a46770913fba87921b56d789396e07cdfd68a846b2e80a77aa07e1c62f9304d6

Analysis

max time kernel
0s
max time network
155s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
29-11-2022 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

robinbot
Size

130KB
MD5

500009d8f68330a8f82b59884a9afe47
SHA1

575f5e6894b1a2f7a728435487666acdb9758f83
SHA256

a46770913fba87921b56d789396e07cdfd68a846b2e80a77aa07e1c62f9304d6
SHA512

ec62621ec2e037cb9f3890486ff4fb127ee6b34657ee7c2b1e3401de5d7fa2bb554e62d5c378dd93c43a3bb0bf4d210556cf8e67c0ff8449d0c615262e94dfba
SSDEEP

3072:xffIDJOocVBUbd8A2W3M/fvLUpANet2xBTd:xgDAtVmB8sM/fvLUpANet2xBTd

Score

9^/10

discovery

Malware Config

Signatures

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.

Processes:

description ioc

/etc/hosts /etc/hosts
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

description ioc

/proc/net/tcp /proc/net/tcp
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

description ioc

/proc/net/tcp /proc/net/tcp
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

robinbot

description ioc process

/tmp/robinbot /tmp/robinbot robinbot

description	ioc
/etc/hosts	/etc/hosts

description	ioc
/proc/net/tcp	/proc/net/tcp

description	ioc
/proc/net/tcp	/proc/net/tcp

description	ioc	process
/tmp/robinbot	/tmp/robinbot	robinbot

/tmp/robinbot
/tmp/robinbot
1⤵
- Writes file to tmp directory
PID:581

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Scanning

T1046

System Network Connections Discovery

T1049

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads