132.90.111
Nov 10, 2021 22:57:48.165043116 CET	33513	23	192.168.2.23	247.5.112.121
Nov 10, 2021 22:57:48.165055990 CET	33513	23	192.168.2.23	84.169.170.163
Nov 10, 2021 22:57:48.165076971 CET	33513	23	192.168.2.23	98.230.144.165
Nov 10, 2021 22:57:48.165081024 CET	33513	23	192.168.2.23	165.82.2.228
Nov 10, 2021 22:57:48.165122032 CET	33513	23	192.168.2.23	70.183.237.50
Nov 10, 2021 22:57:48.165133953 CET	33513	23	192.168.2.23	183.17.119.27
Nov 10, 2021 22:57:48.165146112 CET	33513	23	192.168.2.23	247.231.1.26
Nov 10, 2021 22:57:48.165154934 CET	33513	23	192.168.2.23	121.219.62.180
Nov 10, 2021 22:57:48.165162086 CET	33513	23	192.168.2.23	109.227.166.253
Nov 10, 2021 22:57:48.165167093 CET	33513	23	192.168.2.23	176.204.99.147
Nov 10, 2021 22:57:48.165177107 CET	33513	23	192.168.2.23	245.69.54.137
Nov 10, 2021 22:57:48.165194035 CET	33513	23	192.168.2.23	101.44.231.244
Nov 10, 2021 22:57:48.165308952 CET	33513	23	192.168.2.23	69.8.79.170
Nov 10, 2021 22:57:48.165308952 CET	33513	23	192.168.2.23	153.251.232.35
Nov 10, 2021 22:57:48.165340900 CET	33513	23	192.168.2.23	68.36.139.172
Nov 10, 2021 22:57:48.165347099 CET	33513	23	192.168.2.23	166.72.61.128
Nov 10, 2021 22:57:48.165354967 CET	33513	23	192.168.2.23	120.178.45.232
Nov 10, 2021 22:57:48.165369034 CET	33513	23	192.168.2.23	135.147.136.19
Nov 10, 2021 22:57:48.165369987 CET	33513	23	192.168.2.23	8.207.13.45
Nov 10, 2021 22:57:48.165379047 CET	33513	23	192.168.2.23	91.253.255.35
Nov 10, 2021 22:57:48.165384054 CET	33513	23	192.168.2.23	139.225.50.239
Nov 10, 2021 22:57:48.165386915 CET	33513	23	192.168.2.23	12.254.76.201
Nov 10, 2021 22:57:48.165390015 CET	33513	23	192.168.2.23	194.70.115.65
Nov 10, 2021 22:57:48.165393114 CET	33513	23	192.168.2.23	115.110.153.215
Nov 10, 2021 22:57:48.165410042 CET	33513	23	192.168.2.23	167.57.59.213
Nov 10, 2021 22:57:48.165433884 CET	33513	23	192.168.2.23	87.182.234.103
Nov 10, 2021 22:57:48.165452003 CET	33513	23	192.168.2.23	91.110.181.13
Nov 10, 2021 22:57:48.165482998 CET	33513	23	192.168.2.23	60.0.23.223
Nov 10, 2021 22:57:48.165493011 CET	33513	23	192.168.2.23	169.166.155.25
Nov 10, 2021 22:57:48.165543079 CET	33513	23	192.168.2.23	72.8.22.99
Nov 10, 2021 22:57:48.165587902 CET	33513	23	192.168.2.23	175.108.140.248
Nov 10, 2021 22:57:48.165590048 CET	33513	23	192.168.2.23	160.202.60.48
Nov 10, 2021 22:57:48.165591002 CET	33513	23	192.168.2.23	41.37.15.82
Nov 10, 2021 22:57:48.165595055 CET	33513	23	192.168.2.23	197.237.130.70
Nov 10, 2021 22:57:48.165596962 CET	33513	23	192.168.2.23	202.153.155.219
Nov 10, 2021 22:57:48.165600061 CET	33513	23	192.168.2.23	167.121.128.163
Nov 10, 2021 22:57:48.165601015 CET	33513	23	192.168.2.23	85.132.69.150
Nov 10, 2021 22:57:48.165606022 CET	33513	23	192.168.2.23	216.190.134.189
Nov 10, 2021 22:57:48.165606976 CET	33513	23	192.168.2.23	70.159.150.154
Nov 10, 2021 22:57:48.165617943 CET	33513	23	192.168.2.23	82.30.54.46
Nov 10, 2021 22:57:48.165627956 CET	33513	23	192.168.2.23	155.159.192.22
Nov 10, 2021 22:57:48.165633917 CET	33513	23	192.168.2.23	44.6.0.163
Nov 10, 2021 22:57:48.165688992 CET	33513	23	192.168.2.23	245.94.65.66
Nov 10, 2021 22:57:48.165700912 CET	33513	23	192.168.2.23	59.3.240.30

System Behavior

Analysis Process: sora.mpsl PID: 5240 Parent PID: 5118

General

Start time:	22:57:46
Start date:	10/11/2021
Path:	/tmp/sora.mpsl
Arguments:	/tmp/sora.mpsl
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: sora.mpsl PID: 5242 Parent PID: 5240

General

Start time:	22:57:47
Start date:	10/11/2021
Path:	/tmp/sora.mpsl
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: sora.mpsl PID: 5243 Parent PID: 5240

General

Start time:	22:57:47
Start date:	10/11/2021
Path:	/tmp/sora.mpsl
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: sora.mpsl PID: 5244 Parent PID: 5240

General

Start time:	22:57:47
Start date:	10/11/2021
Path:	/tmp/sora.mpsl
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: sora.mpsl PID: 5248 Parent PID: 5244

General

Start time:	22:57:47
Start date:	10/11/2021
Path:	/tmp/sora.mpsl
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: sora.mpsl PID: 5249 Parent PID: 5244

General

Start time:	22:57:47
Start date:	10/11/2021
Path:	/tmp/sora.mpsl
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: sora.mpsl PID: 5251 Parent PID: 5244

General

Start time:	22:57:47
Start date:	10/11/2021
Path:	/tmp/sora.mpsl
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: systemd PID: 5279 Parent PID: 1

General

Start time:	22:58:02
Start date:	10/11/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5279 Parent PID: 1

General

Start time:	22:58:02
Start date:	10/11/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -t
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5280 Parent PID: 1

General

Start time:	22:58:02
Start date:	10/11/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5280 Parent PID: 1

General

Start time:	22:58:02
Start date:	10/11/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report sora.mpsl

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

PCAP (Network Traffic)

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: sora.mpsl PID: 5240 Parent PID: 5118

General

Analysis Process: sora.mpsl PID: 5242 Parent PID: 5240

General

Analysis Process: sora.mpsl PID: 5243 Parent PID: 5240

General

Analysis Process: sora.mpsl PID: 5244 Parent PID: 5240

General

Analysis Process: sora.mpsl PID: 5248 Parent PID: 5244

General

Analysis Process: sora.mpsl PID: 5249 Parent PID: 5244

General

Analysis Process: sora.mpsl PID: 5251 Parent PID: 5244

General

Analysis Process: systemd PID: 5279 Parent PID: 1

General

Analysis Process: sshd PID: 5279 Parent PID: 1

General

Analysis Process: systemd PID: 5280 Parent PID: 1

General